Greenlight
Security
Effective date: 16 July 2026
This page describes the security posture of Greenlight — Release Readiness & Approvals ("the app"), published by Sanyasha Software for Jira Cloud on the Atlassian Marketplace. It complements the privacy policy, which describes what data the app stores.
Architecture in one paragraph
Greenlight is built entirely on Atlassian Forge, Atlassian's managed cloud platform. All code executes on Atlassian-operated infrastructure, and all data is stored in Forge SQL, Atlassian-hosted storage tied to your own Atlassian site. The app has zero egress: no external servers, no third-party services, no remote APIs, and no data ever leaves Atlassian's infrastructure. This is not just policy — it is technically enforced by the Forge platform, and the app qualifies for Atlassian's Runs on Atlassian program on that basis.
Data flow
- In: the app reads Jira data (issues, projects, versions, user display names) through Atlassian's APIs, as the acting user, under Jira's own permission model.
- At rest: release-readiness content you author (releases, gates, checklist items, sign-off decisions, audit events) is stored in Forge SQL. Only Atlassian account IDs are stored for people — never names, emails, or avatars, which are resolved live from Jira at read time.
- Out: nothing. The app declares no egress permissions, exposes no remote REST APIs, and sends no telemetry, analytics, or logs to any third party.
Platform security
Because the app runs entirely on Forge, it inherits Atlassian's platform security controls:
- Isolation: app code runs in Atlassian's sandboxed Forge runtime, scoped to your site's installation.
- Encryption: data is encrypted in transit and at rest by Atlassian's infrastructure.
- Data residency: Forge hosted storage is pinned to — and migrates with — the data-residency location your admin chooses for the host product.
- Tenancy: each installation's data is partitioned per Atlassian site.
Atlassian's own security and compliance commitments for the Forge platform are documented in the Atlassian Trust Center.
Access control
- All reads and writes run as the acting user, so Jira's project permissions always apply — users only ever see releases in projects they can access.
- Sign-off authority is enforced server-side: only a gate's owner or listed approvers can decide it, and only release managers (project admins) can override, with every decision audit-logged.
- The vendor has no access to your data. Forge storage is readable only by the app inside your site; Sanyasha Software operates no infrastructure that could receive it.
Secrets and authentication
The app requests no credentials of any kind: no Atlassian Personal Access Tokens (PATs), no passwords, no API keys, no shared secrets. Authentication is handled entirely by Atlassian's platform.
Permissions requested
read:jira-work— read issues, projects, and versions the current user can already see.read:jira-user— resolve display names and avatars at render time.storage:app— the app's own Forge SQL storage.
The app never writes to Jira issues, workflows, or versions. Scope changes require your admin's explicit re-consent through Atlassian's upgrade flow.
Development practices
- Dependencies are kept minimal and updated regularly; the frontend is built from source and served as static assets through Forge's CDN.
- Changes are code-reviewed and tested on a development site before any production deployment.
- New versions are distributed exclusively through the Atlassian Marketplace and Forge's deployment pipeline — there is no side-channel update mechanism.
Reporting a vulnerability
If you believe you have found a security issue in Greenlight, email support@sanyasha.com with the details. Please include steps to reproduce where possible. We acknowledge reports within 2 business days and will keep you informed through to resolution. We ask that you practice responsible disclosure and allow us reasonable time to remediate before publishing.
Changes to this page
Material changes to the app's security posture will be reflected here with an updated effective date.
Contact
Security questions or disclosures: support@sanyasha.com · also see sanyasha.com/greenlight/support.