ASYNC by Phoebuz
Security Statement

Effective March 2026

At Phoebuz, security is foundational to everything we build. ASYNC is designed from the ground up to protect your engineering data using Atlassian's enterprise-grade infrastructure, strong encryption, and privacy-preserving access controls. This document describes our security architecture, data handling practices, and the measures we take to safeguard your information.

1. Architecture

ASYNC is built entirely on Atlassian Forge, Atlassian's serverless app platform. This means:

  • ASYNC runs inside Atlassian's own infrastructure — not on self-hosted or third-party servers.
  • All compute is serverless (Forge Functions), eliminating the need for customer-managed infrastructure.
  • The application inherits Atlassian's platform-level security controls, including network isolation, runtime sandboxing, and automatic patching.
  • There are no customer-accessible servers, containers, or virtual machines to configure or secure.

2. Data Storage

All persistent data is stored using the Forge Storage API, Atlassian's managed key-value and entity storage service.

  • Data is encrypted at rest by Atlassian using AES-256 encryption.
  • Storage is scoped per Atlassian site — data from one installation is never accessible to another.
  • ASYNC does not maintain any external databases, data warehouses, or file storage systems.
  • Data retention follows the limits defined by your ASYNC subscription tier (14, 30, or 90 days), after which data is automatically purged.

3. Data in Transit

All data transmitted between ASYNC, Atlassian services, and external integrations is protected in transit.

  • All communications use HTTPS with TLS 1.2 or higher.
  • This applies to Forge function invocations, Forge Storage API calls, external REST API requests, and browser-to-server communication.
  • No data is ever transmitted over unencrypted channels.

4. Authentication

ASYNC relies on Atlassian's built-in authentication for all user access. Users must be authenticated through their Atlassian account before interacting with ASYNC.

For external integrations (GitHub, Slack, Zoom), ASYNC uses OAuth 2.0 authorization flows. Tokens are stored securely in Forge Storage with the same AES-256 encryption at rest. ASYNC never stores user passwords for any external service.

5. OAuth Scopes by Provider

ASYNC requests only the minimum scopes necessary for each integration. Below is a complete list of scopes requested, organized by provider, along with the justification for each.

5.1 GitHub

| Scope | Purpose |
|---|---|
| repo | Access pull request data, commit history, and code review activity for intelligence cards and standup generation. |
| read:user | Read user profile information to map GitHub identities to Atlassian users. |
| user:email | Read the user's email address for identity correlation across connected platforms. |

5.2 Slack

| Scope | Purpose |
|---|---|
| channels:read | List public channels to allow teams to select which channels to monitor. |
| channels:history | Read message history in public channels for team communication analysis and blocker detection. |
| channels:join | Join public channels selected by the team for monitoring. |
| groups:read | List private channels the bot has been invited to, for team-selected monitoring. |
| groups:history | Read message history in private channels (only those the bot has been invited to) for communication analysis and blocker detection. |
| users:read | Read workspace user profiles for identity mapping across platforms. |
| users:read.email | Read user email addresses for cross-platform identity correlation. |
| chat:write | Post messages to channels (e.g., standup summaries, blocker alerts, intelligence notifications). |
| team:read | Read basic workspace information for multi-workspace identification. |

5.3 Zoom

| Scope | Purpose |
|---|---|
| user:read:user | Read user profile data for identity mapping across platforms. |
| user:read:email | Read user email for cross-platform identity correlation. |
| meeting:read | Read meeting metadata (participants, duration, frequency) for meeting load analysis and focus time calculation. |
| cloud_recording:read | Read cloud recording metadata and transcripts for meeting intelligence and decision tracking. |

5.4 Confluence

| Scope | Purpose |
|---|---|
| read:confluence-space.summary | Read space summaries to identify relevant documentation spaces for the team. |
| read:confluence-content.all | Read page and blog content for documentation intelligence, knowledge coverage analysis, and staleness detection. |
| search:confluence | Search Confluence content to surface relevant documentation in context (e.g., related design docs for active Jira issues). |

5.5 Jira

| Scope | Purpose |
|---|---|
| read:jira-work | Read issues, worklogs, and project data for sprint health, velocity, and standup generation. |
| read:jira-user | Read user profiles for identity resolution and workload analysis. |
| read:sprint:jira-software | Read sprint data for sprint health monitoring, velocity tracking, and burndown analysis. |
| read:board-scope:jira-software | Read board configuration and scope for board-level intelligence and team structure mapping. |
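
A customer reviewing an installation can compare the scopes a token was actually granted against the lists in Section 5. The sketch below is an added example, not ASYNC's or Phoebuz's code; the function names, the sample grant strings and the write-capable classification are assumptions made for illustration.

```javascript
// Added example: scope-drift check against the lists declared in Section 5.
const DECLARED_SCOPES = {
  github: ['repo', 'read:user', 'user:email'],
  slack: ['channels:read', 'channels:history', 'channels:join', 'groups:read',
    'groups:history', 'users:read', 'users:read.email', 'chat:write', 'team:read'],
  zoom: ['user:read:user', 'user:read:email', 'meeting:read', 'cloud_recording:read'],
  confluence: ['read:confluence-space.summary', 'read:confluence-content.all',
    'search:confluence'],
  jira: ['read:jira-work', 'read:jira-user', 'read:sprint:jira-software',
    'read:board-scope:jira-software'],
};

// Reviewer's classification (not from the page): scopes that can change or
// post data rather than only read it. GitHub's classic `repo` scope is read/write.
const WRITE_CAPABLE = new Set(['repo', 'chat:write', 'channels:join']);

// Providers report granted scopes as comma- or space-separated strings.
function parseScopes(raw) {
  return [...new Set(String(raw || '').split(/[\s,]+/).filter(Boolean))];
}

function auditGrant(provider, rawGranted) {
  const declared = DECLARED_SCOPES[provider];
  if (!declared) throw new Error(`unknown provider: ${provider}`);
  const granted = parseScopes(rawGranted);
  const undeclared = granted.filter((s) => !declared.includes(s));
  return {
    provider,
    undeclared,                                            // drift: investigate
    unused: declared.filter((s) => !granted.includes(s)),  // declared, not granted
    writeCapable: granted.filter((s) => WRITE_CAPABLE.has(s)),
    ok: undeclared.length === 0,
  };
}

// Constructed sample grants, shaped like the scope string of a token response.
const SAMPLE_GRANTS = {
  github: 'repo, read:user, user:email',
  slack: 'channels:read,channels:history,chat:write,files:read',
  zoom: 'user:read:user user:read:email meeting:read',
};

function auditAll(grants) {
  return Object.entries(grants).map(([p, raw]) => auditGrant(p, raw));
}

console.log(JSON.stringify(auditAll(SAMPLE_GRANTS), null, 2));
```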

6. External Connections

ASYNC connects to the following external services. Each connection is made over HTTPS and is limited to the minimum data exchange necessary for the feature it supports.

| Endpoint | Justification |
|---|---|
| api.github.com | Retrieve pull request, commit, and code review data for engineering intelligence. |
| slack.com | Access team communication data for blocker detection and communication analysis. |
| api.zoom.us | Retrieve meeting metadata and recording transcripts for meeting intelligence. |
| api.anthropic.com | AI synthesis — send structured engineering data for natural language summarization, standup generation, and copilot responses. |
| api.openai.com | AI synthesis — send structured engineering data for natural language summarization, standup generation, and copilot responses. |
| generativelanguage.googleapis.com | AI synthesis — send structured engineering data for natural language summarization, standup generation, and copilot responses. |

ASYNC does not connect to any advertising networks, analytics platforms, or third-party tracking services.

7. LLM Data Handling

ASYNC sends structured, aggregated engineering data to large language model (LLM) providers for AI-powered features such as standup generation, copilot queries, and retrospective synthesis.

  • Data sent to AI providers is used solely for processing the requested task and generating a response.
  • AI providers do not store your data beyond the duration required to process the request.
  • ASYNC uses API-tier access with all providers, which excludes data from model training by default.
  • No raw source code, credentials, or secrets are sent to AI providers. Only structured metadata and summaries are transmitted.
  • Responses from AI providers are stored in Forge Storage subject to the same encryption and retention policies described in Section 2.

8. Access Control

ASYNC implements a three-rule access control model to protect individual privacy while enabling team visibility:

  1. Own data is always visible. Every user can see their own activity, metrics, and intelligence cards at all times.
  2. Team aggregates are visible. Team-level dashboards (Engineering Pulse, sprint health, velocity) display aggregated data that is visible to all team members. No individual attribution is shown in aggregate views.
  3. Individual data requires strategic access. Viewing another individual's detailed activity data (e.g., in Strategic Pulse) requires the viewer to hold a strategic access role, such as Engineering Manager or Team Lead, as configured by the Atlassian site administrator.

This model ensures that ASYNC is never used as a surveillance tool. Individual engineers always control their own data visibility, and access to individual-level data is restricted, auditable, and role-based.
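
The three rules can be read as a deny-by-default decision function with an audit entry for every request to view someone else's individual data. This is an added example, not ASYNC's implementation: the role names come from rule 3, while the record shapes, metric names, function names and the team-membership check for rule 2 are assumptions.

```javascript
// Added example: the three-rule model of Section 8 as a decision function.
const STRATEGIC_ROLES = new Set(['Engineering Manager', 'Team Lead']);

// Returns { allow, rule }. A request matching no rule is denied.
function decide(viewer, req) {
  if (req.kind === 'individual' && req.subjectId === viewer.id) {
    return { allow: true, rule: 1 };                       // own data
  }
  if (req.kind === 'aggregate' && viewer.teams.includes(req.teamId)) {
    return { allow: true, rule: 2 };                       // team aggregate
  }
  if (req.kind === 'individual' && viewer.roles.some((r) => STRATEGIC_ROLES.has(r))) {
    return { allow: true, rule: 3 };                       // strategic access
  }
  return { allow: false, rule: null };
}

// Records every attempt to view another person's data, allowed or denied.
function authorize(viewer, req, auditLog) {
  const d = decide(viewer, req);
  if (req.kind === 'individual' && req.subjectId !== viewer.id) {
    auditLog.push({ viewer: viewer.id, subject: req.subjectId, allow: d.allow });
  }
  return d;
}

// Rule 2 view: team totals only; user ids never appear in the output.
function aggregateView(records, teamId) {
  const rows = records.filter((r) => r.teamId === teamId);
  return {
    teamId,
    prsMerged: rows.reduce((n, r) => n + r.prsMerged, 0),
    openBlockers: rows.reduce((n, r) => n + r.openBlockers, 0),
  };
}

// Constructed sample data.
const RECORDS = [
  { userId: 'u1', teamId: 't1', prsMerged: 4, openBlockers: 1 },
  { userId: 'u2', teamId: 't1', prsMerged: 2, openBlockers: 0 },
  { userId: 'u3', teamId: 't2', prsMerged: 7, openBlockers: 2 },
];
const engineer = { id: 'u1', teams: ['t1'], roles: [] };
const lead = { id: 'u2', teams: ['t1'], roles: ['Team Lead'] };

function demo() {
  const log = [];
  const own = authorize(engineer, { kind: 'individual', subjectId: 'u1' }, log);
  const peer = authorize(engineer, { kind: 'individual', subjectId: 'u2' }, log);
  const viaRole = authorize(lead, { kind: 'individual', subjectId: 'u1' }, log);
  const otherTeam = authorize(engineer, { kind: 'aggregate', teamId: 't2' }, log);
  return { own, peer, viaRole, otherTeam, team: aggregateView(RECORDS, 't1'), log };
}
console.log(JSON.stringify(demo(), null, 2));
```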

9. Cookies and Client-Side Tracking

ASYNC does not use cookies. ASYNC does not use any client-side tracking scripts, pixels, or analytics beacons. There is no fingerprinting, no local storage tracking, and no third-party advertising or analytics integration.

10. Compliance

Because ASYNC is built entirely on Atlassian Forge, it inherits the compliance posture of Atlassian's cloud platform:

  • SOC 2 Type II — Atlassian's cloud infrastructure, including Forge, is audited annually under SOC 2 Type II.
  • ISO 27001 — Atlassian maintains ISO 27001 certification for its cloud services, covering information security management.
  • Atlassian's full compliance documentation is available at atlassian.com/trust/compliance.

ASYNC does not independently hold SOC 2 or ISO 27001 certification, but because all data storage and compute runs within Atlassian Forge, customers benefit from Atlassian's platform-level certifications and controls.

11. Vulnerability Reporting

If you discover a security vulnerability in ASYNC, we encourage responsible disclosure. Please report any security issues to:

info@phoebuz.com

We will acknowledge receipt within 2 business days and work to address confirmed vulnerabilities promptly. We ask that you refrain from publicly disclosing the vulnerability until we have had an opportunity to investigate and remediate.

12. Contact

For questions about this Security Statement or ASYNC's security practices, contact us at info@phoebuz.com.

© 2026 Phoebuz. All rights reserved.