1. Architecture Overview
SprintAI is built on a Forge-first architecture. The Jira user interface runs inside Atlassian's Forge sandbox, which manages authentication, authorisation, and API access to your Jira instance. SprintAI's backend APIs are hosted separately on Vercel and communicate with Jira exclusively through authenticated Forge resolvers.
This design means:
- Atlassian manages user authentication — SprintAI never stores Jira passwords or OAuth tokens
- Forge enforces Jira permission scopes at the platform level
- The Forge sandbox isolates SprintAI code from your broader infrastructure
2. Encryption
In transit: All communication between the Forge app, SprintAI APIs, Supabase, and Anthropic uses HTTPS/TLS 1.2 or higher. No data is transmitted in plaintext.
At rest: All data stored in Supabase is encrypted using AES-256 encryption, managed by Supabase on AWS infrastructure.
3. External API Calls
SprintAI makes external network calls only to:
- sprintaiapp.com — SprintAI backend APIs (brain, AI, setup, stats)
- Anthropic Claude API — AI inference for delivery intelligence features
No other third-party APIs receive your Jira data. The Forge manifest explicitly whitelists only sprintaiapp.com for external fetch.
4. Data Minimisation
SprintAI does not store raw Jira issue content (descriptions, comments, attachments). We extract and retain only delivery intelligence:
- Ticket titles and keys
- Assignee display names
- Story points, issue types, and status
- Sprint metadata and velocity history
- AI-generated pattern memories and team profiles
5. Access Control
Role-based access: Pulse and brain setup features are restricted to Jira project managers and administrators. Standard team members cannot access delivery intelligence configuration or archaeology features.
API authentication: All backend API routes require a shared secret header (x-sprintai-jira-secret) validated against environment configuration. Requests without a valid secret are rejected.
Database access: Row Level Security (RLS) is enabled on all brain data tables. Only the service-role backend can read or write brain data. Anonymous and authenticated Supabase clients cannot access brain tables directly.
6. Audit Logging
All AI interactions are logged to an audit table (pulse_audit_log) including the action type, project context, and timestamp. Administrators can review what SprintAI processed and when.
7. Data Deletion
When SprintAI is uninstalled from a Jira site, our uninstall webhook handler marks all associated project data for deletion. All data is permanently deleted within 30 days of uninstallation.
Customers may also request immediate deletion via security@sprintaiapp.com.
8. Infrastructure
- Application hosting: Vercel (serverless functions, global CDN)
- Database: Supabase (PostgreSQL on AWS)
- AI inference: Anthropic Claude API
- Jira integration: Atlassian Forge (managed sandbox)
9. Responsible Disclosure
If you discover a security vulnerability in SprintAI, please report it responsibly to security@sprintaiapp.com. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.
Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.
10. Contact
SprintAI (operated by Vatsal Sinha)
Security: security@sprintaiapp.com