SprintAI

Security Statement

Last updated: June 2026

1. Architecture Overview

SprintAI is built on a Forge-first architecture. The Jira user interface runs inside Atlassian's Forge sandbox, which manages authentication, authorisation, and API access to your Jira instance. SprintAI's backend APIs are hosted separately on Vercel and communicate with Jira exclusively through authenticated Forge resolvers.

This design means:

  • Atlassian manages user authentication — SprintAI never stores Jira passwords or OAuth tokens
  • Forge enforces Jira permission scopes at the platform level
  • The Forge sandbox isolates SprintAI code from your broader infrastructure

2. Encryption

In transit: All communication between the Forge app, SprintAI APIs, Supabase, and Anthropic uses HTTPS/TLS 1.2 or higher. No data is transmitted in plaintext.

At rest: All data stored in Supabase is encrypted using AES-256 encryption, managed by Supabase on AWS infrastructure.

3. External API Calls

SprintAI makes external network calls only to:

  • sprintaiapp.com — SprintAI backend APIs (brain, AI, setup, stats)
  • Anthropic Claude API — AI inference for delivery intelligence features

No other third-party APIs receive your Jira data. The Forge manifest explicitly whitelists only sprintaiapp.com for external fetch.

4. Data Minimisation

SprintAI does not store raw Jira issue content (descriptions, comments, attachments). We extract and retain only delivery intelligence:

  • Ticket titles and keys
  • Assignee display names
  • Story points, issue types, and status
  • Sprint metadata and velocity history
  • AI-generated pattern memories and team profiles

5. Access Control

Role-based access: Pulse and brain setup features are restricted to Jira project managers and administrators. Standard team members cannot access delivery intelligence configuration or archaeology features.

API authentication: All backend API routes require a shared secret header (x-sprintai-jira-secret) validated against environment configuration. Requests without a valid secret are rejected.

Database access: Row Level Security (RLS) is enabled on all brain data tables. Only the service-role backend can read or write brain data. Anonymous and authenticated Supabase clients cannot access brain tables directly.

6. Audit Logging

All AI interactions are logged to an audit table (pulse_audit_log) including the action type, project context, and timestamp. Administrators can review what SprintAI processed and when.

7. Data Deletion

When SprintAI is uninstalled from a Jira site, our uninstall webhook handler marks all associated project data for deletion. All data is permanently deleted within 30 days of uninstallation.

Customers may also request immediate deletion via security@sprintaiapp.com.

8. Infrastructure

  • Application hosting: Vercel (serverless functions, global CDN)
  • Database: Supabase (PostgreSQL on AWS)
  • AI inference: Anthropic Claude API
  • Jira integration: Atlassian Forge (managed sandbox)

9. Responsible Disclosure

If you discover a security vulnerability in SprintAI, please report it responsibly to security@sprintaiapp.com. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.

10. Contact

SprintAI (operated by Vatsal Sinha)
Security: security@sprintaiapp.com