Security Policy
Last updated: May 18, 2026
A2A Gateway ("we", "us", or "our") takes the security of our systems and customer data seriously. This policy describes the security controls, practices, and processes we apply to the AI Triage Agent for Jira Service Management (the "App") and its supporting infrastructure.
1. Reporting a Security Vulnerability
If you discover a security vulnerability in the App or any A2A Gateway system, please report it to us responsibly:
- Email security@a2agateway.com with a description of the issue, steps to reproduce, and any supporting evidence.
- We will acknowledge receipt within 2 business days.
- We will provide a status update within 7 business days and a remediation timeline once the issue has been assessed.
- Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
2. Incident Response
We maintain an incident response process to detect, contain, and remediate security events promptly:
- Detection: Application logs are monitored via Axiom. Anomalous patterns (unexpected access spikes, error bursts, authentication failures) trigger investigation.
- Containment: On confirmation of a security incident, affected components are isolated and access keys are rotated immediately.
- Customer notification: If an incident results in unauthorised access to customer data, affected customers will be notified by email within 72 hours of confirmation, in accordance with applicable regulations.
- Post-incident review: Each significant incident is followed by a root-cause analysis and the implementation of controls to prevent recurrence.
3. Vulnerability Management
- Dependencies (npm packages, backend libraries) are reviewed for known vulnerabilities using automated tooling and updated on a regular basis.
- Critical or high-severity CVEs affecting a production dependency are remediated within 14 days of disclosure; medium-severity issues are addressed within 90 days.
- The App runs on Atlassian Forge, which provides a managed, sandboxed runtime. Forge platform-level patches are applied automatically by Atlassian.
- Infrastructure components (database, API services) are kept up to date with security patches on a rolling basis.
4. Access Controls
- Access to production systems is restricted to authorised A2A Gateway personnel only, governed by the principle of least privilege.
- All administrative access to cloud infrastructure requires multi-factor authentication (MFA).
- API keys and secrets are stored in a secrets manager and are never committed to source control.
- Customer API tokens (Atlassian API tokens provided during setup) are encrypted at rest using AES-256 and are only decrypted in memory during an active triage or sync operation.
5. Data Encryption
- All data in transit between the App, our backend, and third-party services (Anthropic, Atlassian) is encrypted using TLS 1.2 or higher.
- Data at rest (indexed content, configuration, logs) is encrypted at the storage layer.
- Customer API tokens are additionally encrypted at the application layer with AES-256 before being written to the database.
6. Tenant Isolation
- Each customer's data is logically isolated by a unique tenant identifier derived from their Atlassian installation.
- Database queries are scoped to a single tenant at all times; cross-tenant data access is not architecturally possible.
7. Third-Party Security
We rely on reputable, security-conscious third-party providers:
- Atlassian Forge: The App runs within Atlassian's Forge sandbox, which enforces strict runtime isolation and manages platform security on our behalf.
- Anthropic: Issue content is sent to Anthropic's API over TLS. Anthropic does not use API inputs to train models by default. See Anthropic's Privacy Policy.
- Axiom: Operational logs (containing only tenant IDs and metrics — no personal data) are retained for 90 days and access is restricted to authorised personnel.
8. Secure Development Practices
- Code changes are reviewed before being merged to the main branch.
- Production deployments are made from a controlled pipeline; direct manual edits to production are not permitted.
- User-supplied input is validated and sanitised before being used in queries or passed to external APIs.
9. Contact
For security concerns or vulnerability disclosures, contact us at security@a2agateway.com. For general enquiries, email hello@a2agateway.com.