Privacy Policy & Data Security

1. Introduction

At Yamuno, protecting your personal information and securing your data is our highest priority. This policy describes how we collect, use, and protect your personal data across all Yamuno products and platforms — including:

  • Apps developed for the Atlassian Marketplace
  • The Yamuno website (yamuno.com)

By using any of these products or services, you acknowledge and agree to the practices described in this policy.


2. Our Commitment to Data Protection

We adhere to industry-leading privacy and security standards to ensure your data remains confidential, accurate, and protected against unauthorized access or disclosure. Key measures include:

  • End-to-end encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access control and identity verification mechanisms
  • Secure hosting environments managed by trusted cloud providers
  • Routine audits and vulnerability monitoring
  • Compliance with global data protection frameworks including the GDPR and CCPA

We continually review and improve our practices to align with evolving security and privacy regulations.


3. Apps on the Atlassian Marketplace

3.1 Data Collection & Processing

Yamuno apps available on the Atlassian Marketplace do not collect, store, or process private or sensitive data outside of Atlassian's infrastructure.

All licensing, billing, and user account data are managed entirely by Atlassian and governed by:

Yamuno may receive anonymized reporting and analytics data provided by Atlassian to Marketplace partners. This data may be used to:

  • Improve Yamuno apps and services
  • Understand product adoption and performance
  • Contact you about relevant app updates (e.g., if you are a listed technical contact)

Yamuno may use third-party tools for such communications, ensuring all vendors operate under a valid Data Processing Agreement (DPA) in compliance with EU data protection laws.

3.2 Atlassian Forge Platform

Our Atlassian Cloud Apps are built on the Atlassian Forge framework, which provides built-in data protection and hosting controls. Forge ensures that:

  • All data is stored securely within Atlassian's infrastructure
  • Authentication and authorization are managed by Atlassian
  • Data remains in the same region as your Atlassian Cloud instance (e.g., Jira or Confluence)

4. Website Analytics & Cookies

4.1 Analytics

Yamuno uses Google Analytics to collect anonymized usage data on the Yamuno website. This helps us understand how visitors interact with our pages and identify opportunities to improve usability and performance. The data collected is anonymized and does not identify you personally.

4.2 Cookies

Google Analytics may place a small tracking cookie on your browser to enable this functionality. No other cookies or tracking technologies are used by Yamuno.

You can manage or block cookies through your browser settings at any time. Doing so will not affect your access to yamuno.com, although certain analytics functionality may be limited.


5. Customer Support & Communication

Yamuno provides customer support through Atlassian Jira Cloud with Jira Service Management. When you contact Yamuno support, you will be required to use an Atlassian ID. Any personal data provided during that process is collected and processed by Atlassian in accordance with the Atlassian Privacy Policy.

Yamuno accesses only the information necessary to assist with your support request and does not store customer data outside of Atlassian's secure environment.


6. Legal Basis for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases to process personal data:

  • Contractual necessity — to provide and maintain our services
  • Legitimate interests — to improve our products, communicate relevant updates, and prevent fraud
  • Legal obligation — to comply with applicable laws and regulations
  • Consent — for analytics cookies, where required by law

7. Your Rights Under GDPR & CCPA

7.1 GDPR Rights (EEA & UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restriction — request that we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw Consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at [email protected].

7.2 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of your personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

To submit a CCPA request, contact us at [email protected].


8. Sub-Processors

We use a limited set of third-party sub-processors to provide our services. All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards:

Sub-Processor | Purpose | Location
Atlassian | App hosting, billing, authentication | Global (AWS infrastructure)
Google Analytics | Anonymized website analytics | United States

We will update this list when sub-processors are added or removed. Customers under a Data Processing Agreement may request notification of sub-processor changes.


9. Data Processing Agreement (DPA)

Enterprise and business customers who require a Data Processing Agreement for GDPR compliance may request one by contacting [email protected]. We are committed to supporting your compliance requirements.


10. Data Retention and Deletion

  • Yamuno retains data only as long as necessary to provide and maintain its apps and services.
  • Upon termination or deletion of your app subscription, all related data is securely deleted within 60 days, in accordance with our EULA.
  • You may request the deletion of any personal data at any time by contacting our support team.

11. Application Security

  • Our apps operate entirely within the Atlassian Forge sandbox environment.
  • We follow the principle of least privilege — our apps request only the permissions strictly necessary to function.
  • We do not integrate with or transmit data to unauthorized third-party services.
  • Authentication and authorization are managed entirely by Atlassian.
  • All production code undergoes peer code review before deployment.
  • We use automated dependency scanning to identify and address known vulnerabilities in third-party libraries.
  • All third-party dependencies are regularly audited for license compliance to ensure no intellectual property conflicts.

12. Secure Development Lifecycle (SDLC)

Our development process includes security at every stage:

  • Security requirements are defined at the start of each feature cycle
  • Code review is mandatory for all changes, including security-sensitive paths
  • Dependencies are regularly audited and updated to eliminate known CVEs
  • We do not store secrets, credentials, or API keys in source code
  • Releases follow a staged rollout process with automated testing

13. Vulnerability Management

Severity SLAs

We follow a structured vulnerability response process based on severity:

Severity | Definition | Target Remediation
Critical | Exploitable, potential data exposure | 24 hours
High | Significant risk, likely exploitable | 7 days
Medium | Moderate risk, limited exploitability | 30 days
Low | Minimal risk, informational | 90 days

  • We monitor for new CVEs in our dependencies on a continuous basis.
  • Security patches are prioritized above feature development for Critical and High issues.
  • We conduct periodic internal security reviews and penetration testing of our infrastructure and apps.

14. Incident Response

In the event of a security incident:

  1. We will assess and contain the incident as rapidly as possible.
  2. Affected customers will be notified within 72 hours of confirmed impact, in accordance with GDPR requirements.
  3. We will provide a post-incident summary including the nature of the issue, scope, and remediation steps taken.
  4. We cooperate fully with Atlassian's security team and relevant regulatory authorities as required.

15. Responsible Disclosure

If you believe you've found a security vulnerability in one of our apps, we encourage responsible disclosure. Please contact us at:

[email protected] or visit our Support Portal

Please include:

  • A detailed description of the vulnerability
  • Steps to reproduce (if applicable)
  • Any supporting materials (screenshots, logs, proof-of-concept)

We aim to acknowledge all reports within 48 hours and will keep you informed throughout our investigation. We will not take legal action against researchers who follow responsible disclosure guidelines.


16. Regulatory Compliance

  • Our apps are built in compliance with the Atlassian Marketplace Partner Agreement.
  • Data protection is managed by Atlassian in accordance with their compliance certifications (SOC 2, ISO 27001, GDPR, and others).
  • We follow industry best practices in secure development and deployment.
  • We are actively working toward SOC 2 Type II certification to meet the requirements of enterprise procurement and security reviews.

17. Service Status & Uptime

We publish real-time service status and incident history at:

status.yamuno.com

This includes current system status, ongoing incident updates, and historical uptime data. You can subscribe to receive email or SMS notifications for any status changes.


18. Updates to This Policy

This Privacy Policy & Data Security document may be updated periodically to reflect new features, technologies, or legal requirements. Any changes will be posted on this page with an updated "Last Updated" date. For material changes, we will notify affected customers via email where possible.


19. Contact Us

For questions, concerns, or data rights requests regarding this policy:

For enterprise customers requiring a security review, vendor questionnaire, or Data Processing Agreement, we are happy to provide supporting documentation including our CAIQ Lite and DPA.


Last Updated: April 7, 2026


Company Information

Yamuno Software services are operated by:

Yamuno
Wyoming, United States

For legal and privacy inquiries, please contact: [email protected]