Security & Compliance

Security & Compliance

Armada is designed with security and compliance at its core, suitable for enterprise deployments in regulated industries.

SOC 2 Type II Compliance

Armada maintains SOC 2 Type II certification, covering:

• Security: Protection against unauthorized access
• Availability: System uptime commitments
• Processing Integrity: Accurate data processing
• Confidentiality: Data protection controls
• Privacy: Personal information handling

Trust Center

Access our full Trust Center for:

• SOC 2 Report (available upon request)
• Penetration Test Results
• Security Policies

---

Data Security

Data Storage

Data Type	Location	Encryption
Campaign state	Jira entity properties	At-rest (Jira)
Fleet config	Forge Storage	At-rest (Atlassian)
User preferences	Forge Storage	At-rest (Atlassian)
Audit logs	Jira issue comments	At-rest (Jira)

Data Residency

• Default: United States
• Enterprise: Custom data residency (US, EU, APAC)

Contact [email protected] for data residency requirements.

Encryption

• All API calls use TLS 1.3
• Jira credentials stored in OS keychain
• No sensitive data in logs (PII scrubbing enabled)

---

Access Control

User Permissions

Armada respects Jira’s existing permission model:

Action	Required Permission
Launch campaign	Create issues
View campaign	Browse projects
Approve campaign	Administer projects
Configure fleet	Administer projects
Manage templates	Administer projects

Role-Based Access Control (RBAC)

Enterprise plans include:

• Custom roles with granular permissions
• Team-scoped access
• Audit logging of permission changes

---

Audit Logging

What Gets Logged

Every significant action is recorded:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "action": "CAMPAIGN_LAUNCHED",
  "user": "user-123",
  "campaign": "PROJ-100",
  "children": 45,
  "metadata": {
    "strategy": "LINKED_ISSUE",
    "approvalRequired": true
  }
}

Log Retention

• Standard: 90 days
• Enterprise: Configurable up to 7 years

Export Audit Logs

# Via API (Enterprise)
GET /rest/armada/1.0/audit?from=2024-01-01&to=2024-01-31

# Via UI
Settings > Governance > Audit Log > Export

---

Vulnerability Management

Security Updates

• Critical vulnerabilities patched within 24 hours
• Regular dependency updates (monthly)
• Security advisories published at github.com/armada/security

Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities:

1. Email [email protected]
2. Include detailed reproduction steps
3. Allow 48 hours for initial response
4. We commit to not take legal action against good-faith researchers

Bug Bounty Program

Enterprise customers have access to our bug bounty program:

• Critical: $10,000
• High: $5,000
• Medium: $1,000
• Low: $250

---

Compliance Mappings

GDPR

Requirement	Implementation
Right to access	Export via API
Right to erasure	Campaign deletion
Data portability	JSON export available
Consent	Permission-based

HIPAA

Safeguard	Implementation
Administrative	Access controls, RBAC
Physical	Atlassian cloud infrastructure
Technical	Encryption, audit logging
Organizational	Business associate agreements

ISO 27001

Armada aligns with ISO 27001 controls:

• A.9.4 - Access control
• A.12.4 - Logging and monitoring
• A.18.1 - Compliance with laws

---

Security Best Practices

For Administrators

1. Install from trusted source only

   • Use official Atlassian Marketplace

2. Review permissions regularly

   • Quarterly access audits
   • Remove unused team members

3. Enable audit logging

   • Monitor for suspicious activity
   • Set up alerts for bulk operations

4. Keep templates updated

   • Review mission templates annually
   • Remove outdated configurations

For Users

1. Verify campaign targets

   • Double-check issue selection
   • Review affected teams

2. Use approval workflows

   • Enable for sensitive campaigns
   • Set appropriate thresholds

3. Report issues

   • Use “Report Issue” in Armada panel
   • Contact admin for urgent problems

---

Incident Response

Suspected Breach?

1. Immediately notify [email protected]
2. Preserve evidence - don’t delete logs
3. Document timeline of events
4. We’ll respond within 4 hours

Containment Steps

1. Disable affected user accounts
2. Revoke API tokens
3. Freeze non-essential operations
4. Begin forensic investigation

Recovery

1. Identify and patch vulnerability
2. Restore from known-good backup
3. Verify system integrity
4. Resume operations with monitoring

---

Compliance Reports

Available Documents

Document	Availability	Request
SOC 2 Type II	Enterprise	[email protected]
Penetration Test	Enterprise	[email protected]
Privacy Policy	All	Link
Terms of Service	All	Link
Data Processing Agreement	Enterprise	[email protected]

Custom Compliance

Need specific compliance documentation?

• Custom DPA with additional terms
• Right to audit clauses
• Specific security attestations

Contact [email protected]