Security policies and controls of the app

Whistle Willow is built for Atlassian Forge, Atlassian’s most modern and secure app framework and infrastructure.

WW core (Jira, JSM, Confluence apps) operates in Atlassian cloud infrastructure, and the data doesn't leave Atlassian.


There are two essential data flows:

  • Internal submissions

This is the default flow: only submissions from the company's Jira/JSM/Confluence are supported. All data stays in Atlassian Cloud. Reports are encrypted with an encryption key generated for each customer when the app is installed. In addition, all reports are stored in customer-bound storage provided by Atlassian, which is isolated by design from other customers and even from app developers. The key can't be read by other apps and is not shown anywhere in Whistle Willow. It's used internally to decrypt each report in real time when displaying it to the compliance team. Decrypted reports exist only in the compliance user's session; reports are stored encrypted at all times.

  • External submissions (not enabled by default)

An external submissions site can be provisioned by app admins (the Compliance team). It provides customers with a unique URL that can be used by the rest of the world, without Jira/Confluence access.

When External submissions are activated, two additional keys are created. One, public, is sent to the external submissions site and stored in the database.

When a reporter sends in a submission, it's encrypted with a public key that is unique to the customer the submission is for. These reports can only be decrypted to clear text using a private key (also unique per customer) that is stored in Atlassian Cloud, as part of Whistle Willow. This ensures that even if the public site is compromised, the data stays protected and can't be decrypted, because the private key is stored securely elsewhere (in Atlassian Cloud).

Whistle Willow in Jira/Confluence contacts the public site every hour and checks for new reports. If any are found, the encrypted blobs are fetched into Whistle Willow in Jira/Confluence and immediately removed from the public site's DB. The newly received public reports are decrypted using the private key in Atlassian Cloud. Each report is then immediately encrypted with the internal Jira/Confluence encryption key and stored in Atlassian Cloud storage (same as the Internal submissions flow).
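The external submissions flow above, sketched as an added example (this is not Whistle Willow's code). The page names no algorithms, so RSA-OAEP wrapping a per-report AES-256-GCM key, the in-memory Maps standing in for the public site's DB and Atlassian storage, and all function names are assumptions.

```javascript
// Added illustration; algorithms, names and storage are assumptions.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM helpers, used for the per-report data key and the internal key.
function gcmSeal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmOpen(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag); // final() throws if the blob was modified
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Public site: holds only the customer's public key, so it can seal
// a report but can never open one, even if fully compromised.
function sealForCustomer(publicKey, report) {
  const dek = crypto.randomBytes(32); // one-time data key per report
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dek);
  return { wrappedKey, ...gcmSeal(dek, report) };
}

// App side (Atlassian Cloud): the only place the private key exists.
function openExternal(privateKey, blob) {
  const dek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, blob.wrappedKey);
  return gcmOpen(dek, blob);
}

// Hourly pull: fetch each blob, remove it from the public DB, decrypt it,
// re-encrypt it under the internal key and store it.
function pullReports(publicDb, privateKey, internalKey, storage) {
  for (const [id, blob] of [...publicDb]) {
    publicDb.delete(id);
    storage.set(id, gcmSeal(internalKey, openExternal(privateKey, blob)));
  }
  return storage.size;
}

// Constructed end-to-end run with a constructed sample report.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const internalKey = crypto.randomBytes(32);
  const publicDb = new Map([['r1', sealForCustomer(publicKey, 'constructed sample report')]]);
  const storage = new Map();
  pullReports(publicDb, privateKey, internalKey, storage);
  return { left: publicDb.size, text: gcmOpen(internalKey, storage.get('r1')) };
}
```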

Below is the diagram that describes these two flows.