Data security and privacy statement

Data security and privacy statement


Data security and privacy statement

Data security and privacy statement

Flower is an Atlassian Connect application for JIRA.

The Atlassian Connect architecture requires data communication between JIRA Cloud and the add-on to be hosted on separate hardware. Flower is responsible for provisioning, monitoring, and managing the servers for the add-on’s applications. The add-on is hosted with Heroku and all communication between your JIRA OnDemand instance and the add-on is made over HTTPS (encrypted with SSL). All servers are located in the USA. The remainder of the document describes security and privacy of 3rd party data stored within the add-on only and not Atlassian OnDemand.

Hosting, Data Storage and Backups

Flower has selected Heroku (opens in a new tab) to host the application and Firebase (opens in a new tab) to store all data for the add-on. Heroku and Firebase were selected to due to the high levels of support, quality of service, reliability and security standards they offer their customers.

Our platform at Heroku was designed and optimized to the add-on and has multiple levels of redundancy built in. The application itself runs on separate front-end servers than those on which the data is stored.

The safety and security of your data is our top priority. Firebase requires SSL encryption with 2048-bit certificates for all data transfer and allows restricted reading and writing via granular access controls and custom authentication.

Only customer data required for the operation of the add-on will be accessed from JIRA OnDemand and stored within the add-on’s databases. This data will be encrypted during transit between data centers and when it is removed from data centers for backup purposes. All data is replicated and backed up to multiple secure locations.


Access to the Firebase, data storage is limited to authorized personnel only, as verified by Firebase identity verification measures. Physical security measures include: on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures.

Our primary data center is located within the US and our secondary data center as well.

People and Access

Excepting the Database Administrator, no Flower members of staff maintain an account that can access your private data. This access is required for application health monitoring, or for performing system and application maintenance. Authentication to application servers is done via individual passphrase-protected public keys, rather than passwords, and the servers only accept incoming SSH connections from Heroku. Our add-on is designed to allow application data to be accessible only with appropriate credentials, such that one customer cannot access another customer’s data without explicit knowledge of that other customers’ login information. Customers are responsible for maintaining the security of their own login information.

Data retention

When a customer's subscription lapses or ends we will retain the data for a period of 30 days and then the data may be be removed. Within this 30 days period customers can renew their subscription and continue to access their data.

Customers may request the permanent removal of data from our systems by writing to Flower Communication Hub. The removal of data will be conducted within 15 days and does not include removing data from any backups materials.

Effective as of January 1, 2022.

See also

OnDemand security policy (opens in a new tab)

Atlassian privacy statement (opens in a new tab)