Page Comparison

...

All data processed by is stored and managed on hardware under the control of the customer.

1. JEMH processes email supplied by users, using connectivity mechanisms controlled by the user. If enabled, the action of Auditing stores those emails in raw, unencrypted form in the JIRA_HOME/jemh/auditing folder.

2. As part of supporting email only users, JEMH stores non-Jira email addresses in TEXT custom fields, unencrypted.

3. As part of processing user comments by email, JEMH also stores some of those comments, and the email addresses involved within the JEMH tables (prefixed with AO_78C957_), unencrypted.

4. As part of support, JEMH Profiles are often requested in order to reproduce configuration scenarios and solve problem. The XML payload contains email addresses, website URL’s, server license details and database settings, but no authentication details. When attached to the public JEMH Jira Issue Tracker, standard practice is to mark the issue security as Private between Reporter and Developers.

5. As part of support, JEMH Test Cases, which are exports of real emails supplied by the customer. Usually these emails contain 'test' data and are not sensitive, but still may contain IP address or other identifying data. Issues containing test cases are not always marked as private, if there are concerns, users may do this.

JEMHC (for Jira Cloud)

We categorically do not extract data from your site for any purpose other than fulfilling functionality that you configure within your JEMHC instance.

When does JEMHC store data from customer instances

1. If you configure JEMHC to send outbound notifications the app will need to access data from your Jira instance to be able to provide that functionality.

2. When an issue event webhook is sent to JEMHC, they are stored in an AWS SQS queue. JEMHC has compute nodes that process items from this queue, determining whether you have outbound notifications setup for the related project. If not, we drop the data at this point. That is the life span of data that you don’t expect to be processed by JEMHC.

3. During generation of notifications, we call back to Jira to retrieve additional data (e.g. attachments) that are related to the current notification, do a range of user lookups.

4. As part of sending the notification, JEMHC creates audit history of who got sent what. We retain, in JEMHC, the email addresses of recipients, as well as the content of the notification (stored in AWS S3 buckets). We have no access to this, it is for your benefit (as is the incoming auditing). If you choose to disable auditing, you can, but our ability to help you solve your problems relating to processing mail will be much harder, and may not be possible.

5. During support, you (the JEMHC admin) may elect to ‘flag’ incoming mails for support. This action makes the Email, its incoming processing Report and the related JEMHC Profile available to support staff. That email could be anything, including a reply to a Jira notification, containing data from Jira.

Where is data stored

All retained data is held within a virtual private cloud database and S3 storage buckets (both are encrypted at REST) managed by AWS located within the USA. We have no way to shard user data to European data centers at this time.

...

Once authorized and configured, JEMHC will be able to retrieve email from the linked account(s) and process as described below.

Inbound processing

1. JEMHC processes email supplied by users, using connectivity mechanisms controlled by the user. By default, the action of email retrieval:

   1. stores those complete emails in

...

1. 1. S3 buckets with an ‘audit’ link in the JEMHC database. Customers can opt out of the

...

1. 1. storage and audit retention (re-enabling requires support intervention). Opting out makes diagnosing email related problems much harder to resolve, if not impossible.

   2. stores subject, sender (from:), and recipients (to:, cc:) email address in JEMHC database, unencrypted.

2. As part of supporting email only users, JEMHC stores non-Jira email addresses in TEXT custom fields, unencrypted.

3. Email content is stored in Jira in plain text as issue summary/description/comment.

Outbound processing

1. Regardless of whether you have a license present for JEMHC or not, if JEMHC installed, the issue https://ecosystem.atlassian.net/browse/AC-1620 means that your Jira will send us issue webhook data for every issue event in your instance (over SSL). JEMHC stores this event data

...

...

1. which is encrypted

2. JEMHC will by default attach files added to issues to outbound emails.

3. JEMHC will by default store in an S3 bucket (with a link in the

...

1. outbound auditing view), the full email content of recently sent mail.

2. After sending email, JEMHC retains a recent history of the event, this includes email addresses and subject

...

1. (stored

...

...

1. in encrypted form in the db).

Registration and feedback

The Plugin People Ltd use Slack for this:

1. JEMHC writes registration event data to a private Plugin People Instant Message room (over SSL) identifying the host URL involved

2. JEMHC writes user supplied feedback to a private Plugin People Instant Message room (over SSL) identifying the host URL and the user email address involved

Logging

1. JEMHC writes some debug level logs to a logging database, this contains various information about email processing, subjects and sender email addresses are also hashed, only in some specific situation would we log PII data we'd use proactively to talk to the customer about particular problems. We purge the entire log archive from time to time, its use is transitory.

Support

1. As part of support, JEMHC Profiles are often requested in order to reproduce configuration scenarios and solve problem. The JSON payload contains email addresses, website URL’s, groups, usernames, but no authentication details. When attached to the public JEMHC Jira Issue Tracker, standard practice is to mark the issue security as Private between Reporter and Developers.

2. As part of support, JEMH Test Cases, which are exports of real emails supplied by the customer. Usually these emails contain 'test' data and are not sensitive, but still may contain IP address or other identifying data. Issues containing test cases are not always marked as private, if there are concerns, users may do this.

Use of email Test Cases

As part of Our support for JEMH and JEMHC, its common for us to require test case emails in order to reproduce a processing problem. These emails can contain personal information identifying users, e.g. names, email address, as well as related content. As the point of the Test Case is to validate specific processing, editing the content after the fact is not always an option. Such information is private and not shared.

...