Security Policy

    Last updated: April 21, 2026

    Security Overview

    Showel is built on Atlassian Forge, a serverless platform. We don't operate our own servers, databases, or infrastructure. All data security and infrastructure management are handled by Atlassian.

    Our Security Approach: Minimal permissions, deny-by-default access controls, and no access to your source code or AI prompts.

    What We Built

    Application Security

    • Minimal Permissions: We only request read access to Jira projects and users - no write permissions
    • Deny-by-Default: Projects are denied access to reports until explicitly allowed by admins
    • No Code Access: We never access your source code, prompts, or AI-generated content
    • Encrypted API Keys: Cursor API credentials are stored encrypted in Forge secure storage
    • HTTPS Only: All external API calls use encrypted HTTPS connections

    Permissions We Request

    Showel requests only these Jira permissions:

    • read:jira-work - Read project lists for Project Visibility feature
    • read:jira-user - Read user information to match with AI usage data
    • storage:app - Store API configuration securely

    We do not request write permissions - Showel cannot modify your Jira data.

    What Atlassian Provides

    Infrastructure Security

    Atlassian Forge provides:

    • Encrypted data storage (encryption at rest)
    • Secure data transmission (TLS encryption in transit)
    • Isolated execution environment per tenant
    • Automatic security patches and updates
    • DDoS protection and rate limiting

    Atlassian Certifications

    Atlassian maintains enterprise security certifications:

    • SOC 2 Type II certification
    • ISO 27001 certification
    • GDPR compliance

    Note: These are Atlassian's certifications. Showel inherits these security controls by running on the Forge platform.

    Data Handling

    What Data We Access

    • From Jira: Project names, user names, user emails
    • From Cursor API: Token usage statistics (when you provide API credentials)

    What We Don't Access

    • Your source code
    • Your AI prompts or conversations
    • AI-generated content
    • Jira issue content or descriptions

    Where Data Is Stored

    All data is stored within Atlassian's Forge platform infrastructure:

    • Data location follows your Atlassian instance's data residency settings
    • We do not operate our own databases or servers
    • API credentials are encrypted using Forge's secure storage

    Data Deletion

    To delete your data:

    • Uninstall the app: All data stored by Showel is automatically deleted
    • Remove API credentials: Delete your Cursor API key from the configuration page

    Access Controls

    Admin Controls

    Only Jira administrators can:

    • Configure Cursor API credentials
    • Manage project visibility (which projects can access reports)
    • Install or uninstall the app

    Project-Level Access

    • Deny by Default: New projects cannot access reports until explicitly allowed
    • Admin Approval Required: Only admins can grant project access
    • Project Permissions: Users can only view reports for projects they have Jira access to

    Authentication

    All authentication is handled by Atlassian:

    • OAuth 2.0 authentication through Atlassian
    • No separate login or password management
    • Multi-factor authentication (MFA) supported through Atlassian accounts

    External Integrations

    Cursor API Integration

    Showel connects to Cursor's API using credentials you provide:

    • Your API Key: You provide your own Cursor Admin API key
    • Encrypted Storage: API keys are encrypted and stored in Forge secure storage
    • HTTPS Only: All API calls use encrypted HTTPS connections
    • Basic Auth: API key authentication over secure connections
    • Revocable: You can remove API credentials anytime from the admin page

    Whitelisted Endpoints

    Showel can only access these Cursor API endpoints (hardcoded in manifest):

    • api.cursor.com/teams/members
    • api.cursor.com/teams/daily-usage-data
    • api.cursor.com/teams/spend
    • api.cursor.com/teams/filtered-usage-events
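    The scopes listed under "Permissions We Request" and the endpoint allowlist above are both declared in a Forge app's manifest.yml, which is what an administrator can review before installing. The fragment below is an added illustration of how such a declaration looks, not Showel's actual manifest; the app id is a placeholder, and the Forge egress allowlist is expressed per host, so the four endpoint paths above are covered by the single api.cursor.com entry.

```yaml
# Illustrative Forge manifest fragment (not the project's own file).
# Forge enforces both lists at the platform level: any Jira API call outside
# the declared scopes, and any outbound fetch to a host not listed under
# external.fetch.backend, is rejected at runtime.
permissions:
  scopes:
    - read:jira-work   # read project list for the Project Visibility feature
    - read:jira-user   # read user names/emails to match against usage data
    - storage:app      # Forge storage for encrypted API configuration
    # Note the absence of write:jira-work: the app cannot modify Jira data.
  external:
    fetch:
      backend:
        - api.cursor.com   # the only host backend code may call out to

app:
  id: ari:cloud:ecosystem::app/PLACEHOLDER-APP-ID   # placeholder, not a real id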

    Security Best Practices for Users

    For Administrators

    • API Key Rotation: Periodically rotate your Cursor API keys
    • Project Access: Review which projects have access to reports quarterly
    • Least Privilege: Only grant report access to projects that need it
    • Enable MFA: Use multi-factor authentication on your Atlassian account

    For Users

    • Use strong passwords for your Atlassian account
    • Enable two-factor authentication (2FA)
    • Report suspicious activity to your Jira administrator

    Limitations and Transparency

    What We Don't Do

    To be transparent about our capabilities:

    • No Logging: We don't collect or analyze application logs beyond what Forge provides
    • No Monitoring: We don't have security monitoring systems - we rely on Forge
    • No Penetration Testing: We haven't performed third-party security audits
    • No Bug Bounty: We don't currently offer a bug bounty program

    What We Rely On

    • Atlassian Forge: All infrastructure security, encryption, and compliance
    • Atlassian APIs: Authentication, authorization, and session management
    • Platform Updates: Automatic security patches from Atlassian

    Reporting Security Issues

    If you discover a security vulnerability in Showel:

    Contact

    Email: security@showel.ai

    Please include detailed information about the vulnerability and steps to reproduce.

    Responsible Disclosure

    We request that you:

    • Give us reasonable time to investigate and address the issue before public disclosure
    • Don't access or modify data that doesn't belong to you
    • Don't perform actions that could harm users or service availability

    Security Resources

    For more information about the security of the platforms we use:

    Updates to This Policy

    We may update this Security Policy as we add features or improve security. Changes will be reflected by updating the "Last updated" date at the top of this page.

    Contact Us

    For security questions or concerns:

    This Security Policy describes Showel's security approach. For platform security details, see Atlassian's Trust Center. For third-party service security (Cursor AI), refer to their respective security policies.