Security Policy

Effective date: May 5, 2026

Bubbles - AI Risk & Dependency Dashboard for Jira (“the App”) is provided by Moose AI.

Moose AI takes the security and privacy of customer data seriously. This Security Policy explains how security issues related to the App may be reported and summarizes the safeguards used to protect data handled by the App.

Reporting Security Issues

If you believe you have discovered a security vulnerability in the App, please contact us at:

security@mooseai.co

Please include a description of the issue, steps to reproduce it, the affected app or environment, and any relevant screenshots, logs, or technical details.

Please do not include sensitive customer data unless necessary to explain the issue.

We will review reported security issues in good faith and work to investigate, validate, and remediate confirmed issues as appropriate.

Security Practices

The App uses Atlassian Forge permissions to access Jira data required for App functionality.

The App is designed to access and process only the Jira project and issue data needed to provide dependency visualization, risk analysis, AI-assisted dependency signals, caching, troubleshooting, and reliability.

The App uses tenant-scoped cache isolation and hashed tenant/user identifiers where appropriate.

Service credentials and secrets are stored using encrypted environment variables or platform-managed secret storage.

External Processing

The App may process limited Jira project and issue metadata through an external embeddings service hosted on Google Cloud Run in the United States.

This service is used to generate vector embeddings for AI-assisted dependency and risk insights.

The embeddings service is intended only for internal App functionality and is protected by API-key authentication.

Logging and Diagnostics

The App may generate operational logs for troubleshooting, performance monitoring, reliability, and security purposes.

Debug logging is restricted and intended to avoid unnecessary logging of sensitive content.

Logs are used only to operate, secure, and improve the App.

Data Protection

The App uses reasonable administrative, technical, and organizational safeguards to protect information handled by the App.

These safeguards may include:

• Access controls

• Encrypted secret storage

• Tenant-scoped data isolation

• API-key authentication for external service calls

• Data minimization

• Restricted debug logging controls

No method of transmission or storage is completely secure, and absolute security cannot be guaranteed.

Responsible Disclosure

We ask that security researchers and users act in good faith, avoid disrupting the App or customer environments, avoid accessing or modifying data that does not belong to them, and give Moose AI a reasonable opportunity to investigate and address reported issues before public disclosure.

Customer Responsibilities

Because the App operates within Atlassian products, customer access controls, Jira permissions, user management, and data deletion may also be controlled by the customer’s Atlassian organization and Jira administrators.

Updates

We may update this Security Policy from time to time. Updates will be reflected by a revised effective date.

Contact

Moose AI
Email: security@mooseai.co