Last updated: 13 July 2026.
BastionTrail is a Jira Cloud app that links development activity from your self-hosted or cloud Git server to your Jira issues and builds an exportable change-audit trail. This policy explains what data the app processes, why, where it is stored, and your rights.
You (the Atlassian site administrator who installs the app) are the data controller; BastionTrail is a data processor on your behalf. A Data Processing Agreement is available on request.
Only what is needed to link Git activity to Jira and produce the audit trail: Git event metadata (commit SHA/message, branch, MR/PR title and state, approver, pipeline status, deployment environment, author name, timestamps, URLs); Jira context (issue/project keys, cloud/installation ids); and config you provide (webhook secret, installation ids). We do not collect source code, files, passwords, or payment data. Author name is end-user data; the app declares inScopeEUD: true.
| Sub-processor | Role |
|---|---|
| Atlassian (Forge) | App UI and event handlers; issues the Forge Invocation Token |
| Railway | Backend and PostgreSQL database storing event/audit data |
| Cloudflare | DNS and TLS for api.bastiontrail.com |
We do not sell, rent, or share your data, and do not use it to train ML models.
All traffic over TLS. Webhooks verified against a per-installation secret with constant-time comparison. Every Forge call verified by validating the Forge Invocation Token (RS256 against Atlassian's JWKS, plus issuer/audience/expiry). Installations isolated; events de-duplicated by content hash.
Data is retained while the app is installed. On uninstall or written request, we delete the installation's data within 30 days. Export or deletion can be requested at any time.
Under GDPR, LGPD, CCPA and similar, you and your end users may access, correct, export or delete personal data. We support these through you, the controller.
The backend runs in a single region today; regional hosting (US/EU) is on the roadmap.