
Security and Forge architecture

Starter·Platform: Jira Service Management Cloud (Assets)·Trust and Security·Reading time: ~8 min·Version 1.3·Apr 2026


LaunchPad is a Forge app. That one fact shapes nearly every security question you might have. This page explains what it means in practice, where your data lives, what we do with it, and how our posture maps onto the compliance frameworks your security team is probably tracking.

We have tried to be specific rather than reassuring. Where we rely on Atlassian's platform controls, we say so and link the relevant attestation. Where LaunchPad adds its own surface, we describe it directly.


Where your data lives

LaunchPad runs entirely on Atlassian Forge. The app has no servers of our own, no external databases, and no third-party data processors in the runtime path. When you deploy a schema, the API calls go directly from the Forge runtime to your Jira Cloud instance's Assets API. Nothing leaves the Atlassian Cloud boundary.

Concretely:

  • Your schema definitions, object types, attributes, and relationships are created inside your Assets workspace.
  • Your records (the CMDB data you load after deployment) are stored in Assets, owned by your Jira Cloud tenant.
  • LaunchPad itself does not retain a copy of your schemas or your records outside the Forge runtime's ephemeral execution context.
  • The deployment process is additive. LaunchPad does not modify existing schemas, workspaces, or records, and cannot delete data that it did not create.

This model is what allows the product to be safe by default. There is no place for your data to leak because there is no place for your data to go.


Tenancy isolation and data residency

Forge runs on Atlassian's multi-tenant cloud infrastructure. Tenancy isolation, data residency, and the underlying encryption guarantees are provided and documented by Atlassian rather than by LaunchPad. That distinction matters for procurement conversations.

  • Tenancy isolation: Each Forge app invocation runs in a per-tenant context. LaunchPad cannot read, write, or enumerate data from any tenant other than the one invoking it. This is enforced by Atlassian's Forge runtime, not by LaunchPad.
  • Data residency: Your Assets data resides in the region your Jira Cloud instance is provisioned in. LaunchPad inherits the same residency. If your Jira Cloud tenancy is in the EU region, your schema definitions and record data stay in the EU region.
  • Encryption in transit: All Forge-to-Assets API calls use HTTPS.
  • Encryption at rest: Your Assets data is encrypted at rest by Atlassian Cloud.

For the authoritative, up-to-date descriptions of these controls, refer to Atlassian's Trust Center and the Forge security documentation.


Authentication and permissions

LaunchPad uses Forge's scoped permission model. At install time, the Atlassian admin installing the app reviews and approves the exact scopes the app requests. LaunchPad requests the minimum set needed to deploy schemas:

  • Read and write access to Assets object schemas, object types, reference types, and attributes.
  • Read access to Jira projects (to populate and validate schema selections).
  • App user context, for attributing deployment actions to LaunchPad in your audit trail.

LaunchPad does not request:

  • Access to user email addresses or personal profile data.
  • Access to issue content, comments, or attachments.
  • Access to Confluence content, calendars, or any other Atlassian product surface.
  • Access to external systems outside your Jira Cloud tenancy.

A normal Jira user interacting with LaunchPad can only perform actions their Jira and Assets permissions already allow. The app does not elevate privileges or bypass role-based access control.


The authenticated docs session

A small subset of documentation (the /use/, /operate/, and /improve/ sections, plus schema-specific quick-start, governance, and forms pages) is gated to LaunchPad licensees. That gate is implemented as a Cloudflare middleware in front of this site and is unrelated to the Forge app's access model.

When you open gated documentation from inside LaunchPad, the app mints a short-lived signed token and redirects you to the docs site with that token. The docs site validates the token with an HMAC-SHA256 secret shared between the app and the site, extracts the tier claim, and sets a session cookie (lp_session) scoped to this domain with a 24-hour expiry. No personal data is included in the token or the cookie; the only payload is the tier claim and an expiry timestamp.

You can read a full description of the gating rules in the Cloudflare access rules document in the repository.


Data processing and vendor identity

LaunchPad is built and operated by Let's Talk Solutions Ltd, a UK-registered company. We are the data controller for any information you provide directly to us (for example, a support email), and a data processor for the Assets data LaunchPad manipulates on your behalf inside your Jira Cloud tenancy.

Because the Forge runtime is the transport for every byte of that data, Atlassian is a sub-processor. Atlassian publishes a standard Data Processing Agreement that applies to Forge apps. Let's Talk Solutions offers a complementary DPA covering our specific handling of your data in the support, billing, and onboarding surfaces.

If your procurement team needs a signed DPA, contact us at support@lt.solutions and we will send the standard form. If your team needs custom terms, say so in that email and we will respond with what we can and cannot accommodate.


Compliance posture

LaunchPad's compliance story splits cleanly into two layers.

The Atlassian layer (inherited)

The Forge runtime inherits Atlassian Cloud's attestations. These cover the underlying infrastructure, encryption, tenancy isolation, data residency, availability, and incident response posture. Atlassian publishes:

  • SOC 2 Type II reports.
  • ISO 27001 certification.
  • ISO 27018 certification (cloud-specific privacy).
  • PCI DSS attestation (where relevant).
  • CSA STAR certification.

These are the controls that answer most "is the platform secure?" questions in a procurement review. Request the current reports directly from Atlassian's Trust Center.

The LaunchPad layer (ours)

LaunchPad as an app does not hold its own SOC 2 or ISO 27001 attestation. Let's Talk Solutions is a small vendor and we have not undertaken the certification effort; doing so would materially increase the price of the product and benefit very few customers. We prefer to be specific about what we do rather than gesture at certification badges.

What LaunchPad itself controls is documented here. In summary:

  • All application logic runs inside Atlassian Forge. We have no separate cloud environment for the runtime.
  • We do not retain, aggregate, or re-use your schema data outside the Forge runtime's execution context.
  • Support correspondence is handled through email and stored in a ticketing system operated by Let's Talk Solutions. We keep support records for 24 months.
  • Billing and account data is processed through a standard third-party billing platform (named in the DPA).
  • We do not ship analytics that report on your Assets content. Anonymous usage telemetry reports aggregate product-level metrics (install counts, feature usage by app version) with no customer-identifying information.

What this means for specific frameworks

SOC 2 Type II: Inherited from Atlassian at the runtime layer. LaunchPad does not hold its own report. We are explicit about that distinction; auditors have accepted this pattern for other Forge apps, and we can share references.

ISO 27001: Inherited from Atlassian at the runtime layer. Same position as SOC 2.

DORA (EU ICT risk): For EU-regulated financial entities, the DORA posture depends on how Atlassian is classified in your ICT third-party register. Atlassian offers DORA-specific contractual terms. LaunchPad as a sub-processor would be listed in your fourth-party inventory. We can supply an attestation letter describing our role.

GDPR: LaunchPad processes only the data you load into Assets plus support correspondence and billing metadata. Data subject rights requests for Assets content should be directed at your Jira Cloud administrator; for the support and billing surfaces, contact us directly.

HIPAA: Atlassian offers HIPAA-eligible Cloud tenancies. LaunchPad does not sign Business Associate Agreements directly; if your HIPAA posture is being addressed via Atlassian's BAA, LaunchPad sits inside the same controls as any other Forge app. If you require a separate BAA from Let's Talk Solutions, contact us before deploying to a regulated workload.

ISO 9001, ISO 20000, ISO 45001: Out of scope for both the app and the vendor at this time.

If your framework is not listed, email support@lt.solutions with the specific controls you are mapping and we will tell you where we sit.


Audit logging

Two audit trails are relevant.

Atlassian's Jira and Assets audit log captures every change LaunchPad makes to your schema: schema creation, object type creation, reference type creation, attribute creation, and any subsequent modification. Actions are attributed to the LaunchPad app user. Retention and export of the audit log follow Atlassian's defaults for your Jira Cloud plan. If your compliance posture requires longer retention or immutable export, use Atlassian's audit log streaming feature (Premium and Enterprise plans) to push events to an external SIEM.

LaunchPad's own activity log records deployment events (start, progress, complete, failure) at the app level, visible in the LaunchPad UI. This log is a convenience for operators, not a compliance artefact. The authoritative record is always the Jira and Assets audit log.

We do not maintain a separate, queryable audit log of your Assets content changes. The Atlassian audit log is that record.


Incident response

If LaunchPad experiences a service-affecting issue, we publish status and advisories. The current channels are:

  • The Atlassian Marketplace listing for LaunchPad, where we post advisories on significant incidents.
  • Email notifications to subscribed customers.
  • A dedicated incident page in the documentation (forthcoming, currently on the roadmap for Q2 2026).

Response targets:

  • Acknowledgement of a reported security issue: within 1 business day.
  • Initial triage and severity assessment: within 2 business days.
  • Critical security fix deployment: within 5 business days of validated report.
  • Non-critical fix deployment: in the next scheduled release.

These are targets, not contractual guarantees. Customers on a paid support plan have targets defined in their agreement, which take precedence. Contact security@lt.solutions for confidential security reports.


What LaunchPad does not do

The honest list, for procurement clarity:

  • LaunchPad does not call any external (non-Atlassian) service at runtime.
  • LaunchPad does not store your Assets data outside the Forge runtime.
  • LaunchPad does not share your data with third parties for marketing, analytics, or any other purpose.
  • LaunchPad does not train machine-learning models on your data.
  • LaunchPad does not hold its own SOC 2 or ISO 27001 attestation. It inherits Atlassian's for the runtime layer and documents its own controls explicitly on this page.
  • LaunchPad does not provide on-premises or data-residency-locked deployments outside what Atlassian Cloud offers.

What to ask us

Reasonable questions a procurement or security reviewer might raise, and where to find answers:

  • Where does my data physically reside? Refer to your Atlassian Cloud tenancy region. LaunchPad does not change that.
  • Can you provide a DPA? Yes, email support@lt.solutions.
  • Can you provide a SOC 2 Type II report? The Atlassian Forge platform report, yes (via Atlassian). LaunchPad's own, no; see the compliance section above for the rationale.
  • Can you sign a custom MSA or security addendum? Possibly, depending on the scope. Ask.
  • What is your incident response SLA? See the incident response section above, with caveats about paid support plans.
  • Do you share data with sub-processors we have not approved? No. The only sub-processor in the runtime path is Atlassian. Support and billing sub-processors are listed in the DPA.
  • Do you have cyber insurance? Yes. Policy details available on request under NDA.

If your reviewer needs something not covered here, email us. This page is updated each quarter and we fold new questions into it.


Where to next

For the commercial view, see the pricing page. For the technical mechanics of how LaunchPad deploys schemas, see How it works. For a candid view of what LaunchPad does not try to do at all, see What LaunchPad does and does not do.