ShipSec

Privacy Policy

Last updated: April 8, 2026

Overview

ShipSec.ai ("we", "us", "our") operates the ShipSec.ai security workflow platform and related integrations, including the ShipSec.ai Forge App for Atlassian Jira. This Privacy Policy describes how we collect, use, and protect information when you use our services.

Information We Collect

When you connect ShipSec.ai to third-party services (AWS, Jira, Slack, GitHub), we collect:

• Connection credentials — OAuth tokens, API keys, webhook URLs, and web trigger URLs required to communicate with your connected services. These are encrypted at rest using AES-256.
• Account metadata — Organization name, user email, and display name for identification purposes.
• Workflow data — Security scan results, vulnerability findings, and workflow execution logs generated during your use of the platform.

We do not collect, store, or process the content of your Jira issues, Confluence pages, or other Atlassian data beyond what is necessary to execute the specific actions you configure in your workflows.

Atlassian Forge App

The ShipSec Forge App for Jira operates within Atlassian's Forge runtime environment. The app:

• Runs with its own app identity ("ShipSec") — it does not impersonate any user.
• Only accesses Jira data (issues, projects, users) when explicitly invoked by ShipSec.ai workflows or the ShipSec.ai agent.
• Does not store Jira credentials in ShipSec.ai infrastructure — authentication is managed entirely by Atlassian's Forge platform.
• Requests only the minimum required Jira scopes: read:jira-work, write:jira-work, and read:jira-user.

How We Use Information

• To execute security workflows you configure (scanning, ticket creation, notifications).
• To authenticate with third-party services on your behalf.
• To display scan results and workflow status in the ShipSec.ai dashboard.
• To improve the reliability and performance of our platform.

Data Security

• All credentials are encrypted at rest using AES-256 with key rotation support.
• All data in transit is encrypted via TLS 1.2+.
• Access to customer data is restricted to authorized personnel and automated systems.
• We do not sell, share, or disclose your data to third parties except as required to provide our services or comply with legal obligations.

Data Retention

We retain your data for as long as your account is active. When you disconnect an integration or delete your account, associated credentials and metadata are permanently deleted within 30 days. Workflow logs are retained for 90 days unless configured otherwise.

Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us. You can disconnect any integration at any time through the ShipSec dashboard, which immediately revokes our access.

Contact

For privacy questions or data requests, contact us at support@shipsec.ai.