This statement covers Redmoon Software’s apps that run on Jira Cloud. For Jira Data Center editions, all app data is stored inside your own Jira Data Center instance — nothing in this statement applies, because Redmoon has no servers in the data path.
All Redmoon Jira Cloud apps are Atlassian Forge apps and install through the Atlassian Marketplace using Atlassian’s standard Forge install flow. You always see exactly which scopes an app requests at install time.
Three architectures, depending on the app
The Redmoon Cloud portfolio is in the middle of a multi-year migration from the older Atlassian Connect model to the Forge model. Different apps are at different stages of that migration. As of this writing, three architectures are in use across the Cloud portfolio:
1. Fully Forge-native apps
Some apps are fully Forge-native. Both the user interface and the data storage live entirely on Atlassian Forge infrastructure inside your Atlassian Cloud site. No data crosses Atlassian’s boundary into a Redmoon-controlled server. Redmoon’s role is to publish the app code; Atlassian Forge runs the code and stores the data.
2. Forge frontend with Redmoon backend (transitional)
Other apps — including STM Issue Templates, Custom Fields, and Watch It — run their user interface on Forge but still use Redmoon-controlled servers for storage and for processing the app’s core logic. The communication path is:
- The Forge frontend, running inside your Atlassian Cloud site, talks to a Redmoon backend through Forge remote calls over HTTPS.
- The Redmoon backend stores the app’s configuration data (templates, executors, audit history, field definitions, watcher rules) and runs the app’s logic.
- When the backend needs to read or write Jira issues, it calls back into your Jira Cloud instance using OAuth 2.0 under the Connect / Forge authentication framework.
This pattern is documented and supported by Atlassian. The Forge platform decides which scopes the backend is permitted to use, and those scopes are shown to you during install. All traffic on both legs of the path is HTTPS only, with no plaintext data in transit.
We are actively working to migrate the remaining apps in this category onto Forge-native storage and processing, so that in time all Redmoon Cloud apps will keep their data inside your Atlassian Cloud site.
3. Connect apps (legacy)
One app — STM Lite — is still on the older Atlassian Connect framework. In a Connect app, the user interface is served from a Redmoon-controlled server and rendered as an iframe inside Jira Cloud; data and processing also live on Redmoon’s server. Authentication between the Connect server and your Jira Cloud instance uses OAuth 2.0 under Atlassian’s Connect framework, and all traffic is HTTPS.
Connect is a fully supported Atlassian framework. It differs architecturally from Forge in where the UI is rendered (Redmoon server vs. Atlassian Forge) and in how the install model works; the authentication and HTTPS guarantees are the same.
Which app uses which architecture?
| App | Cloud architecture |
|---|---|
| Comment History | Forge — UI and data both inside your Atlassian Cloud site |
| Document Vault | Forge — UI and data both inside your Atlassian Cloud site |
| Move It | Forge — UI and data both inside your Atlassian Cloud site |
| STM Issue Templates | Forge frontend + Redmoon backend (HTTPS + OAuth); migrating to Forge |
| Custom Fields | Forge frontend + Redmoon backend (HTTPS + OAuth); migrating to Forge |
| Watch It | Forge frontend + Redmoon backend (HTTPS + OAuth); migrating to Forge |
| STM Lite | Connect app — UI and data on Redmoon backend |
| Comment Security Default | No Cloud release today; Cloud Forge-native version expected shortly |
| Secure Admin | No Cloud release today; Data Center only |
If you need an up-to-date answer for a specific app, contact support@redmoonsoftware.com and we’ll confirm the current state of that app.
Encryption in transit
All communication is HTTPS only:
- Browser → Forge UI: HTTPS, terminated by Atlassian.
- Forge UI → Redmoon backend (transitional apps only): HTTPS, with Forge remote-call authentication.
- Redmoon backend → Jira Cloud REST API: HTTPS, authenticated with OAuth 2.0 under Atlassian’s Connect / Forge framework.
We never send or receive Jira data in plaintext.
What data is stored
Each app stores only what it needs to do its job:
- Atlassian site identifier — so the app can distinguish one customer’s Jira Cloud site from another.
- App-specific configuration — e.g. template and executor definitions for STM, field definitions for Custom Fields, vault membership lists for Document Vault.
- App-generated artefacts — e.g. STM audit / error log, Comment History change log entries, Document Vault uploaded files (where applicable).
For the apps still on a Redmoon backend (see table above), the items above are stored on Redmoon’s servers. For Forge-native apps, the same items are stored inside your Atlassian Cloud site using Forge storage APIs.
Issue text, comment text, user account data, and the rest of the Jira data model live only in your Jira Cloud instance. Apps read or write that data as needed via the Jira REST API but do not store copies of it on Redmoon’s servers.
People and access
For the apps with a Redmoon backend, only members of Redmoon’s support team can access the servers and stored data, and they do so only when investigating a support request. We do not browse customer data outside of explicit support work.
For fully Forge-native apps, no Redmoon staff can access app data at all — it sits inside your Atlassian Cloud site and is governed by Atlassian’s own access controls.
Hosting infrastructure
Redmoon-controlled backends run on Google Cloud Platform (Google App Engine), which provides multi-data-centre redundancy and an industry-standard uptime SLA. Forge-native storage runs on Atlassian’s own platform infrastructure under Atlassian’s published security and compliance programme.
Sub-processors and third parties
The current sub-processors in the Cloud data path are:
- Atlassian — runs Jira Cloud and Forge.
- Google Cloud Platform — hosts Redmoon-controlled backends (for the apps still on that architecture).
We do not share customer data with third parties beyond what is necessary to deliver the service.
Questions
For a specific procurement or security-review question — including a request for a signed copy of this statement, a sub-processor list, or app-specific scope information — contact support@redmoonsoftware.com.