Security Policy
 

| Field | Detail |
|---|---|
| Document ID | BB-SEC-001 |
| Version | 3.0 |
| Created | 13 Mar 2026 |
| Last Updated | 23 Mar 2026 |
| Last Reviewed | 23 Mar 2026 |
| Next Review | Mar 2027 |
| Document Owner | BluBees LLC |
| Classification | Public |
| Contact | security@blubees.ai |

1. Overview

BluBees LLC designs its AI-powered workflow automation services with a focus on data minimization, platform security, and limited personal data processing.

BluBees provides an application that operates within the Atlassian Jira Cloud platform as a Forge-based application and is distributed through the Atlassian Marketplace. BluBees also operates its own service infrastructure on Amazon Web Services (AWS) in the United States.

The Service enables customers to connect to and integrate with virtually any third-party application, SaaS service, or AI provider. Data flowing between a customer's third-party services during workflow execution ("Pass-Through Data") is transmitted transiently and is not stored or persisted by BluBees. BluBees stores only the minimum data required to operate the service: business contact information, Jira platform metadata, encrypted Integration Credentials, and Configuration Data.

2. Data Storage Summary

Data BluBees Stores

| Category | Details | Storage |
|---|---|---|
| Business contact information | Name, company, email, phone, address, Jira user ID | AWS (AES-256 at rest) |
| Jira platform metadata | Licensing, tenant identification, integration | AWS (AES-256 at rest) |
| Integration Credentials | API tokens, OAuth tokens/secrets, account IDs, domains | AWS (encrypted, industry-standard key mgmt) |
| Configuration Data | Workflows, rules, field mappings, settings, preferences | AWS (AES-256 at rest) |
| Operational logs | Service operational logs and metadata | AWS (AES-256 at rest) |

Data BluBees Does NOT Store

| Category | Details |
|---|---|
| Pass-Through Data | Transmitted transiently during workflow execution — not persisted |
| Passwords | Managed by Atlassian Jira Cloud |
| Payment data | Managed by Atlassian Marketplace |
| IP addresses | Not collected |
| Location data | Not collected |
| Behavioral tracking | Not collected |
| Cookies / web beacons | Not used |

3. Platform Architecture

BluBees services operate within the Atlassian Jira Cloud environment as a Forge application. Processing occurs both within the Atlassian Forge runtime and on BluBees's own AWS infrastructure.

Data Flow: Customer users interact with Atlassian Jira Cloud (identity, authentication, licensing). Jira integrates with the BluBees application (platform metadata only). During workflow execution, Pass-Through Data flows transiently between configured third-party services but is not stored. Integration Credentials, Configuration Data, operational logs, and Jira metadata are stored on AWS. Chatlio provides ephemeral support chat (not retained, no file attachments).

| Platform | Responsibility |
|---|---|
| Atlassian Jira Cloud | Application platform, Forge runtime, identity and access management |
| Atlassian Marketplace | Licensing, billing, account management |
| Amazon Web Services (AWS) | Cloud infrastructure hosting, compute, and data storage |
| Chatlio | Real-time customer support chat (ephemeral; no retention; no file attachments) |

Note: Third-party services customers connect to via BluBees are not subprocessors of BluBees.

4. Roles and Responsibilities

  • Customer organizations — data controllers for their users' data and Pass-Through Data.

  • BluBees LLC — data processor for stored data. For Pass-Through Data, conduit only.

  • Atlassian — primary platform provider for account management, authentication, and billing.

5. Infrastructure Security

BluBees uses Amazon Web Services (AWS) in the United States.

AWS certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018.

AWS protections: physical data center security (24/7), network monitoring, redundancy and high-availability, infrastructure access management, DDoS mitigation.

6. Encryption

  • Data in transit: TLS 1.2 or higher.

  • Data at rest: AES-256 within AWS infrastructure.

  • Integration Credentials: Encrypted using industry-standard key management.

  • User passwords: Not stored — managed by Atlassian Jira Cloud.

7. Access Control

As documented in the BluBees Access Control Policy (BB-SEC-003):

  • Principle of least privilege.

  • Administrative access requires approval and is reviewed periodically.

  • Access managed through secure AWS access controls.

  • Access revoked upon role change or separation.

  • Infrastructure access logged and monitored.

  • BluBees does not store or manage user passwords.

8. Data Minimization and Handling

Per the BluBees Data Handling Principles:

  • Pass-Through Architecture: Workflow data transmitted transiently, not stored or persisted.

  • Integration Credential Storage: Encrypted at rest, solely for maintaining integrations.

  • Configuration Data Storage: Workflows, rules, mappings, settings.

  • Atlassian-Managed Identity: Authentication handled by Atlassian.

  • Limited Platform Metadata: Only what's needed for licensing and tenant identification.

  • No Behavioral Tracking: No analytics, advertising, profiling, or cookies.

  • Ephemeral Support Chat: Chatlio messages not retained; no file attachments accepted.

  • Purpose Limitation: Data used solely for service operation, integrations, support, and security.

9. Monitoring and Logging

Administrative and operational access is logged and monitored. Anomalous or malicious activities are investigated and documented. Logs are retained for appropriate operational and security periods.

10. Vulnerability Management

Regular dependency scanning, application security testing, timely patching, and monitoring of advisories from AWS and Atlassian.

11. Security Incident Response

Per the BluBees Security Incident Response Outline (BB-SEC-004):

Detection: System monitoring, AWS/Atlassian notifications, customer reports, internal monitoring.

Response: Assessment, system isolation, investigation, coordination with providers, containment, restoration, corrective measures.

Notification: Within 48 hours of confirmed incidents.

Post-Incident: Root cause analysis, improvements, preventive measures.

Report concerns to: security@blubees.ai

12. Business Continuity and Disaster Recovery

Per the BluBees Backup & Disaster Recovery Overview (BB-SEC-005):

  • AWS infrastructure reliability, Atlassian platform resilience, and operational recovery procedures.

  • System data backed up or replicated using AWS capabilities.

  • Disruption recovery: identify cause, coordinate with providers, restore, verify stability.

  • Procedures periodically reviewed.

13. Personnel Security

  • Confidentiality obligations for personnel with access to customer data, Integration Credentials, or production systems.

  • Access based on job responsibilities, least-privilege.

  • Security awareness practices maintained.

14. International Data Transfer Safeguards

BluBees relies on Atlassian and AWS international data transfer safeguards: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).

15. Compliance Alignment

GDPR principles, cloud security best practices, SOC 2 Type II compliance program (in progress).

16. Related Documentation

BB-SEC-002 Security & Privacy Summary, BB-SEC-003 Access Control Policy, BB-SEC-004 Security Incident Response Outline, BB-SEC-005 Backup & Disaster Recovery Overview, Data Handling Principles, Data Classification & Storage Map, System Architecture and Data Flow, Security Questionnaire Cheat Sheet.

17. Contact

Privacy inquiries: privacy@blubees.ai

Security reports: security@blubees.ai
