HIPAA Compliance & Data Privacy in WorklogPRO Cloud

The WorklogPRO Cloud app is designed to be compatible with HIPAA-regulated environments. Because the application is built on the Atlassian Forge platform, it operates within the "Atlassian Trust Boundary." Starware (the developer) does not host external servers, does not store PHI on independent databases, and does not have persistent access to customer data.

Architecture & Data Residency

Unlike legacy "Connect" apps, which require the developer to host a separate web server, this app carries the "Runs on Atlassian" designation.

| Feature | Details |
|---|---|
| Hosting | Atlassian Managed: The app's compute (Lambda-based) and storage (Secret/KV store) are provided and secured by Atlassian. |
| Data Residency | Inherited: The app follows Atlassian's Data Residency settings. If the customer's Jira data is pinned to a specific region (e.g., US or EU), the app's storage remains in that region. |
| Encryption | Standard-grade: Data is encrypted at rest and in transit using Atlassian's native encryption protocols (AES-256). |

The "Business Associate" Question

Do we sign a BAA?

Generally, no. Reasoning: Under HIPAA, a Business Associate Agreement (BAA) is required when a third party "creates, receives, maintains, or transmits" Protected Health Information (PHI).

  1. Infrastructure: Atlassian is the entity maintaining and transmitting the data. The customer's existing BAA with Atlassian covers the Forge infrastructure.

  2. Access: Starware has no persistent access to the customer's Jira environment. We cannot "log in" to view their issues or worklog data.

  3. Storage: Any configuration data saved by the app is stored in Atlassian's database, not ours.

Visibility: Logs & Analytics

One of the most common questions from security teams is: "What can Starware see?"

1. Developer Logs

  • Purpose: Only used for troubleshooting and debugging.

  • Control: Customers can opt-out of sharing logs with Starware via the Jira Admin Global Settings. See Manage access to logs.

  • Policy: Our internal development policy strictly forbids console.log() statements that capture variable data (like issue summaries, descriptions, or worklog comments).

2. Analytics

  • Type: We collect Functional Telemetry only (e.g., "The 'Submit Worklog' button was clicked").

  • Anonymization: Analytics are aggregated. We do not track "who" performed the action or "what" specific data was processed.

  • Control: Customers can opt-out of sharing analytics with Starware. See Manage access to analytics.

  • No Egress: We do not send Jira content to third-party analytics tools (like Google Analytics or Mixpanel).

Guidance for HIPAA-Regulated Customers

When customers ask how to configure the app for compliance, suggest these "Three Pillars of Compliance":

  1. Restrict App Access: Use Jira Global Permissions to ensure only authorized "Jira Admins" can access WorklogPRO Cloud admin features.

  2. Audit Monitoring: Regularly review the Jira Audit Log. The app's actions are captured here, providing the "Accountability" required by HIPAA.

  3. Log Management: If the customer's legal team is highly risk-averse, advise them to toggle "App Monitoring" to OFF in the Atlassian Admin Hub. This completely severs Starware's ability to see even debugging logs.