Security Policy

Security information for Refinely

This page summarizes how Smartif.ai handles vulnerability reports, incident communication, Forge-hosted storage, provider egress, and key security controls for Refinely.

Contact & reporting

Report security issues privately so we can investigate and coordinate remediation responsibly.

support@smartif.ai

Hosting & secrets

Refinely is hosted on Forge. App state is stored in Forge-hosted storage, and third-party AI provider API keys are stored using Forge secret storage.

Incident handling

Smartif.ai will notify customers and Atlassian if a confirmed security incident or critical vulnerability affects the app.

Data flow and controls

Refinely can send customer-provided requirement content to the configured AI provider declared in the Forge manifest. The current launch posture supports Anthropic, Google Gemini, and OpenAI.

Optional controls include PII masking before outbound model calls, transparency reports showing context usage, and audit trail records for selected administrative and runtime events.

Similar-story retrieval remains project-scoped and is gated by user permission checks before app-level Jira reads are used to build or read backlog-derived context.

What to include in a report

  • Refinely version or deployment context
  • Affected Jira product and project scope
  • Reproduction steps and expected impact
  • Relevant logs, screenshots, or sample payloads if safe to share