Security
OneNote Reports for Jira is a Forge UI app with a backend on Convex Cloud. This page describes the controls we apply to the data flowing through it.
Encryption
- In transit: All connections use TLS 1.2 or higher. We never accept unencrypted HTTP.
- At rest: Microsoft OAuth refresh tokens and Atlassian app system tokens are encrypted with AES-256-GCM under a 256-bit key held only in Convex environment variables. Decryption happens in-process on demand for each call; tokens are never logged.
- OAuth state parameter: An HMAC-SHA256 signature over `{installationId, accountId, nonce, exp}` under a separate 256-bit key. The OAuth callback rejects any state value we did not sign, and a state value expires 10 minutes after it is issued.
Authentication
- Forge UI → our backend: Every request carries a Forge Invocation Token (FIT) — a JWT signed by Atlassian. Our backend verifies the signature against Atlassian's public JWKS and checks the audience matches our app ID before processing.
- Microsoft OAuth: Standard OAuth 2.0 authorization code flow against Microsoft's `/common` endpoint. We request the minimum scopes needed: `Notes.ReadWrite`, `User.Read`, `offline_access`.
- Atlassian impersonation: The scheduled refresh path mints user-scoped Atlassian tokens via Forge's `offlineUserAuthToken` GraphQL mutation. Tokens carry the config owner's permissions, so a scheduled run can only read issues that user could see in Jira.
Permissions / Scopes
| Scope | What it is used for |
|---|---|
| `read:jira-work` | Read Jira issues matching the user's JQL; the issues are rendered into the OneNote table. |
| `read:jira-user` | Read display names and account IDs that appear in issue fields (assignee, reporter). |
| `read:filter:jira` | Read the user's saved JQL filters so the wizard can offer them as a dropdown. |
| `read:app-system-token` | Forge plumbing: lets our backend call Atlassian's GraphQL gateway to mint user-scoped tokens. |
| `read:app-user-token` | Forge plumbing: lets the iframe's user-driven calls (wizard, "Run now") forward the user's OAuth token. |
No write scopes on the Jira side. The app cannot create, edit, or delete Jira issues or comments.
Logging
Convex captures stdout/stderr from our backend functions for operational debugging. Logs contain installation IDs, account IDs, run timing, and any error messages returned by Atlassian / Microsoft. We never log token values, Jira issue contents, or OneNote page contents.
Sub-processors
| Sub-processor | Role and data location |
|---|---|
| Convex, Inc. | Backend hosting (functions, database, cron); US. |
| Vercel, Inc. | DNS and static landing pages at onenote.crosstowntech.com; global edge. |
| Atlassian | Your Jira site and the Forge platform; your chosen region. |
| Microsoft | Your Microsoft 365 tenant; your chosen region. |
Incident response
We respond to security reports within one business day and aim to triage within 72 hours. Report any concerns to support@crosstowntech.com — please include a description, reproduction steps, and your contact details.
Changes
Material changes are reflected in the date at the top of this page.