Security

Security at ProcessLayer

ProcessLayer is designed around a simple principle: improve business workflows without requiring source-code access, without unnecessary automation, and without hidden write-back behavior.

Forge and Rails architecture

Definition of Ready AI for Jira uses Forge for Jira surfaces and a ProcessLayer Rails backend for prompts, AI provider calls, licensing, usage metering, reports, and audit logs.

Minimal permissions

The app requests only the Jira scopes required to analyze issue readiness and perform approved write actions.

No source-code access in v1

The app does not require repository access, source-code access, PR access, or branch access.

Server-side AI controls

Prompts, model routing, and AI provider keys are held by the ProcessLayer backend, not Forge frontend code.

Approval-gated writes

Generated work orders or subtasks are only written to Jira after explicit user approval.

Forge request verification

Backend requests are designed to be verified using Forge Remote invocation tokens before tenant, license, and quota checks run.
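The ordering described above (verify the invocation token first, then run tenant, license and quota checks) is worth seeing as code, because the property that matters is that an unverified request never reaches the tenant lookup. The following is an added example, not ProcessLayer's own backend code. It implements RS256 JWT verification with Ruby's standard library only, so it runs offline against a locally generated key pair; the issuer string, the app ARI used as audience, the `tenant_id` claim name and the tenant table are all assumptions made for illustration (a real Forge Remote invocation token is signed by Atlassian and verified against Atlassian's published JWKS, with the issuer and audience values taken from the Forge Remote documentation).

```ruby
require "openssl"
require "json"
require "base64"

# Assumed values for illustration only; production values come from the Forge Remote docs.
EXPECTED_ISS = "forge/invocation-token"
EXPECTED_AUD = "ari:cloud:ecosystem::app/EXAMPLE-APP-ID" # placeholder app ARI

class TokenError < StandardError; end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Used only to construct test tokens locally; Atlassian, not the app, signs real ones.
def sign_jwt(claims, private_key)
  header = { alg: "RS256", typ: "JWT" }
  signing_input = [b64url_encode(JSON.generate(header)), b64url_encode(JSON.generate(claims))].join(".")
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Verifies structure, algorithm, signature, issuer, audience and expiry, in that order,
# and returns the claims. Anything else raises TokenError.
def verify_invocation_token(token, public_key, now: Time.now.to_i)
  parts = token.to_s.split(".")
  raise TokenError, "malformed token" unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: never trust the token's own 'alg' to select verification.
  raise TokenError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"
  signing_input = parts[0..1].join(".")
  valid = public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(parts[2]), signing_input)
  raise TokenError, "bad signature" unless valid
  claims = JSON.parse(b64url_decode(parts[1]))
  raise TokenError, "wrong issuer" unless claims["iss"] == EXPECTED_ISS
  raise TokenError, "wrong audience" unless Array(claims["aud"]).include?(EXPECTED_AUD)
  raise TokenError, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError => e
  raise TokenError, "undecodable token: #{e.message}"
end

# Constructed tenant registry standing in for the backend's database.
TENANTS = {
  "tenant-a" => { licensed: true,  quota_left: 5 },
  "tenant-b" => { licensed: false, quota_left: 5 },
  "tenant-c" => { licensed: true,  quota_left: 0 },
}.freeze

# Returns [status, message]. The tenant lookup only happens after the token verified.
def gate_request(bearer_token, public_key, tenants: TENANTS, now: Time.now.to_i)
  claims = verify_invocation_token(bearer_token, public_key, now: now)
  tenant = tenants[claims["tenant_id"]] # claim name is an assumption
  return [404, "unknown tenant"] unless tenant
  return [402, "unlicensed"] unless tenant[:licensed]
  return [429, "quota exhausted"] unless tenant[:quota_left] > 0
  [200, "ok"]
rescue TokenError => e
  [401, e.message]
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  now = Time.now.to_i
  token = sign_jwt({ iss: EXPECTED_ISS, aud: EXPECTED_AUD, exp: now + 300, tenant_id: "tenant-a" }, key)
  p gate_request(token, key.public_key, now: now)          # [200, "ok"]
  p gate_request("not.a.token", key.public_key, now: now)  # 401 before any tenant lookup
end
```

Two design choices carry the security weight here: the algorithm is pinned to RS256 rather than read from the token header, and the token layer returns 401 before any tenant state is consulted, so license and quota logic never runs on unauthenticated input.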

Transport security

ProcessLayer web properties are served over HTTPS with HSTS, content-type protection, referrer policy, and restricted browser permissions.
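As an added example (not ProcessLayer's own code), here is a Rack-style middleware that applies the four response-header protections named above, together with a checker that reports which of them a response lacks. The page names the protections but not their values, so the header values and minimum HSTS age below are my choices; the middleware also only emits HSTS when the request arrived over HTTPS, since browsers ignore the header on plain HTTP and sending it there is a sign the TLS termination was misdetected.

```ruby
# Header values are assumptions; the page names only the protections, not the values.
SECURITY_HEADERS = {
  "x-content-type-options" => "nosniff",
  "referrer-policy"        => "strict-origin-when-cross-origin",
  "permissions-policy"     => "camera=(), microphone=(), geolocation=(), payment=()",
}.freeze
HSTS_VALUE = "max-age=31536000; includeSubDomains".freeze
MIN_HSTS_AGE = 31_536_000 # one year, a common minimum for a production policy

# Minimal Rack-protocol middleware: wraps an app whose #call returns [status, headers, body].
class SecurityHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.transform_keys(&:downcase)
    # Set defaults without clobbering a stricter value a route may already have set.
    SECURITY_HEADERS.each { |name, value| headers[name] ||= value }
    headers["strict-transport-security"] ||= HSTS_VALUE if https?(env)
    [status, headers, body]
  end

  private

  # True when the request reached us over TLS, directly or via a proxy that says so.
  def https?(env)
    return true if env["rack.url_scheme"] == "https"
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end
end

# Returns the list of protections a response is missing or has set too weakly.
def missing_protections(headers)
  h = headers.transform_keys(&:downcase)
  missing = []
  hsts = h["strict-transport-security"].to_s.match(/max-age=(\d+)/)
  missing << "hsts" unless hsts && hsts[1].to_i >= MIN_HSTS_AGE
  missing << "content-type protection" unless h["x-content-type-options"].to_s.downcase == "nosniff"
  missing << "referrer policy" if h["referrer-policy"].to_s.empty? || h["referrer-policy"] == "unsafe-url"
  missing << "browser permissions" if h["permissions-policy"].to_s.empty?
  missing
end

if __FILE__ == $PROGRAM_NAME
  bare_app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  _, bare, _ = bare_app.call({})
  p missing_protections(bare) # all four missing
  _, hardened, _ = SecurityHeaders.new(bare_app).call({ "rack.url_scheme" => "https" })
  p missing_protections(hardened) # []
end
```

The checker is the piece to keep around: run it against a real response from each web property after a deploy, because a reverse proxy or CDN in front of the app can strip or override headers the framework sets.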

Data protection

Customer data stored outside Atlassian is intended to be protected with provider-managed encryption at rest, access controls, and least-privilege operational access.

Data stored

The backend may store readiness reports, project settings, generation metadata, usage events, and audit logs for operation and support.

Audit logging

Sensitive app actions such as analysis generation, settings changes, approved Jira writes, and quota denials are designed to be logged.

Responsible disclosure

Security reports can be sent to security@processlayer.co. ProcessLayer intends to use this address as the Marketplace security contact for Atlassian Marketplace Security notifications.

Incident response

ProcessLayer maintains an incident response path for triage, containment, customer communication, and required marketplace or regulatory notifications.

Limitations

ProcessLayer does not claim SOC 2, ISO 27001, Cloud Fortified, or any other external certification unless and until such certification is actually achieved.