Version: 1.0
Overview
SPARK implements enterprise-grade security measures to protect your data and ensure compliance with industry standards. Our security architecture is built on AWS infrastructure with multiple layers of protection.
Infrastructure Security
AWS Compliance Certifications
Our AWS infrastructure maintains the following certifications:
Data Encryption
At Rest
AES-256 encryption for all data stored in AWS Secrets Manager and in the database
In Transit
TLS 1.2+ encryption for all API communications
JWT Signatures
RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signatures for token validation
Data Masking
Only a masked form of each API key is kept in Forge's native storage; the full key is not written there, which limits exposure if that storage is read
Data Protection
API Key Security
Secure Storage
Customer API keys stored in AWS Secrets Manager with AES-256 encryption
Access Control
Keys isolated per customer with strict access controls
Key Rotation
Automatic key rotation capabilities
Zero-Logging of Secrets
Full, unmasked API keys are never written to system logs
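The two practices above (storing only a masked form of the key in Forge storage, and never letting a full key reach the logs) are shown in the following Go example. It is an added illustration, not SPARK's own code, and the page does not describe SPARK's storage schema or logging pipeline. The Google API key pattern (`AIza` followed by 35 characters), the bearer-token and `api_key=` patterns, the Secrets Manager ARN, and the sample log lines are all assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const maskLen = 8 // fixed-width mask so the output does not reveal the key's length

// SampleKey is a constructed, non-functional key in the assumed Google format
// ("AIza" plus 35 characters). It is not a real credential.
var SampleKey = "AIzaSyD-EXAMPLE" + strings.Repeat("0", 24)

// MaskKey returns a display form of a secret that keeps only its last `keep`
// characters. Anything too short to safely expose a suffix is masked entirely.
func MaskKey(secret string, keep int) string {
	if keep < 0 {
		keep = 0
	}
	if len(secret) <= 2*keep {
		return strings.Repeat("*", maskLen)
	}
	return strings.Repeat("*", maskLen) + secret[len(secret)-keep:]
}

// StoredKeyRecord is the only key-related data that should land in Forge
// storage: a reference to the Secrets Manager entry plus a masked display form.
type StoredKeyRecord struct {
	SecretRef string `json:"secretRef"` // e.g. a Secrets Manager ARN (assumed)
	Masked    string `json:"masked"`
}

// PrepareForStorage builds the record for Forge storage; the raw key never
// appears in it.
func PrepareForStorage(apiKey, secretRef string) StoredKeyRecord {
	return StoredKeyRecord{SecretRef: secretRef, Masked: MaskKey(apiKey, 4)}
}

// secretPattern pairs a regexp with the capture group that holds the secret,
// so surrounding context (header name, query parameter) is preserved.
type secretPattern struct {
	re    *regexp.Regexp
	group int
}

var patterns = []secretPattern{
	// Google API keys: "AIza" plus 35 more characters (assumed format).
	{regexp.MustCompile(`(AIza[0-9A-Za-z_-]{35})`), 1},
	// Bearer tokens in Authorization headers.
	{regexp.MustCompile(`(?i)(bearer\s+)([A-Za-z0-9._-]+)`), 2},
	// key=value and "header: value" forms with a generic key name.
	{regexp.MustCompile(`(?i)((?:api[_-]?key|x-goog-api-key)["':=\s]+)([A-Za-z0-9._-]{8,})`), 2},
}

// Redact replaces every recognised secret in a log line with its masked form.
func Redact(line string) string {
	for _, p := range patterns {
		line = p.re.ReplaceAllStringFunc(line, func(m string) string {
			idx := p.re.FindStringSubmatchIndex(m)
			start, end := idx[2*p.group], idx[2*p.group+1]
			return m[:start] + MaskKey(m[start:end], 4) + m[end:]
		})
	}
	return line
}

// RedactAll is the hook a log writer would call before emitting a batch.
func RedactAll(lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = Redact(l)
	}
	return out
}

func main() {
	// Constructed sample log lines; none of the values are real credentials.
	lines := []string{
		"GET /generate?api_key=" + SampleKey + " 200",
		"Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJzcGFyayJ9.c2lnbmF0dXJl",
		"gemini client header x-goog-api-key: sk-testkey-1234567890",
	}
	for _, l := range RedactAll(lines) {
		fmt.Println(l)
	}
	// Assumed ARN format; only the reference and the masked form are stored.
	fmt.Printf("%+v\n", PrepareForStorage(SampleKey,
		"arn:aws:secretsmanager:eu-central-1:123456789012:secret:spark/customer-1"))
}
```

The redaction runs on the log line rather than on individual fields because secrets tend to leak through the places nobody planned for (query strings, request dumps, error messages), and a fixed-width mask avoids leaking key length.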
Data Residency & GDPR Compliance
EU Data Residency
All data processed exclusively in AWS eu-central-1 (Frankfurt)
Backup Region
AWS eu-west-1 (Ireland) for disaster-recovery backups, also within the EU
GDPR Compliance
Full compliance through regional data isolation and privacy-by-design principles
Data Retention
Processing data is deleted after successful generation; data from failed requests is purged automatically within 24 hours
Data Residency: Our application infrastructure and all data we control are hosted exclusively within the European Union (AWS eu-central-1). However, under our Bring-Your-Own-Key (BYOK) model, data you process (such as Jira issue content) is sent directly to the Google Gemini API using your key. This transfer is governed by your agreement with Google and their data processing locations.
Operational Security
Access Controls
JWT Authentication
JWT-based authentication for all API requests
Token Expiration
Tokens expire 25 seconds after issuance, which limits the window in which a captured token could be replayed
Admin Access
Restricted to users with Jira administrator permissions
Multi-Factor Auth
MFA required for all infrastructure access
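The JWT checks described under JWT Signatures and Access Controls (RS256 validation and a 25-second lifetime) are illustrated by the following Go example. It is an added example, not SPARK's or Atlassian Forge's code: the page does not describe the real token's claims or key distribution, so the claim names, the issuer and audience values, and the 5-second clock-skew leeway are assumptions. The point it makes beyond the text is that the verifier must pin the algorithm itself rather than trust the token header, and must check the signature before acting on any claim, including `exp`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenLifetime mirrors the 25-second expiry stated in the policy.
const TokenLifetime = 25 * time.Second

// Leeway absorbs small clock skew between issuer and verifier (assumed value).
const Leeway = 5 * time.Second

// Claims is a minimal claim set; the real token carries more (assumed names).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKey generates the RSA key pair used to sign and verify tokens.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign mints an RS256 JWT that expires TokenLifetime after now.
func Sign(key *rsa.PrivateKey, iss, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Iss: iss, Aud: aud, Iat: now.Unix(), Exp: now.Add(TokenLifetime).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := enc(header) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// Verify pins the algorithm to RS256, checks the signature, and only then
// trusts the claims to enforce issuer, audience and the 25-second lifetime.
func Verify(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Never let the token choose its own algorithm: "none" and HS256
	// key-confusion attacks both rely on the verifier honouring the header.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("issuer or audience mismatch")
	}
	if now.After(time.Unix(c.Exp, 0).Add(Leeway)) {
		return nil, errors.New("token expired")
	}
	if time.Unix(c.Iat, 0).After(now.Add(Leeway)) {
		return nil, errors.New("token issued in the future")
	}
	return &c, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := Sign(key, "spark", "spark-api", now)
	_, err = Verify(&key.PublicKey, tok, "spark", "spark-api", now)
	fmt.Println("fresh token:", err) // nil: accepted
	_, err = Verify(&key.PublicKey, tok, "spark", "spark-api", now.Add(60*time.Second))
	fmt.Println("60s later:", err) // token expired
}
```

With a 25-second lifetime, the leeway matters: without it, ordinary clock drift between the issuer and the verifier would reject legitimate tokens, while a large leeway would quietly stretch the replay window the short lifetime is meant to close.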
Rate Limiting & DDoS Protection
- API Gateway: Rate limiting is enforced to protect the service
- AWS Shield Standard: Automatic DDoS protection
Monitoring & Auditing
- CloudWatch Logs: Immutable audit trails for all operations
- Real-time Monitoring: Automated alerts for security events
- Security Reviews: Periodic internal reviews of security posture and infrastructure configuration
Incident Response
| Feature | Description |
|---|---|
| Security Contact | support@leviathan-labs.com |
| 24/7 Monitoring | Automated security event detection |
| Auto Updates | Regular security patches applied automatically |
| Zero-Downtime | Zero-downtime deployments for critical updates |
| Vulnerability Management | Automated scanning of code and dependencies |
Compliance & Privacy
Data Processing
- Data Retention: Issue content, images, and comments are deleted immediately after successful generation; failed requests are purged within 24 hours
- Minimal Collection: Only data necessary for functionality is collected
- No Data Selling: We do not sell or share data with third parties for marketing
- BYOK Model: Data sent to Gemini API using your provided API key
- SPARK Key Model: When BYOK is not configured, data may be sent to the Gemini API using a SPARK-managed key
Security & Compliance
- Secure Development Lifecycle: Automated vulnerability and dependency scanning before each production release, combined with secure coding practices
Security Testing & Validation
Prevention Measures
- Secure Development: Security-first development practices
- Access Limitations: Minimal data access and processing
- Encryption: All data encrypted in transit and at rest
Breach Response Plan
In the unlikely event of a data breach:
- Containment: Immediately stop unauthorized access
- Assessment: Evaluate scope and type of data affected
- Notification: Inform Atlassian and affected users within required timeframes
- Remediation: Implement fixes and enhanced security measures
- Follow-up: Ongoing monitoring and prevention improvements
Google Gemini Integration Security
- Secure API Calls: All communications use HTTPS encryption
- Data Handling: Issue data processed only for test case generation
- No Retention: Under Google's Gemini API terms, Google does not retain the data processed through the API
- Policy Compliance: Adheres to Google's data usage and security policies
Vendor Security Standards
- Due Diligence: All third-party services evaluated for security practices
- Contractual Requirements: Security obligations defined in service agreements
- Regular Review: Ongoing assessment of third-party security posture
Security Best Practices
Customer Responsibilities
Access Control
Manage access control within your Jira instance
Usage Monitoring
Monitor usage patterns within your organization
Our Commitments
Transparency
Transparent security practices
Prompt Updates
Prompt security updates and patches
Security Training
Regular security training for development team
Continuous Improvement
Continuous improvement of security measures
Contact Information
For security concerns or incidents:
support@leviathan-labs.com
Response Time
Within 24 hours
Security Questions or Concerns?
For all security-related questions, concerns, or to report security issues, please contact us at support@leviathan-labs.com.