BastionTrail
How it worksPricingPrivacy

Privacy Policy

Last updated: 13 July 2026.

BastionTrail is a Jira Cloud app that links development activity from your self-hosted or cloud Git server (commits, branches, merge/pull requests, builds, deployments) to your Jira issues, and builds an exportable change-audit trail. This policy explains what data the app processes, why, where it is stored, and your rights.

Who is the data controller

You (the Atlassian site administrator who installs the app) are the data controller. BastionTrail acts as a data processor on your behalf. A Data Processing Agreement is available on request.

What data we process

Only what is needed to link Git activity to Jira issues and produce the audit trail: Git event metadata (commit SHA/message, branch name, MR/PR title and state, approver, pipeline status, deployment environment, author name, timestamps, URLs); Jira context (issue key, project keys, cloud/installation identifiers); and configuration you provide (webhook secret, installation identifiers).

We do not collect your source code, files, passwords, Git repository data beyond that metadata, payment information, or browsing/analytics profiles. Author name is end-user data; the app declares inScopeEUD: true.

Where data is stored (sub-processors)

Sub-processorRole
Atlassian (Forge)Hosts the app UI and event handlers; issues the Forge Invocation Token
RailwayHosts the backend and the PostgreSQL database storing event/audit data
CloudflareDNS and TLS termination for api.bastiontrail.com

We do not sell, rent, or share your data with any other third party, and we do not use it to train machine-learning models.

Security

All traffic over HTTPS/TLS. Every webhook is verified against a per-installation secret with a constant-time comparison. Every call from the Forge app is verified by validating the Forge Invocation Token (RS256 against Atlassian's JWKS, plus issuer/audience/expiry). Each installation is isolated with its own secret and scoped data. Events are de-duplicated by a deterministic content hash.

Data retention and deletion

Event and audit data is retained while the app is installed. When you uninstall the app, or on written request, we delete the installation's data within 30 days. You may request export or deletion of an installation's data at any time.

Your rights

Depending on your jurisdiction (GDPR, LGPD, CCPA and similar), you and your end users may have rights to access, correct, export, or delete personal data. We support these requests through you, the controller.

Data residency

Today the backend runs in a single region. Regional hosting (US/EU) for Atlassian PINNED status is on our roadmap; contact us if this is a requirement.

Contact

Data protection contact: privacy@bastiontrail.com

© 2026 BastionTrail
Privacy · support@bastiontrail.com