Security Policy

Overview

PointPoker is built with a security-first architecture. This document describes how we protect your data across all platforms: the web application, Jira integration, Slack bot, and Microsoft Teams app.

Encryption

In transit

• All connections use HTTPS with TLS 1.2 or above
• WebSocket connections (Socket.io) are encrypted over WSS
• Forge-to-backend requests are additionally signed with HMAC-SHA256 for request integrity and authenticity

At rest

• Upstash Redis provides AES-256 encryption at rest for all stored data
• Atlassian Forge Storage is encrypted at rest by Atlassian
• Backup data is encrypted using the same mechanisms

Authentication

PointPoker uses multi-layer authentication that varies by platform:

Web application

• Room access controlled by room codes and reconnect tokens
• Pro tier uses magic link authentication (no passwords stored)
• JWT-based session management with secure, HTTP-only cookies

Jira integration

• Forge platform authentication (managed by Atlassian)
• HMAC-SHA256 signed requests between Forge resolvers and our backend, with timing-safe comparison and 5-minute replay protection
• Bearer tokens for session-scoped actions (never exposed to the UI)
• Jira permission pre-checks via the Authorize API before all write operations

Slack and Microsoft Teams

• Slack request signature verification (HMAC-SHA256 using signing secret)
• Microsoft Bot Framework token validation
• Platform user identity verified via Slack/Teams APIs

Access controls

• Role-based permissions: facilitator, participant, and observer roles with distinct capabilities
• Facilitator-only actions (reveal, revote, end session, write-back) are enforced server-side
• Rate limiting on all REST endpoints and Socket.io events to prevent abuse
• One active session per Jira issue, enforced with atomic Redis locks

Tenant isolation

For platform integrations (Jira, Slack, Teams), all data is scoped by tenant identifier (Atlassian cloudId, Slack workspace ID, Teams tenant ID). Data from one organization cannot be accessed by another. Storage keys include the tenant identifier as a prefix, ensuring strict isolation.

Input validation

• All user inputs are validated and sanitized on the server
• Vote values are checked against an exact allowlist
• Issue keys are validated with strict regex patterns
• Display names are trimmed and length-capped
• HTML tags are stripped from issue titles before storage
• React JSX auto-escaping prevents XSS in all rendered output

Data minimization

• We collect only the data necessary to run a voting session — no issue descriptions, attachments, or source code
• All session data is ephemeral with automatic expiry (max 72 hours for web, 2 hours for Jira)
• Jira Title Privacy Mode lets teams opt out of sending issue titles to our backend entirely
• Jira scopes are minimal: read user info, read/write Story Points field only

Infrastructure

• Application hosted on Railway with automatic TLS certificate management
• Frontend served via Vercel edge CDN with global distribution
• Full disk encryption on all development workstations (FileVault)
• Multi-factor authentication required on all infrastructure accounts
• Source code hosted on GitHub with branch protection and required pull request reviews

Vulnerability management

• Automated dependency scanning via GitHub Dependabot and npm audit in CI
• Static analysis via TypeScript strict mode and ESLint security rules
• Security code review before every pull request merge
• Timing-safe comparison for all token and signature verification

Incident response

In the event of a security incident, we will:

• Investigate and contain the issue within 24 hours
• Notify affected customers and relevant platform providers (Atlassian, Slack, Microsoft)
• Publish a post-incident report with root cause and remediation steps
• Apply fixes and verify through our standard review process

Responsible disclosure

If you discover a security vulnerability in PointPoker, please report it to support@pointpoker.co. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.

Contact

Questions about our security practices? Contact us at support@pointpoker.co.