Mariia Domska

Is AI Apps Builder for Jira Secure? Here's Everything You Need to Know


If you’re interested in AI Apps Builder but have security questions that have made you hesitate, this is for you.

We often hear, "We'd love to use it, but we need to understand how it handles our data first." That’s a reasonable concern, so let’s walk through it together.

The AI never sees your Jira data

This is a common misunderstanding. When you describe what you want to build, the AI reads your prompt and creates a Forge app using Atlassian's official Forge documentation. It does not access your Jira issues, projects, boards, or users. Your instance data is never involved.

Your prompts aren't used to train AI models

Anything you describe, such as internal workflows, sensitive processes, or confidential project structures, stays private. Neither Anthropic (the AI provider) nor the SaaSJet team uses your prompts or generated outputs for model training.

You review permissions before anything gets deployed, and you do this twice

Before the generation starts, AI Apps Builder produces an app specification listing every requested scope and permission. You can review it, edit it, and confirm before proceeding.

On the deployment page, you have another chance to review permissions before the app installs. Nothing is deployed without your clear approval at each step.

App data stays inside Atlassian's cloud

Generated apps use Forge-hosted storage, such as Storage API, Forge SQL, and similar tools. This means:

  • Per-tenant isolation means your data is never mixed with another organization's.

  • Data is encrypted at rest using AES-256, managed by Atlassian.

  • Automatic backups are handled by Atlassian infrastructure.

  • Data residency is supported. If your Jira instance is pinned to a region (EU, US, etc.), app data follows that setting automatically.

The main exception is if an app makes calls to external services, such as third-party APIs or remote backends. In those cases, your organization is responsible for how that external data is stored and secured, not Atlassian.

API tokens are not stored

AI Apps Builder asks for a Jira API token during deployment to verify admin permissions. It is used only for that step and discarded immediately after. If you prefer not to pass it through the interface, you can use manual deployment by downloading the Forge installer and deploying the app yourself.

You can read and edit every line of generated code

Nothing is hidden. You can download the generated code, review it, and make changes before deployment. You can also edit the app specification before generation begins. There is full transparency at every stage.

Who's responsible for what

AI Apps Builder generates Forge apps, which run under Forge's shared responsibility model:

Atlassian covers: platform infrastructure, managed storage, encryption, backups, and SOC 2 and ISO 27001 certifications at the platform level.

You are responsible for how your app uses the platform, including scope selection, preventing data leaks, defining any external data egress, and meeting your organization's broader compliance requirements.

Zero-egress apps qualify for "Runs on Atlassian"

By default, generated apps use Forge-hosted storage and do not make external calls, so they can qualify for Atlassian’s "Runs on Atlassian" program, assuming all program checks pass. This program is designed for apps that keep all compute and storage inside Atlassian's cloud, support data residency, and tightly control external egress. This is the closest you can get to an enterprise-locked-down setup on the Forge platform.

Would you prefer to build outside your Jira environment first?

There is a standalone web version of AI Apps Builder: https://app-generator.saasjet.com/

You can generate and preview your app completely outside your Jira instance, then install the finished Forge app when it is ready. This is helpful for teams with strict policies about third-party tools in production.

Do you have questions about a specific security requirement or compliance scenario? Please leave them in the comments, and I’ll be happy to answer.
