Cloud Fortified — Security Review and Trust Posture for Links Explorer
Overview
Links Explorer on Jira Cloud carries the Cloud Fortified designation from Atlassian. This document explains what Cloud Fortified means, what Atlassian independently reviewed before granting the designation, and what it means for organisations evaluating or deploying Links Explorer in security-sensitive or regulated environments.
Cloud Fortified is relevant to security teams, Jira administrators, and procurement teams assessing Links Explorer against internal security standards, vendor risk requirements, or regulatory procurement criteria.
What Cloud Fortified Means
Cloud Fortified is Atlassian's highest trust tier for Marketplace apps on Jira Cloud. It is not a self-declaration. Atlassian independently assesses apps against a defined set of security, reliability, and privacy criteria before granting the designation.
An app carrying the Cloud Fortified badge has passed Atlassian's assessment across all required criteria. The badge is displayed on the Atlassian Marketplace listing and is renewed on a recurring basis — it is not a one-time certification.
For buyers evaluating Marketplace apps, Cloud Fortified is the primary signal that an app has been independently verified against Atlassian's security and operational standards, rather than self-certified by the vendor.
What Atlassian Assesses for Cloud Fortified
Atlassian evaluates Cloud Fortified apps across five areas. The table below describes each area and what it means for Links Explorer specifically.
Assessment Area | What Atlassian Reviews | Links Explorer |
|---|---|---|
Security bug bounty | The app vendor must operate a public bug bounty programme that covers the app's attack surface | Optimizory operates a bug bounty program. Vulnerability disclosures are accepted and triaged. |
Security self-assessment | The vendor completes Atlassian's security self-assessment questionnaire, covering access controls, data handling, vulnerability management, and incident response | Completed. Responses are available to enterprise customers on request during procurement. |
Privacy self-assessment | The vendor completes Atlassian's privacy self-assessment, covering data collected, data retention, data subject rights, and compliance with applicable privacy regulations | Completed. Links Explorer does not store issue content. See the Data Handling section below. |
Cloud security review | Atlassian reviews the app's cloud architecture, data flows, and third-party service usage | Links Explorer is built on Atlassian Forge. All computation runs within the Atlassian Cloud boundary. No third-party services are called. No data leaves the Atlassian infrastructure. |
Reliability and support | The vendor must meet defined SLAs for support response and demonstrate version update cadence | Optimizory maintains active release cadence.Support available at support.optimizory.com. |
Forge Architecture and Data Handling
The security foundation of Cloud Fortified for Links Explorer is its Forge-native architecture.
Atlassian Forge is Atlassian's platform for building Marketplace apps that run entirely within Atlassian's infrastructure. A Forge app does not call external services, does not write data to external databases, and does not route issue data through vendor infrastructure outside the Atlassian boundary.
For Links Explorer on Jira Cloud:
No external data egress. Issue data — requirements, stories, test cases, links — never leaves the Atlassian Cloud boundary. It is not transmitted to Optimizory servers, not stored in a third-party database, and not processed by external services.
No vendor infrastructure in the data path. When a user opens a traceability view or generates an RTM, the computation runs on Atlassian Forge functions within the Atlassian Cloud. Optimizory does not receive a copy of the request or the output.
No persistent data storage outside Atlassian. LXP stores only app configuration (hierarchy settings, Saved Views) in Atlassian's Forge storage — within the Atlassian boundary. No issue content is persisted by LXP.
This architecture is a prerequisite for Forge apps to qualify for Cloud Fortified. It is verified by Atlassian as part of the cloud security review.