JIRA2SAP™ Security Policy (as of December 2025)

1. Purpose and Scope

This Security Policy describes the measures and principles applied to protect systems, data, and integrations related to JIRA2SAP™, including the use of Jira templates for SAP integration.

The policy applies to:

The JIRA2SAP connector
Data exchanged between Jira and SAP systems
Jira templates provided for Jira Data Center and Jira Cloud

This policy focuses on technical and organizational security controls and is separate from the Privacy Policy, which addresses personal data processing.

2. Security Principles

JIRA2SAP is designed according to the following core principles:

Least privilege: Access is limited to what is strictly necessary
Separation of concerns: Jira templates structure data; integration logic is handled externally
Secure communication: Data is transferred using encrypted channels
Customer isolation: No cross-customer data access
Transparency: Clear documentation of responsibilities and data flows

3. Access Control and Authentication

Access to JIRA2SAP components is restricted to authorized systems and users only.
Authentication mechanisms are used to protect all communication channels.
Credentials and tokens are handled securely and are never exposed in Jira templates.
Administrative access is limited and monitored.

4. Data Transmission Security

All data transfers between Jira, JIRA2SAP, and SAP systems use encrypted connections (e.g. HTTPS/TLS).
No unencrypted communication channels are supported.
Jira templates themselves do not initiate direct connections to SAP systems.

5. Data Processing and Storage

JIRA2SAP processes only the data required to perform the integration.
Jira templates do not store SAP credentials or connection details.
Any temporary data handling is limited to what is technically necessary to complete synchronization.
Data retention follows customer agreements and system requirements.

6. Customer Separation

Each customer’s integration setup is logically separated.
No customer data is shared across environments.
Test and production environments are separated where applicable.

7. Logging and Incident Handling

Integration activities and errors are logged for troubleshooting and audit purposes.
Logs are used for operational security and incident analysis only.
In case of a security incident, appropriate measures are taken to assess, contain, and resolve the issue.

8. Jira Templates – Security Considerations

Jira templates provided by ALPEIN Software SWISS AG are supporting configuration elements, not standalone integration components. Their security characteristics depend on the Jira deployment model.

8.1 Jira Data Center Templates

For Jira Data Center, templates are provided as installable files (e.g. .jar):

Templates are installed within the customer’s Jira Data Center environment.
They define project structures, custom fields, and workflows only.
Templates do not contain SAP credentials or sensitive connection data.
Templates do not directly access SAP systems.
All data transfer to SAP is handled by the JIRA2SAP connector, not by the template itself.
Security of the Jira Data Center environment remains the responsibility of the customer.

8.2 Jira Cloud Templates

For Jira Cloud, templates are provided as configuration instructions, not software components:

No files or applications are installed in Jira Cloud.
Templates consist of documented steps to create Spaces, fields, and automation rules.
Jira Cloud templates do not execute code.
Jira Cloud templates do not store credentials or secrets.
Data transfer is initiated via Jira Cloud automation and handled by the external JIRA2SAP connector.
This approach aligns with Jira Cloud security and compliance requirements.

9. Responsibilities

Customers are responsible for:

Securing their Jira and SAP environments
Managing user access and permissions
Configuring templates according to internal policies

ALPEIN Software SWISS AG is responsible for:

Secure design of JIRA2SAP
Providing secure integration mechanisms
Maintaining and updating documentation

10. Policy Maintenance

This Security Policy is reviewed periodically and updated as necessary to reflect:

Product changes
Security best practices
Customer and regulatory requirements

11. Summary

JIRA2SAP follows a security-by-design approach:

Jira templates are non-invasive and non-sensitive
Integration logic is centralized and controlled
Jira Cloud and Data Center differences are clearly respected
Security responsibilities are transparent and well-defined

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Saves your consent to using cookies.	1 year	HTML	Website
fe_typo_user	Assigns your browser to a session on the server.	session	HTTP	Website
be_typo_user	missing translation: trackingobject.be_typo_user.desc	session	HTTP	Website
PHPSESSID	missing translation: trackingobject.PHPSESSID.desc	session	HTTP	Website

Name	Purpose	Lifetime	Type	Provider
DSID	Google: Security, Functionality, Advertising for AdSense, Campaign Manager, Google Ad Manager, Google Analytics, Display + Video 360, Search Ads 360	2 weeks	HTML	Google
test_cookie	Google: Functionality for AdSense, Campaign Manager, Google Ad Manager, Google Analytics, Display + Video 360, Search Ads 360	15 minutes	HTML	Google
IDE	Google: Advertising for Campaign Manager, Display + Video 360, Google Ad Manager, Google Analytics, Search Ads 360	24 months	HTML	Google
FPLC	Google: Analytics for Google Analytics	20 hours	HTML	Google
FPID	Google: Analytics for Google Analytics	2 years	HTML	Google
GA_OPT_OUT	Google: Functionality for Google Analytics	7 years	HTML	Google
__utma	Google: Analytics for Google Analytics	2 years	HTML	Google
__utmb	Google: Analytics for Google Analytics	30 minutes	HTML	Google
__utmc	Google: Analytics for Google Analytics	session	HTML	Google
__utmt	Google: Analytics for Google Analytics	10 minutes	HTML	Google
__utmz	Google: Analytics for Google Analytics	6 months	HTML	Google
__utmv	Google: Analytics for Google Analytics	2 years	HTML	Google
_ga	Used to distinguish users.	2 years	HTML	Google
_gat	Used to throttle request rate.	1 minute	HTML	Google
_gat_--custom-name--	Google: Analytics for Google Analytics	1 minute	HTML	Google
_gid	Used to distinguish users.	24 hours	HTML	Google
_ga_--container-id--	Persists session state.	2 years	HTML	Google
_dc_gtm_--property-id--	Used by DoubleClick (Google Tag Manager) to help identify the visitors by either age, gender or interests.	1 minute	HTML	Google
_gaexp	Google: Analytics for Google Analytics, Optimize	93 days	HTML	Google
_gaexp_rc	Google: Analytics for Google Analytics, Optimize	10 seconds	HTML	Google
_opt_awcid	Google: Analytics for Google Analytics, Optimize	24 hours	HTML	Google
_opt_awmid	Google: Analytics for Google Analytics, Optimize	24 hours	HTML	Google
_opt_awgid	Google: Analytics for Google Analytics, Optimize	24 hours	HTML	Google
_opt_awkid	Google: Analytics for Google Analytics, Optimize	24 hours	HTML	Google
_opt_utmc	Google: Analytics for Google Analytics, Optimize	24 hours	HTML	Google
_gac_--property-id--	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.	90 days	HTML	Google
AMP_TOKEN	Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, request in progress or an error retrieving a Client ID from AMP Client ID service.	1 year	HTML	Google

Name	Purpose	Lifetime	Type	Provider
GoogleMaps	Is used to connect to Google Maps and to display those maps.	none	Connection	Google
YouTube	Is used to connect to YouTube and to display videos.	none	Connection	YouTube