Privacy Policy
NIS2Shield
NIS2 Article 23 incident reporting for Jira Cloud
Effective: February 19, 2026
Operator: IronClad Forge
1. What We Collect
NIS2Shield collects only what's necessary to provide the service:
- Incident data: Incident title, description, severity, classification, affected sector, services, geographic scope, cross-border impact, and malicious intent indicators — entered by your team when reporting NIS2 incidents
- Organisation settings: Organisation name, primary sector, national CSIRT, and contact email — configured by administrators for CSIRT template generation
- User identifiers: Atlassian Account IDs — used for audit trail attribution (who created, updated, or submitted phases)
- Jira issue keys: Issue identifiers for linked Jira issues — used to display incident panels and post deadline notification comments
2. What We Don't Collect
- We do not sell your data to third parties
- We do not use your data for advertising
- We do not share your data with other IronClad Forge products
- We do not transmit data to external servers — NIS2Shield runs entirely on the Atlassian Forge platform
- We do not access Jira issue content beyond the issue key used for incident linking
3. How We Use Your Data
- To track NIS2 Article 23 reporting deadlines (24h early warning, 72h notification, 30-day final report)
- To generate pre-filled CSIRT notification templates with your organisation and incident details
- To post deadline escalation comments on linked Jira issues (at 75%, 90%, and 100% of elapsed time)
- To maintain an audit trail of all incident lifecycle actions for compliance evidence
- To display incident status and countdown timers in Jira issue panels
4. Data Storage
- All data is stored in Atlassian Forge Storage — a key-value store managed by Atlassian within your Jira Cloud instance
- No data leaves the Atlassian platform — there are no external databases, servers, or API calls
- Data is encrypted in transit and at rest by Atlassian's infrastructure
- Data residency follows your Atlassian Cloud organisation's data residency settings
5. Data Retention
- Active installations: Incident data and settings are retained while the app is installed
- Uninstallation: Data stored in Forge Storage is automatically removed when the app is uninstalled from your Jira instance
- Deletion requests: Contact us to request manual deletion of specific records — processed within 30 days
6. Your Rights
You can request to:
- Export your incident data and audit trail records
- Delete specific incidents or all stored data
- Correct inaccurate information in incident records or organisation settings
Contact support@ironclad-forge.com for any of the above.
7. GDPR Compliance
NIS2Shield is designed with GDPR compliance in mind:
- Data minimisation: We only store data required for NIS2 incident reporting — no unnecessary personal data collection
- Purpose limitation: Data is used exclusively for NIS2 compliance workflows
- Right to erasure: Contact us to request deletion of personal data (Atlassian Account IDs in audit logs)
- No data transfers outside Atlassian: All processing occurs within the Forge platform, which operates under Atlassian's own GDPR compliance framework
8. Third-Party Services
| Service | Purpose |
|---|---|
| Atlassian Forge | App platform, hosting, storage, authentication, and licensing |
| Atlassian Jira Cloud | Issue panel rendering, comment posting for deadline notifications |
NIS2Shield does not use any third-party services beyond the Atlassian platform. No external APIs, analytics, or tracking services are used.
9. Changes
We may update this policy. Changes will be posted at this URL with the updated effective date.
10. Contact
IronClad Forge
Email: support@ironclad-forge.com
Website: ironclad-forge.com