Trust Center
Security overview, data access, storage, and compliance.
1. Security Overview
VelocityHero is designed for enterprise environments where delivery data must be protected.
Our approach is based on:
- Data minimization
- Controlled access
- Clear ownership boundaries
- Transparent infrastructure usage
VelocityHero analyzes delivery signals rather than replicating operational systems.
2. Data Access
VelocityHero connects to:
- Jira project metadata (issue status, transitions, sprint data, workload signals)
- Structured Slack check-in inputs
VelocityHero does not require:
- Full Jira ticket replication
- Slack message history storage
- Source code access
- Attachments or document storage
3. Data Storage
VelocityHero is hosted on modern cloud infrastructure.
- Data encrypted in transit (TLS 1.2+)
- Data encrypted at rest (provider-managed encryption)
4. Data Retention
- Active project data retained while subscription is active.
- Archived project data retained until deletion request or contract termination.
5. Access Control
- Secure authentication
- Jira: email + API token; Slack: OAuth-based app installation
- Access limited to authorized users within customer account
6. Data Ownership
Customers retain ownership of their data at all times.
VelocityHero acts as a data processor for project-level delivery signals.
7. Subprocessors
VelocityHero relies on infrastructure providers.
We maintain a public subprocessor list including: hosting provider, database provider, monitoring/logging provider, email provider (if applicable), payment provider.
8. Incident Response
VelocityHero monitors system integrity and investigates confirmed security incidents.
Customers will be notified in the event of a confirmed data security incident.
9. Security Philosophy
VelocityHero is not a data warehouse.
We focus on delivery signals and structured metrics rather than content-heavy data storage.
By minimizing stored content, we reduce exposure while enabling insight.
10. Integration Requirements & Access Model
VelocityHero integrates directly into modern cloud delivery environments. This section outlines platform requirements, required permissions, and integration boundaries.
11.1 Supported Platforms
- Jira Cloud (Atlassian-hosted, .atlassian.net)
- Slack cloud workspaces
Not supported: Jira Server (on-prem), Jira Data Center, self-hosted Slack deployments.
VelocityHero is purpose-built for cloud-native delivery environments.
11.2 Jira Integration Requirements
VelocityHero connects to Jira using the Jira Cloud REST API (/rest/api/3/ and /rest/agile/1.0/).
- Jira Cloud instance (atlassian.net)
- Valid user account with API token authentication
- Active project and associated board
VelocityHero requires project-level access only. No Jira site-admin or global admin permissions are required. The user whose API token is used must have access to the selected project and board.
VelocityHero requires jira_project_key and jira_board_id. Board access is used to retrieve active sprint information (Scrum) and validate configuration. Project access is used for JQL-based issue searches. Kanban boards are supported using project-level JQL queries.
11.3 Jira Data Access Scope
VelocityHero operates in read-only mode. The system uses read-only endpoints (GET and POST for JQL search), including: /rest/agile/1.0/board/{boardId}, /rest/agile/1.0/board/{boardId}/sprint, /rest/api/3/search/jql, /rest/api/3/project/{projectKey}, /rest/api/3/myself.
VelocityHero does not create or modify issues, update workflows, transition tickets, access attachments, access source code, or replicate full ticket history. Only structured delivery metadata (status, transitions, sprint data, workload signals) is analyzed.
11.4 Slack Integration Requirements
VelocityHero integrates as a Slack app within a Slack workspace. Required: Slack cloud workspace; workspace-level app installation approval (as required by the workspace's security policy).
- chat:write — to post check-in prompts, delivery nudges, and weekly reports
- Interactivity endpoint — to receive structured responses from buttons/actions
Optional (setup-related): channels:read — for channel selection during configuration. VelocityHero does not request conversations.history, direct message history access, or broad message archive access. VelocityHero interacts only with structured signals submitted via configured check-in prompts.
11.5 Data Boundaries
- No full Jira ticket replication
- No Slack message history storage
- No document or attachment storage
- No source code access
- No repository integration
The system analyzes delivery signals — not content archives.
11.6 Authentication Model
Jira: Email + API token authentication (Basic auth). Slack: OAuth-based app installation with workspace-scoped permissions. All integrations operate within the permissions granted by the customer.
11.7 Customer Responsibility
Customers are responsible for ensuring appropriate project and board access, granting Slack app installation approval (if required), and managing API tokens and credential rotation policies. VelocityHero operates strictly within the access permissions explicitly granted by the customer.
11.8 Architectural Principle
VelocityHero enhances delivery environments without altering them. The system reads delivery metadata, analyzes structured signals, surfaces insights, and nudges teams via Slack. It does not replace Jira, replicate Slack, or introduce a parallel workflow layer. VelocityHero is an augmentation layer, not an operational system of record.