Data Protection and Privacy Policy
This Data Protection and Privacy Policy (“Policy”) explains how the apps of NVA Ventures Ltd (trading as Narva Software) (“we”, “our”, or “us”) operate and what limited technical data we may handle to maintain service reliability.
For the purposes of this policy, “Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, and IP addresses, as defined under UK GDPR or GDPR. “Customer Data” refers to all data created, stored, or processed within Atlassian products by end users.
Overview
Narva Software provides applications (“Cloud Apps”) for Atlassian Cloud products which are available via the Atlassian Marketplace. These apps are built and hosted using the Atlassian Forge App Framework (“Forge”) and operate within Atlassian’s infrastructure. In the normal operation of our apps, Customer Data is processed within Atlassian systems, and we do not have direct access to such data.
Narva Software also provides a few downloadable applications (“Data Center Apps”) for Atlassian Data Center environments, which are installed and operated within the Customer’s infrastructure.
Cloud Apps (Atlassian Forge)
Our Cloud Apps are built using the Forge framework. Atlassian Forge takes care of authentication and authorization, software execution, and data management.
Key characteristics:
Hosted entirely on Atlassian infrastructure
Customer Data stored within Atlassian Cloud
Data residency aligned with the Customer’s Atlassian region
Data Storage and Location
Narva Software does not store Customer Data outside of Atlassian systems.
All Customer Data remains within the Customer’s Atlassian Cloud instance or Forge Storage and is subject to Atlassian’s data storage, retention, and security policies.
The geographic location of data storage corresponds to the Customer’s selected Atlassian Cloud region.
Access to Customer Data
Our Cloud Apps operate using the minimum required permissions under the Atlassian Forge security model and do not request access to Personal Data scopes.
Our apps are designed with a privacy-first architecture:
No access to Personal Data — our apps are designed not to access, process, or store any personally identifiable information such as names, email addresses, or IP addresses of users in your Jira or Confluence instances
No access to Customer Data — all data is stored either within your Atlassian product instance or Atlassian Forge Storage, both of which are exclusively controlled by Atlassian and inaccessible to Narva Software
Application Logs
Narva Software may access limited technical log data for the purpose of:
Monitoring application performance
Diagnosing errors
Ensuring service reliability
These logs do not contain any Personal Data and are designed to avoid inclusion of Customer Data wherever possible.
Subprocessors
Atlassian, Inc. - App infrastructure, runtime and data storage (Forge platform)
Narva Software does not use additional subprocessors for the processing of Customer Data. Atlassian’s Data Processing Addendum is available at: https://www.atlassian.com/legal/data-processing-addendum
End of Subscription
Our apps do not store any Customer Data independently. All data exists solely within your Atlassian product instance or Forge Storage and is governed by Atlassian’s own data retention and deletion policies.
Data Center Apps
Our Data Center Apps are installed and operated within the Customer’s environment.
We do not have access to Customer Data unless explicitly provided by the Customer for support purposes.
Data Security
We maintain technical and organisational measures to ensure the security of our systems and any technical data we handle in connection with the operation of our apps.
These measures include:
Encryption in transit and at rest (via Atlassian infrastructure)
Access controls based on least privilege principles
Continuous monitoring and logging
Managed detection and response (MDR)
Annual independent penetration testing
Narva Software is SOC 2 Type II certified, independently audited on an annual basis. For information about our security practices or to request a copy of our SOC 2 report, please contact us at security@narva.net.
Security Incidents
Narva Software maintains an incident response process to detect, contain, and remediate security incidents. In the event of a security incident affecting our systems:
Affected customers will be notified without undue delay
We will fulfil all applicable notification obligations under UK GDPR and GDPR, including notification to the Information Commissioner’s Office (ICO) within 72 hours where required
Business Contact Data
In connection with the purchase, licensing, and support of our Products, Narva Software receives limited contact information — typically the name and email address of billing and technical contacts — provided via the Atlassian Marketplace.
We process this information solely for the following purposes:
Administering the customer relationship and managing licences
Providing product support and responding to enquiries
Communicating service-related notices, updates, and security alerts
The legal basis for this processing is the performance of a contract (UK GDPR Article 6(1)(b)) and, where applicable, our legitimate interests in managing our business operations (UK GDPR Article 6(1)(f)).
We do not use billing or technical contact information for marketing purposes without separate consent.
We retain this information for the duration of the customer relationship and for six (6) years thereafter, in accordance with applicable limitation periods under English law.
Narva Software acts as Data Controller in respect of this business contact data. If you wish to exercise your rights in respect of this data — including access, rectification, erasure or portability — please contact us at support@narva.net.
Data Processing Roles
Our Cloud Apps are designed not to access, process, or store Personal Data and do not request access to Personal Data scopes under the Atlassian Forge security model.
Customer Data within Atlassian products is processed within Atlassian infrastructure and remains under the Customer’s control, in accordance with Atlassian’s terms and privacy policy.
We do not access Customer Data in the normal operation of our apps.
We act as Data Controller in respect of business contact data (billing and technical contacts), as described in the Business Contact Data section above.
Data Processing Agreement
Enterprise customers requiring a Data Processing Agreement (DPA) for GDPR compliance purposes may request one by contacting us at support@narva.net. Given that our apps do not process Personal Data, a DPA may not be required in most cases; however, we are happy to accommodate customers whose procurement processes require one.
Your Rights Under GDPR
Narva Software is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR).
As established in this policy, our apps do not process or store Personal Data. As a result, most data subject rights are not directly applicable to our services. However, we remain committed to transparency and will assist customers with any privacy-related enquiries.
Where Personal Data is processed by Atlassian on your behalf as part of your Atlassian subscription, requests to exercise your rights as a data subject should be directed to Atlassian in their capacity as Data Processor. Atlassian’s privacy policy is available at atlassian.com/legal/privacy-policy.
If you believe we hold any Personal Data about you and wish to exercise any of the following rights, please contact us at support@narva.net:
Right of access — request a copy of any Personal Data we hold about you
Right to rectification — request correction of inaccurate Personal Data
Right to erasure — request deletion of Personal Data we hold
Right to restriction — request that we restrict processing of your Personal Data
Right to data portability — request transfer of your Personal Data in a structured format
Right to object — object to processing of your Personal Data
We will respond to all data subject requests within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk (UK) or your relevant national supervisory authority (EU).
Governing Law
This Policy is governed by the laws of England and Wales. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Changes to This Policy
Narva Software may update this policy from time to time. Updates will be published on this page and, where appropriate, communicated to customers.
Contact
For any questions, concerns, or requests relating to this policy or data processing, please contact us at:
Email: support@narva.net
Policy last updated on April 1, 2026