Security in Calendar Sync
JIRA access rights
During the installation JIRA will create an artificial "user" representing the add-on in the system. The user is called "Calendar Sync" and is visible in User Management like a regular user account (but it does not count toward the user limit). The addon will use this account to read data from JIRA and generate calendar feeds. You can adjust permissions of that user to narrow down what the addon can see.
Calendar Sync for JIRA does not update any data in JIRA, it is a read-only exporter. However, in order to provide role-based access control it needs project administrator permission. It does not use it for any modifications, but due to JIRA API limitations it is necessary to determine user role assignments.
To control what the add-on can see, adjust permissions of the abovementioned user. If your JIRA is configured in a way that does grant new users access to some information, it will be necessary to configure the permissions before using Calendar Sync for JIRA. Otherwise the add-on will be unable to run queries, showing fewer issues than expected or even errors related to lack of project or issue visibility.
Calendar data security
Calendar Sync for JIRA exposes the calendars with URL addresses which do not require any authentication. It is required in order for calendar applications to be able to obtain the data, as most such applications do not support authentication.
While knowing the URL is that is necessary to obtain feed data, the address is impossible to guess, even for existing users of the add-on. At the same time all communication is encrypted with HTTPS, keeping the URL as well as the data safe from eavesdropping.