Security in Calendar Sync
Calendar Sync for Jira does not update any data in Jira; it is a read-only exporter. See below for more information depending on your hosting environment.
Jira access rights (Jira Cloud)
During installation, Jira will create an artificial "user" representing the add-on in the system. The user is called "Calendar Sync" and is visible in User Management like a regular user account (but it does not count toward the user limit). The add-on will use this account to read data from Jira and generate calendar feeds. You can adjust the permissions of that user to narrow down what the add-on can see.
To provide role-based access control, the add-on needs project administrator permission. It does not use this permission for any modifications, but due to Jira API limitations it is necessary to determine user role assignments.
To control what the add-on can see, adjust the permissions of the above-mentioned user. If your Jira is configured in a way that does grant new users access to some information, it will be necessary to configure the permissions before using Calendar Sync for Jira. Otherwise the add-on will be unable to run queries, showing fewer issues than expected or even errors related to lack of project or issue visibility.
Calendar Sync periodically performs the queries defined in feed configurations. Some information is stored externally (on Expium servers), but only as much as is configured to be included on the calendars.
Jira access rights (Jira Server)
In the case of Jira Server (on-premises), Calendar Sync performs all queries with the access rights of the user who created the feed. There is no artificial "user" created for the add-on.
Calendar Sync does not transmit or store any information from Jira externally. All data is stored in the same database as Jira itself, managed with the Atlassian persistence framework.
The application includes error reporting functionality that sends notifications to Expium in case of critical errors. These reports should not include any sensitive data, only technical information about the error itself. It helps us provide a reliable user experience. If you'd like to opt out, it can be easily turned off from a configuration screen.
Once a feed is created, all users who are configured to see it will be able to access the calendars with all events. Calendar Sync supports flexible configuration of user access rights by group, project role, or Jira user fields on issues. See the Access control tab for more information on adjusting user rights for the feeds.
Calendar data security
Calendar Sync for Jira exposes the calendars at URL addresses which do not require any authentication. This is required in order for calendar applications to be able to obtain the data, as most such applications do not support authentication.
While knowing the URL is all that is necessary to obtain feed data, the address is impossible to guess, even for existing users of the add-on. At the same time all communication is encrypted with HTTPS, keeping the URL as well as the data safe from eavesdropping.