For enterprise buyers evaluating a Jira app in 2026, one question now comes before features, price, or reviews: where does our data go? Security and procurement teams increasingly treat a single answer — “the app’s data never leaves Atlassian’s cloud” — as a hard requirement, not a nice-to-have. Atlassian has made that answer verifiable with a program called Runs on Atlassian, and it has quietly become one of the most important trust signals on the Marketplace.
At DiViM, building on Atlassian’s Forge platform is our default. Here’s what that means for you, why it matters more every quarter, and which of our apps already carry that guarantee.
What “Runs on Atlassian” actually means
Runs on Atlassian is an Atlassian Marketplace program that identifies Forge apps built for the strictest data-privacy requirements. The badge is applied automatically — partners can’t buy it or opt in — and Atlassian verifies eligibility programmatically against three requirements:
- Atlassian-hosted compute and storage only. The app runs entirely inside Atlassian’s cloud. There is no vendor-operated server in the middle.
- Data residency that matches your Atlassian product. If your Jira data is pinned to a region, the app honors the same boundary.
- Customer-controlled egress. Any external data flow — even analytics or logs — is something your admins can see and switch off.
The contrast is with the older Atlassian Connect model, where an app runs on infrastructure the vendor operates — often a third-party cloud — and your Jira data is sent out to that server to be processed. Connect apps can be perfectly secure and well-run, but they put your data on the move and ask you to trust a vendor’s infrastructure, certifications, and incident response. A Forge app that Runs on Atlassian removes that question entirely: the data stays home.
Runs on Atlassian + Cloud Fortified: better together
These two badges aren’t an either/or — they’re a plus, and the strongest apps carry both. Runs on Atlassian is a technical fact Atlassian verifies automatically: the app is Atlassian-hosted and won’t egress your data without consent. Cloud Fortified reflects operational maturity — reliability and incident-response commitments, security practices like bug-bounty participation, and support standards. One answers “does my data ever leave Atlassian?” The other answers “is this a serious, well-run app I can depend on?” Together, they cover both data containment and operational trust.
Three DiViM apps carry both badges today — Runs on Atlassian and Cloud Fortified: Advanced Release Planning, Time in Status & Flow Metrics, and Enterprise Sprint Automation.
Why this is becoming table stakes for enterprise
Procurement has caught up. In regulated industries — finance, healthcare, government, defense — data sovereignty is now written into vendor questionnaires. “Does the app process our data outside Atlassian?” is a yes/no that can end an evaluation before it starts. An app that Runs on Atlassian lets a security reviewer close that question in seconds instead of opening a weeks-long data-processing-agreement review.
The Connect era is ending. Atlassian is winding down the Connect framework on cloud, with enforcement milestones landing through 2026 and end-of-support for Connect slated for the end of the year. Apps that haven’t moved to Forge face a shrinking runway. Choosing a Forge-native app today means choosing the platform Atlassian is investing in for the next decade — not one it’s sunsetting.
It’s central to Atlassian’s own pitch. Atlassian sells cloud to enterprises on a trust story, and Forge is the proof. When your app vendor is on the same platform, your security posture and Atlassian’s line up instead of fighting each other.
Where DiViM stands
We build on Forge so that the trust question is answered before you ask it. Across our portfolio, the apps below run entirely on Atlassian — your Jira data is read, processed, and stored inside Atlassian’s cloud, within your data-residency boundary, with no vendor server in the path. Apps that also carry the Cloud Fortified badge are marked:
- Advanced Release Planning, Roadmaps & Management for Jira (also Cloud Fortified) — probabilistic release forecasting, capacity-aware planning, and dependency mapping, all without your roadmap data leaving Atlassian.
- Time in Status, Cycle Time & Lead Time Reports (also Cloud Fortified) — six flow metrics plus built-in Atlassian Rovo AI analysis, read-only and data-residency compliant.
- Enterprise Sprint Automation (also Cloud Fortified) — bulk sprint creation for SAFe PI planning and automated sprint lifecycles, with all compute and storage inside Atlassian’s cloud.
- Dependency Manager & Map for Jira — an interactive dependency graph and critical-path analysis that never moves your issue data off-platform.
For your security team, that translates into a shorter review: no external sub-processor to vet for these apps, no separate region to reconcile, and admin-level visibility into any analytics flow.
Questions to ask any Jira app vendor
Whether you’re evaluating DiViM or anyone else, these five questions separate a real data-residency story from marketing:
- Is the app built on Forge, or on Connect? (Forge is the basis for Runs on Atlassian.)
- Does it carry the Runs on Atlassian badge — and is it also Cloud Fortified?
- Where is our data processed and stored — inside Atlassian, or on vendor infrastructure?
- Does the app honor our data-residency region?
- Can our admins see and control any data the app sends externally?
If the answers are Forge, yes, inside Atlassian, yes, and yes — the procurement conversation gets dramatically simpler.
The bottom line
“Where does our data go?” is no longer a question you should have to chase a vendor to answer. For our Forge apps, the answer is fixed by the platform itself: your Jira data never leaves Atlassian. As Connect winds down and data sovereignty becomes a precondition rather than a preference, that’s not just a security feature — it’s the foundation of a trustworthy enterprise app.
Explore our Forge-native apps for Jira →
Leave a Reply
Your email is safe with us.