Trust Center
Transparency about how we handle your data, secure our products, and comply with regulations. This page covers all LeanZero products, including CogniRunner for Atlassian Jira.
Last updated: March 12, 2026
Application Security
- Atlassian Forge platform — apps run in Atlassian’s sandboxed, enterprise-grade infrastructure. We do not operate our own backend servers for Marketplace apps.
- Encryption in transit — all API communications use HTTPS/TLS 1.2+.
- Secrets management — API keys are stored as encrypted Forge environment variables, never in source code.
- Open-source — CogniRunner source code is publicly available under AGPL-3.0, enabling independent security review.
- Minimal permissions — apps request only the Atlassian scopes required for their functionality.
Data Privacy
- GDPR compliant — LeanZero SRL is a Romanian company subject to EU data protection law.
- No data storage outside Atlassian — CogniRunner processes data in-memory during validation. Logs and configuration remain in Forge Storage within your tenant.
- No advertising or profiling — we never use your data for ads, profiling, or automated decision-making.
- Data subject rights — access, rectification, erasure, portability, and objection rights fully supported.
AI Data Processing
- OpenAI as sub-processor — field content is sent to OpenAI’s API only when a validation rule is triggered by an admin-configured workflow transition.
- No model training — OpenAI does not use API inputs or outputs to train its models. Data may be retained up to 30 days for abuse monitoring, then deleted.
- DPA in place — LeanZero has executed OpenAI’s Data Processing Addendum for GDPR-compliant processing.
- EU AI Act transparency — CogniRunner uses AI for advisory validation only. Outputs are probabilistic, not deterministic. Human review is recommended.
Compliance
- GDPR — full compliance as both data controller (website) and data processor (Marketplace apps).
- EU AI Act — transparent disclosure of AI usage, limitations, and human oversight requirements.
- International data transfers — protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
- Romanian corporate law — LeanZero SRL is a registered Romanian company (CUI: 51336260, EUID: ROONRC.J2025012835002).
Sub-Processors
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Atlassian (Forge) | Hosts and runs Marketplace apps | Jira issue data, configuration, logs | Atlassian global infrastructure |
| OpenAI | AI-powered field validation | Field content and attachments sent for validation | US (EU data residency options available) |
| PostHog | Website analytics | Usage data, IP address (consent-based) | EU (PostHog Cloud EU) |
Incident Response
- Security issues can be reported to office@leanzero.net.
- Critical vulnerabilities are triaged within 8–12 business hours.
- We will notify affected customers of confirmed data breaches without undue delay, and will notify the supervisory authority within 72 hours as required by GDPR Article 33.
Documentation & Resources
- Privacy Policy — Full GDPR-compliant data handling policy
- Terms of Service — Licensing, usage terms, AI disclaimers
- Support SLA — Response times, support channels, business hours
- CogniRunner Documentation — Architecture, features, and usage guide
- Source Code (GitHub) — AGPL-3.0 licensed, open for review
Security & Privacy Contact
For security concerns, privacy requests (including GDPR data subject rights), DPA inquiries, or to request documentation not listed above, contact us at:
LeanZero SRL
Email: office@leanzero.net
Str. Toamnei 23 G, CAM. 1, Loc. Bragadiru, Jud. Ilfov, Cod 077025, Romania