Home
Data Protection & Security Toolkit for Jira · by Actonic · since 2018

The data protection toolkit
every Jira admin needs.

We protect 500K+ users across 300+ Jira instances.

The four jobs, in detail
DATA CENTER · CLOUD|30-DAY TRIAL · NO CARD
DPT campaign creative: Jira remembers. Be ready before the audit.
§ 02 — Five common situations

Five things every Jira admin has
put off until next quarter.

DPT was built for the work nobody volunteers for — the cleanup that has to happen before the audit, after the leaver, when the regulation changes.

01 / 05USER ANONYMIZATION

Inactive users and "delete my data" requests, processed in bulk

Anonymize one user, a group, or everyone inactive over two years — in a single run. Replace with a service user or roll all into "Former employee." Issue history, comments, and worklogs stay. The personal data goes.

Read how it works
02 / 05CONTENT SCANNING

Emails, passwords, credit cards, phone numbers, API tokens — find them all

RegEx-based scan across issues using built-in templates or your own patterns. Then redact, replace, comment, notify, restrict access, or fire a webhook. Run once, or schedule weekly.

Read how it works
03 / 05YOUR RULES

Tune it to your regulation, not the other way around

GDPR, CCPA, HIPAA, LGPD, or your own internal policy. Your compliance team writes the rules; the toolkit runs them. No fixed "GDPR mode" you have to bend your reality into.

Read how it works
04 / 05AUDIT EVIDENCE

Every run logged. Every change recorded. Evidence when the auditor asks.

Every operation the app performs is logged — anonymization runs, content scans and redactions, rule changes, consent acceptances — with timestamp, operator, scope, and outcome. The audit trail builds itself as you work.

Read how it works
05 / 05ANNOUNCEMENTS & CONSENT

Tell users about a new policy — and prove they accepted it

Dialog, banner, or login-blocking screen. Target by project, group, or logged-in vs anonymous. Track who accepted, who declined, and when — exportable to CSV for your compliance file.

Read how it works
01 / 05 User anonymization

How user anonymization
actually works.

Data Cleaner module · Data Center, Cloud

Pick users individually, by group, by directory, or by activity (inactive since a date). Choose your anonymization method per run: redact email, scramble name, replace with a target user, or roll everyone into a single "Former employee" account.

The toolkit replaces references across issues, comments, worklogs, and JSD customer accounts. Issue history stays intact — the audit trail survives, the personal data doesn't.

Before and after user anonymization in Jira
Before / after — an active user’s identity replaced across the People panel and the activity stream, while issue history stays intact.

What it can't do: users stored in external directories (LDAP, Crowd, Azure AD) have to be removed from the directory and re-synced first. Same constraint as native Jira. The toolkit tells you which users this applies to so you know what to do next.

02 / 05 Content scanning

Finding what
shouldn't be there.

Data Cleaner · content search · Recurring Tasks

Sensitive data ends up in Jira because work happens in Jira. A production incident at 2 AM, someone pastes a password in a comment "just for a minute." A customer ticket includes a credit card number in the description. Nobody notices, nobody removes it, and Jira keeps it forever — including in the issue history, where editing the comment doesn't remove the earlier version.

The toolkit scans for it with RegEx. Built-in templates cover the common patterns. Custom patterns cover your own — API tokens, internal IDs, employee numbers, anything you can describe as a regular expression.

Data Cleaner field-search rules with RegEx patterns
Built-in and custom RegEx rules — passwords, credit cards, emails, national IDs — each with its own status, pattern, and action.

Found items get actions: redact in place, replace with placeholder text, add a comment explaining what was removed, add a label, notify the reporter or assignee, restrict view and edit access, or send a webhook to your own system.

Honest about scope: attachment scanning — filenames and content, via OCR — is handled by a dedicated companion app, Attachment Scanner.

03 / 05 Your rules

Tune it to your regulation,
not the other way around.

Rule engine · per-team, per-policy

Compliance products that ship with a fixed "GDPR mode" or "HIPAA mode" make a bet about what your auditor will ask. That bet is almost always wrong, because what your auditor asks depends on your industry, your contracts, your jurisdiction, and the auditor's own checklist.

So we don't make the bet. The toolkit gives your compliance team the building blocks — RegEx patterns, anonymization methods, scheduling, audit logging — and your team writes the rules that match your regulation.

Configuring a field-search template
Your compliance team builds the template: pick the fields, set up the rules to detect PII, define ignore lists, and choose the action on data found.
Example: two regulations, one instance, different schedules
GDPR Art. 17Redact email addresses in comments older than 6 months · weekly · service-desk projects only
HIPAA §164.514Remove PHI matching custom patient-ID pattern · daily · two specific projects · notify privacy officer
Internal policyQuarantine API tokens matching sk_* · on every comment · webhook to secrets vault

If you need email addresses redacted under GDPR Article 17, you write the rule. If you need PHI removed for HIPAA §164.514, you write a different rule. The toolkit runs both, on the same instance, on different schedules, without forcing you to pick a "mode."

If you want help building the rules, our data protection consulting service is available.

04 / 05 Audit evidence

Evidence the auditor
will accept.

Activity log · Run history

Most compliance tools help you do the work. Fewer help you prove you did it. The auditor asking "show me your data protection process" doesn't want your config — they want the artifacts.

Everything the toolkit does is written to a log. The entries an auditor cares about:

data-protection / activity-log · last 24h live
14:02:17Anonymization run completed · scope: inactive > 2y · 47 users · 0 failed · 0 skipped@s.weber
11:48:03Rule template updated · PII — EU · 2 rules added · 1 disabled@admin
09:30:00Content scan · 1,284 issues · 23 findings · 21 redacted, 2 quarantinedscheduler
08:11:42Consent accepted · announcement "Updated DPA v3.2" · acceptance rate 94.2%@a.kowalska
07:00:00Scheduled scan started · template Credentials · 8 projects queuedscheduler
What the log captures
AnonymizationEvery Data Cleaner run: timestamp, operator, scope, outcome — what changed, what failed, what was skipped.
Content scansEvery scan and redaction: what was found, what was redacted or quarantined, and where.
Rule changesTemplate edits logged — who changed which detection rule, and when.
ConsentNotifications & Announcements track who saw which policy, who accepted, who declined, and when.

Together: a documentation trail for a SOC 2, ISO 27001, GDPR, or HIPAA audit that the toolkit produces as a side effect of normal operation. Not something you have to assemble retroactively the week before the auditor arrives.

05 / 05 Announcements & consent

When the policy change matters,
the banner doesn't.

Notifications & Announcements · Data Center, Cloud

The default Jira announcement banner sits at the top of the page and gets ignored within a week. It's fine for "we're upgrading tonight." It's not enough for "we updated our privacy policy and we need you to accept it before you do anything else in Jira."

Configuring a privacy-policy announcement
Author a privacy-policy announcement: set type, name, title and a rich-text body — then target specific users or groups.

The Notifications & Announcements module gives you the formats the native banner doesn't:

Display
Center-screen dialog, footer banner, or full-screen login-blocking page users have to acknowledge before they can use Jira at all. Pick per announcement.
Scope
Show to everyone, or scope to specific projects, specific groups, logged-in vs anonymous. Independence Day to your US group; cookie policy to anonymous service-desk visitors; security training to developers only.
Buttons
Single "Accept" for informational, "Accept / Decline" for consent. Optional short feedback field.
Schedule
"Always shown," or only during a specific date range. The toolkit hides the announcement automatically when the window closes — you don't have to remember to turn it off.
Tracking
Who accepted, who declined, IP address, timestamp. Exportable to CSV — what your DPO needs when a regulator asks "prove you got consent before processing."
Templates
Two built-in templates (Privacy Policy, Cookie Policy) you can clone and modify. Drafts and version history per announcement. Prior consent rates stay attached to the prior version when you update wording.

Deleted announcements stay in the recycle bin for 30 days before permanent deletion — because someone always deletes the wrong one.

Built by Actonic, Stuttgart — part of Seibert Group. Security and compliance details at the Actonic Trust Center →
500K+
Users protected
300+
Jira instances
Customers in:TelecommunicationsInsuranceFinancePublic sector
§ 08 — Pricing

Standard Atlassian
Marketplace tiers.

Pricing scales with your Jira user tier. No surprises, no per-seat add-ons. Uninstall removes all stored data within 30 days.

Trial30 days · no credit card
BillingAtlassian Marketplace — annual or monthly
ScalingBy Jira user tier (10, 25, 50, 100, 250, …)
HostingData Center · Cloud
UninstallAll stored data removed within 30 days
Current ratesSee Marketplace →
§ 09 — Two ways to start

See what a scan would find in your instance.

Option A · No install

The sandbox

A hosted Data Center demo with the toolkit installed and seeded with realistic data. No signup, no install. See what the modules look like before you commit to anything.

Try the sandbox
Option B · Your data

The free trial

Install from Marketplace, run a scan against your own instance. 30 days, no card. Uninstall removes all stored data within 30 days.

Would rather have a conversation first?Book a 30-minute walkthrough with our team →