Test Management – Who Do You Trust?

Test management is not only about test cases, executions, and reports. It is also about data. And test data is more sensitive than many teams think.

Test cases describe how your application works. They show business logic, integrations, edge cases, and user flows. But there is another side: test management data also shows what has not been tested. For someone with bad intentions, this is extremely valuable information. It can reveal weak points in your application and in your processes.

So the key question is simple, but very important:

Test data = sensitive data

Many organizations focus on protecting production data, while test data is treated as “less important”. We can read this in this article published in Forbes. This is a common mistake.

Test management extensions for Jira, like Zephyr or Xray, often contain:

• Detailed descriptions of system behavior
• Information about integrations and APIs
• Known risks and untested areas
• Sometimes even real user data copied from production

From a security point of view, this makes test management data sensitive data. Protecting this data should as important as protecting production data.

To understand the real risk, we need to look at where and how this data is stored.

Where is your data really stored?

For any app from Atlassian Marketplace, we can clearly see three main architecture models for data storage. This applies also to Jira-based test management tools that teams are using.

1. Data Center – you are the hosting company

In the Data Center model, data is stored in your own infrastructure or in infrastructure managed by a provider you choose. You are fully responsible for security, access, backups, and compliance.

The biggest advantage of this model is maximum control. In extreme cases, Jira Data Center can even work without direct internet access, which gives very strong protection against external threats.

However, there is an important context: Atlassian has announced end-of-life (EOL) plans for Data Center in the long term. Because of this, we will not focus on this architecture further. From a 7–10 year perspective, it is not seen as a future-proof option. Maybe the idea will return one day, but in a different form.

2. Legacy Cloud – data managed by the vendor

This is currently the most common model. Based on our analysis, around 99 out of 100 cloud apps in the Atlassian Marketplace still use this approach.

In this model:

• Data is stored where the vendor decides
• Most often this means AWS, sometimes via related services like Heroku

Vendors invest a lot in security certifications and audits such as ISO or SOC. These standards help maintain good security practices and reduce risk. But they do not change one key fact:

Even if access is limited, temporary, or well-controlled, it still exists. No marketing statement can fully remove this risk. Sometimes, even the principle of least privilege does not work.

3. New Cloud – data stored by Atlassian

This is the newest and most secure model, and also the one recommended by Atlassian.

In this approach:

• Data is stored on Atlassian infrastructure via Forge platform.
• The vendor has no access to your data.

The vendor cannot change this, under any circumstances.

Most often, data is stored using Forge SQL or Forge Storage. Both solutions are secure and designed for different data volumes and use cases. The key point is simple: only Atlassian controls access to the data.

When this model is combined with Atlassian Data Residency, which allows you to choose one of 12 regions worldwide, it becomes the safest option available today for Marketplace apps.

This is currently the only model that truly guarantees that the vendor cannot access your test management data.

Where is my test management data stored?

Below is an overview of popular Jira test management tools and where their data is stored today.

This difference is not only technical. It directly affects data ownership, access control, compliance, and risk.

Which model does the app currently use

To check where your test management data is stored, go to Data residency under Data management in Organization settings.

If your Jira site is already pinned to a location, you will see Marketplace apps listed there as well. If not, apps will appear in one of two tabs: Eligible or Not eligible.

Apps marked as Eligible can be pinned to your Jira data residency location. Apps marked as Not eligible cannot be pinned and store data outside your selected region.

Conclusion – trust is an architectural decision

When choosing a test management tool, teams often compare features, UI, and price. Data security is discussed much less often. But in today’s world, this should change.

If your data is stored by the vendor, you must trust the vendor and their internal processes.

If your data is stored by Atlassian, access is technically blocked for the vendor.

For organizations that care about:

• Data security
• Compliance
• Data residency
• Long-term risk reduction

The New Cloud model is clearly the best choice.

Test management data describes how your system works – and where it is weak. The question is not if this data is valuable. The question is: Who do you trust to keep it safe?