Published Date: May 13, 2026
Validated: Yes
Audience: Everyone
Products and Versions Covered:
- Jama Connect Interchange™
- All deployments
Summary
Jama Connect Interchange (JCI) security behavior varies depending on deployment architecture and customer-managed infrastructure. This article explains how JCI handles communication security, credential storage, data persistence, and logging across supported deployment models (Jama Software's SaaS-hosted deployment and customer-managed self-hosted deployment).
Key Takeaways:
- JCI is deployed with Docker, so its effective security posture depends partly on the surrounding host, network, runtime, and environment settings.
- JCI secures system-to-system communication over HTTPS using TLS.
- JCI does not store sensitive customer data from Jama Connect in the JCI database; it stores only limited integration metadata, and connector credentials are encrypted at rest.
- Audit coverage is selective today: integration actions are logged, but logging is not comprehensive across all application actions.
- Organizations with strict requirements for account lockout, FIPS validation, or tamper-resistant audit logging should review the current product behavior carefully.
Because JCI runs in customer-controlled environments, the overall security posture is shared between the application and customer-managed infrastructure controls.
Resolution
Deployment Models
| Self-hosted Docker on Linux | AWS EC2 with MySQL |
| --- | --- |
| Runs on a dedicated customer-managed Linux host using Docker Engine and Docker Compose. Customer teams manage OS hardening, Docker runtime policy, ingress, TLS certificates, persistent storage, secrets injection, and log forwarding. | Runs as a Jama-operated cloud deployment for customers. Jama hosts and operates the JCI application in Jama's cloud VPC, including the cloud infrastructure, runtime, network controls, database operations, TLS/ingress configuration, logging, monitoring, and backup/retention controls for the hosted service. |
Shared Responsibility Matrix
JCI security is a combination of product behavior and the controls applied by the deployment environment. This matrix summarizes who owns the major control areas for customer reviews.
| Control Area | JCI / Jama Responsibility | Customer Environment Responsibility |
| --- | --- | --- |
| Application Behavior | JCI provides the application services, integration workflows, credential encryption behavior, and product-level security controls. | Customers configure and govern how the deployed application is exposed, accessed, monitored, and operated in their environment. |
| Deployment Runtime | JCI is delivered as a Docker-based application deployment. | For self-hosted deployments, customers manage the Linux host, Docker Engine, Docker Compose, runtime policy, patching, and image governance. For Jama SaaS-hosted JCI, Jama operates the hosted cloud runtime. |
| Network and Ingress | JCI supports HTTPS/TLS-based system-to-system communication. | Customers manage firewalling, routing, proxying, DNS, certificates, allowed ingress paths, and network segmentation for self-hosted deployments. Jama manages these controls for Jama SaaS-hosted JCI. |
| Secrets and Credentials | JCI encrypts stored connector credentials and does not return saved credentials in normal API responses or show them back in the UI. | The deployment environment controls secret injection, access policy, rotation process, backup protection, and monitoring of secret-handling paths. |
| Data Storage | JCI stores limited integration metadata and related identifiers, and does not store sensitive Jama Connect customer data in the JCI database. | The environment owner manages persistent storage protection, database backup and restore, encryption policy, retention, and infrastructure access controls. |
| Logging and Monitoring | JCI records integration-related activity, with selective audit coverage today. | The environment owner manages centralized log forwarding, SIEM integration, log retention, alerting, and tamper-resistant storage when required. |
Frequently Asked Questions
| Question | Answer |
| --- | --- |
| How is communication protected? | JCI uses HTTPS/TLS for system-to-system REST API communication. For self-hosted deployments, customers configure the externally trusted TLS certificate and surrounding ingress controls. |
| Does JCI store sensitive Jama Connect customer data? | No. JCI does not store sensitive customer data from Jama Connect in the JCI database. It stores limited integration metadata and related identifiers needed for integration operation. |
| How does JCI handle and store credentials for connected repositories? | JCI stores connected repository credentials securely in its configuration database. Connection details such as repository URL, connection type, and username are stored as part of the connection record. Sensitive values such as passwords, access tokens, and client secrets are stored in encrypted form and are decrypted only when JCI needs them to authenticate to the connected system. Credentials are not returned in normal API responses or shown back in the UI after they are saved. The surrounding deployment environment controls how secrets are injected, protected, rotated, and monitored. |
| Who controls account lockout, host hardening, and log retention? | These are deployment-environment controls. Customers should configure Linux, Docker, AWS, network, and security logging controls according to their internal policies. |
| Is JCI FIPS certified? | JCI is not currently represented as FIPS certified. Customers with strict FIPS requirements should review this behavior during security assessment. |
| What audit/logging limitations should reviewers know? | JCI logs integration-related actions, but audit coverage is selective and not currently a comprehensive tamper-protected audit system for all privileged or application actions. |