Petabyte IT Services - Scalable Web and Ecommerce Solutions

Security Statement for Doc Review Manager

Last Updated: November 3, 2025

App Version: 2.0.0

Overview

Doc Review Manager is built on the Atlassian Forge platform, which provides enterprise-grade security by design. This document outlines our security practices, architecture, and commitment to protecting your data.

Security Architecture

1. Platform Security (Atlassian Forge)

Our app leverages Atlassian Forge's built-in security features:

Isolated Execution Environment:

  • Runs in Atlassian's secure, sandboxed environment
  • No direct server access or infrastructure management required
  • Automatic security patches and updates from Atlassian

Secure by Default:

  • OAuth 2.0 authentication handled by Atlassian
  • No credential storage in app code
  • All API requests authenticated via Forge framework
  • Automatic HTTPS/TLS encryption for all communications

Platform Compliance:

  • SOC 2 Type II certified infrastructure
  • ISO 27001 certified
  • GDPR compliant
  • Regular security audits by Atlassian

2. Data Security

Data Storage:

  • All data stored within your Atlassian Cloud instance
  • Uses Confluence Content Properties API (page-specific data)
  • Uses Forge Storage API (application settings)
  • No external databases or storage systems
  • Data encrypted at rest by Atlassian Cloud

Data Transmission:

  • All API calls use HTTPS/TLS 1.2+
  • No data transmitted outside Atlassian infrastructure
  • Only communicates with *.atlassian.com domains
  • No third-party API integrations

Data Access:

  • Respects Confluence permission model
  • Users only see data they have permission to access
  • Admin features restricted to Confluence administrators
  • No backdoor access or privileged accounts

3. Application Security Practices

Secure Development:

  • Modern React 18 and Forge UI Kit 2
  • No deprecated dependencies
  • Regular dependency updates
  • Code follows Atlassian security guidelines

Input Validation:

  • All user inputs (review intervals, units, dates, account IDs) validated against Zod schemas before they are used or stored
  • Type-safe TypeScript interfaces shared between the UI and the backend functions
  • Values are constrained to expected types, ranges and formats, so an untrusted string is never interpreted as code, a query or markup
  • Stored values are validated on both write and read, so a content property that was edited outside the app is not trusted blindly

Error Handling:

  • Errors logged without page content, credentials or other sensitive information
  • User-friendly error messages that do not reveal internal details
  • Retry logic with exponential backoff for rate-limited (HTTP 429) and transient Confluence API failures, so the app does not hammer the API when it is already struggling (a resilience measure, not an anti-abuse control)
  • Graceful degradation on failures
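The retry behaviour described in the Error Handling list above, as an added example (this is not Doc Review Manager's own code). It shows full-jitter exponential backoff that honours a Retry-After header and only retries status codes that can plausibly clear on their own; the retryable status set, the base and cap delays, and the constructed stand-in endpoint are assumptions for illustration.

```javascript
// Added example (not Doc Review Manager's own code): a retry wrapper for
// Confluence REST calls made from a Forge function. Exponential backoff with
// jitter is a resilience measure against rate limiting (HTTP 429) and transient
// failures; it does nothing to prevent abuse of the app itself.

const RETRYABLE_STATUSES = new Set([429, 500, 502, 503, 504]); // assumed set

// Only retry responses that are plausibly transient; a 403 or 404 will not
// improve by waiting, and retrying it would only add noise to the logs.
function isRetryable(status) {
  return RETRYABLE_STATUSES.has(status);
}

// "Full jitter" backoff: a uniform delay in [0, min(capMs, baseMs * 2^attempt)).
// `rand` is injectable so the behaviour can be tested deterministically.
function backoffDelayMs(attempt, { baseMs = 200, capMs = 5000, rand = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

// On 429 the server may say how long to wait; honour Retry-After (seconds)
// when it parses as a non-negative number, still bounded by capMs.
function delayFor(attempt, response, opts = {}) {
  const header =
    response && response.headers && typeof response.headers.get === "function"
      ? response.headers.get("retry-after")
      : null;
  const seconds = header === null || header === undefined ? NaN : Number(header);
  if (Number.isFinite(seconds) && seconds >= 0) {
    return Math.min(seconds * 1000, opts.capMs ?? 5000);
  }
  return backoffDelayMs(attempt, opts);
}

// doRequest: () => Promise<{ ok, status, headers }> (the shape returned by
// Forge's requestConfluence). Returns the last response and never throws on an
// HTTP status, so the caller decides how to degrade.
async function withRetry(doRequest, options = {}) {
  const { maxAttempts = 4, sleep = (ms) => new Promise((r) => setTimeout(r, ms)), ...opts } = options;
  for (let attempt = 0; ; attempt++) {
    const res = await doRequest();
    if (res.ok || !isRetryable(res.status) || attempt + 1 >= maxAttempts) {
      return res;
    }
    await sleep(delayFor(attempt, res, opts));
  }
}

// Inside a Forge function the call would look like (needs @forge/api):
//   withRetry(() => api.asApp().requestConfluence(route`/wiki/api/v2/pages/${pageId}/properties`))

// Constructed stand-in for a Confluence endpoint that rate-limits `failures`
// times and then succeeds, so the wrapper can be exercised without a network.
function makeFlakyEndpoint(failures) {
  let calls = 0;
  return {
    calls: () => calls,
    request: async () => {
      calls += 1;
      if (calls <= failures) {
        return { ok: false, status: 429, headers: { get: () => null } };
      }
      return { ok: true, status: 200, headers: { get: () => null } };
    },
  };
}
```

Bounding the wait by capMs even when Retry-After is present matters in a scheduled job: a single page that keeps returning a large Retry-After must not stall the whole reminder run.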

API Security:

  • Minimum required permission scopes
  • Scope-based access control
  • No overly broad permissions requested
  • Regular permission audits

Permissions and Scopes

Required Permissions

The app requires the following Confluence API scopes:

Scope                              Purpose                     Justification
read:confluence-content.all        Read page metadata          Scan pages for review tracking
read:confluence-content.summary    Read page summaries         Display page information in dashboard
write:confluence-content           Update page properties      Store review metadata
read:confluence-props              Read content properties     Retrieve review schedules
write:confluence-props             Write content properties    Save review schedules
read:user:confluence               Read user profiles          Display reviewer names
read:comment:confluence            Read comments               Verify reminder comments
write:comment:confluence           Create comments             Post reminder notifications
storage:app                        App-level storage           Store global settings

The App Does Not Write To:

  • Page content or body (note that write:confluence-content is a broad scope that would also permit body edits; the app requests it only to update page properties and never changes page text)
  • User accounts or profiles
  • Space settings or configuration
  • System settings

External Network Access

The app is configured to communicate only with:

  • *.atlassian.com (Confluence and Forge APIs)

No connections to:

  • External analytics services
  • Third-party APIs
  • External databases
  • Marketing or tracking platforms
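How the two claims above (the scope list and the absence of external network access) are expressed in a Forge app, as an added illustration rather than the app's actual manifest.yml. The scopes are the ones listed in this statement; the module definitions and app id that a real manifest also carries are omitted, and the commented-out `external` block shows where egress would have to be declared if the app had any.

```yaml
# Illustrative Forge manifest excerpt (constructed for this statement, not the
# app's real manifest.yml). A reviewer checks two things here: the scope list,
# and that there is no permissions.external block, because without one the Forge
# runtime refuses fetch() to any host outside Atlassian.
permissions:
  scopes:
    - read:confluence-content.all
    - read:confluence-content.summary
    - write:confluence-content
    - read:confluence-props
    - write:confluence-props
    - read:user:confluence
    - read:comment:confluence
    - write:comment:confluence
    - storage:app
  # Egress, if the app needed it, would be declared like this and would show up
  # on the Marketplace listing's permissions; its absence is the control.
  # external:
  #   fetch:
  #     backend:
  #       - 'https://api.example.com'
```

`forge lint`, which the statement lists under automated monitoring, flags scopes that the code does not use, so the manifest and the table above should stay identical release to release.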

Data Privacy and Protection

What We Store

Page-Level Data (Content Properties):

  • Review schedule configuration (interval, unit)
  • Next review date (ISO 8601 timestamp)
  • Review owner (Atlassian account ID only)
  • Review history (max 10 entries: dates, reviewer IDs, versions)
  • Reminder tracking (dates and types of reminders sent)

Application-Level Data (Forge Storage):

  • Global reminder settings (thresholds, enabled status)
  • Default review interval preferences
  • Job execution statistics (timestamps, counts)

What We Don't Store

  • ❌ Page content or text
  • ❌ User passwords or credentials
  • ❌ Personal information beyond Atlassian account IDs
  • ❌ Email addresses
  • ❌ IP addresses
  • ❌ Session data or cookies
  • ❌ Usage analytics or telemetry

Data Minimization

We follow the principle of data minimization:

  • Only collect data necessary for functionality
  • Store account IDs, not personally identifiable information
  • Limit review history to 10 most recent entries
  • Automatic cleanup when pages are deleted
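A concrete form of the Input Validation, What We Store and Data Minimization points above, as an added example that is not Doc Review Manager's own code. The app uses Zod schemas and TypeScript; this dependency-free checker enforces the same documented constraints (positive interval, known unit, ISO 8601 date, Atlassian account ID only, at most 10 history entries, unknown keys dropped) so it runs under plain Node. The property field names, the unit and reminder-type vocabularies, the 3650-day ceiling and the account ID pattern are assumptions.

```javascript
// Added example (not Doc Review Manager's own code): a dependency-free checker
// for the page-level review property described above, standing in for the
// app's Zod schema. Field names and vocabularies below are assumptions.

const MAX_HISTORY = 10;
const UNITS = new Set(["days", "weeks", "months"]);             // assumed
const REMINDER_TYPES = new Set(["upcoming", "due", "overdue"]);  // assumed
const ISO_UTC_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?Z$/;
// Atlassian account IDs are opaque; the two shapes below (24 hex chars, or
// "<prefix>:<uuid>") are an approximation. A name or e-mail address must be
// rejected: the statement promises that only account IDs are stored.
const ACCOUNT_ID_RE =
  /^(?:[0-9a-f]{24}|\d+:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

const isIsoUtc = (s) => typeof s === "string" && ISO_UTC_RE.test(s) && !Number.isNaN(Date.parse(s));
const isAccountId = (s) => typeof s === "string" && ACCOUNT_ID_RE.test(s);
const isPosInt = (n) => Number.isInteger(n) && n > 0;

// Keep only the newest MAX_HISTORY entries (data minimisation).
function capHistory(history) {
  return [...history].sort((a, b) => Date.parse(b.date) - Date.parse(a.date)).slice(0, MAX_HISTORY);
}

// Validates a raw property value (which may have been edited outside the app
// through the content properties API) and returns { ok: true, value } with an
// allow-listed, normalised copy, or { ok: false, errors }. Unknown keys are
// dropped rather than passed through, so smuggled PII never gets re-stored.
function validateReviewProperty(raw) {
  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
    return { ok: false, errors: ["property value is not an object"] };
  }
  const errors = [];
  if (!isPosInt(raw.interval) || raw.interval > 3650) errors.push("interval: positive integer up to 3650 required");
  if (!UNITS.has(raw.unit)) errors.push(`unit: expected one of ${[...UNITS].join(", ")}`);
  if (!isIsoUtc(raw.nextReviewDate)) errors.push("nextReviewDate: ISO 8601 UTC timestamp required");
  if (!isAccountId(raw.owner)) errors.push("owner: Atlassian account ID required (not a name or e-mail)");

  const history = Array.isArray(raw.history) ? raw.history : [];
  const cleanHistory = history.map((e, i) => {
    if (!e || typeof e !== "object") { errors.push(`history[${i}]: not an object`); return null; }
    if (!isIsoUtc(e.date)) errors.push(`history[${i}].date: ISO 8601 UTC timestamp required`);
    if (!isAccountId(e.reviewerId)) errors.push(`history[${i}].reviewerId: account ID required`);
    if (!isPosInt(e.version)) errors.push(`history[${i}].version: positive integer required`);
    return { date: e.date, reviewerId: e.reviewerId, version: e.version };
  }).filter(Boolean);

  const reminders = Array.isArray(raw.reminders) ? raw.reminders : [];
  const cleanReminders = reminders.map((r, i) => {
    if (!r || typeof r !== "object") { errors.push(`reminders[${i}]: not an object`); return null; }
    if (!isIsoUtc(r.sentAt)) errors.push(`reminders[${i}].sentAt: ISO 8601 UTC timestamp required`);
    if (!REMINDER_TYPES.has(r.type)) errors.push(`reminders[${i}].type: unknown reminder type`);
    return { sentAt: r.sentAt, type: r.type };
  }).filter(Boolean);

  if (errors.length > 0) return { ok: false, errors };
  return {
    ok: true,
    value: {
      interval: raw.interval, unit: raw.unit, nextReviewDate: raw.nextReviewDate, owner: raw.owner,
      history: capHistory(cleanHistory), reminders: cleanReminders,
    },
  };
}

// Next review date after a confirmed review, in UTC. Month arithmetic clamps to
// the last day of the target month instead of letting "31 January + 1 month"
// roll over into March.
function nextReviewDate(fromIso, interval, unit) {
  const d = new Date(fromIso);
  if (unit === "days") d.setUTCDate(d.getUTCDate() + interval);
  else if (unit === "weeks") d.setUTCDate(d.getUTCDate() + 7 * interval);
  else if (unit === "months") {
    const day = d.getUTCDate();
    d.setUTCDate(1);
    d.setUTCMonth(d.getUTCMonth() + interval);
    const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
    d.setUTCDate(Math.min(day, lastDay));
  } else throw new Error(`unknown unit: ${unit}`);
  return d.toISOString();
}

// Constructed sample values: a well-formed property carrying a smuggled e-mail
// field (dropped on normalisation) and a copy whose owner is not an account ID.
const SAMPLE_OK = {
  interval: 90, unit: "days", nextReviewDate: "2026-02-01T00:00:00.000Z",
  owner: "5b10ac8d82e05b22cc7d4ef5",
  history: [{ date: "2025-11-03T09:15:00.000Z", reviewerId: "5b10ac8d82e05b22cc7d4ef5", version: 7 }],
  reminders: [],
  email: "reviewer@example.com",
};
const SAMPLE_BAD_OWNER = { ...SAMPLE_OK, owner: "reviewer@example.com" };
```

Validating on read as well as on write is what makes the "respects Confluence permissions" claim hold in practice: anyone who can edit the page can also edit its content properties through the REST API, so the app must treat a stored property as untrusted input, not as its own state.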

Vulnerability Management

Security Updates

Dependency Management:

  • Regular updates to npm packages
  • Automated dependency vulnerability scanning
  • Prompt patching of known vulnerabilities
  • Use of stable, maintained libraries only

Forge Platform Updates:

  • Automatic platform security patches from Atlassian
  • Runtime environment automatically updated
  • No infrastructure maintenance required

Vulnerability Disclosure

If you discover a security vulnerability:

Please Report To:

Please Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Our Commitment:

  • Acknowledge receipt within 48 hours
  • Investigate and respond within 5 business days
  • Fix critical vulnerabilities within 30 days
  • Provide updates on resolution progress

Responsible Disclosure:

  • Please allow us reasonable time to fix issues before public disclosure
  • We will credit security researchers (with permission)
  • No legal action for good-faith security research

Compliance and Certifications

Platform Compliance

The app inherits compliance from Atlassian Forge:

  • SOC 2 Type II - Security and availability controls
  • ISO 27001 - Information security management
  • ISO 27018 - Cloud privacy protection
  • ISO 27017 - Cloud security controls

Privacy Compliance

  • GDPR - EU General Data Protection Regulation
  • CCPA - California Consumer Privacy Act
  • EU-US data transfers - note that the Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020 and no longer provides a lawful transfer basis; rely on the transfer mechanism Atlassian currently documents for your tenant (standard contractual clauses or the EU-US Data Privacy Framework) rather than Privacy Shield
  • Australian Privacy Principles

Security Standards

  • TLS 1.2+ - Encrypted data transmission
  • OAuth 2.0 - Secure authentication
  • Principle of Least Privilege - Minimal permissions
  • Defense in Depth - Multiple security layers

Incident Response

Security Incident Protocol

In the event of a security incident:

Detection:

  • Monitor app errors and anomalies
  • Review Atlassian security advisories
  • Track dependency vulnerabilities

Response:

  1. Assess scope and impact
  2. Contain the incident
  3. Notify affected users (if applicable)
  4. Implement fixes
  5. Deploy updates
  6. Conduct post-incident review

Notification:

  • Critical incidents: Notify within 24 hours
  • Major incidents: Notify within 72 hours
  • Updates posted to Marketplace listing
  • Direct communication for data breaches

Data Breach Response

If personal data is compromised:

  • Immediate investigation and containment
  • Notification to affected users within 72 hours
  • Notification to regulatory authorities (if required)
  • Remediation and prevention measures
  • Transparent communication of impact and actions

Security Best Practices for Users

Administrator Recommendations

Installation:

  • ✅ Install only from official Atlassian Marketplace
  • ✅ Review permissions before installation
  • ✅ Test in non-production environment first
  • ✅ Review security and privacy documentation

Configuration:

  • ✅ Grant access only to authorized users
  • ✅ Regularly review reminder settings
  • ✅ Monitor job execution statistics
  • ✅ Remove app if no longer needed

Monitoring:

  • ✅ Review Confluence audit logs regularly
  • ✅ Monitor app update notifications
  • ✅ Check for unusual reminder activity
  • ✅ Verify reminder comments are legitimate

User Best Practices

For Page Owners:

  • Only enable review tracking on appropriate pages
  • Set reasonable review intervals
  • Confirm reviews only when actually completed
  • Report suspicious reminder comments

For Administrators:

  • Use Confluence permissions to control dashboard access
  • Regularly review tracked documents
  • Remove tracking from archived/obsolete pages
  • Keep global settings current

Third-Party Dependencies

Open Source Components

The app uses these vetted dependencies:

Package         Version     Purpose                    Security
@forge/api      ^6.1.5      Forge platform API         Atlassian-maintained
@forge/react    ^11.6.0     UI framework (UI Kit 2)    Atlassian-maintained
react           ^18.2.0     UI library                 Meta-maintained, audited
zod             ^3.23.8     Schema validation          Well-maintained, audited
date-fns        ^3.0.0      Date manipulation          Well-maintained, audited
uuid            ^10.0.0     Unique ID generation       Well-maintained, audited

Dependency Security:

  • All dependencies from npm registry
  • Regular security audits via npm audit
  • Prompt updates for security patches
  • No dependencies with known critical vulnerabilities

No Third-Party Services

  • ✅ No external analytics (Google Analytics, etc.)
  • ✅ No external logging services
  • ✅ No CDN dependencies
  • ✅ No third-party authentication providers
  • ✅ No marketing or tracking pixels

Audit and Monitoring

Security Monitoring

Automated:

  • npm audit for dependency vulnerabilities
  • Forge lint for code quality and security
  • Atlassian platform security monitoring

Manual:

  • Code review before releases
  • Permission scope audits
  • API usage pattern reviews
  • Error log analysis

Audit Trail

Platform and Confluence Logs:

  • Forge function invocations and the app's own log output are recorded by Atlassian and are visible to the developer in the Forge developer console (forge logs); they are not part of the customer-facing Confluence audit log
  • API calls made by the app are recorded by Atlassian
  • App installation, upgrade and removal, and other admin actions, are recorded in the Confluence audit log
  • Reminder comments posted by the app are visible on the page like any other comment

App-Specific Logging:

  • Job execution timestamps
  • Reminder sending events
  • Error occurrences (without sensitive data)

Contact and Support

Security Contact

For security issues:

Security Updates

Stay informed about security updates:

  • Monitor Atlassian Marketplace listing for updates
  • Review release notes for security fixes
  • Subscribe to app update notifications
  • Follow Atlassian security advisories

Attestations

Developer Commitment

We commit to:

  • ✅ Following Atlassian security best practices
  • ✅ Promptly addressing security vulnerabilities
  • ✅ Transparent communication about security
  • ✅ Regular security reviews and updates
  • ✅ Responsible data handling
  • ✅ Compliance with privacy regulations

Limitations

What We Control:

  • App code and logic
  • Permission scope requests
  • Data storage patterns
  • Update deployment

What Atlassian Controls:

  • Platform infrastructure security
  • Data encryption at rest
  • Network security
  • Authentication and authorization
  • Data center physical security
  • SOC 2 / ISO compliance

Additional Resources

App Documentation:


Document Version: 1.0

Last Security Review: November 3, 2025

Next Scheduled Review: March 1, 2026

For questions about this security statement, contact: support@petabyte.de