This document details the technical specifics of our security practices (encryption, backups, hosting, monitoring and access control). If you are looking for high-level commitments and responsibilities, please refer to the Security Policy. |
These practices are accurate on July 5th, 2025.
“App” means the cloud-based software application provided by us, including its user interface, underlying infrastructure, APIs, and associated services, through which Users access and manage requirement-related data and collaborate within integrated platforms such as Confluence.
“Data Residency” means a feature of the App that allows Customers to select the geographic region where their Application Data is hosted and stored. Data Residency applies exclusively to Application Data and does not extend to Support Data, License Data, or Website Analytics.
The app is deployed on Amazon AWS,
This app is integrated with Atlassian using the Atlassian Connect Spring Boot framework, with a Forge descriptor as required by Atlassian. It means, when the user interacts with Atlassian Confluence and Jira where the app is installed, Atlassian notifies the app of changes, the app downloads the relevant information, extracts the necessary information and stores it in AWS.
“Data Residency” supports 2 regions:
Default: The data is stored in Europe,
US: The data is stored in the USA.
The app is deployed in the AWS Region eu-west-1 (Ireland) for the default Data Residency, and in USA (North Virginia) for the US Data Residency,
The data is stored in AWS RDS, with encryption enabled, in the same AWS Region.
AWS RDS is configured with automatic backups and 30-day retention period. The backups are encrypted. There is no granularity: Restoring the data for all customers to a point in time would be easy, while restoring a subset or a single customer would be time-consuming.
Data in transit is encrypted in HTTPS over the worldwide internet, and TLS between the application servers and the database. The database is on a private subnet with no direct route from the worldwide internet to the database itself.
The logs are stored in AWS CloudWatch using encryption enabled,
The change events are stored in AWS CloudTrail,
Employees under confidentiality agreement can access the live data in the database, the live servers, and the backups.
The data that the app stores is subject to constant changes depending on features we develop. For the moment, the data is:
The key and body of requirements,
The keys and titles of Jira issues,
The page IDs, and sometimes the page titles and page body, specifically if there is an error and the support might need to investigate,
Data which the users create in the app, notably reports they create, transformation templates, etc.,
The userKey associated with changes, which is an anonymized identifier provided to us by Atlassian,
The clientKey, which is the key of the instance, and its URL,
License information provided by Atlassian,
We only retrieve information made accessible to us by Atlassian or edit information that Atlassian allows us to, and we don't recoup this information with other sources.
This information is subject to change in case of architectural change: if we decide to migrate the app to another provider, or if we decide to change databases inside of AWS, or if we decide to add/remove availability zones, or if we decide of another architecture. In any case, we will ensure that the data is encrypted at rest.
We may update this policy without notice, for the purposes of being more specific, reflecting a new practice or complying to legal requirements.
Change log:
July 5th 2025: Moved a section from the Privacy Policy to create this document.