BoomiSight Security Policy
Last updated: 2026-06-02
Owner: BoomiSight Security
Applies to app: BoomiSight for Confluence
Review cadence: Quarterly and before Marketplace submission
Status: Publication-ready for Marketplace submission
Security Model
BoomiSight is an Atlassian Forge app. Atlassian hosts the app runtime, storage, and user interface surfaces. BoomiSight stores app configuration and cached operational data in Forge-managed storage, stores Boomi API tokens in Forge-managed secret storage, and sends configured Boomi API requests only to the Boomi REST API.
Controls
| Control | Implementation |
|---|---|
| Authentication | Forge invokes app functions in authenticated Atlassian contexts. |
| Authorization | Configuration saves and connection tests are exposed only through the Confluence space settings module, which Confluence limits to users who can administer the space. |
| Licensing | Paid product features check the Atlassian Marketplace license context before returning functionality. |
| Secret storage | Boomi API tokens are stored in Forge-managed secret storage and are not returned to the browser after saving. |
| Least privilege | App permissions are limited to storage and Confluence access needed by BoomiSight. |
| Egress | Backend fetch is limited to https://api.boomi.com. |
| Retry/backoff | Boomi API requests use bounded retry behavior for throttling and transient upstream failures. |
| Vulnerability management | CI runs lint, tests, forge lint, npm audit, and weekly CycloneDX SBOM generation. |
| Logging | Operational errors are logged with Boomi API tokens deliberately excluded from log output. |
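The egress, retry/backoff and logging rows above describe behaviour that is easy to get subtly wrong (retrying on every error, unbounded waits, credentials leaking into exception messages). The following is an added example, not BoomiSight's own code, showing one way to implement those three controls together in a Forge backend function: the target origin is re-checked in code as defence in depth behind the manifest's external fetch allowlist, only throttling and transient upstream statuses are retried, both the attempt count and the per-attempt delay are capped, and error messages carry status codes but never the token. `fetchImpl` and `sleepImpl` are injected so the logic runs offline with constructed responses; in a real Forge function you would pass `@forge/api`'s `fetch` and a timer. The Basic-auth header shape, the function names and the sample path are assumptions for illustration.

```javascript
// Added example, not BoomiSight's own code. Bounded retry with backoff for
// Boomi REST calls, plus an in-code egress check and token-free error messages.
// fetchImpl/sleepImpl are injected so this runs offline; in a Forge function you
// would pass @forge/api's fetch and a real timer (assumed, not shown here).

const BOOMI_ORIGIN = 'https://api.boomi.com';
const RETRYABLE_STATUS = new Set([429, 502, 503, 504]);

// Reject any target that is not the Boomi API origin before a request is built.
// The Forge manifest enforces this at the platform level; this is defence in depth.
function assertBoomiUrl(url) {
  const parsed = new URL(url);
  if (parsed.origin !== BOOMI_ORIGIN) {
    throw new Error(`egress blocked: ${parsed.origin} is not ${BOOMI_ORIGIN}`);
  }
  return parsed.toString();
}

// Delay before retry number `attempt` (0-based): honour a numeric Retry-After
// (seconds) when present, otherwise exponential backoff. Both paths are capped so
// a slow or hostile upstream cannot hold the function open until it times out.
function backoffMs(attempt, retryAfterHeader, baseMs = 500, capMs = 8000) {
  const retryAfter = Number(retryAfterHeader);
  if (Number.isFinite(retryAfter) && retryAfter > 0) {
    return Math.min(retryAfter * 1000, capMs);
  }
  return Math.min(baseMs * 2 ** attempt, capMs);
}

// GET with at most maxAttempts tries. Only 429 and transient 5xx are retried;
// any other status is returned to the caller unchanged. The thrown error carries
// attempt count and last status only, never the credential.
async function boomiGet(url, username, token, { fetchImpl, sleepImpl, maxAttempts = 4 }) {
  const target = assertBoomiUrl(url);
  // Assumed header shape: Boomi API tokens are presented as HTTP Basic credentials.
  const auth = 'Basic ' + Buffer.from(`${username}:${token}`).toString('base64');
  const statuses = [];
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await fetchImpl(target, {
      method: 'GET',
      headers: { Authorization: auth, Accept: 'application/json' },
    });
    statuses.push(res.status);
    if (!RETRYABLE_STATUS.has(res.status)) {
      return { status: res.status, statuses, body: res.body };
    }
    if (attempt < maxAttempts - 1) {
      await sleepImpl(backoffMs(attempt, res.headers.get('retry-after')));
    }
  }
  throw new Error(`Boomi request failed after ${statuses.length} attempts; last status ${statuses[statuses.length - 1]}`);
}

const SAMPLE_URL = 'https://api.boomi.com/api/rest/v1/acct-123/Atom/query'; // constructed path

// Constructed upstream: throttled once with Retry-After, one transient 503,
// then success. Returns the call result plus the delays the wrapper requested.
async function runDemo() {
  const script = [
    { status: 429, headers: new Map([['retry-after', '2']]), body: null },
    { status: 503, headers: new Map(), body: null },
    { status: 200, headers: new Map(), body: { numberOfResults: 1 } },
  ];
  const delays = [];
  const result = await boomiGet(SAMPLE_URL, 'BOOMI_TOKEN.user@example.com',
    'example-token-value', // constructed placeholder, not a real credential
    { fetchImpl: async () => script.shift(), sleepImpl: async (ms) => { delays.push(ms); } });
  return { ...result, delays };
}

// Constructed upstream that never recovers: the wrapper gives up after maxAttempts
// and the error message exposes status codes only.
async function runExhausted() {
  const delays = [];
  try {
    await boomiGet(SAMPLE_URL, 'BOOMI_TOKEN.user@example.com', 'example-token-value',
      { fetchImpl: async () => ({ status: 503, headers: new Map(), body: null }),
        sleepImpl: async (ms) => { delays.push(ms); } });
    return { gaveUp: false, delays, message: '' };
  } catch (err) {
    return { gaveUp: true, delays, message: err.message };
  }
}
```

With the constructed responses, `runDemo()` waits 2000 ms (from Retry-After) and then 1000 ms before succeeding on the third attempt, while `runExhausted()` sleeps 500, 1000 and 2000 ms and then fails after the fourth try. Note that `Map.get` is case-sensitive whereas a real `Headers` object is not; the wrapper reads the lower-case name so it works against both.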
Vulnerability Reporting
Report suspected security issues to [email protected]. Include the affected site, app surface, reproduction steps, and any relevant timestamps. Do not include secrets in the report.
Assurance Summary
| Area | Public assurance |
|---|---|
| Platform hosting | BoomiSight runs on Atlassian Forge, using Atlassian-managed runtime and storage services. |
| Customer credentials | Boomi API tokens are stored with Forge-managed secret storage and can be rotated or removed by customers through app configuration. |
| External data access | The app sends configured Boomi API requests to https://api.boomi.com and does not use a Flowdence-hosted backend for product data processing. |
| Access boundaries | Configuration and diagnostics are scoped to the Confluence space context where the app is configured. |
| Vulnerability management | Flowdence uses automated CI checks, dependency review, Forge validation, npm audit, and SBOM generation as part of release readiness. |
| Incident handling | Security reports are triaged through Flowdence support and security processes, with customer communication based on severity and impact. |