GrafanaSight Security Policy
Platform Controls
GrafanaSight runs on Atlassian Forge runtime and storage services. The app manifest uses least-privilege scopes for app storage and Confluence page reads.
GrafanaSight follows Flowdence’s company security baseline for access review, incident response, vulnerability management, dependency review, and business continuity.
External Connectivity
Backend egress is limited to customer Grafana Cloud tenants matching https://*.grafana.net.
Customer Grafana Cloud tenants are customer-configured upstream systems. Flowdence maintains the Forge app manifest and egress configuration for GrafanaSight; customers and Grafana maintain their own Grafana domains, certificates, access controls, and Grafana-hosted data.
Credential Protection
Grafana service account tokens are stored with Forge secret storage. Tokens are used only for customer-requested Grafana API and render operations.
License Protection
Production paid features require an active Atlassian Marketplace license. Runtime guards protect macros, refresh, scheduled sync, Rovo actions, and data access.
Vulnerability Reporting
Report suspected vulnerabilities through https://flowdence.io/support and include affected app, tenant, space, timestamp, and sanitized reproduction steps.
Flowdence triages GrafanaSight vulnerabilities according to the Flowdence vulnerability management process and follows Atlassian Marketplace notification guidance when a security incident or critical vulnerability requires notification.