Security, Privacy & Compliance
At Flowdence, we build enterprise-grade Atlassian plugins with security at the foundation. This Trust Center provides transparency into our security practices, data handling, compliance posture, and the controls that protect your data.
Architecture & Security
Security by design
All Flowdence apps are built on Atlassian Forge, a serverless compute platform that runs inside Atlassian's infrastructure. This architecture provides strong security guarantees by default.
Atlassian Forge Platform
Forge is Atlassian's serverless app hosting platform. Apps run in sandboxed environments within Atlassian's infrastructure - not on our servers. This means:
- No customer data leaves Atlassian's cloud
- No external servers to manage or secure
- Sandboxed execution with scoped permissions
- Automatic scaling and availability managed by Atlassian
Data Handling
All app data is stored using Forge Key-Value Storage (KVS), which resides within Atlassian's infrastructure. Sensitive values are stored using encrypted storage.
- Secrets stored with Forge encrypted KVS (kvs.setSecret)
- No sensitive data logged or transmitted externally
- Structured redacted logging for all operations
- Data scoped to customer Atlassian site
Access Control & Permissions
Flowdence apps follow the principle of least privilege. Each app declares only the Confluence API scopes it needs, and enforces role-based access server-side.
- Scoped Confluence API permissions (read/write only as needed)
- Server-side space-admin authorization on mutation paths
- Workflow ownership RBAC for managing configurations
- Egress allow-listing for external API calls (MuleSight)
Transparency & Audit
We maintain comprehensive compliance documentation and are committed to transparent security practices. Our apps provide built-in audit capabilities.
- SOC 2 readiness documentation and control mapping
- Shared-responsibility model artifacts
- Built-in audit trails for all approval actions
- Marketplace security review on every release
Controls
Security controls
A summary of the controls in place across our products and development practices.
- All apps run on Atlassian Forge (serverless, sandboxed)
- No external servers or self-managed infrastructure
- Egress restricted to declared external endpoints
- Automatic patching and runtime updates by Atlassian
- Environment isolation between development and production
Subprocessors
Third-party vendors
A list of third-party vendors and subprocessors that Flowdence apps interact with. We minimize external dependencies by design.
Resources
Additional resources
Flowdence Documentation
Full product documentation including setup guides, feature walkthroughs, and troubleshooting.
Atlassian Forge Security
Learn about the security model of Atlassian Forge, the platform all Flowdence apps are built on.
Flowdence Blog
Read product updates, guides, and practical workflows from the Flowdence team.
Atlassian Marketplace - Flowdence
View our apps on the Atlassian Marketplace, including Privacy & Security tabs with data handling details.
Have a security question or need additional documentation?
support@flowdence.io
FAQ
Frequently asked questions
Flowdence does not operate its own servers. All our apps run on Atlassian Forge, a serverless platform hosted within Atlassian's infrastructure. Your data stays within Atlassian's cloud, which operates data centers globally with SOC 2, ISO 27001, and other certifications.