Flowdence
Trust Center

Security, Privacy & Compliance

At Flowdence, we build enterprise-grade Atlassian plugins with security at the foundation. This Trust Center provides transparency into our security practices, data handling, compliance posture, and the controls that protect your data.

Atlassian Forge
Encrypted Storage
SOC 2 Ready
Marketplace Verified

Architecture & Security

Security by design

All Flowdence apps are built on Atlassian Forge, a serverless compute platform that runs inside Atlassian's infrastructure. Products that connect to MuleSoft or Grafana use declared customer-configured egress from Forge.

Atlassian Forge Platform

Forge is Atlassian's serverless app hosting platform. Apps run in sandboxed environments within Atlassian's infrastructure, while connected products use declared egress to customer systems. This means:

  • No Flowdence-operated external app servers
  • Customer-configured egress limited to declared integrations
  • Sandboxed execution with scoped permissions
  • Automatic scaling and availability managed by Atlassian

Data Handling

App configuration and cached app data are stored using Forge Key-Value Storage (KVS), which resides within Atlassian's infrastructure. Sensitive values are stored using encrypted storage.

  • Secrets stored with Forge encrypted KVS (kvs.setSecret)
  • No sensitive values logged; credentials are sent only to declared customer endpoints
  • Structured redacted logging for all operations
  • Data scoped to customer Atlassian site

Access Control & Permissions

Flowdence apps follow the principle of least privilege. Each app declares only the Confluence API scopes it needs, and enforces role-based access server-side.

  • Scoped Confluence API permissions (read/write only as needed)
  • Server-side space-admin authorization on mutation paths
  • Workflow ownership RBAC for managing configurations
  • Egress allow-listing for external API calls (MuleSight and GrafanaSight)

Transparency & Audit

We maintain comprehensive compliance documentation and are committed to transparent security practices. Our apps provide built-in audit capabilities.

  • SOC 2 readiness documentation and control mapping
  • Shared-responsibility model artifacts
  • Built-in audit trails for all approval actions
  • Marketplace security review on every release

Controls

Security controls

A summary of the controls in place across our products and development practices.

  • All app compute runs on Atlassian Forge (serverless, sandboxed)
  • No Flowdence-operated external app servers
  • Egress restricted to declared, customer-configured external endpoints
  • Automatic patching and runtime updates by Atlassian
  • Environment isolation between development and production

Subprocessors

Third-party vendors

A list of third-party vendors and subprocessors that Flowdence apps interact with. We minimize external dependencies by design.

Atlassian Pty Ltd

Forge hosting platform, Confluence APIs, Jira Service Management (support tickets)

SOC 2, ISO 27001, HIPAA, GDPR

MuleSoft (Salesforce)

External API calls for MuleSight only - Exchange, Runtime Manager, API Manager data retrieval (GET-only, read-only)

Egress restricted to anypoint.mulesoft.com

SOC 2, ISO 27001, GDPR

FAQ

Frequently asked questions