# Security & Privacy Policy

Application: HistoryPro for Confluence

Vendor: denlad

Last Updated: 07.02.2026

***

### 1. Introduction

This document outlines the security architecture, data handling practices, and privacy controls for the HistoryPro application. Our priority is to provide a secure, compliant, and transparent solution for version history management within the Atlassian ecosystem.

### 2. Infrastructure & Architecture

HistoryPro is built exclusively on Atlassian Forge, Atlassian’s serverless app development platform.

* Zero Infrastructure: We do not own, manage, or operate any external servers, databases, or cloud infrastructure (AWS, Azure, GCP).
* Data Residency: All application data and code reside strictly within the Atlassian Cloud environment. Data never leaves Atlassian's secure perimeter.
* Security Inheritance: The application inherits the industry-leading security, compliance, and availability standards of the Atlassian Cloud platform (SOC2, ISO 27001, GDPR).

### 3. Data Handling & Storage

#### 3.1. Data Storage

HistoryPro uses the Forge Storage API to persist configuration and history data. This data is encrypted at rest and in transit by Atlassian.

We strictly minimize data storage:

* Stored Data:
  * Confluence Page IDs.
  * User-generated changelog text.
  * Jira Issue Keys (e.g., PROJ-123).
  * Timestamps.
  * Atlassian Account IDs (accountId) of authors.
* NOT Stored (Computed on-the-fly):
  * User Names & Emails: We do not store Personally Identifiable Information (PII) like names or emails in our database. These are fetched in real-time via API to ensure data accuracy and privacy.
  * Jira Issue Details: We do not persistently store issue summaries or statuses. These are hydrated dynamically to reflect the current state of tasks.

#### 3.2. Data Egress

* No Third-Party Egress: HistoryPro does not transmit, sync, or back up any customer data to third-party services.
* Internal Processing: Data is only processed within the Atlassian Forge Lambda environment associated with your specific tenant.

### 4. GDPR & Privacy Compliance

#### 4.1. Role Definition

* Data Controller: The Customer (You). You retain ownership and control over all data created using HistoryPro.
* Data Processor: The Vendor (Us). We provide the software to process data on your behalf within your Atlassian instance.

#### 4.2. Data Subject Rights

* Right to Erasure (Right to be Forgotten): Since we store data directly attached to Confluence pages, deleting a history entry via the app interface permanently removes it from Forge Storage.
* Access Control: The app respects Confluence permissions. Users can only view history for pages they have access to.

### 5. Application Security

#### 5.1. Authentication & Authorization

HistoryPro relies entirely on Atlassian’s native authentication mechanisms:

* No separate passwords or credentials are managed by the app.
* API requests are authenticated via the user’s current Confluence session (asUser() context).

#### 5.2. Scopes & Permissions

The app requests the minimum set of permissions required to function ("Least Privilege Principle"):

* read:confluence-content: To detect page versions.
* read:jira-work: To fetch issue statuses.
* storage:app: To save history entries.
* write:jira-work: To create remote links between issues and pages.

#### 5.3. Software Development Lifecycle (SDLC)

* Code Reviews: All code changes undergo review before deployment.
* No Logging of PII: Application logging is configured to exclude sensitive user data and PII in the production environment.
* Dependency Management: We regularly update npm dependencies to patch known vulnerabilities.

### 6. Incident Management

In the unlikely event of a security breach or data leak:

1. Since data is hosted by Atlassian, we rely on Atlassian’s Incident Management framework.
2. If a vulnerability is discovered within the app logic, we will release a patch immediately.
3. We will notify affected customers via the Marketplace contact channel within 72 hours of confirming any critical security incident.

### 7. Contact Us

For security questions, vulnerability reports, or privacy inquiries, please contact our support team:

Email: <denlad.dev@gmail.com>

Marketplace Vendor Profile: <https://marketplace.atlassian.com/vendors/66455614/>

