Security Policy
Last updated: June 15, 2026
Synaps is a native Atlassian Forge app. It runs entirely on Atlassian's Forge platform and communicates only with Atlassian's own APIs - there are no vendor-operated servers in the path of your Atlassian data. Our security model is built on data minimization, least privilege, and defense in depth.
01. Security model
Synaps is built as a native Atlassian Forge app and runs inside Atlassian's managed cloud platform. It does not operate its own application servers or databases for customer data: the app's backend runs as Forge functions, its data is stored in Atlassian Forge storage, and it communicates only with Atlassian's first-party Jira and Confluence APIs.
Because no customer data leaves your Atlassian Cloud instance for vendor-controlled infrastructure, the attack surface we are responsible for is deliberately small. For exactly what data Synaps accesses, see our Privacy Policy.
02. Data protection and encryption
- In transit: all communication uses TLS (HTTPS). Forge enforces encrypted transport for app traffic.
- At rest: persistent data is stored in Atlassian Forge storage (KVS), encrypted at rest on Atlassian-managed AWS infrastructure.
- No external egress: the app manifest declares no outbound network destinations. Forge blocks any egress that is not explicitly declared, so app data is never sent to third-party servers - Synaps talks only to Atlassian's Jira and Confluence APIs.
- Data residency: storage follows your Atlassian Cloud instance region. Synaps does not move data elsewhere.
- Data minimization: Synaps reads only the fields it needs to build dependency maps, and does not read Jira issue descriptions, comments, or attachments. Cached lookups (such as ticket counts and user avatars) expire automatically, and stale entries are pruned.
03. Access control and authentication
- Authentication and authorization are handled by the Atlassian Forge platform. Synaps runs within your instance under Atlassian's identity controls.
- Data access goes through Atlassian's APIs. Wherever possible, requests are made on behalf of the signed-in user, honoring their existing Jira and Confluence permissions. A small number of metadata lookups (for example, resolving the display name of a project the user cannot browse) use app-level access limited to non-sensitive metadata.
- Least privilege: the app requests only the minimum Forge scopes required for its features.
- When you use the optional Confluence export, Synaps creates a page on your behalf using your Confluence permissions; it does not otherwise modify Confluence content.
- The vendor has no standing access to your data: because data stays within your Atlassian instance, Synaps staff cannot read your projects, issues, or pages.
04. Platform and infrastructure security
Synaps relies on the Atlassian Forge platform for infrastructure security, including tenant isolation, sandboxed function execution, egress controls on outbound calls, encrypted storage, and automatic platform patching.
Atlassian's cloud platform maintains independent, third-party security certifications (such as SOC 2 and ISO/IEC 27001) and undergoes regular audits. See the Atlassian Trust Center for current certifications and platform security details.
05. Secure development
- Source code is version-controlled, and changes are reviewed before release.
- User-supplied input is validated on the server, and Jira/Confluence query strings (JQL/CQL) are built only from validated, escaped values to prevent injection.
- Dependencies are audited for known vulnerabilities and updated promptly; high- and critical-severity advisories are treated as release blockers.
- The app uses no third-party API keys or secrets; authentication to Atlassian APIs is managed by the Forge platform, and no credentials are stored in source control.
- Automated tests and static type checking run as part of the development workflow.
- The app runs on a current, supported Forge runtime.
06. Vulnerability management
- We monitor and audit third-party dependencies for known vulnerabilities and update them promptly when issues are found.
- The Atlassian Forge platform - its runtime and underlying infrastructure - is patched and maintained by Atlassian, so the foundation the app runs on stays current without manual intervention.
- Reported and discovered vulnerabilities are triaged by severity and remediated on a priority basis, with critical issues addressed as quickly as practicable.
07. Reporting a vulnerability
If you believe you have found a security vulnerability in Synaps, please report it to us at [email protected] with enough detail to reproduce the issue.
We ask that you give us a reasonable opportunity to investigate and fix the issue before any public disclosure, and that you avoid accessing or modifying other users' data while testing. We will acknowledge your report within 5 business days, keep you informed of our progress, and credit you once the issue is resolved if you wish.
08. Incident response
If a security incident occurs, our process is to identify and contain the issue, assess its scope and impact, remediate the root cause, and review what happened to prevent recurrence.
If an incident affects customer data, we will notify affected customers and, where required, Atlassian and the relevant supervisory authorities, in line with Atlassian Marketplace requirements and applicable law (including GDPR breach-notification timelines where they apply). Because Synaps holds no customer data outside your Atlassian instance, the impact of a vendor-side incident is inherently limited.
09. Third-party providers
Synaps relies on a single provider: Atlassian, which hosts the Forge platform and stores the app's data within your Atlassian Cloud instance. The app introduces no other sub-processors for your data. See our Privacy Policy for how data is handled.
10. Changes to this policy
We may update this Security Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. In the event of material changes, we will notify users via the Atlassian Marketplace listing. We encourage you to review this policy periodically.
11. Contact
For security questions or to report an issue, contact us at [email protected].