# Security statement for Confluence AI Hygiene
This page describes the current security posture for AI Readiness & Content Hygiene Inspector for Confluence. It is intentionally specific and tied to the current Forge-based implementation.
## Security Architecture
- The app runs entirely on Atlassian Forge.
- The current app runtime does not use external servers, external databases, or external network egress.
- App state is stored in Forge hosted storage only.
- Interactive product access runs in user context.
- Background continuation uses the Forge app user for documented scan reads, while Confluence permissions and restrictions still apply.
## Scopes And Access Model
The app is designed around least-privilege scopes that match the current product behavior.
| Scope | Why it is needed |
|---|---|
| storage:app | Store policy settings, scan state, checkpoints, findings, and review decisions. |
| read:space:confluence | Verify the current space context and confirm the initiating user can administer that space. |
| read:page:confluence | Read page bodies, metadata, and labels needed to score stale, thin, placeholder-like, or otherwise low-trust content. |
| write:confluence-content | Apply or remove the `rovo-ignore` label when an admin chooses to manage a page that way. |
## Logging And Operational Data
The app's current public security position is that it does not log page bodies, credentials, secrets, or unnecessary personal data.
Logs may contain operational metadata such as scan identifiers, space keys, error codes, retry behavior, and similar runtime events needed for troubleshooting and security review.
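As an added illustration of the logging policy above (example code written for this page, not CodeTailor's own implementation), the following Forge-style helper emits only an allow-list of operational fields and drops or truncates everything else, so a page body or a credential passed into a log call cannot reach the logs by accident. The field names, the allow-list, and the 200-character limit are assumptions chosen for the example.

```javascript
// Added example, not the app's code. Demonstrates allow-list logging for a
// Forge function: only known operational fields are written, everything else
// is dropped, and any oversized string is replaced with a length marker so that
// page content cannot leak through an otherwise allowed field.

// Operational fields that are useful for troubleshooting (assumed names).
const ALLOWED_FIELDS = new Set(['event', 'scanId', 'spaceKey', 'errorCode', 'attempt']);

// Keys that must never be logged even if someone adds them to the allow-list.
const SENSITIVE_KEY_PATTERN = /(token|secret|password|authorization|cookie|body)/i;

// Any string longer than this is treated as content, not metadata (assumed limit).
const MAX_VALUE_LENGTH = 200;

function sanitizeValue(value) {
  if (typeof value === 'string' && value.length > MAX_VALUE_LENGTH) {
    return `[redacted:len=${value.length}]`;
  }
  // Nested objects are not walked; they are summarised to their type only.
  if (value !== null && typeof value === 'object') {
    return `[${Array.isArray(value) ? 'array' : 'object'} omitted]`;
  }
  return value;
}

// Returns a new object containing only allowed, sanitised fields plus a count
// of how many input fields were dropped (the count, not their names or values).
function sanitizeLogEvent(event) {
  const safe = {};
  let dropped = 0;
  for (const [key, value] of Object.entries(event)) {
    if (ALLOWED_FIELDS.has(key) && !SENSITIVE_KEY_PATTERN.test(key)) {
      safe[key] = sanitizeValue(value);
    } else {
      dropped += 1;
    }
  }
  if (dropped > 0) {
    safe.droppedFields = dropped;
  }
  return safe;
}

// Writes the sanitised event as one JSON line. In a Forge function console.log
// goes to the app's logs; the sink is injectable so it can be tested offline.
function logEvent(event, sink = console.log) {
  const safe = sanitizeLogEvent(event);
  sink(JSON.stringify(safe));
  return safe;
}

// Constructed sample event mixing operational metadata with material that the
// policy says must not be logged (a page body and an Authorization header).
const sampleEvent = {
  event: 'scan.page.error',
  scanId: 'scan-0001',
  spaceKey: 'DOCS',
  errorCode: 'RATE_LIMITED',
  attempt: 2,
  body: '<p>Full page body that must never appear in logs</p>',
  authorization: 'Bearer example-token',
  pageTitle: 'Draft: quarterly plan',
};

logEvent(sampleEvent);
```

Running the block prints a single line with only `event`, `scanId`, `spaceKey`, `errorCode`, `attempt` and `droppedFields: 3`; the body, the header and the title never reach the sink. The key point of the design is that the decision is made by allow-list, not by a deny-list of sensitive names, so a new field is silent by default until someone deliberately classifies it as operational.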
## Storage And Retention
App state is stored in Forge hosted storage. The current implementation applies a 30-day TTL to scan artifacts and findings. Policy settings and review decisions persist until changed or removed with installation data.
Post-uninstall storage lifecycle follows Atlassian Forge hosted-storage behavior rather than a separate vendor-run storage system.
## Vulnerability Management And Incidents
CodeTailor aims to align with Atlassian Marketplace security expectations for vulnerability triage and remediation timing.
If a security incident is identified, the current policy is to investigate and contain it, notify Atlassian and affected customers when required, and remediate it as quickly as practical for the severity of the issue.
## Security Contact
Report suspected vulnerabilities to support@codetailor.com.
The same address is also the public contact path for support and privacy questions. Full support details are on the support page.