Security
EvidencePack runs entirely on Atlassian Forge. We do not operate any server, database, or service outside the Atlassian platform.
Trust posture at a glance
| Topic | EvidencePack's position |
|---|---|
| Where data lives | Atlassian Forge KVS, region-pinned to host site |
| Sub-processors | None |
| External egress | None (no external.fetch permissions) |
| Authentication | Atlassian Forge, asUser() — no separate tokens |
| Encryption at rest | Atlassian-managed AES-256 |
| Encryption in transit | TLS via Forge product-fetch API |
| Scopes requested | 5, least-privilege (see below) |
| Data residency | Inherited from host Atlassian site |
| Runs on Atlassian badge | Targeted at launch |
| Cloud Security Participant / Cloud Fortified | Roadmap (post first customers) |
Data we process
EvidencePack stores metadata only: issue keys, summaries, statuses, labels, timestamps, author / owner display names, and source URLs from Jira issues and Confluence pages that the customer has explicitly mapped to a control. We do not collect issue descriptions, comments, attachments, page bodies, page comments, or page attachments.
Scopes
| Scope | Why it's needed |
|---|---|
read:jira-work | Read Jira issue metadata for evidence collection via JQL |
write:jira-work | Create remediation Jira issues on user request |
read:confluence-content.summary | Read page title, version, author for Confluence search hits |
search:confluence | Run user-supplied CQL queries |
storage:app | Persist app configuration and run history in Forge KVS |
We deliberately do not request read:confluence-content.all (would allow page-body access), any administrative scope, or any external-fetch scope.
Vulnerability management
Runtime dependencies are limited to the @forge/* packages plus React, minimising third-party CVE surface. Each forge deploy -e production is automatically scanned by Atlassian's Ecoscanner; critical and high-severity findings are blocking and patched before re-release.
Reporting a vulnerability
Email security@evidencepack.axons.cc. We acknowledge within 2 business days and triage against CVSS. Critical findings trigger an immediate patch deploy and version bump.
Compliance
EvidencePack is a tool that helps customers collect evidence for SOC 2 and ISO 27001 audits. It does not certify your organisation. We are not currently SOC 2 or ISO 27001 certified ourselves; that is on the roadmap once we reach the scale that customers require it. SOC 2 is a service mark of the AICPA; ISO 27001 is a standard of the International Organization for Standardization.
Documentation
The full security model (data flow, scopes justification, deletion semantics) is published in the app's GitHub repository under docs/security/. Available on request — contact security@evidencepack.axons.cc.