Security and privacy
General
External Share for Confluence is a secure solution developed by Warsaw Dynamics that stores only Atlassian licensing information and share link configurations on a dedicated server in Warsaw, Poland.
It follows OWASP guidelines and requires the following security scopes to access Confluence.
Act on a user's behalf, even when the user is offline
Delete data from the host application
Write data to the host application
Read data from the host application
External Share for Confluence provides tools and means to control access of both internal and external users, It does not share data with third parties (except Mailgun which is optional), and is regular maintained and updated to ensure security. The add-on is compliant with data privacy laws and regulations, ensuring that user data is kept secure and accessed only by authorized users.
Data Storage and Processing
The add-on stores share link configurations, space, and global share configurations, and a minimal amount of data required to provide the service. All data is located on a dedicated server in a data center in Warsaw, Poland, which is compliant with security and compliance standards provided by OVH Cloud.
The add-on does NOT store or cache Confluence page data. Instead, it requests page data from Confluence when a share link is accessed, processes it, and sends it to the web browser. This ensures that no sensitive data is ever stored on the add-on's server, providing an additional layer of security.
To learn more about how the configuration is stored you can refer to the following links:
Link options
Global space configuration
Space settings
User Access Control
The add-on allows Confluence users to create share links and then share them with external users. While this feature enables seamless collaboration between Confluence users and external collaborators, it also requires proper management and control of shared links to ensure data security.
The add-on provides tools and means to easily control access of both internal and external users.
Permission schemes and hierarchical security layers can be implemented to ensure that only authorized users (internal and external) have access to the shared links.
Email Functionality
The add-on provides an optional email functionality through Mailgun, a transactional email API service. However, users should use their own email server instead of Mailgun if they prefer.
This ensures that sensitive data is not transmitted through a third-party service, further improving the security of the add-on.
http://mailgun.com/
Third-Party Data Sharing
The add-on does not share data with any third parties, except for Mailgun (which is optional).
This means that all data is kept strictly within the user's control, providing an additional layer of security against potential data breaches.
Maintenance and Updates
As with any software, regular maintenance and updates are important to ensure that the add-on remains secure and functioning properly. It is recommended to keep the add-on up-to-date with the latest security patches and updates to ensure the highest level of security.
Privacy
The add-on should be used in compliance with data privacy laws and regulations. This includes ensuring that user data is kept secure and only accessed by authorized users. The add-on's strong focus on security and data protection means that users can rest assured that their data is safe and secure at all times.
In conclusion, "External Share for Confluence" add-on is a highly secure and reliable solution for sharing Confluence pages with external users. With a focus on data protection, user access control, and privacy, users can trust that their data is safe and secure at all times.
Security FAQ
Â
Subject | Question | Response | Further Comments |
Documentation and resources | Â |
| Â |
Admin Details | Software /Â App Name(s) | External Share for Confluence | Â |
Vendor Name | Warsaw Dynamics | Â | |
Vendor on Marketplace | |||
Vendor Head Office | Bluszczańska 34/12 |  | |
Bug Bounty Programs | Bugcrowd | Part of the initial invite-only Marketplace Apps Bugcrowd Program from Atlassian: https://developer.atlassian.com/platform/marketplace/marketplace-security-bug-bounty-program/ | |
Other programs we are part of | Cloud Fortified apps program | Atlassian Cloud Fortified Apps Program Cloud Fortified Apps is the program for a new designation of apps designed to serve our largest customers and those with more business-critical operating requirements when it comes to apps. For more information: https://developer.atlassian.com/platform/marketplace/cloud-fortified-apps-program/ | |
Development Practices | Development environment | Environments:
| Â |
Development process/philosophy | Agile / Kanban  |
| |
Main Development Tools used |
| Â | |
GIT Branching strategy | GitHub Flow Methodology | Â | |
Automated code Reviews | Yes |
| |
Test Management Platform | Zephyr Scale | Â | |
Code Review | Pull Request reviewed by Senior developer | Â | |
Release Quality Gates |
| Â | |
Supply Chain Vulnerability Monitoring |
| Â | |
Processes & Organization | Do you follow OWASP guidelines | Yes | Â |
Do you have a Security Vulnerability Communication Process | Yes | Â | |
Is logging available to capture user access activity? | Yes |
| |
Do you allow 3rd Party audits | No | Â | |
Have you had 3rd Party audits | No | Â | |
Has your company ever had a security vulnerability? | Yes | All communicated to us by responsible disclosure and verified & fixed within hours. | |
Have you provided notification to customers affected by severe or critical vulnerabilities | Yes | Â | |
Do you provide "Safe harbour" to security researches evaluating you product | Yes | Using the Bug Crowd program. | |
Does your organization maintain and update an incident response policy? | Yes | Â | |
Has your company ever experienced a security breach involving client data? | No | Â | |
Was notification provided to state agencies/law enforcement authorities? | N/A | Â | |
Do you store customer data? | No |
| |
Do you have Disaster Recovery plan | No |
| |
App specific Questions | What data does your app submit to you (Old Street Solutions)? | Â |
|
Does your App transfer any data to a 3rd party? | No | Â | |
Where is app hosted? | OVH data-center. Warsaw, Poland. | ||
Does your App need "Internet" access? | No for External Share for Confluence Server and Data Center | Â | |
Can you provide a "Pen" test report for your plugin? | N/A | Â | |
Are we allowed to Pen test your App on our instance? | Yes (notification required) | We will allow for pen tests, however it is important that you notify us upfront, as we can get false positive reports, and those can results in functionality limitations because of our proactive reactions. | |
Do you store any User passwords? | No | External user can create account in our service. We store salted and hashed password (Argon2) | |
Where does your App store it's configuration/data? |
| Â | |
How do you send emails? | We use Mailgun | ||
What Security Scopes to access our Confluence or Jira, do you require for the App to function? | "ACT_AS_USER","READ","WRITE","DELETE" | Â |