Security Policy

At Yamuno, the trust and security of our customers are our top priorities. We design our apps for the Atlassian Marketplace with a strong commitment to data privacy, secure architecture, and responsible development practices.

This security policy applies to all Yamuno applications distributed via the Atlassian Marketplace.


Data Handling and Storage

Atlassian Marketplace Apps

  • We do not store or process any End-User Data outside of Atlassian's infrastructure.
  • All content rendered or processed by our Atlassian apps remains within the Atlassian ecosystem.
  • Our apps are built on the Atlassian Forge platform, ensuring data stays within Atlassian's secure, managed infrastructure.

General Data Protection

  • No external servers are used to store, transmit, or cache user-generated content.
  • We do not log or collect any personally identifiable information (PII) or document content.
  • All data remains within the respective platform's secure environment.

Encryption Standards

  • In transit: All data is transmitted using TLS 1.2 or higher. Older protocol versions are not supported.
  • At rest: Data stored within Atlassian's infrastructure is encrypted using AES-256.
  • We do not operate any external storage or database infrastructure for app data.

Application Security

  • Our apps operate entirely within the Atlassian Forge sandbox environment.
  • We follow the principle of least privilege — our apps request only the permissions strictly necessary to function.
  • We do not integrate with or transmit data to unauthorized third-party services.
  • Authentication and authorization are managed entirely by Atlassian.
  • All production code undergoes peer code review before deployment.
  • We use automated dependency scanning to identify and address known vulnerabilities in third-party libraries.
  • All third-party dependencies are regularly audited for license compliance to ensure no intellectual property conflicts.

Secure Development Lifecycle (SDLC)

Our development process includes security at every stage:

  • Security requirements are defined at the start of each feature cycle
  • Code review is mandatory for all changes, including security-sensitive paths
  • Dependencies are regularly audited and updated to eliminate known CVEs
  • We do not store secrets, credentials, or API keys in source code
  • Releases follow a staged rollout process with automated testing

Data Residency and Compliance

Platform Compliance

  • Atlassian Apps: All processing occurs within Atlassian's cloud infrastructure, complying with Atlassian's data handling policies. Data residency follows your Atlassian Cloud instance settings.

Regulatory Compliance

  • Our apps are built in compliance with the Atlassian Marketplace Partner Agreement.
  • Data protection is managed by Atlassian in accordance with their compliance certifications (SOC 2, ISO 27001, GDPR, and others).
  • We follow industry best practices in secure development and deployment.

Certifications Roadmap

We are actively working toward SOC 2 Type II certification to meet the requirements of enterprise procurement and security reviews. Please contact us at [email protected] for our current security posture documentation or to complete a vendor security questionnaire.


Vulnerability Management

Severity SLAs

We follow a structured vulnerability response process based on severity:

Severity   Definition                               Target Remediation
Critical   Exploitable, potential data exposure     24 hours
High       Significant risk, likely exploitable     7 days
Medium     Moderate risk, limited exploitability    30 days
Low        Minimal risk, informational              90 days

  • We monitor for new CVEs in our dependencies on a continuous basis.
  • Security patches are prioritized above feature development for Critical and High issues.
  • We conduct periodic internal security reviews and penetration testing of our infrastructure and apps.

Incident Response

In the event of a security incident:

  1. We will assess and contain the incident as rapidly as possible.
  2. Affected customers will be notified within 72 hours of confirmed impact, in accordance with GDPR requirements.
  3. We will provide a post-incident summary including the nature of the issue, scope, and remediation steps taken.
  4. We cooperate fully with Atlassian's security team and relevant regulatory authorities as required.

Responsible Disclosure

If you believe you've found a security vulnerability in one of our apps, we encourage responsible disclosure. Please contact us at:

[email protected] or visit our Support Portal

Please include:

  • A detailed description of the vulnerability
  • Steps to reproduce (if applicable)
  • Any supporting materials (screenshots, logs, proof-of-concept)

We aim to acknowledge all reports within 48 hours and will keep you informed throughout our investigation. We will not take legal action against researchers who follow responsible disclosure guidelines.


Enterprise Security Inquiries

For enterprise customers requiring a security review, vendor questionnaire, or Data Processing Agreement, please contact:

[email protected]

We are happy to provide supporting documentation to assist with your procurement and compliance processes.


Last Updated: April 4, 2026