
In addition to the information below, please review the general Stiltsoft Europe Privacy Policy and the Table Filter, Charts & Spreadsheets app's Privacy and Data Collection Policy before using the app.

General questions

1. How do you audit the apps' security?

1.1. CAIQ-Lite

The CSA STAR CAIQ-Lite (self-assessment) questionnaire can be accessed on the Whistic platform by following the corresponding link; registration on the portal is required.

1.2. Bug Bounty

Table Filter, Charts & Spreadsheets for Confluence (Cloud, Data Center, Server) participates in the public Marketplace Bug Bounty Program. See https://bugcrowd.com/stiltsoft for more details.

2. Does the app have any certifications like SOC1, SOC2 Type 2, ISO 27001, PCI DSS compliance, Fidelity/E&O Insurance, FedRAMP?

The app doesn't have these certifications and audits.

3. Is the app impacted by CVE-2021-44228 (Apache Log4j2 vulnerability)?

The Table Filter, Charts & Spreadsheets for Confluence app is not impacted by CVE-2021-44228, the Apache Log4j2 vulnerability.

In the Server and Data Center versions of the app, we use the following logger shipped with Confluence:

org.slf4j.Logger

The Cloud version is not affected by this vulnerability because it is written in a different language and does not use Log4j2.

4. Is the app impacted by CVE-2022-22965 (Spring Framework vulnerability)?

The Table Filter, Charts & Spreadsheets for Confluence app is not affected by this vulnerability because the app doesn't use the Spring Framework.

About Table Filter, Charts & Spreadsheets for Confluence Cloud

1. Where is the app hosted? What options for Data Residency do we have?

The app is hosted in Amazon Web Services (AWS) in two regions:

  • US East (Northern Virginia) region (us-east-1)
  • Europe (Frankfurt) region (eu-central-1)

The app's region is automatically set in accordance with the region of the parent product after installing (reinstalling) the app.

2. What data does the app store on its server?

All the macros are embedded as iframes on Confluence pages. An iframe receives the table data inserted in the macro body directly from Confluence, without going through our server. Table data inserted in the app macros is transmitted through our server in the following cases:

All data transferred to and from the app server is encrypted using TLS 1.2 or higher. When working with the Table from CSV/JSON macros, the app uses AES-256 encryption to store data in the macro parameters on Confluence pages.

3. What authentication options are available?

The app uses JWT authentication for communication between the Atlassian host and the app server. Learn more about Atlassian Connect security.
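As an added illustration (not the app's or Atlassian's own code), the following shows how a Connect app server verifies the JWT that the Atlassian host attaches to a request: HS256 signature, issuer, expiry, and the qsh claim that binds the token to one HTTP method, path and query string. The shared secret, client key and URL are constructed sample values.

```python
# Added example, not the app's own code: verifying an Atlassian Connect JWT,
# including the qsh (query string hash) claim. Secret and issuer are constructed.
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, quote, urlsplit

SHARED_SECRET = b"constructed-shared-secret"  # delivered in the /installed lifecycle event
EXPECTED_ISS = "constructed-client-key"       # clientKey of the installing tenant

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_request(method: str, url: str) -> str:
    """METHOD&canonical-path&sorted-query, following the Connect qsh rules."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("jwt", None)                    # the token itself is never hashed
    enc = lambda s: quote(s, safe="")          # RFC 3986: only unreserved chars stay bare
    query = "&".join(f"{enc(k)}={','.join(sorted(enc(v) for v in vs))}"
                     for k, vs in sorted(params.items()))
    return f"{method.upper()}&{path}&{query}"

def compute_qsh(method: str, url: str) -> str:
    return hashlib.sha256(canonical_request(method, url).encode()).hexdigest()

def sign_jwt(claims: dict, secret: bytes) -> str:
    """HS256 JWT as the Atlassian host would issue it (used here to build samples)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_request(method: str, url: str, token: str, secret: bytes, now=None) -> bool:
    """True only if algorithm, signature, issuer, expiry and qsh all check out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return False                       # reject 'none' and algorithm confusion
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False
        claims = json.loads(b64url_decode(body))
        return (claims.get("iss") == EXPECTED_ISS and claims.get("exp", 0) > now
                and hmac.compare_digest(claims["qsh"], compute_qsh(method, url)))
    except (ValueError, TypeError, KeyError, AttributeError):
        return False
```

Because qsh covers the method, path and sorted query, a token captured for one request cannot be replayed against a different endpoint even before it expires.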

4. Does the app meet GDPR requirements?

We're committed to helping our customers and users understand and, where applicable, comply with the General Data Protection Regulation (GDPR). For this purpose, we suggest signing a Data Processing Agreement (DPA). A DPA is a contract between data controllers and data processors; its main purpose is to protect the user's data in compliance with the GDPR or any other privacy laws.

To request and sign a DPA, please contact our support at servicedesk@stiltsoft.com or via the Service Desk Portal.

5. Does the app have fixed individual IP addresses to make outgoing connections to customer services and Atlassian products APIs?

Outgoing connections from the app to Atlassian APIs, and from the Table from CSV and Table from JSON macros to customer servers, only ever originate from the following IP addresses (domain: stiltsoft.net):

Confluence location: Global and USA (AWS US East (Northern Virginia) Region)
  • 34.224.43.160
  • 54.235.153.229

Confluence location: Europe (AWS Europe (Frankfurt) Region)
  • 3.78.200.64
  • 52.57.27.108

6. What scopes and endpoints does the app use?

Backend (the app server side)

ACT_AS_USER

This scope retrieves data from Confluence under the requesting user's restrictions, so that the user gets only the data they are permitted to see.

This scope is used in a few cases when a user interacts with the app and the data is transferred through the app server:

Used endpoints:

GET /rest/api/content/${contentId}/history/${pageVersion}/macro/id/${macroId} (docs)
GET /rest/api/content (docs)
GET /rest/api/content/${contentId}/child/attachment?expand=children.attachment (docs)

READ

This scope is used to read the app system user ID and to read the app settings from its properties.

Used endpoints:

GET /rest/api/user/${accountId}/property/${key} (docs)
GET /rest/api/user/${accountId}/property (docs)
GET /rest/api/user/current/ (docs)

WRITE

This scope is used to write the app settings to the app system user properties.

Used endpoints:

DELETE /rest/api/user/${accountId}/property/${CONFIGURATION_KEY} (docs)
POST /rest/api/user/${accountId}/property/${CONFIGURATION_KEY} (docs)
PUT /rest/api/user/${accountId}/property/${CONFIGURATION_KEY} (docs)

Frontend (the app client side)

READ

This scope is used to read macro data, spreadsheet attachments, and metadata from the content and user properties.

Used endpoints:

GET /rest/api/search (docs)
GET /rest/api/content (docs)
GET /rest/api/content/search (docs)
GET /rest/api/content/${contentId} (docs)
GET /rest/api/content/${contentId}/child/page (docs)
GET /rest/api/content/${contentId}/descendant/page (docs)
GET /rest/api/content/${contentId}/version (docs)
GET /rest/api/content/${contentId}/history/${pageVersion}/macro/id/${macroId} (docs)
GET /rest/api/content/${contentId}/child/attachment (docs)
POST /rest/api/content/${contentId}/permission/check (docs)
POST /rest/api/contentbody/convert/export_view (docs)
POST /rest/api/contentbody/convert/async/export_view (docs)
GET /rest/api/contentbody/convert/async/${asyncId} (docs)
GET /rest/api/user (docs)
GET /rest/api/user/current (docs)
GET /rest/api/user/${userId}/property (docs)
GET /api/v2/attachments/${attachmentId}/properties (docs)
GET /api/v2/attachments/${attachmentId} (docs)
GET /api/v2/pages/${pageId}/attachments (docs)
GET /api/v2/blogposts/${blogpostId}/properties (docs)
GET /api/v2/blogposts/${blogpostId}/properties/${propertyId} (docs)
GET /api/v2/pages/${pageId}/properties (docs)
GET /api/v2/pages/${pageId}/properties/${propertyId} (docs)

WRITE

This scope is used to update macro parameters from the page view, store spreadsheet data as attachments on the page, and store metadata in the content and user properties.

Used endpoints:

PUT /rest/api/content/${contentId} (docs)
PUT /rest/api/content/${context.pageId}/child/attachment (docs)
POST /rest/api/template/page/${templateId}/instance (docs)
POST /rest/api/user/${userId}/property/${key} (docs)
POST /api/v2/attachments/${attachmentId}/properties (docs)
DELETE /api/v2/attachments/${attachmentId}/properties/${propertyId} (docs)
POST /api/v2/blogposts/${blogpostId}/properties (docs)
PUT /api/v2/blogposts/${blogpostId}/properties/${propertyId} (docs)
POST /api/v2/pages/${pageId}/properties (docs)
PUT /api/v2/pages/${pageId}/properties/${propertyId} (docs)

DELETE

This scope is used to keep the last 10 versions of the Spreadsheet attachment and delete the older ones when the Retain all spreadsheet revisions option is disabled.

Used endpoints:

DELETE /rest/api/content/${attachmentId}/version/${version} (docs)

About Table Filter, Charts & Spreadsheets for Confluence Data Center (Server)

1. What data does the app store on its server?

The Data Center (Server) version of the app runs inside the Confluence Java virtual machine (JVM) and uses the Confluence database. The app stores data either in that database or directly on Confluence pages. As Confluence is hosted on-premises, the customer is responsible for the Confluence infrastructure and settings. As the app's vendor, we are responsible for compatibility with Confluence and proper functioning of the app.

2. Does the app meet GDPR requirements?

When you use the Server or Data Center versions of the app, we don't access, collect, store or otherwise process your personal data, except in limited cases where such data is provided for incidental support services. Stiltsoft is neither a data processor nor a data controller under the GDPR for the personal data you choose to process with the help of the app. For more details, please see our Privacy and Data Collection Policy.