The security of Stiltsoft Europe OÜ ("Stiltsoft", "we" or "our") customers' data is our highest priority, and we follow best practices to keep your data safe.

Overview

The Handy Macros for Confluence app (the "app") regularly undergoes checks for security vulnerabilities to raise the overall level of security for our customers.

We also use CAIQ-Lite as a baseline mechanism to express our security posture and to provide security control transparency. The completed CAIQ-Lite questionnaire can be obtained upon request to our support via the Whistic platform.

If you have questions or feedback regarding security in the app or would like to report a security vulnerability, please contact our support.

Secure development

We follow best practices and frameworks to ensure the highest level of security in our software:

  • Regular security training for developers to learn about common vulnerabilities and threats
  • Code review for security vulnerabilities
  • Regular update of the dependencies
  • Static Application Security Testing (SAST) to detect vulnerabilities in our codebase
  • Software Composition Analysis (SCA) tools to keep track of the open source components used in our applications

Employee Access to Customer Data

The app's team does not have access to user data. In cases where they have to access user data in order to perform support services or to respond to an incident, we will ask for your consent. Our employees connect to the infrastructure via secure communication channels with several levels of protection.

When working on a support issue, we access only the minimum data needed to resolve it.

Data Collection, Processing, and Retention

We collect some technical data, Confluence instance data, and user activity data. Such data is typically collected and generated through your interaction with us or our product. The data we collect does not include any personally identifiable information about you.

You can find out more about data collection and third-party subprocessors in the app's Privacy Policy.

General questions about Product Security

How do you audit the app's security?

CAIQ-Lite

Stiltsoft Europe has completed the Security Self-Assessment Program reviewed by Atlassian. We can share the completed CAIQ-Lite questionnaire on request via our support.

Bug Bounty

Handy Macros for Confluence (Cloud) participates in the public Marketplace Bug Bounty Program. See https://bugcrowd.com/stiltsoft for more details.

Is the app impacted by CVE-2021-44228 – Apache Log4j2 Vulnerability?

The Handy Macros for Confluence app is not impacted by CVE-2021-44228 – Apache Log4j2 Vulnerability.

We use the logback framework (logback.qos.ch) in all our JVM-based Cloud apps. This framework is not vulnerable to CVE-2021-44228.

In the Server and Data Center versions of the app, we use the following logger shipped with Confluence:

org.slf4j.Logger

You can find more information in our documentation.

Is the app impacted by CVE-2022-22965 – Spring Framework Vulnerability?

The Handy Macros for Confluence app is not affected by this vulnerability. The app uses neither the Spring Framework nor WAR deployment.

Security questions about Handy Macros for Confluence Cloud

Where is the app hosted?

The App hosts its infrastructure and data in Amazon Web Services (AWS) in the US East (Northern Virginia) region (us-east-1).

What options for Data Residency do we have?

The app doesn't support data residency.

What data does the app store on its server?

The app doesn't store personal data. The app stores only macro parameters and metadata on our servers (like Atlassian account UUID, status name, set name, etc.).

What encryption is used?

All data sent to or from Handy Macros for Confluence systems is encrypted in transit using 256-bit encryption. We maintain an A+ rating from Qualys SSL Labs.

All data stored by the app is located in an encrypted AWS RDS instance.

What authentication options are available?

The app uses JWT authentication. JWT authentication is used for communication between the Atlassian host and the app server. Learn more about Atlassian Connect security.
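The Atlassian Connect JWT exchange named above, as an added example that is not the app's own code: the host signs a token over a hash of the request (the qsh claim) with the per-tenant shared secret, and the app server must check the algorithm, signature, issuer, expiry and qsh before trusting the request. It assumes the app is served from the root path (so there is no context path to strip from the URL); the shared secret and client key are constructed values.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, quote, urlsplit

# Constructed values: in Connect the host issues the shared secret at install time
SHARED_SECRET = b"constructed-shared-secret"
CLIENT_KEY = "constructed-client-key"  # the host's clientKey, sent as the JWT "iss"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_request(method: str, url: str) -> str:
    """Connect canonical form: METHOD&path&sorted-query, with the jwt param excluded."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("jwt", None)
    query = "&".join(quote(k, safe="~") + "=" + ",".join(quote(v, safe="~") for v in sorted(vs))
                     for k, vs in sorted(params.items()))
    return f"{method.upper()}&{parts.path.rstrip('/') or '/'}&{query}"

def qsh(method: str, url: str) -> str:
    """Query string hash: SHA-256 of the canonical request, hex encoded."""
    return hashlib.sha256(canonical_request(method, url).encode()).hexdigest()

def issue_token(method: str, url: str, now: int, ttl: int = 180) -> str:
    """Host side: sign iss/iat/exp/qsh with HS256 and the tenant's shared secret."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    claims = {"iss": CLIENT_KEY, "iat": now, "exp": now + ttl, "qsh": qsh(method, url)}
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, method: str, url: str, now: int) -> dict:
    """App side: every check that must pass before a request is trusted; raises ValueError."""
    header_b64, claims_b64, sig_b64 = token.split(".")  # ValueError if not three parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    if header.get("alg") != "HS256":  # never accept "none" or a downgraded algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # the per-tenant secret also binds the token to the tenant
    if claims.get("iss") != CLIENT_KEY or int(claims.get("exp", 0)) <= now:
        raise ValueError("wrong issuer or expired token")
    if not hmac.compare_digest(str(claims.get("qsh", "")).encode(), qsh(method, url).encode()):
        raise ValueError("qsh mismatch")  # token was minted for a different method/path/query
    return claims
```

The qsh check is what stops a token captured for one request from being replayed against a different endpoint; the expiry check limits how long even the intended request can be replayed.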

Does the app meet GDPR requirements?

We're committed to helping our customers and users understand, and where applicable comply with, the General Data Protection Regulation (GDPR). For this purpose, we suggest signing a Data Processing Agreement (DPA). A DPA is a contract between data controllers and data processors; its main purpose is to protect users' data in compliance with the GDPR or any other privacy laws.

To request and sign a DPA, please contact our support.

Does the app have fixed IP addresses for outgoing connections to customer services and Atlassian product APIs?

Outgoing connections from the app to Atlassian APIs only ever originate from this IP address: 44.205.77.179

What scopes does the app use?

READ

  • GET /rest/api/content/search (docs) – we use this method to find Confluence pages for Handy Cards and Page Status Report
  • POST /rest/api/content/{id}/permission/check (docs) – we use this method to check the Confluence page view permission
  • GET /rest/api/content/{id}/history/{version}/macro/id/{macroId} (docs) – we use this method to fetch macro parameters while the user is configuring any of the app's macros
  • GET /rest/api/content/{id}/history/{version}/macro/id/{macroId}/convert/{to} (docs) – we use this method to fetch the rendered Excerpt Macro body for Handy Cards
  • GET /rest/api/content/{id}/restriction/byOperation/{operationKey}/user (docs) – we use this method to check that the app has read access to a page while the user is submitting a vote for Handy Poll
  • GET /rest/api/content/{id}/restriction (docs) – we use this method to ensure that our app has content view permission while the user is submitting a Handy Poll vote
  • GET /api/v2/blogposts (docs) – we use this method to find a Confluence blog post by spaceId / title (Handy Button)
  • GET /api/v2/blogposts/{id} (docs) – we use this method to fetch a Confluence blog post by Id (Handy Status, Handy Date, Handy Button, Handy Timestamp)
  • GET /api/v2/blogposts/{blogpost-id}/properties (docs) – we use this method to fetch stored app data
  • GET /api/v2/blogposts/{id}/attachments (docs) – we use this method to fetch attachment links for the Handy Cards macro
  • GET /api/v2/pages (docs) – we use this method to find a Confluence page by spaceId / title (Handy Button)
  • GET /api/v2/pages/{id} (docs) – we use this method to fetch a Confluence page by Id (Handy Status, Handy Date, Handy Button, Handy Timestamp)
  • GET /api/v2/pages/{page-id}/properties (docs) – we use this method to fetch stored app data
  • GET /api/v2/pages/{id}/attachments (docs) – we use this method to fetch attachment links for the Handy Cards macro
  • GET /api/v2/spaces (docs) – we use this method to fetch a Confluence Space by Key (Handy Button)
  • GET /api/v2/spaces/{id} (docs) – we use this method to fetch a Confluence Space by Id (Handy Button)
  • GET /rest/api/space/{spaceKey}/label (docs) – we use this method to fetch space labels for the label picker while the user is configuring the Handy Cards macro
  • GET /rest/api/search?cql (docs) – we use this method to fetch Confluence page details for the drop-down menu while the user is configuring the Handy Button macro
  • GET /rest/api/search/user (docs) – we use this method to show Confluence users in the user picker on the Page Status Report page and to fetch Confluence users related to the app for Handy Poll
  • GET /rest/api/user/current (docs) – we use this method to fetch information about the current user
  • GET /rest/api/user/bulk (docs) – we use this method to fetch information about users in order to show them in the Handy Status History
  • GET /rest/api/user/{userId}/property/{key} (docs) – we use this method to fetch user preferences
  • GET /rest/api/settings/systemInfo (docs) – we use this method to fetch the Confluence default time zone (Handy Timestamp)

WRITE

  • DELETE /rest/api/content/{contentId}/label?name= (docs) – we use this method to delete a label from a Confluence page while the user is changing Handy Status in page view mode
  • POST /rest/api/content/{contentId}/label (docs) – we use this method to add a label to a Confluence page while the user is changing Handy Status in page view mode
  • PUT /rest/api/content/{id}/restriction/byOperation/{operationKey}/user (docs) – we use this method to grant page read access to the app while the user is submitting a vote for Handy Poll
  • PUT /api/v2/blogposts/{id} (docs) – we use this method to update the Handy Status/Date macro parameters in page view mode
  • POST /api/v2/blogposts/{blogpost-id}/properties (docs) – we use this method to create the app's additional information in the Content Property
  • PUT /api/v2/blogposts/{blogpost-id}/properties/{property-id} (docs) – we use this method to update the app's additional information in the Content Property
  • DELETE /api/v2/blogposts/{blogpost-id}/properties/{property-id} (docs) – we use this method to delete a content property related to the Handy Page Status
  • PUT /api/v2/pages/{id} (docs) – we use this method to update the Handy Status/Date macro parameters in page view mode
  • POST /api/v2/pages/{page-id}/properties (docs) – we use this method to create the app's additional information in the Content Property
  • PUT /api/v2/pages/{page-id}/properties/{property-id} (docs) – we use this method to update the app's additional information in the Content Property
  • DELETE /api/v2/pages/{page-id}/properties/{property-id} (docs) – we use this method to delete a content property related to the Handy Page Status
  • POST /rest/api/space/{spaceKey}/label (docs) – we use this method to create a new label while the user is configuring the Handy Cards macro
  • POST /rest/api/user/{userId}/property/{key} (docs) – we use this method to create the app's additional information in the User Property
  • PUT /rest/api/user/{userId}/property/{key} (docs) – we use this method to update the app's additional information in the User Property

Security questions about Handy Macros for Confluence Data Center / Server

What data does the app store on its server?

The Data Center (Server) version of the app runs inside the Confluence Java virtual machine (JVM) and uses its database. The app stores data either in that database or directly on Confluence pages. As Confluence is hosted on-premises, the customer is responsible for the Confluence infrastructure and settings. As the app's vendor, we are responsible for compatibility with Confluence and for the proper functioning of the app. You can find more information on data collection in our Privacy Policy.

Does the app meet GDPR requirements?

When you use the Server or Data Center versions of the app, we don't access, collect, store or otherwise process your personal data, except in limited cases where such data is provided for incidental support services. Stiltsoft Europe is neither a data processor nor a data controller under the GDPR for the purposes of the personal data you choose to process with the help of the app. For more details, please see our Privacy Policy.