The security of Stiltsoft Europe OÜ ("Stiltsoft", "we" or "our") customers' data is our highest priority, and we follow the best practices to keep your data safe.

Overview

The Handy Macros for Confluence app (the “app”) is regularly checked for security vulnerabilities to raise the overall security level for our customers.

We also use CAIQ-Lite as a baseline mechanism to express our security posture and to provide security control transparency. The completed CAIQ-Lite questionnaire can be obtained upon request to our support via the Whistic platform.

If you have questions or feedback regarding security in the app or would like to report a security vulnerability, please contact our support.

Secure development

We follow the best practices and frameworks to ensure the highest level of security in our software:

  • Regular security training for developers to learn about common vulnerabilities and threats
  • Code review for security vulnerabilities
  • Regular update of the dependencies
  • Static Application Security Testing (SAST) to detect vulnerabilities in our codebase
  • Software Composition Analysis (SCA) tools to keep track of the open source components used by our applications

Employee Access to Customer Data

The app’s team does not have access to user data. Where access is required to perform support services or to respond to an incident, we ask for your consent first. Our employees connect to the infrastructure over secure communication channels with several layers of protection.

When working on a support issue, we access only the minimum data needed to resolve it.

General questions about Product Security

How do you audit the app's security?

CAIQ-Lite

Stiltsoft Europe has completed the Security Self-Assessment Program reviewed by Atlassian. We can share the completed CAIQ-Lite questionnaire on request via our support.

Bug Bounty

Handy Macros for Confluence (Cloud) is participating in the public Marketplace Bug Bounty Program. See for more details: https://bugcrowd.com/stiltsoft.

Is the app impacted by CVE-2021-44228 – Apache Log4j2 Vulnerability?

The Handy Macros for Confluence app is not impacted by CVE-2021-44228 – Apache Log4j2 Vulnerability.

We use the Logback framework (ch.qos.logback) in all our JVM-based Cloud apps. Logback is a separate project from Apache Log4j 2 and does not contain the JNDI message lookup that CVE-2021-44228 exploits.

In the Server and Data Center versions of the app, we log through the SLF4J API shipped with Confluence:

org.slf4j.Logger

SLF4J is only a logging facade; the app bundles no logging implementation of its own. The backend that actually writes the log files is the one bundled with your Confluence installation, so it is covered by Atlassian's own advisories for Confluence rather than by this app.

You can find more information in our documentation.
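Because the Server and Data Center builds log through whatever backend Confluence bundles, an administrator may want to confirm which log4j-core version, if any, is present in their own installation. The following Python scanner is an added example, not the app's or Atlassian's code: it walks a directory of JARs, reads the version from log4j-core's Maven pom.properties, records whether the JndiLookup class is present, and classifies the version against the releases that fixed CVE-2021-44228 (2.15.0, and 2.12.2 / 2.3.1 on the older branches). The JARs it builds for the demonstration are constructed stand-ins containing only the entries the scanner looks at, not real artifacts.

```python
"""Scan JARs for log4j-core and classify each hit against CVE-2021-44228.
Added example code; the sample JARs written by build_sample_jars are constructed."""
import os
import re
import tempfile
import zipfile

# Maven metadata every official log4j-core JAR carries, and the lookup class
# whose JNDI resolution was the CVE-2021-44228 vector.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '2.0-beta9' fold to (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else (0, 0, 0)


def affected_by_44228(version):
    """True for log4j-core 2.x releases before the fix on their branch."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # 1.x has no JNDI message lookup; not in scope for this CVE
    if v[:2] == (2, 12):
        return v < (2, 12, 2)  # Java 7 branch
    if v[:2] == (2, 3):
        return v < (2, 3, 1)  # Java 6 branch
    return v < (2, 15, 0)


def scan_jars(root):
    """Return one finding per JAR under root that carries log4j-core metadata or the lookup class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    names = set(jar.namelist())
                    if POM_PROPS not in names and JNDI_CLASS not in names:
                        continue
                    version = "unknown"
                    if POM_PROPS in names:
                        for line in jar.read(POM_PROPS).decode().splitlines():
                            if line.startswith("version="):
                                version = line.split("=", 1)[1].strip()
                    findings.append({
                        "jar": path,
                        "version": version,
                        "jndi_lookup_present": JNDI_CLASS in names,
                        # None when the version could not be read: decide manually
                        "affected": affected_by_44228(version) if version != "unknown" else None,
                    })
            except zipfile.BadZipFile:
                continue  # not a real JAR; skip rather than abort the scan
    return findings


def build_sample_jars(directory):
    """Write constructed JARs (not real Log4j or Logback artifacts) to exercise the scanner."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic only; the scanner never loads it
    samples = {
        "log4j-core-2.14.1.jar": {POM_PROPS: "version=2.14.1\n", JNDI_CLASS: stub_class},
        "log4j-core-2.17.1.jar": {POM_PROPS: "version=2.17.1\n", JNDI_CLASS: stub_class},
        "logback-classic-1.2.11.jar": {"ch/qos/logback/classic/Logger.class": stub_class},
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(directory, name), "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)


def demo():
    """Build the constructed JARs in a temp dir and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jars(d)
        return {os.path.basename(f["jar"]): f for f in scan_jars(d)}


if __name__ == "__main__":
    for jar, finding in demo().items():
        print(jar, finding["version"], "affected" if finding["affected"] else "not affected")
```

Point scan_jars at the Confluence installation and home directories rather than the temp dir. Presence of JndiLookup.class by itself proves nothing: patched 2.x releases still ship the class with JNDI disabled by default, which is why the version decides. The scanner does not look inside JARs nested in other JARs (shaded or fat JARs), so a clean result from it is not a guarantee on its own.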

Is the app impacted by CVE-2022-22965 – Spring Framework Vulnerability?

The Handy Macros for Confluence app is not affected by this vulnerability. The app does not use the Spring Framework and is not deployed as a WAR, and the publicly reported exploitation path requires both.

Security questions about Handy Macros for Confluence Cloud

Where is the app hosted? 

The app hosts its infrastructure and data in Amazon Web Services (AWS) in the US East (Northern Virginia) region (us-east-1).

What options for Data Residency do we have?

The app doesn't support data residency.

What data does the app store on its server?

The app does not store personal data. It stores only macro parameters and metadata on our servers (such as the Atlassian account UUID, status name, set name, etc.).

What encryption is used?

All data sent to or from Handy Macros for Confluence systems is encrypted in transit with TLS using 256-bit cipher suites. We maintain an A+ rating from Qualys SSL Labs.

All data stored by the app resides in an AWS RDS instance with encryption at rest enabled.

What authentication options are available?

The app uses JWT authentication. JWT authentication is used for communication between the Atlassian host and the app server. Learn more about Atlassian Connect security.
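As an added illustration of the host-to-app authentication described above (example code, not the app's or Atlassian's own implementation), the following Python verifies an Atlassian Connect style JWT: the token is HS256-signed with the per-tenant shared secret received during the installation handshake, the iss claim carries the tenant's clientKey and selects which secret to verify with, and the qsh claim is a hash of the canonical request, which binds the token to one specific call so that a captured token cannot be replayed against another endpoint or method. The client key, shared secret and URL are constructed values.

```python
"""Verify an Atlassian Connect style JWT, including the query string hash (qsh).
Added example code; the tenant registry, secret and URLs below are constructed."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed tenant registry: clientKey -> sharedSecret, as an app would persist
# it after the 'installed' lifecycle callback. Secrets are per tenant, so the
# token's 'iss' claim decides which secret is used for verification.
TENANT_SECRETS = {"constructed-client-key": "constructed-shared-secret-do-not-reuse"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_qsh(method, url, context_path=""):
    """SHA-256 hex of 'METHOD&path&query' in Connect's canonical form: the host's
    context path removed, trailing slash dropped, parameters sorted by name, repeated
    values sorted and comma-joined, RFC 3986 percent-encoding, jwt parameter excluded."""
    parts = urlsplit(url)
    path = parts.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    path = path.rstrip("/") or "/"
    params = parse_qs(parts.query, keep_blank_values=True)
    params.pop("jwt", None)  # the token never contributes to its own hash
    query = "&".join(
        f"{quote(name, safe='~')}={','.join(quote(v, safe='~') for v in sorted(values))}"
        for name, values in sorted(params.items())
    )
    return hashlib.sha256(f"{method.upper()}&{path}&{query}".encode()).hexdigest()


def issue_token(client_key, secret, method, url, ttl=180, now=None):
    """Mint the token the host would send; included so the example runs stand-alone."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": client_key, "iat": now, "exp": now + ttl,
                                 "qsh": canonical_qsh(method, url)}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_token(token, secrets, method, url, now=None):
    """Return the claims of a valid token for this request; raise ValueError saying why otherwise."""
    now = int(time.time()) if now is None else now
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = pieces
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    claims = json.loads(_b64url_decode(c64))
    secret = secrets.get(claims.get("iss"))
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("qsh") != canonical_qsh(method, url):
        raise ValueError("qsh mismatch")  # a valid token replayed against another request
    return claims


def reject_reason(token, secrets, method, url, now=None):
    """None if the token verifies for this request, otherwise the rejection reason."""
    try:
        verify_token(token, secrets, method, url, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    url = "https://handy.example.invalid/rest/status?status=Done&page=42"
    tok = issue_token("constructed-client-key", TENANT_SECRETS["constructed-client-key"],
                      "GET", url, now=1_700_000_000)
    print(reject_reason(tok, TENANT_SECRETS, "GET", url, now=1_700_000_010))
    print(reject_reason(tok, TENANT_SECRETS, "GET", url.replace("42", "43"), now=1_700_000_010))
```

The order of checks matters: the algorithm is pinned before anything is trusted, the secret is looked up from the unverified iss claim only to select a key (a wrong guess just fails the signature check), and the qsh comparison comes last so a replayed token is rejected even though its signature and expiry are genuine.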

Does the app meet GDPR requirements?

We’re committed to helping our customers and users understand, and where applicable comply with, the General Data Protection Regulation (GDPR). For this purpose, we offer to sign a Data Processing Agreement (DPA), a contract between a data controller and a data processor whose purpose is to protect personal data in compliance with the GDPR and other applicable privacy laws.

To request and sign a DPA, please contact our support.

Does the app have fixed individual IP addresses to make outgoing connections to customer services and Atlassian products APIs?

Outgoing connections from the app to Atlassian APIs originate only from the following IP address: 44.205.77.179

What scopes does the app use?

READ

  • GET /rest/api/user?accountId=&expand=operations (docs)
  • GET /rest/api/content (docs)
  • POST /rest/api/content/{contentId}/permission/check (docs)
  • GET /rest/api/content/{contentId}/history/{contentVersion}/macro/id/{macroId} (docs)
  • GET /rest/api/content/{id}/property/{key} (docs)
  • GET /rest/api/content/{id}/child/attachment (docs)
  • GET /rest/api/search?cql (docs)
  • GET /rest/api/user/current (docs)
  • GET /rest/api/user/bulk (docs)
  • GET /rest/api/user/{userId}/property (docs)
  • GET /rest/api/space/{spaceKey}/label (docs)

WRITE

  • DELETE /rest/api/content/{contentId}/label?name= (docs)
  • POST /rest/api/content/{contentId}/label (docs)
  • PUT /rest/api/content/{contentId}/property/{propertyKey} (docs)
  • PUT /rest/api/content/{contentId} (docs)
  • POST /rest/api/space/{spaceKey}/label (docs)
  • POST /rest/api/user/{userId}/property/{key} (docs)

Security questions about Handy Macros for Confluence Data Center / Server

What data does the app store on its server?

The Data Center (Server) version of the app runs inside the Confluence Java virtual machine (JVM) and uses its database. The app stores data either in that database or directly on Confluence pages. As Confluence is hosted on-premises, the customer is responsible for the Confluence infrastructure and settings; as the app's vendor, we are responsible for compatibility with Confluence and for the app functioning properly. You can find more information on data collection in our Privacy Policy.

Does the app meet GDPR requirements?

When you use the Server or Data Center versions of the app, we don't access, collect, store or otherwise process your personal data, except in limited cases where such data is provided for incidental support services. Stiltsoft Europe is neither a data processor nor a data controller under GDPR for the purposes of the personal data you choose to process with the help of the app. For more details please see our Privacy Policy.