FAQ - Security
In addition to the information below, please review a general Stiltsoft Europe Privacy Policy and the Privacy and Data Collection Policy prior to using the app.
General questions
1. Does the app have any certifications like SOC 1, SOC 2 Type II, ISO 27001, PCI DSS compliance, Fidelity/E&O Insurance, or FedRAMP?
No, the app has no certifications.
2. How do you audit the apps' security?
2.1. CAIQ-Lite
The CSA STAR CAIQ-Lite (self-assessment) questionnaire can be accessed on the Whistic platform by following the corresponding link; registration on the portal is required.
2.2. Bug Bounty
Live Tables from CSV & JSON for Confluence is participating in the public Marketplace Bug Bounty Program. See for more details: https://bugcrowd.com/stiltsoft.
2.3. Secure Development
We follow the best practices and frameworks to ensure the highest level of security in our software:
- Regular security training for developers to learn about common vulnerabilities and threats
- Code review for security vulnerabilities
- Regular updates of the dependencies
- Static Application Security Testing (SAST) to detect vulnerabilities in our codebase
- Software Composition Analysis (SCA) tools to keep track of the open-source components used by our applications
3. Does the app have an Export Control Classification Number (ECCN)?
No, the Live Tables from CSV & JSON for Confluence app does not have an Export Control Classification Number (ECCN). It is a cloud-based service that runs on remote servers, is not shipped or exported as a physical product, and does not contain any hardware components.
4. What controls are in place to manage add-on permissions, and how do they connect to the application?
The app operates strictly within the permission scopes granted by Atlassian. It requires the following permissions:
- storage:app - Enables the App storage API to store the app settings.
- read:attachment:confluence - Used by Live Table from CSV and Live Table from JSON to read data from the user-specified CSV and JSON attachments.
- read:content.metadata:confluence - Used to get the type (page, blogpost) of the given content for further requests.
- read:content-details:confluence - Used to search for content using CQL.
- read:page:confluence - Used to check page permissions.
- read:space:confluence - Used to find spaces by keys.
- read:content:confluence - Used to get a page or a blog post by ID.
These permissions are used solely to support the app’s intended functionality and do not grant access beyond the defined scope.
For more information on how Atlassian manages app permissions and scopes, please refer to the official documentation.
About Table Filter, Charts & Spreadsheets for Confluence Cloud
1. Where is the app hosted? What options for Data Residency do we have?
The app is built on the Forge platform. It is hosted by Atlassian in the same Data Residency realm as the customer's Confluence instance.
2. What data does the app store on its server?
Live Tables from CSV & JSON for Confluence (the “App”) doesn't access, store, or otherwise process any personal or end user data outside the Atlassian environment. The app is built on the Forge platform.
Data egress: Live Table from CSV and Live Table from JSON macros can be configured by the end user to fetch data from external URLs with or without authentication.
Login and password, or a custom authentication header, are encrypted with the AES-256 algorithm using a secret key and saved in the macro parameters on the page. The secret key is generated uniquely for each installation. It is stored in the encrypted Forge storage and rotated yearly. The encrypted authentication data can be used only in your Confluence instance and only for the URL you specified when configuring the macro, so it is impossible to steal and reuse it elsewhere.
To ensure users re-enter credentials when a macro is copied to another page, ask your Confluence administrator to enable the Live Table from CSV & JSON: Prevent macro copy with credentials option in the Administration console.
3. What authentication options are available?
Forge apps use OAuth 2.0 when authenticating with Confluence.
4. Does the app meet GDPR requirements?
We’re committed to helping our customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). For this purpose, we suggest signing a Data Processing Agreement (DPA). A DPA is a contract between data controllers and data processors. The main purpose of a Data Processing Addendum (DPA) is to protect the user’s data in compliance with the GDPR or any other privacy laws.
To request and sign a DPA, please contact our support at servicedesk@stiltsoft.com or at the Service Desk Portal.
5. Uptime
The app participates in the Cloud Fortified Apps Program, which obliges us to fulfill specific reliability requirements.
6. Incident Response
The app implements an Incident Response Policy for handling security and operational events, including escalation procedures, rapid mitigation, and post-mortem. All employees are informed of our policies.
7. Standard Procedures for App's Testing before Releasing Updates to Customers
We have an automated release pipeline:
- Any code changes should be reviewed and approved by at least 2 reviewers
- All unit tests should be passed
- All integration tests should be passed
- The performance test should be passed
- The SCA and SAST tests via Snyk should be passed
8. Does the app run on Forge?
Yes, the app is built on the Forge platform.
9. What Forge scopes and endpoints does the app use?
The current list of the app's permissions is available on the Marketplace. Below is a description of each scope and the endpoints it is used for:
| Scope | Description |
|---|---|
| storage:app | Enables the App storage API to store the app settings. |
| read:page:confluence | `/api/v2/${contentType}s/${contentId}/operations` - Checks page permissions. Searches a page or a blog by title. Gets a page or a blog by ID. `/api/v2/${contentType}s/${id}/versions` - Returns the versions of a specific page when viewing the macro in the page history. |
| read:attachment:confluence | `/api/v2/${contentType}s/${id}/attachments` - Used by Live Table from CSV and Live Table from JSON to read data from the user-specified CSV and JSON attachments. |
| read:space:confluence | Reads the space by ID when including content from other pages. Finds spaces by keys. |
| read:content.metadata:confluence | `/api/v2/content/convert-ids-to-types` - Gets the type (page, blogpost) of the given content for further requests. `/rest/api/content/${pageId}/history/${pageVersion}/macro/id/${macroId}` - Gets the macro body and parameters. |
| read:content-details:confluence | Searches for content using CQL. |
| read:content:confluence | Gets a page or a blog post by ID. |