FAQ - Security
In addition to the information below, please review a general Stiltsoft Europe Privacy Policy and the Table Filter, Charts & Spreadsheets app's Privacy and Data Collection Policy prior to using the app.
General questions
1. Where can I find the app's security and compliance documents?
Stiltsoft has a Security & Compliance Portal at trust.stiltsoft.com where you can access important security and compliance documents, including the SOC 2 Type I and SOC 2 Type II reports for Table Filter, Charts & Spreadsheets for Confluence Cloud, penetration tests, the latest updates from our bug bounty program, etc.
Request access to the portal, wait for approval from our team, agree to the NDA, and get the required documents.
You can also subscribe to updates to stay in the loop about new reports and security improvements.
2. Does the app have any certifications like SOC 1, SOC 2 Type II, ISO 27001, PCI DSS compliance, Fidelity/E&O Insurance, FedRAMP?
Our app is SOC 2 Type I and SOC 2 Type II certified.
For more details, including the full reports, visit the Security & Compliance Portal at trust.stiltsoft.com (see question 1 above for how to request access).
3. How do you audit the apps' security?
3.1. CAIQ-Lite
The CSA STAR CAIQ-Lite (self-assessment) questionnaire can be accessed on the Whistic platform by following the corresponding link; registration on the portal is required.
3.2. Bug Bounty
Table Filter, Charts & Spreadsheets for Confluence (Cloud, Data Center, Server) participates in the public Marketplace Bug Bounty Program. For more details, see https://bugcrowd.com/stiltsoft.
3.3. Secure Development
We follow the best practices and frameworks to ensure the highest level of security in our software:
- Regular security training for developers to learn about common vulnerabilities and threats
- Code review for security vulnerabilities
- Regular updates of the dependencies
- Static Application Security Testing (SAST) to detect vulnerabilities in our codebase
- Software Composition Analysis (SCA) tools to keep track of the open-source components used by our applications
4. Is the app impacted by CVE-2021-44228 – Apache Log4j2 Vulnerability?
The Table Filter, Charts & Spreadsheets for Confluence app is not impacted by CVE-2021-44228 – Apache Log4j2 Vulnerability.
In the Server and Data Center versions of the app, we use the following logger shipped with Confluence:
org.slf4j.Logger
The Cloud version is not affected by this vulnerability because it is written in a different language and does not use Log4j2.
5. Is the app impacted by CVE-2022-22965 – Spring Framework Vulnerability?
The Table Filter, Charts & Spreadsheets for Confluence app is not affected by this vulnerability. The app doesn't use Spring Framework.
About Table Filter, Charts & Spreadsheets for Confluence Cloud
1. Where is the app hosted? What options for Data Residency do we have?
The app is hosted in Amazon Web Services (AWS) in two regions:
- US East (Northern Virginia) region (us-east-1)
- Europe (Frankfurt) region (eu-central-1)
The app's region is automatically set in accordance with the region of the parent product after installing (reinstalling) the app.
2. What data does the app store on its server?
The app doesn't access, store, or otherwise process personal data or table content except for the cases described below.
All the macros are embedded as iframes on Confluence pages. An iframe receives the table data inserted in the macro body directly from Confluence without going through our server. Table data inserted in the app macros transits through our server only in the following cases:
- For Word export of pages
- For PDF export of the Table Spreadsheet and Spreadsheet from Table macros
- For parsing by the Table from CSV, Table from JSON, Table Excerpt and Table Spreadsheet Include macros
In the cases described above, the data transit is necessary to output the data in a transformed view. The transited data exists in the app server's memory only for the duration of the request processing and can't be accessed outside the app.
All data transferred to and from the app server is encrypted using TLS 1.2 or higher. When working with the Table from CSV/JSON macros, the app uses AES-256 encryption for storing data in the macro parameters in Confluence pages.
If you have the Cloud Advanced app edition, you can turn off data transit through the app server. Note that after you disable this feature, the use cases listed above will no longer work.
3. What authentication options are available?
The app uses JWT authentication for communication between the Atlassian host and the app server. Learn more about Atlassian Connect security.
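The JWT check mentioned above, as an added illustration rather than Stiltsoft's own code: an Atlassian Connect host signs each request to the app with an HS256 JWT whose `iss` is the tenant's client key, and the app verifies the signature with the shared secret it received at install time, checks the expiry, and recomputes the query-string hash (`qsh`) so a valid token cannot be replayed against a different endpoint or with different parameters. The installation table, the shared secret and the `/macro/body` endpoint are constructed for the demo, and the canonicalization rules (method, path, sorted percent-encoded parameters, `jwt` excluded) are a summary of the Connect specification, not a copy of it.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote

# Constructed installation record: Confluence sends clientKey and sharedSecret
# at install time; a real app keeps one entry per tenant in durable storage.
INSTALLATIONS = {"constructed-client-key": "constructed-shared-secret"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_query_hash(method, path, params, context_path=""):
    """qsh = SHA-256 of METHOD&PATH&SORTED-PARAMS (assumed summary of the
    Connect rules): the 'jwt' parameter is excluded, repeated values are
    sorted and comma-joined, names and values are percent-encoded."""
    uri = path
    if context_path and uri.startswith(context_path):
        uri = uri[len(context_path):]
    uri = uri.rstrip("/") or "/"
    parts = []
    for name in sorted(params):
        if name == "jwt":
            continue
        values = params[name] if isinstance(params[name], list) else [params[name]]
        encoded = ",".join(quote(v, safe="~") for v in sorted(values))
        parts.append(f"{quote(name, safe='~')}={encoded}")
    canonical = "&".join([method.upper(), uri, "&".join(parts)])
    return hashlib.sha256(canonical.encode()).hexdigest()


def sign_jwt(claims, secret):
    """Mint an HS256 JWT the way the host would (demo only; the app never signs)."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_connect_jwt(token, installations, method, path, params, now=None):
    """Return (ok, reason). Order: structure, alg, known issuer, HMAC signature,
    expiry (30 s skew allowance), then qsh against the request actually received."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # never let the token choose 'none'
        return False, "unexpected alg"
    secret = installations.get(claims.get("iss"))
    if secret is None:
        return False, "unknown issuer"
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    now = time.time() if now is None else now
    if claims.get("exp", 0) < now - 30:
        return False, "expired"
    if claims.get("qsh") != canonical_query_hash(method, path, params):
        return False, "qsh mismatch"
    return True, "ok"


def demo(now=1_700_000_000):
    """Constructed round trip: the host signs a request; the app accepts it and
    rejects a re-targeted query, a token signed with another secret, and a stale one."""
    method, path = "GET", "/macro/body"  # constructed endpoint
    params = {"pageId": "123", "macroId": "abc"}
    claims = {"iss": "constructed-client-key", "iat": now, "exp": now + 180,
              "qsh": canonical_query_hash(method, path, params)}
    token = sign_jwt(claims, INSTALLATIONS["constructed-client-key"])
    received = dict(params, jwt=token)
    return {
        "valid": verify_connect_jwt(token, INSTALLATIONS, method, path, received, now=now),
        "tampered_query": verify_connect_jwt(token, INSTALLATIONS, method, path,
                                             {"pageId": "999", "jwt": token}, now=now),
        "wrong_secret": verify_connect_jwt(token, {"constructed-client-key": "other"},
                                           method, path, received, now=now),
        "stale": verify_connect_jwt(token, INSTALLATIONS, method, path, received, now=now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks matters: the issuer lookup happens before the signature check only because the secret is keyed by `iss`, and nothing from the claims is trusted until `hmac.compare_digest` has passed; `qsh` is recomputed from the request the server actually received, never read back from the token.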
4. Does the app meet GDPR requirements?
We're committed to helping our customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). For this purpose, we suggest signing a Data Processing Agreement (DPA). A DPA is a contract between data controllers and data processors; its main purpose is to protect the user's data in compliance with the GDPR or any other privacy laws.
To request and sign a DPA, please contact our support at servicedesk@stiltsoft.com or via the Service Desk Portal.
5. Does the app have fixed individual IP addresses to make outgoing connections to customer services and Atlassian products APIs?
For Confluence Cloud, outgoing connections from the app to Atlassian APIs and from the Table from CSV/Table from JSON macros to customer servers originate only from these IP addresses:

| Confluence Location | Outgoing connections IP | Domain | AWS Region |
|---|---|---|---|
| Global and USA | | | AWS US East (Northern Virginia) Region |
| Europe | | | Europe (Frankfurt) Region |
6. Virtual Private Cloud
All our servers are located within our virtual private cloud (VPC) in a dedicated AWS account with network access controls preventing unauthorized connections to internal resources.
7. Failover and Disaster Recovery
Our systems are designed and built with disaster recovery in mind. Our infrastructure is spread across two AWS availability zones for each region. The live data is stored in one of these availability zones and will be recovered from the backup stored in the other zone in case of an infrastructure failure.
8. Backups and Monitoring
The app uses automation to back up all data stores. All our backups are encrypted.
We use AWS monitoring to detect the app nodes' failure, high CPU and memory utilization, high 4xx and 5xx error counts, and high request count anomalies. The app also uses Sentry.io, a client-side error monitoring tool that helps us discover, triage, and prioritize app errors in real time.
9. Uptime
The Table Filter, Charts & Spreadsheets for Confluence app participates in the Cloud Fortified Apps Program which obliges us to fulfill specific reliability requirements.
The app has an uptime of 99.99% or higher. You can check our current and historical status at:
- https://stats.uptimerobot.com/6Rg0Mio9L2/791314931 (EU region)
- https://stats.uptimerobot.com/6Rg0Mio9L2/788710046 (US region)
The app nodes are automatically restarted in case of failure.
The app implements autoscaling to support stability and responsiveness during high load. When CPU utilization reaches the threshold, a new app node starts, and the load balancer distributes the traffic among all running nodes.
10. Incident Response
The app implements an Incident Response Policy for handling security and operational events including escalation procedures, rapid mitigation, and post-mortem. All employees are informed of our policies.
11. Standard Procedures for App's Testing before Releasing Updates to Customers
We have an automated release pipeline with the following gates:
- Any code change must be reviewed and approved by at least 2 reviewers
- All unit tests must pass
- All integration tests must pass
- The performance test must pass
- The SAST scan via Snyk must pass
12. What Forge scopes and endpoints does the app use?
| Scope | Legacy Connect Scope | Description |
|---|---|---|
| NA | act-as-user:connect-confluence | This scope ensures that data retrieved from Confluence respects the requesting user's permissions: users only receive data they are authorized to view. It applies in specific cases where the user interacts with the app and data is transferred via the app's server. Used endpoints: /rest/api/content/${pageId}/history/${pageVersion}/macro/id/${macroId} Gets the macro body and parameters; /api/v2/${contentType}s/${id}/attachments Used by Table from CSV and Table from JSON to read data from the user-specified CSV and JSON attachments, and by the Spreadsheet macros to read spreadsheet data from their attachments (the Spreadsheet macros create attachments to store data); Finds spaces by keys; /api/v2/content/convert-ids-to-types Gets the type (page, blogpost) of the given content for further requests. |
| read:app-data:confluence | NA | /wiki/rest/atlassian-connect/1/addons/{addonKey}/properties Reads the app settings. |
| read:app-user-token | NA | Gets the user token to request the legacy Connect app API. |
| storage:app | NA | Enables the App storage API to store the app settings. |
| read:page:confluence | read:connect-confluence | /api/v2/${contentType}s/${contentId}/operations Checks page permissions; Searches a page or a blog by title; Gets a page or a blog by ID; /api/v2/${contentType}s/${id}/versions Returns the versions of a specific page when viewing the macro in the page history; Returns all pages' data for the specified IDs to decorate inline page cards. |
| read:attachment:confluence | read:connect-confluence | /api/v2/${contentType}s/${id}/attachments Used by Table from CSV and Table from JSON to read data from the user-specified CSV and JSON attachments, and by the Spreadsheet macros to read spreadsheet data from their attachments (the Spreadsheet macros create attachments to store data). |
| read:comment:confluence | read:connect-confluence | /api/v2/${contentType}s/${contentId}/inline-comments Gets inline comments added to the macro body; /api/v2/inline-comments/${commentId}/children Returns the child inline comments of a specific comment within the macro body; /api/v2/inline-comments/${commentId} Returns the inline comment added to the macro body. |
| read:template:confluence | read:connect-confluence | /rest/api/template/page/${templateId}/instance Creates a page from a template when the Create from Template macro is used within the macro body. |
| read:space:confluence | read:connect-confluence | Reads the space by ID when including content from other pages. |
| read:space:confluence | read:connect-confluence | Finds spaces by keys. |
| read:hierarchical-content:confluence | read:connect-confluence | /api/v2/pages/${id}/descendants Finds descendant pages for the Table Excerpt Include macro. |
| read:content.metadata:confluence | read:connect-confluence | /api/v2/content/convert-ids-to-types Gets the type (page, blogpost) of the given content for further requests; /api/v2/${type}s/${id}/ancestors Gets the parent page of the page with the Table Excerpt macro to display as meta information in the Table Excerpt Include macro report table; /rest/api/content/${pageId}/history/${pageVersion}/macro/id/${macroId} Gets the macro body and parameters; /rest/api/contentbody/convert/async/${asyncId} Converts the macro body from the storage to the view format. |
| read:content-details:confluence | read:connect-confluence | Returns the current user; Searches for content using CQL; Reads user details to show in user mentions, avatars, etc.; Searches for users by partial user name in the inline comments editor; /rest/api/content/${pageId}/child/attachment Stores spreadsheet data in an attachment; /rest/api/template/page/${templateId}/instance Creates a page from a template when the Create from Template macro is used within the macro body. |
| read:content:confluence | read:connect-confluence | Gets a page or a blog post by ID. |
| read:inlinetask:confluence | read:connect-confluence | Reads inline tasks placed within the macro body. |
| read:task:confluence | read:connect-confluence | Reads tasks placed within the macro body. |
| read:label:confluence | read:connect-confluence | Gets page labels when retrieving pages for the Table Excerpt Include macro. |
| read:relation:confluence | read:connect-confluence | Gets the parent page when retrieving pages for the Table Excerpt Include macro. |
| read:user:confluence | read:connect-confluence | Reads user details for displaying user mentions, avatars, etc. |
| read:user.property:confluence | read:connect-confluence | /rest/api/user/${accountId}/property Reads user personal app settings, such as in-app pop-up settings. |
| read:content.property:confluence | read:connect-confluence | /attachments/{$attachmentId}/properties/{$property} Reads the attachment property used as a lock when storing spreadsheet data. |
| read:content.permission:confluence | read:connect-confluence | Reads page permissions. |
| read:database:confluence | read:connect-confluence | Reads the Database macro data placed within the macro body. Not implemented. Blocked by CONFCLOUD-78267. |
| read:embed:confluence | read:connect-confluence | Returns the Smart Link data placed within the macro body. Not implemented. |
| write:page:confluence | write:connect-confluence | Updates the macro parameters in the page. |
| write:content:confluence | write:connect-confluence | Updates the macro parameters in the blog post. |
| write:attachment:confluence | write:connect-confluence | /api/v2/${contentType}s/${contentId}/properties Uses attachment properties to set the update lock when storing spreadsheet data; /rest/api/content/${pageId}/child/attachment Stores spreadsheet data in an attachment. |
| write:comment:confluence | write:connect-confluence | Creates a new inline comment within a macro body; /api/v2/inline-comments/${commentId} Updates the inline comment added to the macro body. |
| write:inlinetask:confluence | write:connect-confluence | Updates the state of the inline tasks placed within the macro body. |
| write:task:confluence | write:connect-confluence | Updates the state of the tasks placed within the macro body. |
| write:content.property:confluence | write:connect-confluence | /api/v2/${contentType}s/${contentId}/properties Uses attachment properties to set the update lock when storing spreadsheet data. |
| write:user.property:confluence | write:connect-confluence | /rest/api/user/${accountId}/property/${CONFIGURATION_KEY} Sets user personal app settings, such as in-app pop-up settings. |
| delete:attachment:confluence | delete:connect-confluence | /rest/api/content/${attachmentId}/version/${version} Deletes old spreadsheet attachment versions. |
| delete:comment:confluence | delete:connect-confluence | /api/v2/inline-comments/${commentId} Deletes the inline comment added to the macro body. |
About Table Filter, Charts & Spreadsheets for Confluence Data Center (Server)
1. What data does the app store on its server?
The Data Center (Server) version of the app works inside the Confluence Java virtual machine (JVM) and uses its database. The app stores data either in the database or directly on Confluence pages. As Confluence is hosted on-premise, the customer is responsible for the Confluence infrastructure and settings. As the app's vendor, we are responsible for the compatibility with Confluence and proper app functioning.
2. Does the app meet GDPR requirements?
When you use the Server or Data Center versions of the app, we don't access, collect, store or otherwise process your personal data, except in limited cases where such data is provided for incidental support services. Stiltsoft is neither a data processor nor a data controller under GDPR for the purposes of the personal data you choose to process with the help of the app. For more details please see our Privacy and Data Collection Policy.
3. Standard Procedures for App's Testing before Releasing Updates to Customers
We have an automated release pipeline with the following gates:
- Any code change must be reviewed and approved by at least 2 reviewers
- All unit tests must pass
- All integration tests must pass
- The SAST scan via Snyk must pass