Security Policy

1. Platform & Infrastructure

1.1 Atlassian Forge

All DataPingo apps are built on Atlassian Forge — Atlassian's hosted serverless platform. This means:

• No external servers: DataPingo does not run or manage any servers, databases, or cloud infrastructure outside of Atlassian.
• No data egress: App code runs inside Atlassian's infrastructure. Data never leaves Atlassian's environment to reach DataPingo systems.
• Atlassian-managed security: Encryption, network security, runtime isolation, and infrastructure hardening are all handled by Atlassian.
• Automatic updates: The Forge runtime receives security patches from Atlassian automatically.

For full details on Atlassian's infrastructure security, see atlassian.com/trust/security.

2. Data Handling

2.1 What Data Each App Accesses

Bulk Page Cloner for Confluence

• Read scope: Reads the selected template page (content, formatting, macros, labels) only at the moment of cloning. No page data is retained by the app after the operation completes.
• Write scope: Creates new Confluence pages in the destination space/parent chosen by the user.
• App storage: Uses Forge KV Storage for app state (e.g. UI preferences). This storage is isolated per Atlassian tenant and not accessible outside of Atlassian.
• No personal data stored: The app does not collect, log, or store Confluence page content, user identifiers, or metadata on any external system.

Handoff for Jira

• Read scope: Reads Jira issue details (summary, status, assignee) to populate the queue and handoff views.
• Write scope: Posts ADF comments on Jira issues to record handoff history, and writes queue state to Forge storage.
• App storage: Queue order and handoff records are stored in Forge KV Storage — isolated within your Atlassian tenant.
• No external transmission: No Jira issue data, user names, or queue contents are sent to DataPingo or any third party.

2.2 Data Minimization

Both apps request only the Atlassian API scopes necessary to deliver their core functionality. Scopes are listed in each app's Marketplace listing under the Privacy & Security tab.

2.3 GDPR & Personal Data

DataPingo reports personal data usage to Atlassian's Personal Data Reporting API as required for Marketplace apps. This includes declaring what categories of personal data (e.g. Atlassian account IDs) each app processes and for what purpose. No personal data is stored outside of Atlassian's infrastructure.

3. Atlassian Marketplace Trust & Compliance

All DataPingo apps are reviewed and listed on the Atlassian Marketplace. By listing on the Marketplace, apps must comply with:

• Atlassian Marketplace Partner Agreement
• Atlassian Privacy Policy
• Atlassian's data residency, security, and personal data reporting requirements

DataPingo does not hold independent certifications such as SOC 2 Type II, ISO 27001, or PCI-DSS. Security assurances are provided through Atlassian's platform compliance.

4. Access & Permissions

DataPingo team members do not have access to your Atlassian data. App code runs in an isolated Forge sandbox within Atlassian's infrastructure — DataPingo cannot query or extract tenant data outside of what the app surfaces to the authenticated user.

5. Incident Response

If you discover a security vulnerability or data concern related to a DataPingo app:

• Email contact@datapingo.com with a description of the issue.
• We aim to acknowledge reports within 2 business days and provide a resolution timeline.
• For platform-level security issues (Forge infrastructure, Atlassian APIs), please also report to Atlassian's bug bounty program.

6. Policy Updates

This page is updated when DataPingo's data handling practices change. Material changes will be announced via our website. Continued use of our apps constitutes acceptance of the current policy.

Last updated: June 29, 2026