Security Policy
How we secure our apps, manage vulnerabilities, and respond to security issues.
This Security Policy describes how CloudScript.io secures its apps for Confluence Cloud, how it manages vulnerabilities, and how it handles security issues and incidents. It is written to be honest about the size and shape of our operation: CloudScript.io is an independent, single-operator vendor that builds narrow, single-purpose apps, and our security posture rests far more on a deliberately minimal design and on the controls of the Atlassian Forge platform than on a large security organisation.
Scope
This policy applies to all CloudScript.io apps built on Atlassian Forge, which currently means CloudScript.io Mermaid and any future Forge apps we publish. Our two earlier apps, NikoNiko Calendar and CloudScript for Confluence, are built on the previous-generation Atlassian Connect framework and are being retired; their data handling is described on their respective Atlassian Marketplace listings and summarised in our Trust Center, and they are outside the scope of this policy.
Our security model
Our apps run on Atlassian Forge, which means they execute inside Atlassian's own hosted, sandboxed environment rather than on any server we operate. Because we run no servers of our own in the path of your data, a large class of security risks (server compromise, misconfigured infrastructure, exposed databases, and the like) does not apply to our Forge apps: the runtime isolation, network egress controls, and platform logging are provided and enforced by Atlassian. The Forge platform blocks any outbound network request an app has not declared in advance, and any data an app stores is held within Atlassian's infrastructure under Atlassian's data-residency and security controls.
We pair that platform with a principle of least privilege in how each app is built: an app should request the smallest set of permissions it needs, and wherever possible store nothing at all. CloudScript.io Mermaid, for example, requests a single read-only permission (read:page:confluence) so it can read the diagram source on the page it is placed on; it declares no outbound network access and no storage, so it is technically incapable of transmitting your content anywhere or retaining it, and diagrams are rendered in your browser within the Forge sandbox. Each app we publish is designed to the same standard, and the specific permissions and data behaviour of each app are documented in that app's privacy policy.
Data protection
One guarantee holds across all of our Forge apps: we operate no database or backend of our own, and we copy none of your content to CloudScript.io systems. Everything an app does happens within Atlassian's platform.
Beyond that, our apps differ by design. Some store nothing and transmit nothing at all — CloudScript.io Mermaid is an example: it holds no data and makes no outbound network request, so your content is read only transiently to draw a diagram in your browser. Other apps may store data, or move content between Atlassian sites, when you instruct them to. In every case that data stays within Atlassian's infrastructure, under Atlassian's own security, encryption, and data-residency controls, and never reaches a system operated by CloudScript.io. The specific data behaviour of each app — what, if anything, it stores, and whether it moves content — is described in that app's own privacy policy.
This website itself runs no advertising and no third-party trackers, and we self-host our fonts. The only measurement on the site is GoatCounter, a privacy-first, cookie-free page counter that stores no personal data; our Trust Center describes exactly what it records, why we use it, and how to opt out.
Access control
The accounts used to develop and publish our apps — the Atlassian developer and Marketplace account, and the source-code repository on GitHub — are protected by multi-factor authentication. Access to those accounts is limited to the two people who operate CloudScript.io, which keeps the number of people who can change or publish app code to a practical minimum. We do not hold administrative access to your Confluence site; our Forge apps act only within the limited permissions you grant at installation.
Vulnerability management
We welcome reports of suspected security vulnerabilities in any CloudScript.io app. If you believe you have found one, please email support@cloudscript.io with a description of the issue and the steps to reproduce it. We will acknowledge your report and keep you informed as we investigate. We do not operate a paid bug-bounty program, but we take every report seriously and are grateful for responsible disclosure; we ask that you give us a reasonable opportunity to investigate and remediate an issue before disclosing it publicly.
When a report or our own monitoring identifies a potential vulnerability, we triage it by confirming the issue and assessing its severity and the data and customers it could affect, we prioritise remediation according to that severity, and we publish a corrected version of the app through the Atlassian Marketplace. Because our apps are distributed and updated through Atlassian's platform, fixes reach installations through Atlassian's app-update mechanism. As part of keeping the apps sound, the third-party libraries our apps depend on — including the Mermaid rendering library — are refreshed when we update an app, rather than being left frozen at the version first shipped.
Security incidents
If we become aware of a security incident affecting one of our apps, we investigate promptly to understand and contain it, remediate the underlying cause, and publish any fix required through the Atlassian Marketplace. As a single-operator vendor we do not commit to a fixed response-time service level, but we treat security incidents as a priority and act on them as quickly as we reasonably can. If a confirmed incident affects customer data, we will notify the affected customers without undue delay and provide the information they need to understand what happened and what, if anything, they should do.
Reporting a concern
Security questions, vulnerability reports, and other concerns can be sent to support@cloudscript.io. For a broader overview of how our apps handle data, see our Trust Center; for the data handling of a specific app, see that app's privacy policy.
Changes to this policy
We will update this Security Policy as our apps and practices change — for example, when we publish a new Forge app, or if a future app introduces data storage or external network access that the current apps do not have. When we make a material change, we will update the effective date above.