🔒 Security Policy

1. Information Security Framework

1.1 Security Governance

DataPingo maintains a comprehensive information security program based on industry best practices and regulatory requirements. Our security framework is continuously reviewed and updated to address emerging threats and maintain compliance with relevant standards.

1.2 Security Policies and Procedures

We maintain documented security policies covering:

• Data classification and handling procedures
• Access control and identity management
• Incident response and business continuity
• Vendor risk management
• Security awareness and training

2. Data Protection and Privacy

2.1 Data Encryption

All customer data is protected using industry-standard encryption:

• Data in Transit: TLS 1.3 encryption for all data transmission
• Data at Rest: AES-256 encryption for stored data
• API Communications: HTTPS with certificate pinning
• Database Encryption: Encrypted database storage with key rotation

2.2 Data Minimization

DataPingo follows the principle of data minimization, collecting and processing only the data necessary to provide our services. We implement automated data retention policies and secure data disposal procedures.

2.3 Privacy Compliance

Our data handling practices comply with major privacy regulations:

• GDPR (General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• PIPEDA (Personal Information Protection and Electronic Documents Act)
• SOC 2 Type II compliance framework

3. Infrastructure Security

3.1 Cloud Security

DataPingo leverages enterprise-grade cloud infrastructure with multiple layers of security controls:

• Multi-factor authentication for all administrative access
• Network segmentation and micro-segmentation
• Distributed Denial of Service (DDoS) protection
• Real-time security monitoring and threat detection
• Regular security assessments and penetration testing

3.2 Access Controls

We implement comprehensive access control measures:

• Role-Based Access Control (RBAC): Principle of least privilege
• Multi-Factor Authentication: Required for all system access
• Session Management: Automatic session timeouts and secure tokens
• Audit Logging: Comprehensive logging of all access and actions

4. Application Security

4.1 Secure Development Lifecycle

DataPingo follows secure coding practices and implements security throughout the development lifecycle:

• Security code reviews and static analysis
• Dynamic application security testing (DAST)
• Dependency vulnerability scanning
• Regular security updates and patch management

4.2 API Security

Our APIs are secured using industry best practices:

• OAuth 2.0 and OpenID Connect authentication
• Rate limiting and throttling
• Input validation and sanitization
• API versioning and deprecation policies

5. Third-Party Integrations

5.1 Atlassian Marketplace Security

DataPingo apps in the Atlassian Marketplace undergo rigorous security reviews and comply with Atlassian's security requirements:

• Secure data handling for Jira, Confluence, and other Atlassian products
• Compliance with Atlassian's data residency requirements
• Regular security assessments and updates
• Transparent data usage and permissions

5.2 Atlassian Forge Platform Security

Our applications are built on and hosted by Atlassian's secure Forge platform:

• Leverages Atlassian's enterprise-grade infrastructure security
• Automatic security updates and patches through Forge platform
• Isolated execution environment for enhanced security
• Secure API access using Atlassian's authentication mechanisms
• Compliance with Atlassian's security and privacy requirements

5.3 Handoff for Jira — Data Handling

Handoff for Jira is built with a security-first, zero-external-server approach:

• Storage: All app data (queues, handoffs, and team data) is stored exclusively in Atlassian Forge KV Storage — no data leaves Atlassian's cloud infrastructure
• Minimum Permissions: Only four scopes are requested, each with a specific purpose:
  • read:jira-work — read Jira issues and project data for queue browsing and handoff workflows
  • write:jira-work — post ADF comments to Jira issues for handoff audit trails only; the app does not create, edit, or delete issues
  • read:jira-user — fetch user display names for sender attribution in handoff records and @mentions in comments
  • storage:app — read and write Forge KV Storage for all app state
• Audit Trail: Handoff events post rich ADF comments (with @mentions and hyperlinks) directly to Jira tickets, keeping a full history on the issue itself with no external log storage
• GDPR Compliance: Sender display names stored in handoff records are tracked in a personal data index. A weekly Forge scheduled trigger reports all stored account IDs to Atlassian's Personal Data Reporting API — handling automatic erasure when an account is closed and display name refresh when a user updates their profile
• Licensing: Access is gated through Atlassian Marketplace licensing — only licensed Jira Cloud users on an active subscription can access the app
• Runtime: nodejs24.x on arm64, 256 MB memory — fully managed and sandboxed by Atlassian Forge
• App ID: b64e8d8a-a3f6-4692-8c1b-279f0c30b74b

5.4 Bulk Page Cloner for Confluence — Data Handling

Bulk Page Cloner is built on the same zero-external-server approach:

• Read scope only: The app reads the selected template page's content, formatting, macros, and labels in order to generate clones. No page data is stored by the app — it is read from Confluence, used to create the clones, and immediately discarded
• Permissions:
  • read:confluence-content.all — read the selected template page to copy its content, formatting, macros, and labels
  • write:confluence-content — create the cloned pages in the chosen Confluence space
  • storage:app — read and write Forge KV Storage for app state
• No personal data stored: The app does not store any Confluence page content, user data, or metadata on external servers
• Licensing: Access is gated through Atlassian Marketplace licensing — only licensed Confluence Cloud users on an active subscription can access the app

6. Incident Response and Business Continuity

6.1 Security Incident Response

DataPingo maintains a comprehensive incident response plan:

• Detection: 24/7 security monitoring and alerting
• Response: Defined escalation procedures and response team
• Containment: Immediate isolation and mitigation procedures
• Recovery: Systematic restoration and validation processes
• Communication: Timely notification to affected customers

6.2 Business Continuity

We maintain robust business continuity measures:

• Automated backup systems with 99.9% durability
• Disaster recovery sites in multiple geographic regions
• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour
• Regular disaster recovery testing

7. Vulnerability Management

7.1 Vulnerability Assessment

DataPingo conducts regular security assessments:

• Regular security code reviews
• Dependency and library vulnerability monitoring

7.2 Patch Management

We maintain an active patch management practice:

• Security patches applied promptly upon release
• Regular updates for all dependencies
• Change management processes for security updates

8. Employee Security

8.1 Security Awareness Training

All DataPingo employees receive comprehensive security training:

• Initial security orientation for new employees
• Annual security awareness training
• Phishing simulation exercises
• Incident response training for relevant personnel

8.2 Background Checks

All employees with access to customer data undergo background verification appropriate to their role and local regulations.

9. Data Breach Notification

9.1 Notification Timeline

In the event of a security incident affecting customer data:

• Internal notification: Immediate (within 1 hour)
• Customer notification: Within 72 hours of confirmation
• Regulatory notification: As required by applicable laws
• Public disclosure: As legally required or appropriate

9.2 Notification Content

Security incident notifications will include:

• Nature and scope of the incident
• Types of data potentially affected
• Steps taken to contain and remediate the incident
• Recommended actions for affected customers
• Contact information for questions and support

10. Third-Party Security

11.1 Vendor Risk Management

DataPingo evaluates and monitors the security practices of all third-party vendors:

• Security questionnaires and assessments
• Contractual security requirements
• Regular vendor security reviews
• Business associate agreements where applicable

11. Policy Updates and Review

This Security Policy is reviewed annually and updated as necessary to reflect changes in our security practices, regulatory requirements, and industry standards. Customers will be notified of material changes through our website and direct communication.