Our app only sends data to Confluence. Our app does not store this data or send this data anywhere else. The shared secret used to identify your deployment is securely stored in our DB and audited by ourselves and Atlassian as part of the security certification.
Are all security events (auth, privileged evaluations, etc.) logged? Do we have access to these logs?
We log all requests, and requests must be authenticated, but there’s no explicit auth event that gets logged. Currently, there is no customer access to any logs.
Is there end-to-end encryption for all data transfers?
Will the product store data? If so, for how long? For example: "The product stores data scoped to two weeks at a time."
We only store client registration data.
What kind of permissions does the product need to run? For example: Is it run as a guest, admin, root, sudo, etc.
It can be used anonymously, but only if placed on pages that can be viewed by anonymous users. Otherwise, it requires a logged-in user to function, so it’s up to the site admins and/or page authors to control who can use it.
Will the product connect with any other systems? If so, is this required for its function?
Aside from our supporting cloud infrastructure, it does not connect with anything else.
Does your application make calls to any outside sources?
We do use CDNs to serve some web assets.
Does your application leverage cloud storage from a trusted provider?
Yes, Heroku Postgres.
Diagram of the data flow in Connect Apps