Does our data or content from Confluence leave our Atlassian space to provide the service of the app?
Our app only sends data to Confluence. Our app does not store this data or send this data anywhere else. The shared secret used to identify your deployment is securely stored in our DB and audited by ourselves and Atlassian as part of the security certification.
Are all security events (auth, privileged evaluations, etc) logged? Do we have access to these logs?
We log all requests, and requests must be authenticated, but there’s no explicit auth event that gets logged. Currently, there is no customer access to any logs
Is there end-to-end encryption for all data transfers?
Will the product store data? If so, for how long? For example: "The product stores data scoped to two weeks at a time."
What kind of permissions does the product need to run? For example: Is it run as a guest, admin, root, sudo, etc.
It can be used anonymously but only if placed on pages that can be viewed by anonymous users. Otherwise, it requires a logged in user to function, so it’s up to the site admins and/or page authors to control who can use it.
Will the product connect with any other systems? If so, is this required for its function?
Does your application make calls to any outside sources?
Does your application leverage cloud storage from a trusted provider?
Diagram of the data flow in Connect Apps