Security Policy
Security Policy for TechLead Atlassian Forge Cloud Apps
Effective Date: Jul 1, 2025
Applies To: All Atlassian Forge-based Cloud Apps developed by TechLead
Products Covered: All Atlassian Cloud products
Related terms and documentation
Introduction
At TechLead, we take the security of our customers’ data seriously. All our Atlassian Cloud Apps are built on the Forge platform and adhere strictly to Atlassian’s security architecture and industry-leading best practices. This policy outlines how we design, develop, and maintain secure Forge apps.
https://developer.atlassian.com/platform/forge/
Built on Atlassian Forge
All TechLead apps are built using Atlassian Forge, a cloud-native platform hosted and secured by Atlassian.
Key Forge Security Features:
Sandboxed Execution: Apps run in an isolated, serverless environment managed by Atlassian.
Scoped API Access: Permissions are explicitly declared and limited to only what the app needs.
No External Servers: All logic and storage remain within Atlassian's cloud, eliminating custom backend risks.
Data Security
Minimal Data Handling
Our Forge apps follow a “no unnecessary data” principle.
We only store or process data when strictly required for app functionality.
Encryption
Data in Transit: Encrypted using HTTPS/TLS 1.2+.
Data at Rest: Encrypted automatically by Atlassian Forge infrastructure using AES-256.
Encrypted Storage API
Sensitive values (e.g., tokens or config) are stored securely using the Forge @forge/storage API with encryption.
Data Residency
Our apps inherit Atlassian's data residency model.
No data is stored or processed outside Atlassian’s compliant regions unless explicitly noted.
Application Security
Secure Development
Code is reviewed and tested through an internal CI/CD pipeline using Bitbucket Pipelines.
Forge CLI tools are used to tunnel and test apps securely in development.
Dependency Management
We continuously monitor dependencies for known vulnerabilities (e.g., using npm audit, Dependabot) using Snyk.
Critical patches are applied within 72 hours.
Access Control
Our apps respect user-level and product-level permissions provided by Atlassian.
We do not override or bypass native Jira or Confluence permission schemes.
Incident Response
Vulnerability Reporting
We encourage ethical security research and responsible disclosure.
Report issues to:
email: atlassian@techlead.vn
support portal: https://techlead-cloud.atlassian.net/servicedesk/customer/portal/1
Response time: within 1 business day
Critical fixes deployed: within 72 hours
Compliance & Atlassian Marketplace Standards
All TechLead Forge apps comply with:
Atlassian Marketplace Security Requirements
Atlassian’s annual Security Self-Assessment Questionnaire (SSAQ)
Atlassian Forge architecture & hosting policies
Applicable data protection standards (e.g., GDPR)
Customer Responsibilities
As an Atlassian customer using our Forge apps, you are responsible for:
Reviewing app permissions during installation.
Managing user roles and permissions within your Atlassian products.
Monitoring Marketplace app activity as part of your organization's broader security program.
Contact details
TechLead
Floor 4 - No. 11 Nguyen Xien
Thanh Xuan - 10000 Hanoi, Vietnam
atlassian@techlead.vn
https://techlead.vn
TechLead | All rights reserved. | © Copyright 2025