Security Statement
Last updated: February 27, 2026
1. Overview
CodeDoc AI for Confluence ("the App") is built on the
Atlassian Forge platform
and follows the principle of minimal data access, zero external infrastructure, and
user-controlled credentials. This document describes the security architecture, data
protection measures, and operational practices of the App.
2. Architecture & Runtime Environment
The App runs entirely within Atlassian's Forge runtime:
- No developer-operated servers: There is no external backend, database, or infrastructure operated by us. All compute and storage is hosted by Atlassian.
- Sandboxed execution: Forge functions execute in isolated, sandboxed containers with restricted system access.
- Network isolation: Outbound network requests are restricted to domains explicitly declared in the App's manifest and allowlisted by Atlassian. The App cannot make arbitrary network calls.
- No ingress: The App does not expose any endpoints to the public internet except a Forge webtrigger URL for Git webhook events (validated and scoped).
3. Credential Management (BYOK)
The App operates on a Bring Your Own Key model. Users provide their own API
keys (AI providers) and access tokens (Git providers). These credentials are handled as follows:
| Measure |
Details |
| Storage |
All credentials stored via Atlassian Forge's encrypted secret storage (storage.setSecret()), encrypted at rest by Atlassian. |
| Access scope |
Credentials are only read by the App's backend functions during job execution. They are never exposed to the frontend UI after initial save. |
| Developer access |
None. We cannot read, export, or access your credentials. They reside in your Confluence instance's Forge storage. |
| Logging |
Credentials are never logged, included in error messages, or transmitted to us. |
| Deletion |
Credentials are removed when the App is uninstalled or when you delete a provider configuration. |
4. Data Protection
Data in transit:
- All communication between the App and external services (Git providers, AI providers) uses TLS encryption (HTTPS only).
- The App rejects non-HTTPS Git provider URLs at configuration time.
- Forge-to-Confluence API calls use Atlassian's internal secured transport.
Data at rest:
- Sensitive credentials: Encrypted via Forge secret storage (AES-256, managed by Atlassian).
- Configuration data: Stored in Forge app storage within the customer's Confluence instance.
- Source code: Never stored. Fetched on demand, processed in memory, and discarded after each job execution.
Data minimization:
- The App only accesses the minimum data needed: source code files (read-only), Confluence space/page metadata (for publishing).
- Generation history stores only metadata (job name, status, timestamp, token count) — no source code or documentation content.
- Webhook deduplication stores only event IDs (last 50), not payload content.
5. Network Security & Allowlisted Domains
The App's Forge manifest declares the following external domains. Outbound requests are
only possible to these domains — no other network communication can occur:
| Service |
Domains |
| GitHub |
api.github.com |
| GitLab |
gitlab.com |
| Bitbucket |
api.bitbucket.org |
| Azure DevOps |
dev.azure.com, *.visualstudio.com, app.vssps.visualstudio.com |
| Anthropic |
api.anthropic.com |
| OpenAI |
api.openai.com |
| Google AI |
generativelanguage.googleapis.com |
IP blocking: The App validates Git provider URLs and blocks connections to private, reserved, and loopback IP ranges to prevent SSRF attacks.
6. Authentication & Authorization
- Confluence access: Uses Atlassian Forge's built-in OAuth. User-initiated actions run with the user's permissions (
api.asUser()); background jobs run with app-level permissions (api.asApp()).
- Minimal API scopes: The App requests only the scopes it needs:
storage:app, read:space:confluence, read:page:confluence, write:page:confluence.
- Webhook verification: Supports optional webhook signature verification (HMAC) using a user-configured secret to prevent unauthorized trigger events.
- Permission pre-flight: Before publishing, the App verifies write permissions on the target Confluence space to fail early with a clear message.
7. Input Validation & Output Safety
- URL validation: Git provider URLs must be HTTPS and are checked against private IP ranges.
- Content sanitization: AI-generated documentation passes through a multi-layer XML validation and repair pipeline before publishing to Confluence, preventing malformed content from being injected.
- Token budget limits: File fetching is bounded by configurable token budgets (~120,000 tokens) and content size limits (~1 MB) to prevent resource exhaustion.
- Webhook deduplication: Duplicate webhook events are detected and rejected to prevent replay-style abuse.
8. Dependency Management
- The App has zero runtime npm dependencies. All logic is self-contained to minimize supply chain risk.
- The only dependencies are Atlassian's Forge packages (
@forge/api, @forge/ui, @forge/resolver) which are maintained by Atlassian.
- Build and development dependencies are kept to a minimum and are not shipped in the production runtime.
9. Vulnerability Management
- We monitor for security issues in the App and Forge platform updates.
- Security patches are deployed promptly via Forge's deployment mechanism.
- The Forge runtime is maintained and patched by Atlassian, including the Node.js environment.
10. Incident Response
If a security issue is discovered in the App:
- We will investigate and remediate promptly.
- Affected customers will be notified via the Atlassian Marketplace listing and/or direct contact.
- Fixes will be deployed as a priority update.
To report a security vulnerability, please contact
support@janekbehrens.de with the subject line
"Security Report — CodeDoc AI".
11. Compliance
- GDPR: The App does not collect or process personal data. See our Privacy Policy for details.
- Atlassian Security: The App follows Atlassian Forge security requirements and runs within Atlassian's "Runs on Atlassian" trust boundary.
- No sub-processors: We do not engage sub-processors. All third-party data transmission is initiated by the user via their own credentials.
12. What We Do NOT Have Access To
For complete transparency:
- Your API keys or Git access tokens
- Your source code or repository contents
- The generated documentation content
- Your Confluence instance data beyond what the App's scopes allow
- User identity, email addresses, or personal data