Trust Center
Last updated: March 17, 2026
This Trust Center provides a transparent overview of the security practices, data handling, and privacy principles that apply to all apps published by Janek Behrens on the Atlassian Marketplace. It is intended to help customers, administrators, and security teams evaluate the trustworthiness of our apps before and after installation.
1. About the Vendor
Janek Behrens is an independent Atlassian Marketplace Partner developing productivity apps for Atlassian Cloud products. All apps are built exclusively on the Atlassian Forge platform and listed on the Atlassian Marketplace.
2. Infrastructure & Hosting
All apps are built on Atlassian Forge, Atlassian's native cloud development platform. This means:
- App code runs entirely within Atlassian's infrastructure — there are no third-party servers, no external cloud providers, and no infrastructure operated by Janek Behrens.
- App logic runs within the Forge runtime on Atlassian's infrastructure. Where an app makes outbound calls (e.g., to AI or Git providers you configure), these are made via Forge's allowlisted external fetch mechanism — not through any infrastructure operated by Janek Behrens.
- Apps qualify for the Runs on Atlassian designation, meaning Atlassian provides the underlying security, availability, and compliance guarantees for the hosting layer.
For Atlassian's own infrastructure security and compliance certifications (ISO 27001, SOC 2, etc.), refer to the Atlassian Trust Center.
3. Data Privacy Principles
All apps adhere to the following data privacy principles:
- Data minimization: Apps only request the Atlassian API scopes strictly necessary to deliver their functionality. No speculative permissions are requested.
- No personal data collection: Apps do not collect, transmit, or store personally identifiable information (PII) such as names, email addresses, user keys, or account details on any system controlled by Janek Behrens.
- No data sent to Janek Behrens: No app transmits any data to servers operated by Janek Behrens. Any external calls made by an app go exclusively to services that you explicitly configure using your own credentials (Bring Your Own Key model), or to no external services at all. See the app overview table below for details per app.
- No tracking: Apps do not use cookies, tracking pixels, session recording, or any form of behavioral analytics.
- Configuration data only (in Atlassian storage): The only data stored by apps is app-level configuration (via Atlassian Forge Storage) — such as settings, mappings, credentials you provide, or job history metadata. This data resides on Atlassian's infrastructure and is automatically deleted upon app uninstallation.
4. App Overview
| App | Platform | Stores PII | External Calls | Privacy Policy |
|---|---|---|---|---|
| Visual Progress Tracker for Jira | Jira Cloud | No | None | Privacy Policy |
| CodeDoc AI for Confluence | Confluence Cloud | No | Your Git provider (GitHub, GitLab, Bitbucket, Azure DevOps) & your AI provider (Anthropic, OpenAI, Google AI) — via BYOK, using your own credentials | Privacy Policy |
For app-specific details on data access, storage, and retention, refer to the individual Privacy Policy linked above for each app.
5. GDPR Compliance
All apps are designed to be compliant with the General Data Protection Regulation (GDPR) and applicable data protection laws. Key measures include:
- Lawful basis: Data access is based on the legitimate interest of delivering the app's contractual functionality to the installing organization.
- Data subject rights: Since no personal data is stored outside the Atlassian platform, data subject requests (access, rectification, erasure, portability) can be addressed by uninstalling the app or contacting us directly.
- Data processing location: All data is processed within Atlassian's infrastructure. Atlassian provides GDPR-compliant data processing agreements as part of its standard terms. Apps do not introduce additional data processors.
- Breach notification: In the unlikely event of a security incident affecting app-related data, affected customers will be notified in accordance with GDPR Article 33/34 requirements and applicable law.
6. Data Flow
The diagrams below show exactly how data moves when each app runs. No data passes through infrastructure operated by Janek Behrens at any point.
CodeDoc AI for Confluence
[Data flow diagram. Labels: "Your credentials (BYOK)" (shown twice); "Documentation pages published here"]
Blue = Atlassian infrastructure | Orange = services you configure with your own credentials
Visual Progress Tracker for Jira
All data stays within Atlassian infrastructure. No external calls.
7. Data Processing Agreement (DPA)
No separate DPA with Janek Behrens is required. Janek Behrens does not act as a data processor for your organization's data under GDPR Article 4(8), because no personal data is transmitted to or processed on systems controlled by Janek Behrens.
All data processing occurs within Atlassian's platform (Forge runtime, Forge Storage, Jira and Confluence APIs). Atlassian acts as the data processor for this infrastructure layer, governed by Atlassian's Data Processing Addendum, which is part of Atlassian's standard Cloud Terms of Service.
For CodeDoc AI: outbound calls to your Git and AI providers are made using credentials you supply (Bring Your Own Key). You hold the direct contractual relationship with those providers — Janek Behrens is not a party to that data flow.
If your organization's procurement process requires a written confirmation of this arrangement, please contact support@janekbehrens.de.
8. Subprocessors
The table below lists all third-party services involved in data processing per app. "Customer-configured" means Janek Behrens has no contractual relationship with that provider — you supply your own credentials and your organization is the controller of that connection.
| App | Subprocessor | Purpose | Type | Data Center |
|---|---|---|---|---|
| All apps | Atlassian | Forge runtime, Forge Storage, Jira & Confluence APIs, identity | Mandatory | Per your Atlassian instance region |
| CodeDoc AI | GitHub / GitLab / Bitbucket / Azure DevOps | Repository access to fetch source code for documentation generation | Customer-configured (BYOK) | Per provider / customer account |
| CodeDoc AI | Anthropic / OpenAI / Google AI | AI-powered documentation generation using your API key | Customer-configured (BYOK) | Per provider / customer account |
| Visual Progress Tracker | None | No external calls — all processing within Atlassian Forge | — | — |
This subprocessor list is reviewed and updated whenever a new integration is introduced. Last reviewed: March 17, 2026.
9. Compliance & Certifications
Janek Behrens does not independently hold SOC 2 or ISO certifications. However, because all apps run exclusively on Atlassian Forge, they operate within Atlassian's certified infrastructure. Atlassian maintains the following certifications for its cloud platform:
Full certificates and audit reports are available via the Atlassian Trust Center.
In addition, all apps undergo Atlassian's Marketplace security review before each version is made publicly available. This includes automated security scanning, scope justification review, and privacy guideline compliance checks.
10. Security Practices
All apps are developed following Atlassian's security guidelines for Marketplace Partners:
- Least privilege: Only the minimum required Atlassian API scopes are requested. Permission justifications are provided during the Marketplace approval process.
- Sandboxed execution: Forge apps run in a sandboxed environment with no access to the underlying host system.
- No credential storage: Apps do not store API keys, tokens, passwords, or secrets.
- Dependency management: Dependencies are kept up to date to minimize exposure to known vulnerabilities.
- Atlassian security review: All versions submitted to the Atlassian Marketplace undergo Atlassian's security review process before becoming publicly available.
11. Vulnerability Disclosure
If you discover a security vulnerability in any of our apps, please report it responsibly by contacting us directly at the email address below. We commit to:
- Acknowledging your report within 5 business days.
- Investigating and addressing confirmed vulnerabilities in accordance with Atlassian's security bug fix SLAs.
- Keeping you informed of progress during remediation.
Please do not publicly disclose vulnerabilities until a fix has been released.
12. Atlassian Marketplace Compliance
All apps comply with the Atlassian Marketplace App Approval Guidelines and the Atlassian Data Privacy Guidelines for Developers. Each app version is reviewed and approved by Atlassian before being made available to customers.
13. Changes to This Document
This Trust Center may be updated as new apps are published or practices evolve. Material changes will be reflected in the "Last updated" date above. We recommend periodically reviewing this page if you have ongoing compliance requirements.
Contact & Security Inquiries
For security disclosures, privacy questions, data subject requests, or any trust-related inquiries:
Email: support@janekbehrens.de
Vendor Profile: marketplace.atlassian.com/vendors/92692174