ATLASSIAN PARTNER

Privacy Policy

Applies to: Accxia Atlassian Cloud & Data Centre Apps
Vendor: Accxia
Last Updated: 3rd June 2026
Document owner: support@accxia.com

This policy describes how Accxia (“we,” “us”) protects customer data processed by Atlassian Cloud/Datacenter Addons, apps distributed through the Atlassian Marketplace. It is intended for customers, prospective customers, and security reviewers. This document is a template — replace every bracketed placeholder with your actual practices and have it reviewed by your legal and security teams before publishing.


1. Overview

We develop [Forge / Connect] apps that run on Atlassian Cloud products including [Jira, Confluence, etc.]. We are committed to protecting the confidentiality, integrity, and availability of all data the app processes on behalf of our customers.

This policy covers our data handling practices, our security controls, how we respond to security incidents, and how we manage vulnerabilities.

2. Data We Process

The app accesses and processes the following categories of data, limited to what is required for its functionality:

  • Atlassian account data such as account IDs, display names, and email addresses, used to identify users and attribute actions within the app.
  • Product content such as [issue data, page content, comments, attachments, custom fields — list only what applies] needed to deliver the app’s features.
  • Configuration and app settings that customers create when using the app.
  • Operational metadata such as timestamps, request logs, and error data used for support and reliability.

We do not collect data beyond what is necessary, and we do not sell customer data or use it for advertising. If the app uses any data for product analytics or model training, state that explicitly here, along with how customers can opt out.

3. Where Data Is Stored and Processed

Forge apps: The app runs on Atlassian’s Forge platform. Data is processed within Atlassian’s infrastructure, and any persistent data is stored using Forge storage in the customer’s selected Atlassian data residency region. We do not egress customer data to external systems except where explicitly documented in Section 4.

Connect or externally hosted apps: The app’s backend is hosted on Hetzner in Germany. Customer data stored by the app resides only in a German data center. Data residency options, if offered, are described here.

4. General Security Controls

We maintain administrative, technical, and physical safeguards designed to protect customer data throughout its lifecycle.

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 or an equivalent industry-standard algorithm.
  • Encryption keys are managed via the Forge platform with restricted access and regular rotation.

Access control

  • Access to production systems and customer data follows the principle of least privilege and is granted on a need-to-know basis.
  • Administrative access requires multi-factor authentication (MFA).
  • Access is provisioned through a process, is reviewed at least yearly, and is revoked promptly upon role change or offboarding.
  • All privileged access is logged and monitored.

Application and platform security

  • The app requests only the minimum OAuth scopes / permissions required for its functionality.
  • We follow secure software development practices, including code review and automated security checks in our CI/CD pipeline.
  • Authentication between the app and Atlassian uses Forge platform authentication, Connect JWT, or OAuth 2.0, and Organization Tokens where permitted.
  • Secrets and credentials are stored in a dedicated secrets manager and are never committed to source control.

Network and infrastructure security

  • Production environments are segmented from development and test environments.
  • Infrastructure is protected by firewalls, security groups, and restricted ingress/egress rules.
  • Systems are hardened and patched on a regular schedule.

Logging and monitoring

  • We maintain audit logs of administrative and security-relevant events.
  • We monitor systems for anomalous activity and configure alerting for security-relevant conditions.
  • Logs are retained for 6 months and protected against tampering.

Personnel security

  • Employees with access to customer data complete security awareness training at onboarding and at least annually.
  • Background checks are performed where legally permitted.
  • All personnel are bound by confidentiality obligations.

Business continuity and backups

  • Customer data is backed up [frequency]; backups are encrypted and stored in Germany.
  • We test restoration procedures [frequency] and maintain a documented disaster recovery plan with target recovery time objective (RTO) and recovery point objective (RPO) of [RTO] and [RPO].

5. Vulnerability Management

We operate a structured vulnerability management program to identify, prioritize, and remediate security weaknesses before they can be exploited.

Identification

  • We perform automated dependency and software composition analysis (SCA) to detect vulnerabilities in third-party libraries.
  • We run static application security testing (SAST) [and dynamic testing (DAST)] as part of our development pipeline.
  • We conduct [internal vulnerability scans / third-party penetration tests] at least [annually], and after significant changes.
  • We monitor security advisories from Atlassian, our cloud provider, and our dependency ecosystem.


Prioritization

We triage and assign severity to vulnerabilities using [CVSS] and remediate according to the following target timelines:

Severity: Remediation target
  • Critical: Within [e.g. 24–72 hours]
  • High: Within [e.g. 7 days]
  • Medium: Within [e.g. 30 days]
  • Low: Within [e.g. 90 days]


Remediation and verification

  • Fixes are developed, reviewed, tested, and deployed through our standard release process.
  • We verify that remediations are effective and that they do not introduce regressions.
  • We track all findings to closure in [tracking system].


Responsible disclosure

We welcome reports of suspected vulnerabilities from security researchers and customers.

Reports can be sent to support@accxia.com or submitted via https://helpdesk.support.accxia.com.

We commit to acknowledging reports within 1 business day and to providing status updates through resolution. We ask reporters to allow a reasonable period for remediation before public disclosure.


6. Security Incident Handling

We maintain a documented incident response plan to detect, respond to, and recover from security incidents involving customer data.


Detection and reporting

  • We use monitoring and alerting to detect potential incidents.
  • Employees and external parties can report suspected incidents to support@accxia.com at any time.


Response process

When a suspected incident is identified, we follow these phases:

  1. Triage and classification — We assess the report, confirm whether an incident has occurred, and classify its severity and scope.
  2. Containment — We take immediate steps to limit the impact, such as isolating affected systems or revoking compromised credentials.
  3. Investigation — We determine the root cause, the data and customers affected, and the timeline of events.
  4. Eradication and recovery — We remove the cause, restore affected systems from trusted sources, and verify normal operation.
  5. Post-incident review — We document lessons learned and implement corrective and preventive actions.


Customer notification

In the event of a confirmed security breach affecting customer data, we will notify affected customers without undue delay and, where applicable, within the timeframes required by law (for example, within 72 hours under the GDPR). Notifications will include, to the extent known, the nature of the incident, the data and customers affected, the steps we have taken, and recommended actions for the customer. We coordinate with Atlassian where an incident involves the Atlassian platform, consistent with the Atlassian Marketplace Partner Agreement.


Contacts

  • Security and incident reporting: support@accxia.com
  • Privacy and data protection inquiries: support@accxia.com

7. Data Retention and Deletion

  • We retain customer data only as long as necessary to provide the app or as required by law.
  • When a customer uninstalls the app, we delete or anonymize associated customer data immediately, except where retention is legally required.

8. Compliance and Certifications

  • We comply with applicable data protection laws, including the GDPR.
  • We participate in the Atlassian Marketplace [Security Self-Assessment Program / Cloud Fortified] program.

9. Customer Responsibilities

Security is a shared responsibility. Customers are responsible for managing their own Atlassian user access and permissions, configuring the app appropriately, and protecting their own credentials.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via our website, and the “Last updated” date above will be revised.