Security Policy

How Golpo AI secures the Golpo AI for Confluence app and the data it processes.

Last updated: June 2026

Overview

Golpo AI for Confluence ("the App") is developed by Golpo AI - Red Tree Inc. ("Golpo AI", "we", "us"). We are committed to protecting customer data and the security of the App and its supporting systems. This policy summarizes how we handle security issues and incidents, our vulnerability management process, and the key security controls we have in place. It complements our Privacy Policy, which describes what data we process and how.

Reporting a Security Issue

If you discover a potential security vulnerability or have a security concern, please report it to us at support@golpoai.com. Where possible, include steps to reproduce, affected components, and any supporting details.

We acknowledge security reports promptly and will keep you informed as we investigate and remediate. We ask that reporters allow us reasonable time to remediate before any public disclosure.

Security Incident Handling

We maintain an incident response process to detect, respond to, and learn from security incidents:

  • Detection & triage: security reports and monitoring signals are reviewed and assessed for severity and impact.
  • Containment & remediation: we act to contain the issue, remediate the root cause, and validate the fix.
  • Notification: where an incident affects customer data, we notify affected customers and the relevant authorities as required by applicable law, and we notify Atlassian of security incidents via ECOHELP.
  • Post-incident review: we conduct a review to identify and apply improvements that reduce the likelihood of recurrence.

Vulnerability Management

  • Reporting: vulnerabilities can be reported to support@golpoai.com; we also monitor and act on Atlassian Marketplace Security (AMS) tickets.
  • Triage: reported issues are prioritized by severity (using CVSS where applicable) and potential impact.
  • Remediation: we remediate within timeframes aligned with Atlassian's Security Bug Fix Policy — Critical within 10 days, High within 4 weeks, Medium within 12 weeks, and Low within 25 weeks of being reported or triaged.
  • Dependency management: we scan dependencies for known vulnerabilities and keep third-party libraries up to date, avoiding versions with known critical or high severity issues in shipped code.

Key Security Controls

Authentication & authorization

  • The app is built on Atlassian Forge, running in Atlassian's sandboxed runtime with platform-enforced egress controls.
  • Requests from the app to our backend carry an Atlassian-signed Forge Invocation Token (FIT). Our backend verifies the token (signature, issuer, audience, and expiration) before processing the request, and the tenant is derived only from the verified token, never from caller-supplied parameters.
  • We follow the principle of least privilege for app scopes, and configuration actions are restricted to authorized site administrators.
  • Tenant isolation: data is scoped per Atlassian site so one customer's data cannot be accessed by another.

Data protection

  • Encryption in transit: all traffic uses TLS 1.2 or higher.
  • Encryption at rest: stored data is encrypted at rest (AWS S3 server-side encryption, database encryption, and Atlassian Forge encrypted storage for secrets).
  • Data minimization: we do not store Atlassian account IDs or user identities, and we do not include contributor names in the content sent for video generation.

Secrets management

  • You generate your API key in your Golpo AI account and enter it in the app. We use it to authenticate the integration to your Golpo AI account and to identify and meter your usage.
  • The API key is stored in Atlassian Forge encrypted storage and in our encrypted backend database (the same database that stores your Golpo AI account), with access restricted to the backend service role. It is never committed to source code, exposed in client-side code, or returned by any API.
  • We do not collect or store Atlassian user passwords or API tokens.
  • Secrets and the API key are excluded from the Forge app's logs.

Monitoring & secure development

  • We monitor application health and errors. The Forge app does not log content prompts or secrets; we minimize personal data in our operational logs, and access to those logs is restricted to authorized personnel.
  • Changes are reviewed before release, and dependencies are scanned for known vulnerabilities.

Data Handling & Sub-Processors

Details of the data we process, where it is stored, our sub-processors, international transfers, and retention are documented in our Privacy Policy. End-User Data can be deleted on request; see the Privacy Policy for how to make a request.

Security Contact

For security questions, vulnerability reports, or incident notifications, contact: