Skip to main content

Security Policy

Last updated: May 19, 2026

NGPILOT, Inc. ("NGPILOT," "we," "us," or "our") is committed to protecting the security of our customers' data. This Security Policy describes the technical and organizational measures we implement to secure our Atlassian Marketplace applications and related systems.

1. Architecture Overview

All NGPILOT Apps are built on Atlassian Forge, Atlassian's serverless development platform. This means:

  • Our Apps execute within Atlassian's managed cloud infrastructure
  • All data processing occurs within the customer's Atlassian cloud tenant
  • No data is transmitted to, stored on, or processed by any external servers or infrastructure outside of Atlassian
  • Our Apps use only Atlassian's permission-scoped APIs with the minimum required access (principle of least privilege)

This "Runs on Atlassian" architecture significantly reduces the security surface area, as Atlassian manages the underlying infrastructure, networking, and platform security.

2. Data Storage and Encryption

Data at Rest

  • Customer data accessed or generated by our Apps is stored within the customer's Atlassian cloud instance (Confluence, Jira, or Forge Storage)
  • Atlassian encrypts data at rest using AES-256 encryption
  • We do not maintain any separate databases, file storage, or external backups of customer data

Data in Transit

  • All communication between our Apps and Atlassian services is encrypted using TLS 1.2 or higher
  • Atlassian enforces HSTS (HTTP Strict Transport Security) on all connections
  • No data is transmitted outside of Atlassian's infrastructure

Secrets Management

  • API keys, OAuth tokens, and other secrets are stored in Atlassian Forge Secure Storage
  • Secrets are never hardcoded in source code, committed to repositories, or included in logs or URLs
  • Secret rotation is performed following Atlassian's recommended practices

3. Access Control

App-Level Access

  • Our Apps use Atlassian Forge's scope-based permission model, requesting only the minimum scopes necessary for each App's functionality
  • Access is authenticated and authorized on every API request
  • Users can review and control App permissions through their Atlassian administration console

Organizational Access

  • Access to development tools, source code repositories, and Atlassian Marketplace accounts requires multi-factor authentication (MFA)
  • Access is granted on a need-to-know basis using the principle of least privilege
  • Unique, strong credentials are required for all systems
  • Access is reviewed periodically and revoked when no longer needed

4. Development Security

Secure Development Lifecycle

  • Peer code reviews are required for all changes before merging to production
  • Pull requests are mandatory for deploying to production environments
  • Code changes are deployed through Atlassian Forge's secure deployment pipeline, which includes app signing and verification

Code Quality and Testing

  • Automated testing is integrated into the development process
  • Source code is analyzed for security vulnerabilities during development
  • We follow secure coding practices aligned with the OWASP Top 10 guidelines

Dependency Management

  • Third-party libraries are regularly reviewed and updated
  • Libraries with known critical or high-severity vulnerabilities are promptly remediated
  • We maintain awareness of vulnerability disclosures for all dependencies

5. Vulnerability Management

Security Bug Fix Policy

We adhere to Atlassian's Marketplace Security Bug Fix Policy:

SeverityResolution Timeframe
CriticalWithin 10 calendar days
HighWithin 4 calendar weeks
MediumWithin 12 calendar weeks
LowWithin 25 calendar weeks

Reporting Vulnerabilities

We welcome and encourage responsible disclosure of security vulnerabilities:

We commit to:

  • Acknowledging vulnerability reports within 5 business days
  • Providing an initial assessment and severity classification within 10 business days
  • Keeping reporters informed of remediation progress
  • Not taking legal action against good-faith security researchers

Vulnerability Scanning

  • We perform regular vulnerability assessments of our App code
  • Dependencies are scanned for known vulnerabilities (Software Composition Analysis)
  • Static code analysis is applied to identify potential security issues

6. Incident Response

Incident Detection and Reporting

  • Security incidents may be detected through monitoring, customer reports, or third-party notification
  • All personnel are trained to report suspected security deviations immediately

Incident Handling Process

Our incident response follows these stages:

  1. Detection and Triage: Identify and classify the incident based on severity and scope
  2. Containment: Take immediate action to prevent further impact
  3. Investigation: Determine the root cause, affected systems, and scope of impact
  4. Remediation: Implement fixes to resolve the vulnerability or issue
  5. Notification: Notify affected customers and Atlassian as appropriate
  6. Post-Mortem: Conduct a review to identify improvements and prevent recurrence

Notification

  • We will notify Atlassian of security incidents through the appropriate Atlassian security channels (ECOHELP) as required by the Marketplace Partner Agreement
  • Affected customers will be notified via email or through our support portal within 72 hours of confirmed impact
  • Notifications will include the nature of the incident, what data was affected, and remediation steps taken

7. Monitoring and Logging

  • Access to development and deployment systems is logged and monitored
  • Failed authentication attempts and access control changes are tracked
  • Logs are retained for a minimum of 12 months where applicable
  • Atlassian provides platform-level monitoring and logging for the Forge runtime environment

8. Business Continuity

Because our Apps run on Atlassian Forge, business continuity for the underlying infrastructure is managed by Atlassian, including:

  • Redundant infrastructure across availability zones
  • Automated failover and recovery
  • Regular backup and disaster recovery procedures

For our development and deployment processes, we maintain:

  • Source code in distributed version control with full history
  • Documented deployment procedures
  • Ability to roll back to previous App versions through the Atlassian Marketplace

9. Compliance and Certifications

Atlassian Platform Compliance

Our Apps benefit from Atlassian's compliance certifications, including:

  • SOC 2 Type II
  • SOC 1 (SSAE 18 / ISAE 3402)
  • ISO/IEC 27001
  • CSA STAR

For full details, see Atlassian Trust & Compliance.

NGPILOT Compliance

We are committed to maintaining security best practices as a Marketplace partner. We regularly review and update our security measures in alignment with Atlassian's Security Guidelines for Marketplace Partners.

10. Human Resources Security

  • Personnel with access to development systems undergo security awareness training
  • Security responsibilities are clearly defined and communicated
  • Access to systems is promptly revoked upon role change or departure

11. Policy Review and Updates

This Security Policy is reviewed at least annually and updated as needed to reflect changes in our practices, technology, or regulatory requirements. Material changes will be communicated through appropriate channels.

12. Contact

For security-related questions, concerns, or vulnerability reports:

We aim to respond to security inquiries within 5 business days.