Security policy
Last updated: June 22, 2026
This page describes how FlowDesk Apps handles security reports, vulnerability remediation, incident response, and the technical and organizational controls used for Queue Manager, SLA Manager, and future FlowDesk Apps Marketplace products.
Reporting security issues
Security issues should be reported to [email protected]. Please include the affected app, affected Atlassian site or project if relevant, a description of the issue, reproduction steps, expected impact, and any supporting screenshots or logs. Do not include secrets, passwords, personal access tokens, or unnecessary customer data in the report.
Vulnerability management
We review reported vulnerabilities and scanner findings, including Atlassian Ecoscanner results, to determine severity, impact, and required remediation. We acknowledge security reports within two business days when possible and aim to complete an initial assessment within five business days.
Target remediation timelines depend on severity and customer impact. Critical issues are prioritized immediately and targeted for remediation as soon as practical, generally within seven days. High severity issues are targeted within 14 days, medium severity issues within 30 days, and low severity issues within 90 days or the next planned maintenance cycle. If Atlassian policy or a Marketplace ticket requires a shorter deadline, we follow the stricter requirement.
Security controls
- Platform: our apps run on Atlassian Forge and rely on Atlassian-hosted infrastructure for app execution and storage.
- Least privilege: app scopes are limited to the Jira and Forge permissions required for app functionality.
- Credential handling: our apps do not ask customers to provide Atlassian passwords, personal access tokens, or shared secrets.
- Data protection: app data is transmitted over HTTPS and stored through Atlassian platform services. Website traffic is served over HTTPS.
- Access control: access to Marketplace, developer, hosting, and support systems is limited to authorized maintainers.
- Dependency review: we review dependency and platform findings, run vulnerability checks during release preparation, and patch security issues through new Forge deployments or Marketplace versions when required.
- Logging: we avoid intentionally logging End-User Data unless it is needed for troubleshooting or a security investigation.
Incident response
If we identify a security incident affecting an app or customer data, we investigate the report, contain the issue, assess customer impact, remediate the vulnerability, and coordinate with Atlassian where required. We document the timeline, scope, remediation actions, and follow-up prevention steps.
Notification and escalation
For incidents that materially affect customer data, app availability, or confidentiality, we notify affected customers without undue delay and within 72 hours where legally required. Notifications may include the nature of the incident, affected app or data categories, mitigation steps, remediation status, and support contact information.
Compliance
FlowDesk Apps does not currently claim independent compliance certifications for these apps. We continue to use Atlassian Marketplace security processes, Forge platform controls, vulnerability remediation practices, and customer support procedures to maintain app security.
Contact
Security reports: [email protected]. General support: [email protected].