Security

How we build and operate AI Mention Triage securely.

Report a vulnerability

If you discover a security vulnerability in any Sivect product, please report it to [email protected]. We triage every report within 48 hours of receipt (Melbourne, Australia, AEST/AEDT). Critical vulnerabilities are patched and deployed within 7 days. We follow responsible disclosure: please allow reasonable time for a fix to ship before any public disclosure.

How the app is secured

Forge-native infrastructure

AI Mention Triage runs entirely on Atlassian Forge, Atlassian's own serverless app platform. The app's code executes inside Atlassian's infrastructure, so there are no external servers for an attacker to compromise and no third-party hosting for your security team to approve.

Encrypted at rest and in transit

Atlassian Forge Storage encrypts all stored data at rest automatically, and the Forge platform enforces HTTPS/TLS for all data in transit. The app carries no encryption configuration of its own, so there is nothing to misconfigure.

Multi-layer PII sanitisation

Before any comment text leaves the app for AI classification, it passes through a multi-layer PII detection pipeline. Emails, phone numbers, API keys, account IDs, customer names, and HR terms are each replaced with a typed placeholder token, so the classifier sees the structure of the comment but not the identifying values.

No third-party AI credentials

AI classification uses Atlassian Forge AI, Atlassian's in-platform LLM service. No external AI provider API keys are held by the app, so there is no key to leak, log, or rotate — credential management is handled by the Forge platform.

Sanitised logging

All application logs pass through a sanitisation layer before writing. Emails, tokens, account IDs, and sensitive field values are removed or anonymised before any log entry is persisted.
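As an added illustration of both the PII sanitisation pipeline and the log sanitisation layer described above (example code written for this page, not the app's own implementation), the sketch below builds an ordered list of detectors, each swapping what it matches for a typed token, and reuses that same detector set for structured log entries. The regular expressions, the token format, the customer and HR word lists, the denylisted log field names and the sample comment and log record are all constructed for the example; the app's real detectors are not published here.

```javascript
// Added example, not the AI Mention Triage app's own code. It shows one way to
// build a multi-layer PII sanitisation pipeline that swaps detected values for
// typed tokens before text goes to a classifier, and reuses the same pipeline
// for structured log entries. The detector patterns, token format, customer and
// HR term lists and the sample data are all constructed for illustration.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Dictionary-backed detector: whole-word, case-insensitive match against a
// list of known terms (assumed customer names, assumed HR vocabulary).
function listDetector(type, terms) {
  return { type, pattern: new RegExp(`\\b(?:${terms.map(escapeRegExp).join('|')})\\b`, 'gi') };
}

// Order matters: structured secrets and identifiers run before the looser
// phone pattern, so a digit-heavy key or account ID is never labelled PHONE.
const DETECTORS = [
  { type: 'EMAIL', pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: 'API_KEY', pattern: /\b(?:sk|pk|ak)_(?:live_|test_)?[A-Za-z0-9]{16,}\b/g },
  // Assumed account ID shapes: 24 hex characters, or "<6 digits>:<uuid>".
  { type: 'ACCOUNT_ID', pattern: /\b(?:[0-9a-f]{24}|\d{6}:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\b/g },
  { type: 'PHONE', pattern: /(?:\+?\d{1,3}[ .-]?)?\(?\d{2,4}\)?[ .-]?\d{3,4}[ .-]?\d{3,4}\b/g },
  listDetector('CUSTOMER', ['Acme Corp', 'Globex']),
  listDetector('HR_TERM', ['redundancy', 'performance review', 'disciplinary']),
];

// One Sanitiser per unit of work (a comment, a log entry) so that a value
// repeated within it always maps to the same token: the classifier can tell
// that two mentions refer to the same person without learning who that is.
class Sanitiser {
  constructor(detectors = DETECTORS) {
    this.detectors = detectors;
    this.tokens = new Map();   // "TYPE\0normalised value" -> token
    this.counters = new Map(); // TYPE -> last index handed out
  }

  tokenFor(type, value) {
    const key = `${type}\0${value.toLowerCase()}`; // case-insensitive identity
    if (!this.tokens.has(key)) {
      const n = (this.counters.get(type) || 0) + 1;
      this.counters.set(type, n);
      this.tokens.set(key, `<${type}_${n}>`);
    }
    return this.tokens.get(key);
  }

  // Every detector layer runs over the full text, in the declared order.
  text(input) {
    return this.detectors.reduce(
      (acc, d) => acc.replace(d.pattern, (match) => this.tokenFor(d.type, match)),
      input,
    );
  }
}

function sanitiseComment(comment) {
  const san = new Sanitiser();
  return { text: san.text(comment), distinctValues: san.tokens.size };
}

// Log fields whose values are dropped outright, whatever they contain.
const DROP_FIELDS = new Set(['password', 'secret', 'token', 'authorization', 'apikey']);

// Walk a structured log entry: drop denylisted fields, run every string through
// the detector pipeline, recurse into arrays and nested objects.
function sanitiseLogEntry(entry, san = new Sanitiser()) {
  if (typeof entry === 'string') return san.text(entry);
  if (Array.isArray(entry)) return entry.map((v) => sanitiseLogEntry(v, san));
  if (entry !== null && typeof entry === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(entry)) {
      out[k] = DROP_FIELDS.has(k.toLowerCase()) ? '<REDACTED>' : sanitiseLogEntry(v, san);
    }
    return out;
  }
  return entry; // numbers, booleans, null pass through
}

// Constructed sample inputs, not real data.
const SAMPLE_COMMENT =
  '@Priya can you chase Acme Corp? Contact is jane.doe@acme.example, ' +
  'phone +61 412 345 678. Their key sk_live_4eC39HqLyjWDarjtT1zdp7dc was ' +
  'pasted by 5b10ac8d82e05b22cc7d4ef5; loop in Jane.Doe@acme.example ' +
  'about the redundancy discussion.';

const SAMPLE_LOG = {
  level: 'info',
  msg: 'classified comment from jane.doe@acme.example',
  actor: { accountId: '712020:8f3e2a1c-4b5d-4e6f-8a9b-0c1d2e3f4a5b' },
  token: 'must-never-reach-the-log',
};

console.log(sanitiseComment(SAMPLE_COMMENT).text);
console.log(JSON.stringify(sanitiseLogEntry(SAMPLE_LOG)));
```

Two design points are worth noting. The detector order is a security control, not a style choice: the phone pattern is deliberately loose, so anything that could also look like a run of digits (keys, account IDs) must be tokenised first. And the token map is created per comment or per log entry, never shared across them, so tokens cannot be correlated between two users' data while the same email mentioned twice in one comment still collapses to one token.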

Dependency scanning

Automated dependency scanning runs as part of our development and deployment pipeline. Known vulnerabilities in third-party packages are assessed and addressed before each release.

Authentication

AI Mention Triage uses Atlassian Forge's built-in OAuth system for all authentication. The app never sees, handles, or stores user credentials. Authentication is managed entirely by Atlassian's identity platform.

Data isolation

User data in Forge Storage is strictly isolated by Atlassian account ID. No user can access another user's action items, preferences, or settings.
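Forge's key-value storage is scoped to the app installation rather than to the calling user, so isolation by account ID is something the app enforces in how it derives storage keys. The following added example (written for this page, not the app's own code) shows the pattern: the account ID is read from the platform's invocation context rather than from request input, every key is prefixed with it, and caller-supplied key parts that could make one user's key ambiguous with another's are rejected. The in-memory Map standing in for Forge Storage, the key layout, the context shape and the account IDs used are all assumptions made for illustration.

```javascript
// Added example, not the AI Mention Triage app's own code. Forge's key-value
// storage is scoped to the app installation rather than to the calling user,
// so per-user isolation comes from how the app derives storage keys. This
// wrapper takes the account ID from the platform's invocation context (never
// from request input), prefixes every key with it, and rejects caller-supplied
// key parts that could collide with another user's namespace. The in-memory Map
// standing in for Forge Storage, the key layout and the context shape are all
// assumptions made for illustration.

const SEP = ':';
// Caller-supplied key parts may not contain the separator. Account IDs can,
// so without this rule "user:712020:abc:item-1" could be built two ways.
const KEY_PART = /^[A-Za-z0-9_-]{1,64}$/;

class UserScopedStore {
  constructor(backend = new Map()) {
    this.backend = backend;
  }

  // Returns a handle bound to one user. The account ID is read from the trusted
  // invocation context; callers cannot choose whose namespace they get.
  forUser(context) {
    const accountId = context && context.accountId;
    if (typeof accountId !== 'string' || accountId.length === 0) {
      throw new Error('no authenticated account in invocation context');
    }
    const prefix = `user${SEP}${accountId}${SEP}`;
    const backend = this.backend;
    const fullKey = (part) => {
      if (!KEY_PART.test(part)) throw new Error(`rejected key part: ${part}`);
      return prefix + part;
    };
    return {
      get: (part) => backend.get(fullKey(part)),
      set: (part, value) => { backend.set(fullKey(part), value); },
      remove: (part) => backend.delete(fullKey(part)),
      // Enumeration is confined to the caller's prefix, and any remainder that
      // contains the separator belongs to a longer account ID, so it is dropped.
      keys: () => [...backend.keys()]
        .filter((k) => k.startsWith(prefix))
        .map((k) => k.slice(prefix.length))
        .filter((part) => KEY_PART.test(part)),
    };
  }
}

// Constructed scenario: two users share one installation's storage, and one
// account ID happens to be a prefix of the other.
function isolationDemo() {
  const store = new UserScopedStore();
  const alice = store.forUser({ accountId: '712020:abc' });
  const mallory = store.forUser({ accountId: '712020' });
  alice.set('item-1', { text: 'reply to Priya', done: false });
  // Without the key-part check, mallory's "abc:item-1" would build the same
  // full key as alice's "item-1". The separator makes it invalid, so it throws.
  let rejected = false;
  try { mallory.get('abc:item-1'); } catch (e) { rejected = true; }
  return {
    aliceSees: alice.get('item-1'),
    mallorySees: mallory.get('item-1'),
    aliceKeys: alice.keys(),
    malloryKeys: mallory.keys(),
    ambiguousKeyRejected: rejected,
  };
}

console.log(JSON.stringify(isolationDemo()));
```

The check a practitioner would want here is the listing case: a plain prefix filter would let the shorter account ID enumerate keys belonging to the longer one, which is why the enumeration re-validates the remainder rather than trusting the prefix match alone.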

Permissions

The app requests only the minimum permissions required. Every permission is declared in the Forge manifest and reviewed by Atlassian during the Marketplace review process. View the full permission list on our product page.

Security enquiries

Security enquiries: [email protected]