Forge-native infrastructure
AI Comment Action Inbox runs entirely on Atlassian Forge — Atlassian's own serverless platform. No external servers to compromise, no third-party hosting to approve.
How we build and operate AI Comment Action Inbox securely.
Section 1
If you discover a security vulnerability in any Sivect product, please report it to [email protected]. We triage all security reports within 48 hours (Melbourne, Australia — AEST/AEDT). Critical vulnerabilities are patched and deployed within 7 days. We use responsible disclosure — please give us reasonable time to address issues before public disclosure.
Section 2
All data is encrypted at rest by Atlassian Forge Storage automatically. All data in transit uses HTTPS/TLS enforced by the Forge platform. No app-level encryption configuration required.
Before any comment text reaches external AI processing, it passes through a multi-layer PII detection pipeline. Emails, phone numbers, API keys, account IDs, customer names, and HR terms are all replaced with typed tokens.
The Anthropic API key is stored as an encrypted platform environment variable — never logged and never accessible to users. It is never included in error responses.
All application logs pass through a sanitisation layer before writing. Emails, tokens, account IDs, and sensitive field values are removed or anonymised before any log entry is persisted.
Automated dependency scanning is part of our development and deployment process. Known vulnerabilities are assessed and addressed before each release.
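The typed-token replacement described above for comment text and for log entries, shown as an added example that is not Sivect's code. The patterns, token names, `redact` helper and customer-name list are assumptions, and the sample input is constructed.

```javascript
// Added example (not the product's code): layered redaction with typed tokens.
// Order matters: specific patterns run first so a broad one cannot split them.
const LAYERS = [
  ['EMAIL', /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  // Assumed key shapes: a short vendor prefix followed by a long secret.
  ['API_KEY', /\b(?:sk|pk|ghp|xox[abp])[-_][A-Za-z0-9_-]{16,}/g],
  // Assumed account ID shapes: 24 hex chars, or "digits:uuid".
  ['ACCOUNT_ID', /\b[0-9a-f]{24}\b|\b\d{6}:[0-9a-f-]{36}\b/g],
  // Deliberately broad: over-redacting a digit run is the safer failure.
  ['PHONE', /(?<![\w-])\+?\d[\d\s().-]{7,}\d(?![\w-])/g],
];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Returns the redacted text and a per-type count. Original values never
// leave this function, so nothing sensitive reaches the caller's logs.
function redact(text, customerNames = []) {
  const seen = new Map(); // type:value -> token, so repeats share one token
  const counts = {};
  const tokenFor = (type, value) => {
    const key = `${type}:${value.toLowerCase()}`;
    if (!seen.has(key)) {
      counts[type] = (counts[type] || 0) + 1;
      seen.set(key, `[${type}_${counts[type]}]`);
    }
    return seen.get(key);
  };
  let out = text;
  for (const [type, re] of LAYERS) {
    out = out.replace(re, (m) => tokenFor(type, m));
  }
  // Dictionary layer: names supplied by the caller (hypothetical list).
  for (const name of customerNames) {
    const re = new RegExp(`\\b${escapeRegex(name)}\\b`, 'gi');
    out = out.replace(re, (m) => tokenFor('CUSTOMER', m));
  }
  return { text: out, counts };
}

// Constructed sample comment; none of these values are real.
const SAMPLE = 'Ping jane.doe@example.com or +61 3 5550 0100 about Acme Corp; ' +
  'key sk-test_abcdefghijklmnop1234, user 5f1e2d3c4b5a69788796a5b4. ' +
  'cc jane.doe@example.com';

console.log(redact(SAMPLE, ['Acme Corp']).text);
```

Because a repeated value maps to the same numbered token, downstream processing can still tell that two mentions refer to the same person or account without seeing the value.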
Section 3
AI Comment Action Inbox uses Atlassian Forge's built-in OAuth system for all authentication. The app never sees, handles, or stores user credentials. Authentication is managed entirely by Atlassian's identity platform.
Section 4
User data in Forge Storage is strictly isolated by Atlassian account ID. No user can access another user's action items, preferences, or settings.
Section 5
The app requests only the minimum permissions required. Every permission is declared in the Forge manifest and reviewed by Atlassian during the Marketplace review process. View the full permission list on our product page.