Security

How we build and operate AI Comment Action Inbox securely.

Report a vulnerability

If you discover a security vulnerability in any Sivect product, please report it to [email protected]. We triage all security reports within 48 hours (Melbourne, Australia — AEST/AEDT). Critical vulnerabilities are patched and deployed within 7 days. We use responsible disclosure — please give us reasonable time to address issues before public disclosure.

How the app is secured

Forge-native infrastructure

AI Comment Action Inbox runs entirely on Atlassian Forge — Atlassian's own serverless platform. No external servers to compromise, no third-party hosting to approve.

Encrypted at rest and in transit

All data is encrypted at rest by Atlassian Forge Storage automatically. All data in transit uses HTTPS/TLS enforced by the Forge platform. No app-level encryption configuration required.

Multi-layer PII sanitisation

Before any comment text reaches external AI processing, it passes through a multi-layer PII detection pipeline. Emails, phone numbers, API keys, account IDs, customer names, and HR terms are all replaced with typed tokens.

API key management

The Anthropic API key is stored as an encrypted platform environment variable — never logged and never accessible to users. It is never included in error responses.

Sanitised logging

All application logs pass through a sanitisation layer before writing. Emails, tokens, account IDs, and sensitive field values are removed or anonymised before any log entry is persisted.
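The two sections above describe the same mechanism applied at two points: detected PII is swapped for typed tokens before comment text leaves the platform, and the same kind of scrubbing runs over log records before they are persisted. The following is an added example of such a pipeline, written here for illustration; it is not the app's own code, and the regex shapes (API key prefix, 24-hex account ID, phone format), the HR vocabulary and the sensitive field names are assumptions chosen for the demonstration, as is the sample comment.

```javascript
// Added example (not the product's own code): a multi-layer PII sanitiser that
// replaces detected values with typed, numbered tokens, plus a log-record
// sanitiser built on the same function. All patterns, vocabularies and field
// names below are illustrative assumptions, not the product's real rules.

// Regex layers, applied in this order. Specific formats (API keys, account IDs)
// run before the loose phone pattern so a broad match cannot swallow part of a
// more specific one.
const REGEX_LAYERS = [
  // Assumed key shape: "sk-" followed by 20 or more key characters.
  { type: 'API_KEY', re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { type: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  // Assumed account-ID shape: a 24-character lowercase hex identifier.
  { type: 'ACCOUNT_ID', re: /\b[0-9a-f]{24}\b/g },
  // Loose international phone pattern. It accepts some false positives on
  // purpose: over-redaction is the safer failure mode before external processing.
  { type: 'PHONE', re: /\+?\d{1,3}[ -]?\(?\d{1,4}\)?[ -]?\d{3,4}[ -]?\d{3,4}\b/g },
];

// Assumed HR vocabulary for the dictionary layer.
const DEFAULT_HR_TERMS = [
  'salary review', 'performance review', 'salary', 'termination',
  'disciplinary', 'medical leave',
];

// Builds a case-insensitive whole-phrase layer from a word list (e.g. customer
// names loaded from a field). Longest phrases first so "salary review" wins
// over "salary". Returns null for an empty list: an empty alternation would
// otherwise match the empty string at every word boundary.
function dictionaryLayer(type, phrases) {
  if (!phrases || phrases.length === 0) return null;
  const escaped = phrases
    .map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .sort((a, b) => b.length - a.length);
  return { type, re: new RegExp(`\\b(?:${escaped.join('|')})\\b`, 'gi') };
}

// Runs every layer over the text. The same value always maps to the same token
// within one call (so "[EMAIL_1]" twice means one address), and the token map
// is returned to the caller but never written anywhere by this function.
function sanitise(text, { customerNames = [], hrTerms = DEFAULT_HR_TERMS } = {}) {
  const layers = [
    ...REGEX_LAYERS,
    dictionaryLayer('CUSTOMER_NAME', customerNames),
    dictionaryLayer('HR_TERM', hrTerms),
  ].filter(Boolean);

  const tokens = new Map(); // token -> original value (in-process only)
  const seen = new Map();   // "TYPE|value" -> token, for stable numbering
  const counters = {};
  let out = text;
  for (const layer of layers) {
    out = out.replace(layer.re, (match) => {
      const key = `${layer.type}|${match.toLowerCase()}`;
      if (!seen.has(key)) {
        counters[layer.type] = (counters[layer.type] || 0) + 1;
        const token = `[${layer.type}_${counters[layer.type]}]`;
        seen.set(key, token);
        tokens.set(token, match);
      }
      return seen.get(key);
    });
  }
  return { text: out, tokens };
}

// Assumed field names whose values are dropped outright rather than tokenised.
const SENSITIVE_FIELDS = new Set([
  'apikey', 'api_key', 'authorization', 'password', 'token', 'secret',
]);

// Walks a structured log record: sensitive fields are removed, every string
// value is passed through sanitise(), and the token map is discarded so nothing
// that could reverse the redaction reaches the log sink.
function sanitiseLogRecord(record, opts) {
  if (Array.isArray(record)) return record.map((v) => sanitiseLogRecord(v, opts));
  if (record && typeof record === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(record)) {
      out[k] = SENSITIVE_FIELDS.has(k.toLowerCase()) ? '[REMOVED]' : sanitiseLogRecord(v, opts);
    }
    return out;
  }
  return typeof record === 'string' ? sanitise(record, opts).text : record;
}

// Constructed sample comment for the demo; not real data.
const SAMPLE_COMMENT =
  'Alice Nguyen (alice.nguyen@example.com, +61 3 9123 4567) asked about her salary review. ' +
  'Please email alice.nguyen@example.com; reporter account 5b10ac8d82e05b22cc7d4ef5. ' +
  'Key used in the failing call: sk-abcdefghijklmnopqrstuvwxyz0123';

function demo() {
  return sanitise(SAMPLE_COMMENT, { customerNames: ['Alice Nguyen'] });
}

console.log(demo().text);
```

Keeping one token per distinct value inside a comment lets the downstream model still see that two mentions refer to the same person or address, without ever seeing the value itself. The token map is the sensitive artefact of this design: it stays in process memory for the duration of the request, and the log path throws it away rather than persisting it.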

Dependency scanning

Automated dependency scanning is part of our development and deployment process. Known vulnerabilities are assessed and addressed before each release.

Authentication

AI Comment Action Inbox uses Atlassian Forge's built-in OAuth system for all authentication. The app never sees, handles, or stores user credentials. Authentication is managed entirely by Atlassian's identity platform.

Data isolation

User data in Forge Storage is strictly isolated by Atlassian account ID. No user can access another user's action items, preferences, or settings.

Permissions

The app requests only the minimum permissions required. Every permission is declared in the Forge manifest and reviewed by Atlassian during the Marketplace review process. View the full permission list on our product page.

Security enquiries

Security enquiries: [email protected]