Cloud Security Statement

Last updated: May 2026

Overview

9ByNight is committed to the security of our customers' data. This document describes the security practices and architecture of our Atlassian Marketplace apps, including Mermaid Diagrams for Jira and Mermaid Macros for Confluence.

Architecture

Our apps are built on Atlassian Forge, a serverless platform that runs within Atlassian's infrastructure. This architecture provides several security guarantees:

  • Client-side processing: All diagram rendering occurs locally in the user's browser. No content is sent to external servers.
  • Sandboxed execution: Forge apps run in isolated sandboxes within Atlassian's cloud, with no direct access to the underlying infrastructure.
  • No external servers: We do not operate any backend servers. The app runs entirely within the Atlassian platform and the user's browser.

Data Handling

  • No data collection: Our apps do not collect, store, or transmit any user data, personal information, or content.
  • No analytics or telemetry: We do not use any analytics, tracking, or telemetry services within our Atlassian apps.
  • No cookies: Our apps do not set or read any cookies.
  • No user data sent to third parties: We do not transmit user content, identifiers, or personal data to any third-party services or subprocessors. Inherited Atlassian SDK components (Atlaskit) may include feature-flag infrastructure, but our app declares no external network permissions in its Forge manifest, and no user data is included in any such requests.

Permissions

Our apps follow the principle of least privilege and request only the minimum permissions necessary:

  • Read-only access: Mermaid Diagrams for Jira requests only read permissions to Jira issues and comments. It never modifies, creates, or deletes any content.
  • Scoped permissions (Jira): Mermaid Diagrams for Jira uses read:jira-work — nothing else. No write permissions, no admin permissions, no cross-product access.
  • Zero permissions (Confluence): Mermaid Macros for Confluence requests no scopes at all — an empty scope set. You enter the diagram source directly into the macro, so the app needs no access to your content.
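The scope and egress claims above can be checked mechanically against the app's Forge manifest. The following is an added example, not 9ByNight's own code: a small audit function run over constructed manifest objects (the `read:jira-work` scope is taken from this statement; the app ids, the drifted manifest and the hostname in it are placeholders). It assumes the Forge manifest layout of `permissions.scopes` for OAuth scopes and `permissions.external.fetch.backend` / `permissions.external.fetch.client` for network egress allow-lists.

```javascript
// Added example (not 9ByNight's code): audit the `permissions` block of a
// Forge manifest against the least-privilege claims in this statement.
// All manifest objects below are constructed for illustration.

// Jira app as described: a single read-only scope.
const JIRA_MANIFEST = {
  app: { id: 'ari:cloud:ecosystem::app/<placeholder-app-id>' },
  permissions: { scopes: ['read:jira-work'] },
};

// Confluence app as described: an empty scope set.
const CONFLUENCE_MANIFEST = {
  app: { id: 'ari:cloud:ecosystem::app/<placeholder-app-id>' },
  permissions: { scopes: [] },
};

// Hypothetical drifted manifest that would violate the statement: a write
// scope plus a backend egress allow-list (placeholder hostname).
const DRIFTED_MANIFEST = {
  app: { id: 'ari:cloud:ecosystem::app/<placeholder-app-id>' },
  permissions: {
    scopes: ['read:jira-work', 'write:jira-work'],
    external: { fetch: { backend: ['https://collector.example.invalid'] } },
  },
};

// Returns { ok, findings }. `findings` is empty only when every requested
// scope is a read scope (or there are none) and no external egress of any
// kind is declared under permissions.external.
function auditManifestPermissions(manifest) {
  const findings = [];
  const perms = (manifest && manifest.permissions) || {};
  const scopes = Array.isArray(perms.scopes) ? perms.scopes : [];

  for (const scope of scopes) {
    if (!scope.startsWith('read:')) {
      findings.push(`non-read scope requested: ${scope}`);
    }
  }

  const external = perms.external || {};
  for (const [kind, value] of Object.entries(external)) {
    if (kind === 'fetch') {
      // fetch is split into backend (Forge functions) and client (UI) lists
      for (const side of ['backend', 'client']) {
        const hosts = (value && value[side]) || [];
        if (hosts.length > 0) {
          findings.push(`external ${side} fetch allowed to: ${hosts.join(', ')}`);
        }
      }
    } else if (Array.isArray(value) && value.length > 0) {
      // images, scripts, styles, fonts, frames, ... are all egress allow-lists
      findings.push(`external ${kind} allowed from: ${value.join(', ')}`);
    }
  }

  return { ok: findings.length === 0, findings };
}

// Stand-alone run: print the verdict for each constructed manifest.
for (const [name, m] of Object.entries({ JIRA_MANIFEST, CONFLUENCE_MANIFEST, DRIFTED_MANIFEST })) {
  const result = auditManifestPermissions(m);
  console.log(name, result.ok ? 'OK' : 'FINDINGS', result.findings);
}
```

A check like this belongs in CI next to the manifest, so that a later change that adds a scope or an egress allow-list fails the build instead of silently contradicting the published statement.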

Authentication & Authorization

Authentication and authorization are handled entirely by the Atlassian Forge platform. Our apps do not implement any custom authentication mechanisms, store credentials, or manage user sessions. All access is governed by Atlassian's existing permission model.

Content Security

Our diagram rendering engine includes multiple security measures:

  • Strict security level: Mermaid.js is configured with securityLevel: 'strict', which prevents execution of arbitrary HTML or JavaScript within diagrams.
  • Shadow DOM isolation: Each diagram is rendered within an isolated Shadow DOM, preventing CSS and script interference between the app and the host page.
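The two measures above correspond to a small amount of client-side setup. What follows is an added example, not the app's own source: the strict Mermaid configuration and a Shadow DOM mount, written so that the `mermaid` object and the host element are passed in rather than imported, which lets the logic be exercised outside a browser. It assumes the Mermaid v10+ API (`mermaid.initialize(config)` and `await mermaid.render(id, source)` returning `{ svg }`); the shadow root mode (`open`) is a choice made here, not something the statement specifies.

```javascript
// Added example (not 9ByNight's code): strict Mermaid configuration plus
// Shadow DOM isolation, with `mermaid` and the DOM host injected.

const STRICT_MERMAID_CONFIG = Object.freeze({
  startOnLoad: false,      // render only what we hand over; never scan the host page
  securityLevel: 'strict', // labels are HTML-encoded, click/href directives are ignored
});

// Apply the strict configuration and return a copy of what was applied so a
// caller (or a test) can confirm which settings the renderer is running with.
function configureMermaid(mermaid) {
  mermaid.initialize({ ...STRICT_MERMAID_CONFIG });
  return { ...STRICT_MERMAID_CONFIG };
}

// Mount rendered SVG markup into a shadow root attached to `host`. Styles
// inside the shadow tree do not leak into the page, and page styles do not
// reach the diagram. An existing shadow root is reused on re-render.
function mountInShadow(host, svgMarkup) {
  const root = host.shadowRoot || host.attachShadow({ mode: 'open' }); // mode is an assumption
  root.innerHTML = svgMarkup;
  return root;
}

// Full path: configure, render the diagram source to an SVG string in strict
// mode, then mount the result in the isolated shadow tree.
async function renderDiagram(mermaid, host, id, source) {
  configureMermaid(mermaid);
  const { svg } = await mermaid.render(id, source);
  return mountInShadow(host, svg);
}

// Browser usage (skipped when run outside a browser): assumes a global
// `mermaid` and a host element with id "diagram-host".
if (typeof document !== 'undefined' && typeof mermaid !== 'undefined') {
  const host = document.getElementById('diagram-host');
  renderDiagram(mermaid, host, 'd1', 'graph TD; A-->B;').catch(console.error);
}
```

Note that `startOnLoad: false` matters as much as the security level: with auto-start enabled Mermaid would scan the whole host page for `.mermaid` elements, which is exactly the kind of cross-boundary behaviour the Shadow DOM isolation is meant to rule out.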

Compliance

  • GDPR: Our apps are GDPR-ready by design — no personal data is collected or processed.
  • SOC 2: As Forge-based apps, our products inherit Atlassian's SOC 2 Type II compliance for infrastructure and platform security.
  • Data residency: Since no data leaves the Atlassian platform, data residency requirements are met through Atlassian's own data residency controls.

Vulnerability Reporting

If you discover a security vulnerability in any of our products, please report it responsibly:

9ByNight

Email: contact@9bynight.com

Please include a description of the vulnerability, steps to reproduce, and any potential impact. We will acknowledge receipt within 48 hours and work to address the issue promptly.

Related Policies

For more information, see our Privacy Policy and Terms of Service.