Cloud Security Statement
Last updated: March 2026
Overview
9ByNight LLC is committed to the security of our customers' data. This document describes the security practices and architecture of our Atlassian Marketplace apps, including Mermaid Diagrams for Jira & Confluence.
Architecture
Our apps are built on Atlassian Forge, a serverless platform that runs within Atlassian's infrastructure. This architecture provides several security guarantees:
- Client-side processing: All diagram rendering occurs locally in the user's browser. No content is sent to external servers.
- Sandboxed execution: Forge apps run in isolated sandboxes within Atlassian's cloud, with no direct access to the underlying infrastructure.
- No external servers: We do not operate any backend servers. The app runs entirely within the Atlassian platform and the user's browser.
Data Handling
- No data collection: Our apps do not collect, store, or transmit any user data, personal information, or content.
- No analytics or telemetry: We do not use any analytics, tracking, or telemetry services within our Atlassian apps.
- No cookies: Our apps do not set or read any cookies.
- No third-party services: We do not share data with or send data to any third-party services or subprocessors.
Permissions
Our apps follow the principle of least privilege and request only the minimum permissions necessary:
- Read-only access: Our apps only request read permissions to Jira issues and Confluence pages. They never modify, create, or delete any content.
- Scoped permissions: Specifically, we use `read:jira-work` and `read:confluence-content.all`, nothing else.
Authentication & Authorization
Authentication and authorization are handled entirely by the Atlassian Forge platform. Our apps do not implement any custom authentication mechanisms, store credentials, or manage user sessions. All access is governed by Atlassian's existing permission model.
Content Security
Our diagram rendering engine includes multiple security measures:
- Strict security level: Mermaid.js is configured with `securityLevel: 'strict'`, which prevents execution of arbitrary HTML or JavaScript within diagrams.
- Shadow DOM isolation: Each diagram is rendered within an isolated Shadow DOM, preventing CSS and script interference between the app and the host page.
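The two measures above, as an added example that is not 9ByNight's code: the weak Mermaid setting shown beside the strict one the statement names, a guard that refuses anything but `strict`, and a render path that places the resulting SVG in a closed shadow root. The Mermaid calls used (`mermaid.initialize`, `mermaid.render`) are the library's browser API; the `mermaid` object and the host element are passed in as parameters so the module can also be loaded outside a browser.

```javascript
// Added example, not the app's own code. Assumes the Mermaid.js browser API
// (initialize / render) and a host element supporting attachShadow(); both
// are injected so the functions can be exercised without a real DOM.

// Mermaid's securityLevel: 'strict' encodes HTML tags in node text and
// disables click callbacks; 'loose' (kept here only for contrast) leaves both
// enabled, which is what lets diagram text reach into the page.
const WEAK_CONFIG = { startOnLoad: false, securityLevel: 'loose' };
const HARDENED_CONFIG = { startOnLoad: false, securityLevel: 'strict' };

// Refuse to hand Mermaid any configuration that is not strict, so a later
// edit cannot silently downgrade the rendering policy.
function assertStrict(config) {
  if (config.securityLevel !== 'strict') {
    throw new Error(
      `refusing securityLevel '${config.securityLevel}'; expected 'strict'`
    );
  }
  return config;
}

// Render one diagram definition and attach the SVG to a closed shadow root.
// The shadow boundary keeps host-page CSS out of the diagram and the diagram's
// styles out of the page; 'closed' also hides the root from host-page scripts
// that walk the DOM via element.shadowRoot.
async function renderIsolated(mermaid, host, definition, id = 'diagram') {
  mermaid.initialize(assertStrict(HARDENED_CONFIG));
  const { svg } = await mermaid.render(id, definition);
  const shadow = host.attachShadow({ mode: 'closed' });
  shadow.innerHTML = svg;
  return shadow;
}

// Browser usage (constructed example, runs only where `document` exists):
//   const host = document.getElementById('mermaid-host');
//   renderIsolated(window.mermaid, host, 'graph TD; A-->B;');
```

Shadow DOM is a style and DOM-traversal boundary, not a JavaScript sandbox; that is why the `strict` level, not the shadow root, is what neutralises HTML and click handlers inside diagram text, and why the guard refuses any other level.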
Compliance
- GDPR: Our apps are GDPR-ready by design — no personal data is collected or processed.
- SOC 2: As a Forge-based app, we inherit Atlassian's SOC 2 Type II compliance for infrastructure and platform security.
- Data residency: Since no data leaves the Atlassian platform, data residency requirements are met through Atlassian's own data residency controls.
Vulnerability Reporting
If you discover a security vulnerability in any of our products, please report it responsibly:
9ByNight LLC
Email: contact@9bynight.com
Please include a description of the vulnerability, steps to reproduce, and any potential impact. We will acknowledge receipt within 48 hours and work to address the issue promptly.
Related Policies
For more information, see our Privacy Policy and Terms of Service.