Ovrid Labs

Last updated: June 6, 2026

Security Policy

Security is fundamental to how we build at Ovrid Labs. This document describes our security practices and architecture.

1. Architecture

All Ovrid Labs apps are built on Atlassian Forge, Atlassian’s cloud-native app platform. This architecture provides security guarantees by design:

  • No external servers: Our apps run entirely within Atlassian’s infrastructure
  • No data egress: Your data never leaves Atlassian’s cloud environment (except API calls to Atlassian’s own services where required)
  • Sandboxed execution: Each app runs in an isolated Forge runtime environment
  • Managed authentication: Atlassian handles all authentication and authorization

2. Data Security

  • Encryption in transit: All data transmission uses Atlassian’s TLS-encrypted channels
  • Encryption at rest: Data stored in Forge Storage (SQL/KVS) is encrypted by Atlassian
  • Minimal scopes: Each app requests only the minimum API scopes required for its functionality
  • Read-only where possible: Apps like UserLens operate with exclusively read-only permissions

3. Development Practices

  • All code is version-controlled and reviewed before deployment
  • Dependencies are regularly audited for known vulnerabilities
  • We follow Atlassian’s Forge development security guidelines
  • Apps pass Atlassian’s automated security scanning before Marketplace listing

4. Compliance

  • Our apps are designed to be compatible with Atlassian’s compliance frameworks
  • Forge-native architecture supports SOC 2, GDPR, and other compliance requirements through Atlassian’s infrastructure
  • We target the Runs on Atlassian (ROA) badge for all apps

5. Incident Response

If we become aware of a security vulnerability in any of our apps:

  1. We will investigate and assess the impact within 24 hours
  2. We will deploy a fix as soon as practically possible
  3. We will notify affected users if the vulnerability exposed sensitive data
  4. We will publish a post-incident summary

6. Responsible Disclosure

If you discover a security vulnerability in any Ovrid Labs app, please report it to:

We appreciate responsible disclosure and will acknowledge reports within 48 hours.

7. Contact