Security & Data Handling

Last updated 14 June 2026 · Applies to the Evergreen AI for Confluence Forge app.

Evergreen AI is built on Atlassian Forge and is designed so that the strongest security claim is also the simplest: nothing the app touches leaves Atlassian’s environment. This page summarizes how that is achieved and what controls are in place.

Zero egress — Runs on Atlassian

The app declares no egress permissions of any kind — no external fetch, no remote resources, and no third-party analytics. All processing, including AI inference via Forge LLMs (Atlassian-hosted Claude models), occurs within Atlassian’s environment. This is what makes the app eligible for the Runs on Atlassian badge.

Least-privilege, read-only on content

The app requests read-only access to the page content it analyzes and the metadata it needs to scan efficiently. It does not request permission to modify, archive, or delete page content, and it requests no Jira scopes.

It holds exactly two narrow write capabilities, both off by default and enabled only at an administrator’s choice. Neither one edits the body of a page:

Audit-status property — when enabled, the app stores a small “audit status” indicator (status, open-finding count, last-scan time) as page metadata.
Assignment comment — when enabled, the app posts a single structured comment that @mentions an assignee so Confluence delivers its own native notification. The app writes no other comments.

Aside from these optional, admin-enabled features, the app’s only writes are to its own data: findings, assignments, and configuration.

Permission-safe rendering

Before showing any evidence excerpt, page title, or deep link, the app checks the viewing user’s own permission on the source page. If the viewer cannot see the page, the app shows a redacted row — the finding type and space only, with no title, no quote, and no link. A finding can never be used to leak content a user is not already entitled to read.

Spend is a hard wall

AI usage is bounded by monthly budget caps enforced server-side, in resolver code rather than in the interface. When a budget is reached, the app scans fewer pages and tells the administrator; it never responds by spending more. A misconfigured or hostile administrator cannot push usage past the cap.

How AI input is handled defensively

Because page content is untrusted input to a language model, the app treats it accordingly:

Findings are advisory and human-triaged; the model cannot take action on its own.
Model output is schema-constrained and free-text fields are length-capped.
Reasoning, quotes, and dismiss reasons the model produced are rendered strictly as text, never as markup.
A prompt-injection attempt in a page cannot cause a write to content (the app holds no such scope) or any egress (none exists).

Secure development

Evergreen AI is built and maintained by a single independent developer with a secure SDLC and CI gates on every change:

Forge linting and forge eligibility checks (which enforce the zero-egress posture) run in CI; a failure blocks the change.
Schema validation and an evaluation-regression suite guard the analysis quality and the finding contract.
The manifest scope list is frozen in CI — adding a permission requires an explicit, reviewed, major-version change.
Dependencies are scanned on every build, with an allowlist that blocks known phone-home/analytics packages.

We intend to join the Atlassian Marketplace Bug Bounty program once eligible.

Availability

The app runs entirely on Atlassian’s Forge platform — compute, storage, and AI inference are all Atlassian-hosted, with no vendor-operated infrastructure. Availability therefore follows Atlassian Cloud itself; there is no separate vendor uptime dependency, and no vendor outage can take the app down independently of Confluence.

Reporting a vulnerability

Security reports are prioritized ahead of all other work. Please email andrewmleroux@gmail.com with [SECURITY] in the subject line. Coordinated disclosure is welcome.

For data storage, retention, and deletion details, see the Privacy Policy.