Security Policy
Last updated: June 29, 2026
This Security Policy describes how Usługi IT Michał Krysiuk ("Terano Apps", "we", "us", or "our") protects the applications we distribute on the Atlassian Marketplace, the systems that support them, and the customer data they process. It explains the security controls we apply, how we manage software vulnerabilities, and how we detect and respond to security incidents.
Security is a shared responsibility. Our apps run on the Atlassian cloud platform, so the security of the underlying infrastructure is provided by Atlassian under the Atlassian Trust Center. This policy covers the parts that are our responsibility as a Marketplace Partner.
Application Architecture and Hosting
Our Atlassian Cloud applications — including File Field, Templify, Time Tracking Fields, Formify, Worklog Reminder, and Restorify — are built on Atlassian Forge, Atlassian's managed serverless platform for cloud apps.
Building on Forge means:
- Apps run on Atlassian-operated infrastructure, not on our own servers. Compute, storage, and networking are hosted within Atlassian's cloud environment, which is covered by Atlassian's SOC 2, SOC 3, ISO/IEC 27001, ISO/IEC 27018, and PCI DSS programs.
- Customer data stays within the Atlassian cloud boundary. Our Forge apps store data using Atlassian-hosted storage and do not transfer customer data to external servers operated by us, unless a feature explicitly requires it and is disclosed in the app's documentation and Privacy & Security listing.
- Data residency follows the residency of the customer's Atlassian product where Forge supports it.
- Permission scopes are least-privilege. Each app requests only the OAuth 2.0 scopes it needs to function. Scopes are declared in the app manifest, reviewed by Atlassian during the Marketplace approval process, and shown to administrators before installation.
Data Protection
- Encryption in transit. All communication between the user's browser, the Atlassian product, and our app is encrypted using TLS (HTTPS). We do not expose unencrypted endpoints.
- Encryption at rest. Data persisted through the Forge platform is encrypted at rest by Atlassian's infrastructure.
- Data minimization. We process only the data required to deliver the app's functionality. We do not sell customer data, and we do not use customer content for advertising.
- No standing access to customer data. We do not maintain a copy of customer content on our own systems and do not access customer instances in the normal course of business. Where troubleshooting requires access, it is performed only with the customer's consent and within the scope granted to the app.
For details on what personal data we collect and how it is used, see our Privacy Policy.
Access Controls
- Access to development accounts, the Atlassian Marketplace Partner portal, and app publishing keys is restricted to authorized personnel on a need-to-know basis.
- Administrative and developer accounts are protected with multi-factor authentication (MFA) and strong, unique credentials.
- Production deployments are performed through Atlassian's Forge CLI and tooling; app secrets and environment variables are managed through Forge's encrypted environment storage rather than embedded in source code.
- Access rights are reviewed and revoked promptly when no longer required.
Secure Development Practices
- We follow secure coding practices aligned with the OWASP guidelines and Atlassian's Forge security model.
- Forge enforces an egress control list, a strict content security policy, and sandboxed execution, which reduce the risk of common web vulnerabilities.
- Third-party dependencies are kept to a minimum, monitored for known vulnerabilities, and updated regularly.
- Changes are reviewed before release, and each release is published through Atlassian's Marketplace approval pipeline.
Vulnerability Management
We take a proactive approach to identifying and remediating security weaknesses:
- Dependency monitoring. Application dependencies are continuously monitored for publicly disclosed vulnerabilities, and affected packages are updated as fixes become available.
- Platform updates. Because our apps run on Forge, security patches to the underlying runtime and infrastructure are applied by Atlassian, reducing our exposure to infrastructure-level vulnerabilities.
- Remediation targets. When a vulnerability affecting our apps is identified, we triage it by severity and aim to remediate critical and high-severity issues as a priority, typically within days of confirmation, and lower-severity issues in a subsequent release.
- Coordinated review. All app updates pass through Atlassian's Marketplace review process before being made available to customers.
Security Incident Response
We maintain a process to detect, respond to, and recover from security incidents:
- Detection and reporting. Potential incidents may be identified through platform monitoring, Atlassian notifications, dependency alerts, or external reports submitted to our security contact.
- Assessment. We assess the scope and severity of the incident, including whether customer data is affected.
- Containment and remediation. We work to contain the issue, deploy a fix, and, where applicable, coordinate with Atlassian's security and Marketplace teams.
- Notification. If an incident affects the confidentiality, integrity, or availability of customer data, we will notify affected customers and the relevant authorities without undue delay, in line with applicable law (including the GDPR where it applies) and Atlassian Marketplace Partner requirements.
- Post-incident review. After resolution, we review the root cause and take steps to prevent recurrence.
Reporting a Security Vulnerability
We welcome reports from security researchers and customers, and we are committed to working with you to verify and address any legitimate issue.
If you believe you have found a security vulnerability in any Terano Apps product, please contact us at:
- Email: contact@teranoapps.com
When reporting, please include enough detail to reproduce the issue (for example, the affected app, steps to reproduce, and any proof-of-concept information). We ask that you:
- Give us a reasonable opportunity to investigate and remediate before any public disclosure.
- Avoid privacy violations, data destruction, and any disruption to Atlassian or customer systems while testing.
- Limit testing to your own accounts and data.
We will acknowledge legitimate reports, keep you informed of our progress, and notify you when the issue has been resolved. We do not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.
Business Continuity and Availability
Because our apps run on Atlassian's cloud platform, availability and resilience benefit from Atlassian's infrastructure, including its redundancy, backup, and disaster recovery capabilities. Application status and any Atlassian platform incidents can be tracked through the Atlassian Statuspage.
Sub-processors and Third Parties
Our apps rely on the Atlassian Forge platform and Atlassian-hosted services to operate. We do not share customer content with third parties for their own purposes. Where additional service providers are used to support our business (for example, email or analytics for our website), they are described in our Privacy Policy.
Changes to This Policy
We may update this Security Policy from time to time to reflect changes in our practices, our products, or the platform. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this page periodically.
Contact
If you have any questions about this Security Policy or about the security of our applications, please contact us:
- By email: contact@teranoapps.com
- By visiting www.teranoapps.com/support