Privacy & Security Policy

Vendor: Dirty Agile · dirtyagile.net
Effective date: June 2, 2026
Contact: support@dirtyagile.net


Data protection by architecture

Every Dirty Agile app is built on Atlassian Forge and qualifies for the Runs on Atlassian designation. This is not a compliance checkbox — it is an architectural constraint with concrete consequences for how your data is handled.

What Runs on Atlassian means in practice:

  • App code executes inside Atlassian’s infrastructure (AWS Lambda environments managed by Atlassian).
  • All content your users create with our macros is stored in Atlassian Forge Storage — encrypted at rest, scoped per installation, and segregated between tenants by the platform.
  • Data residency follows your Atlassian instance. If your Confluence data is pinned to the EU, data stored by our apps is too.
  • No user-generated content ever reaches Dirty Agile’s servers. We have no mechanism to extract it.

The technical basis for these guarantees is documented in Atlassian’s Shared Responsibility Model.


What data we hold

App content

None. Content created with our apps — equations, chemical structures, Markdown documents — is stored exclusively in Atlassian Forge Storage. We cannot read it, export it, or access it outside of the invocation triggered by your users.

License data

Atlassian provides us with the data required to validate your subscription: your Atlassian Cloud instance identifier and license status. This data is stored in Google Cloud (europe-west region) and used solely for license verification. It is not shared with third parties.

Analytics

Where permitted by your site administrator, our apps may send anonymized usage events (for example: “macro was rendered”, “editor was opened”) to help us understand how the product is used. This data contains no personally identifiable information and no user-generated content. Administrators can disable analytics egress from the app management settings at any time — disabling it does not affect app functionality.

Website

dirtyagile.net uses standard access logs (including IP addresses) and functional cookies to understand site traffic. We do not use advertising trackers or sell browsing data.

Direct contact

If you contact us by email, we retain the content of that correspondence to handle your request. We do not add you to marketing lists without consent.


What we cannot access

Because our apps run on Forge:

  • We cannot access your Atlassian credentials or session tokens.
  • We cannot read content outside the OAuth scopes explicitly granted during installation.
  • We have no standing access to your Atlassian instance — our code only runs when a user triggers it.
  • Cross-tenant access is structurally prevented by the Forge platform. Your data cannot be accessed in the context of another customer’s installation.

Security

Shared responsibility model

Security for Forge apps is divided between Atlassian and Dirty Agile. The full breakdown is published by Atlassian. In summary:

Atlassian is responsible for: runtime and server security, network security (TLS/HSTS), DDoS protection, user authentication and identity management, encryption of data at rest in Forge Storage, and cross-tenant data segregation.

Dirty Agile is responsible for: application logic correctness, input validation and output encoding, secure software development practices, dependency vulnerability management, and security incident response for our apps.

Secure development practices

  • Third-party dependencies are scanned for known vulnerabilities using OWASP Dependency-Check and Snyk. Apps are not shipped with third-party libraries containing known High or Critical CVEs.
  • API keys and secrets are stored in encrypted Forge environment variables — never in source code or version control.
  • We follow the OWASP secure coding guidelines and Atlassian’s Forge security guidance.
  • Tenant data is never stored in module-level (global) variables. All data that must persist across invocations uses Forge Storage, which is automatically scoped per installation.

Vulnerability management

We monitor our apps and their dependencies for security vulnerabilities. Vulnerabilities reported through Atlassian’s Marketplace Security (AMS) project, the Marketplace Bug Bounty Program (Bugcrowd), or direct disclosure are triaged and tracked to resolution. Severity is assessed using the CVSS v3 scoring framework.

  Severity   CVSS Score   Remediation target
  Critical   ≥ 9.0        4 days
  High       ≥ 7.0        7 days
  Medium     ≥ 4.0        30 days

We maintain a registered security contact in the Atlassian Marketplace Security (AMS) system to receive and respond to vulnerability disclosures. We do not delay disclosure to protect reputation.

To report a vulnerability in our apps, contact support@dirtyagile.net. We will acknowledge receipt within 2 business days.

Security incident response

If we become aware of a security incident affecting our apps or any data we hold:

  1. We investigate to identify the root cause, scope, and whether any end user data was affected.
  2. We raise a P1 severity ticket in the Atlassian Marketplace Security (AMS) project no later than 24 hours after becoming aware of the incident.
  3. We contain the incident as rapidly as possible, including temporarily delisting the affected app if necessary.
  4. If personal data held by Dirty Agile is involved, we notify affected customers within 72 hours of identifying the incident, as required by GDPR.
  5. We conduct a post-incident review to confirm full containment, identify root cause, and update internal processes to prevent recurrence. Findings are shared with Atlassian via the AMS ticket.

Since user-generated content is stored in Atlassian’s infrastructure, security incidents affecting that data are handled by Atlassian under their own incident response plan. We coordinate with Atlassian as required.


Your rights

GDPR (EEA and UK users)

You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. For data stored in Atlassian’s infrastructure (app content), requests should be directed to Atlassian, as we do not hold or have access to that data. For data we hold directly (license data, contact correspondence), contact support@dirtyagile.net.

CCPA (California users)

You have the right to know what personal data we collect, to request its deletion, and to opt out of its sale. We do not sell personal data.


Changes to this policy

We will post any material changes to this page and update the effective date above. For significant changes, we will notify users via the Atlassian Marketplace listing or by email where we hold a contact address.


Contact

For privacy or security enquiries: support@dirtyagile.net