Filter Exposure Guard - Security Policy

Last updated: 2026-06-22

This describes how Aria Code secures Filter Exposure Guard, how we manage vulnerabilities, and how to report a security issue. What the app reads and stores is detailed in our Privacy Policy.

Platform & architecture

Filter Exposure Guard is built on Atlassian Forgeand runs entirely within Atlassian’s cloud (it qualifies for “Runs on Atlassian”). We operate no external servers or databases:

  • Data is processed and stored within Atlassian’s platform, inheriting its tenant isolation, encryption in transit and at rest, and physical/network security.
  • We hold no customer credentials or secrets; auth is handled by Forge.
  • The app requests the minimum OAuth scopes needed and is read-only.
  • It makes no third-party network calls, no external data egress.

Reporting a security issue

Report suspected vulnerabilities or incidents to hello@ariacode.dev with reproduction steps and impact. We acknowledge within 2 business days.

Vulnerability management

  • Triage: issues are assessed and assigned a severity (critical / high / medium / low) on receipt.
  • Remediation targets (from confirmation): critical within 7 days, high within 30 days, medium/low at the next scheduled release.
  • Deployment: fixes ship via Atlassian Forge and reach customers automatically; production releases are versioned.

Technical & organizational controls

  • Access control: least-privilege OAuth scopes; no standing access to customer data beyond app function; Forge developer-console access is protected by Atlassian-account authentication with multi-factor authentication.
  • Data protection: no external storage; only lightweight operational metadata in Forge storage; no issue content retained beyond what the privacy policy describes.
  • Monitoring: Forge platform logs and alerts for errors and anomalies.
  • Change management: changes reviewed and deployed via the Forge CLI with versioned production deployments.

Incident response & notification

For a confirmed incident affecting customer data, we notify affected customers without undue delay and within 72 hours of confirmation, via the support channel and contact on file, describing the incident, the data involved, and remediation. Critical incidents are escalated immediately, coordinating with Atlassian where the platform is involved.

Contact

Security and privacy: hello@ariacode.dev.