A comprehensive overview of how we protect your data, handle security incidents, manage vulnerabilities, and the security controls we have in place for XPress.
Last updated: April 2026
XPress runs entirely within Atlassian's secure Forge platform — a sandboxed, multi-tenant environment with enterprise-grade security controls. Your data stays within the Atlassian cloud ecosystem.
We do not collect, store, or process any personal user data. XPress accesses Confluence content only when you initiate an action, and only through official Atlassian APIs.
We follow the principle of least privilege — XPress only requests the minimum API scopes necessary for its functionality. No unnecessary data access.
We do not use any third-party analytics, advertising, or tracking services within XPress. Your usage data is never shared with external parties.
How XPress accesses, processes, and stores data
When you initiate an export, XPress reads your Confluence pages through official Atlassian APIs within the Forge sandbox.
Document layout and styling are processed by our secure, cloud-hosted rendering service over encrypted HTTPS. The service processes data in-memory only and immediately discards all content — zero data retention.
Generated documents are stored within Forge SQL (Atlassian's cloud infrastructure). All content reading and storage remains within the Atlassian environment.
| Data Type | Location | Retention | Encrypted |
|---|---|---|---|
| Generated documents | Forge SQL (Atlassian cloud) | Until deleted by user or app uninstalled | ✅ At rest & in transit |
| App configuration | Forge App Storage | Until app uninstalled | ✅ At rest & in transit |
| Personal user data | — | — | Not collected |
Third-party services involved in data processing
| Service | Provider | Purpose | Data Location | Data Stored |
|---|---|---|---|---|
| Atlassian Forge | Atlassian | App runtime, SQL database, storage, queues | Per customer's Atlassian data residency | App config, generated PDFs |
| Cloud Rendering Service | Amazon Web Services | Document rendering engine | United States | None — zero data retention |
We do not use any other third-party services for data processing, analytics, or tracking within XPress.
Every permission explained
Measures we implement to protect your data
How we handle security incidents and vulnerabilities
Report a security issue: admin@bytera.tech — Subject: "Security Incident" or "Vulnerability Report"
Support Portal: Bytera Support
| Phase | Action | Timeline |
|---|---|---|
| Acknowledgment | Confirm receipt and assign severity level | Within 24 hours |
| Triage | Assess scope, impact, and affected systems | Within 48 hours |
| Containment | Isolate affected components; disable features if necessary | Immediate upon confirmation |
| Remediation | Develop and deploy a fix | Based on severity |
| Notification | Notify affected customers with details and remediation steps | Within 72 hours of confirmation |
| Post-Mortem | Document root cause, lessons learned, and preventive measures | Within 2 weeks |
| Severity | Description | Target Resolution |
|---|---|---|
| Critical | Active exploitation, data breach, or complete service compromise | Within 24 hours |
| High | Vulnerability with significant impact potential but no active exploitation | Within 72 hours |
| Medium | Vulnerability with limited impact or requiring specific conditions | Within 1 week |
| Low | Minor issue with minimal security impact | Next scheduled release |
Our severity timelines align with the Atlassian Security Bug Fix Policy for Marketplace Partners.
Proactive and reactive security measures
We support responsible disclosure. If you discover a vulnerability, report it to admin@bytera.tech before public disclosure. Allow reasonable time for investigation and patching. We will acknowledge your contribution (with your permission) once resolved.
Regulatory and platform compliance
Bytera operates as a data processor. We follow data minimization, purpose limitation, and respect data subject rights. Our rendering sub-processor (AWS) maintains GDPR compliance through Standard Contractual Clauses (SCCs).
XPress adheres to all Atlassian Marketplace Partner requirements for security, privacy, and the Security Bug Fix Policy.
By building on Forge, XPress inherits Atlassian's SOC 2 Type II certified infrastructure controls and benefits from their security-first platform architecture.
No. XPress accesses your content only during the export process. Generated documents are stored within Forge SQL (Atlassian's infrastructure), but the original page content is never permanently copied or stored outside of Confluence.
During the export process, document layout and styling data is processed by our secure, cloud-hosted rendering service over encrypted HTTPS. This service operates as a stateless engine — it processes data in-memory only and immediately discards all content upon completion. The generated document is returned to Forge and no data is retained.
No. We do not collect, store, or process any personal user data. We only access the Atlassian Account ID provided in the app context to process your request. No user profiles, emails, or personal information is stored.
App data is hosted within Atlassian's Forge infrastructure, subject to your organization's Atlassian data residency settings. Our rendering service is hosted on secure cloud infrastructure in the United States.
Yes. We follow GDPR principles including data minimization, purpose limitation, and respect for data subject rights. Since we don't store personal data, the compliance surface is minimal. Users can request data access, correction, or deletion at any time by contacting us.
When XPress is uninstalled, all app-related data (configuration, generated documents in Forge SQL) is automatically removed by the Atlassian Forge platform. No residual data remains.
Please contact us immediately at admin@bytera.tech with the subject line "Security Concern". We take all security reports seriously and will respond within 24 hours.
We're committed to transparency. If you have any questions about our security practices, data handling, or need additional information for your security review, please don't hesitate to contact us.