TRUST CENTER
Transparency builds trust. Here’s exactly how Bytera protects your data, what we run on, and who we work with — across every app we publish on the Atlassian Marketplace.
Our apps run inside Atlassian Forge — a sandboxed, multi-tenant platform — inheriting Atlassian's SOC 2 Type II certified infrastructure controls.
Read-only access and data minimization by design. We store only what is strictly required to operate, and never your raw content.
GDPR-aligned as a data processor, with Standard Contractual Clauses where any cross-border processing applies.
Hosted on Atlassian Cloud’s highly available infrastructure, subject to your organization’s data residency settings.
COMPLIANCE & CERTIFICATIONS
All Bytera apps are built entirely on Forge and inherit Atlassian’s SOC 2 Type II certified, security-first cloud infrastructure.
Bytera operates as a data processor following data minimization and purpose limitation. SCCs cover any cross-border processing.
App data is stored within Atlassian’s Forge infrastructure, subject to your organization’s Atlassian data residency configuration.
DATA PROTECTION
Apps request the minimum scopes needed and read your content only when you initiate an action. They cannot modify, delete, or create content.
All data exchanged with Atlassian APIs and any processing service travels over encrypted HTTPS / TLS.
We never persist raw page or issue content. Only aggregated, app-specific data (e.g. scores or settings) is stored within Forge.
Data stays within your Atlassian Forge environment. XPress’s PDF rendering is processed in-memory in the United States and immediately discarded (zero retention).
SUBPROCESSORS
| Subprocessor | Purpose | Apps | Location | Data retention |
|---|---|---|---|---|
| Atlassian | Forge platform, storage, app runtime & Forge AI | All apps | Atlassian Cloud (your residency) | Platform-managed |
| Amazon Web Services (AWS) | Stateless PDF rendering | XPress only | United States (SCCs) | Zero — in-memory only |
| PostHog | Usage metrics via an Atlassian-approved analytics tool — feature-usage counts only, no content, no end-user data in scope | Pulse only | United States | Metrics only |
SyncUp runs entirely within Atlassian Forge with no external subprocessors. Pulse processes all customer content within Atlassian (including AI features, which use Atlassian Forge AI) — its only outbound connection is usage metrics to an Atlassian-approved analytics tool, declared in the app manifest with end-user data out of scope.
SECURITY PRACTICES
Forge’s declarative permission model and managed runtime keep our attack surface minimal. Changes ship through Atlassian’s review and distribution pipeline.
We monitor dependencies and the Forge platform for advisories and remediate promptly. Responsible disclosure is welcomed (see below).
We have a defined process to triage, contain, and communicate security incidents, coordinating with Atlassian where the platform is involved.
Operational health is monitored via AWS CloudWatch for the XPress rendering service. Logs contain metadata only — never customer content.
PER-APP DOCUMENTS
We welcome responsible disclosure. If you believe you’ve found a security issue in any Bytera app, please email us with the details and we’ll respond promptly. Please give us reasonable time to investigate and remediate before any public disclosure.