Partner Security Policy
Effective date: 13 May 2026
Last updated: 13 May 2026
This Policy describes the security practices of the Marketplace partner (“Partner”) behind the Wheel of Fortune for Jira Forge app. It is intended for Atlassian Marketplace reviewers and prospective customers. It complements the Marketplace Privacy & Security statement, which covers the App’s runtime; this Policy covers the Partner’s own organisation and development lifecycle.
1. Scope
This Policy applies to all activities the Partner performs to develop, publish, and maintain the App on the Atlassian Marketplace. It does not extend to Atlassian’s platform, which is governed by Atlassian’s own Trust Center and contractual commitments.
Because the App runs entirely on Atlassian Forge and stores no data outside Atlassian’s infrastructure, the Partner’s environment is not a processor of customer data. This Policy nevertheless documents the controls the Partner applies to its development pipeline.
2. Organisational controls
- The Partner is a small independent publisher. All people with access to the App’s source code and Marketplace listing operate under confidentiality obligations.
- Access to development tools (source repository, Marketplace vendor account, package registries) is granted on a least-privilege basis.
- Access is revoked promptly when a contributor leaves the team.
3. Source code and build pipeline
- The App’s source code is hosted in a private repository.
- The main branch is protected: changes are merged through reviewed pull requests.
- The repository is configured so that secrets (Atlassian tokens, npm tokens) are never committed; sensitive values are stored in encrypted CI secret stores or local environment variables only.
- Dependencies are pinned via lockfiles and audited with npm audit --audit-level=high for both the resolver and frontend packages on every change.
- The Forge CLI is the sole publishing channel; deployments are signed and uploaded directly to Atlassian.
4. Development practices
- The App is written in TypeScript / JavaScript and follows standard linting and type-checking. Frontend builds pass through tsc and a test suite before release.
- Code touching authentication or storage is reviewed with extra care; the App relies on Forge’s built-in authentication and never implements its own.
- The App makes no outbound HTTP calls to Partner-controlled services and embeds no third-party scripts.
5. Endpoint security
Contributors developing the App must:
- Use up-to-date, vendor-supported operating systems with disk encryption enabled.
- Run anti-malware controls native to the platform (e.g. Windows Defender, macOS XProtect).
- Lock the workstation when unattended.
- Store credentials in a reputable password manager; secrets are never copied to plain-text files.
6. Identity and access
- Multi-factor authentication (MFA) is enforced on the Atlassian Marketplace vendor account, the source-control account, and the npm publishing account.
- The Marketplace vendor account is used exclusively for managing the App’s listing.
7. Vulnerability management
- The Partner monitors GitHub Dependabot alerts and npm audit reports for the App’s dependency tree.
- High-severity vulnerabilities affecting the App are addressed in a new release as soon as practicable, with a target of patching within 30 days for production releases.
- The Partner tracks Atlassian Forge platform release notes and migrates the App when Atlassian deprecates a runtime or SDK version.
8. Incident response
- Reports may be submitted to support@florenco.tech. The Partner aims to acknowledge security reports within five business days.
- Because the App does not operate any Partner-side data store, an incident in the Partner’s environment cannot expose customer data directly. The most plausible incident type is a malicious change to the App’s source or release artifact; the Partner mitigates this with branch protection, MFA, and audited dependencies.
- In the event of a confirmed App-level security issue, the Partner will: (a) ship a patched release through the Marketplace, (b) update the Marketplace listing’s release notes, and (c) coordinate disclosure with Atlassian as required by the Partner Agreement.
9. Sub-processors and third parties
The Partner uses no sub-processors to deliver the App. The only infrastructure involved in handling customer data is Atlassian’s own Forge platform. Development tooling (source hosting, CI, package registries) does not handle customer data.
10. Data subject and customer assistance requests
The Partner will assist customers, on a best-effort basis, with reasonable requests related to:
- Confirming what data the App processes
- Deleting App data (see Data Retention and Deletion)
- Responding to data-subject access, correction, or erasure requests
Requests should be sent to support@florenco.tech. The App is offered as a free Marketplace listing and the Partner does not commit to a paid support SLA.
11. Changes to this Policy
Material changes will be reflected in the “Last updated” date above. We recommend that Marketplace customers re-read this Policy when evaluating major version updates of the App.
12. Contact
Security inquiries: support@florenco.tech.