Security Policy
How Votazz Software secures customer data and manages security across all our Atlassian Marketplace apps.
Last updated: May 2026
This Security Policy describes how Votazz Software (“Votazz”, “we”, “us”) protects customer data and manages security across all our apps published on the Atlassian Marketplace, including DaySignal, Diagrams Now for Confluence, Filter & Dashboard Manager for Jira, Threaded Comments for Jira, Sub-tasks Manager for Jira, Release Manager for Jira, and our Bitbucket integrations. The policy applies to vendor systems, source code, and the way our apps interact with the Atlassian platform.
1. Handling Security Issues and Incidents
We treat reported security issues with the same priority as production outages. Our incident handling process:
- Acknowledgement. All security reports received at security@votazz.co are acknowledged within 24 hours (excluding weekends and public holidays).
- Triage. A maintainer assesses the report, reproduces the issue, and assigns severity using CVSS v3.1.
- Containment. If active exploitation is suspected, we deploy a hotfix or temporarily disable the affected feature.
- Root cause analysis. The fix and underlying cause are documented in our internal incident log.
- Remediation. A patched release is published to the Atlassian Marketplace; for Cloud apps, the update rolls out automatically.
- Customer notification. In the event of a confirmed Personal Data Breach, we notify affected Customers without undue delay and in any event within 72 hours of becoming aware, in alignment with GDPR Article 33. Notice is sent to the Customer’s Atlassian contact email and through the Marketplace.
2. Vulnerability Management
We welcome security research and operate a responsible-disclosure programme.
- Reporting channel. security@votazz.co. Encrypted reports via PGP can be arranged on request.
- Marketplace channel. Customers of our Atlassian Marketplace apps can also raise security and privacy reports through the “Security and privacy support” channel available on each app’s Marketplace listing. Reports submitted through that channel are routed to the same security inbox and follow the same triage process described above.
- Acknowledgement SLA. Within 1 business day of receipt.
- Severity scoring. CVSS v3.1.
- Patch SLA targets (measured from confirmation):
  - Critical (CVSS ≥ 9.0) — 7 days
  - High (7.0–8.9) — 30 days
  - Medium (4.0–6.9) — 90 days
  - Low (< 4.0) — next regular release
- Responsible disclosure. We ask reporters to refrain from public disclosure until a patched version is generally available. With the reporter’s permission, we credit them in our release notes.
- Bug bounty. Votazz Software participates in the Atlassian Marketplace Security Bug Bounty Program. Eligible findings against our Marketplace apps may qualify for monetary rewards under that programme’s terms.
3. Security Controls
3.1 Access Control
- DaySignal and any future Forge apps are hosted exclusively on the Atlassian Forge platform; runtime, storage, and outbound calls are mediated by Atlassian.
- Production deployments are performed via the Atlassian Forge Developer Console, accessible only to authorised Votazz personnel.
- Vendor systems use principle-of-least-privilege role assignments. Long-lived credentials are kept in encrypted vaults; secrets are rotated on schedule and after any personnel change.
- Multi-factor authentication is enforced on all developer accounts (Atlassian, source-control, package registries).
3.2 Data Protection
- All app data — user settings, cached issue data, sprint and velocity records, digest delivery logs — is stored in Atlassian-managed Forge SQL within the customer’s Atlassian Cloud region. We operate no external customer-data storage.
- Email delivery uses the Atlassian Notify API; emails are dispatched from Atlassian-managed infrastructure. We do not use third-party email-service providers for digest delivery.
- Data in transit is protected with TLS 1.2 or higher.
- Data at rest is encrypted with AES-256 within Atlassian’s hosting infrastructure.
- Retention is enforced by automated cleanup jobs aligned with the periods documented in our Privacy Policy (Section 12).
3.3 Monitoring and Logging
- Application logs are recorded by the Atlassian Forge platform with a 30-day retention window.
- Logs are reviewed periodically for anomalous patterns (unexpected error spikes, scope-permission failures, abnormal traffic).
- On-call alerting is configured for production incidents; alerts reach the engineering team within minutes of being triggered.
3.4 Secure Software Development Lifecycle (SDLC)
- All code changes go through peer review before merge.
- Automated unit and integration tests run on every change.
- Dependencies are scanned for known vulnerabilities; advisories are triaged on receipt and remediated within the SLA targets listed in Section 2.
- Releases are versioned and accompanied by changelog entries; security-relevant changes are explicitly flagged in release notes.
4. Compliance and Certifications
Our apps run on the Atlassian Forge platform, which inherits Atlassian’s compliance posture. Atlassian Cloud is independently certified under SOC 2 Type II and ISO/IEC 27001. These certifications cover the compute, storage, networking, and email-delivery infrastructure on which our apps run.
Votazz Software does not currently maintain independent SOC 2 or ISO 27001 audits at the vendor level; our internal scope is limited to vendor-side personnel, processes, and source-code custody. Customers requiring audit evidence for the underlying platform may rely on Atlassian’s published reports at https://www.atlassian.com/trust/compliance.
5. Contact
For security-related questions, vulnerability reports, or audit-evidence requests:
Security: security@votazz.co
General support: support@votazz.co
Privacy Policy: https://votazz.co/privacy-policy-terms-of-use/
For our Atlassian Marketplace apps, customers can also use the “Security and privacy support” option on the app’s Marketplace listing to submit reports. All channels reach the same security team.
We aim to respond to all security correspondence within one business day.