1. Security architecture
Our Apps are built natively on Atlassian Forge and run entirely within Atlassian’s cloud infrastructure. We operate no external servers that receive your Atlassian data, a posture often described as “no egress” or “Runs on Atlassian.” This deliberately keeps the attack surface small: there is no separate Magrathea-operated backend, database, or network to compromise, and no path by which your Atlassian data leaves Atlassian’s infrastructure.
- Least privilege. Background operations act as the user who launched them, so an App can only read or change what that user could already do manually. We request the minimum Atlassian scopes needed to function.
- Minimal data. Apps store only the operational metadata required to function, and reference users solely by their Atlassian account ID — not names, usernames, or email addresses.
- Encryption. Data in transit and at rest is protected by the Atlassian Forge platform, which encrypts stored data and uses TLS for all in-platform communication.
- Data residency. App data is stored in Atlassian Forge storage, which is pinned to the host product’s data residency location.
- Deletion. All App data is automatically deleted when the App is uninstalled.
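The “no egress” and least-privilege properties above are expressed in a Forge app’s manifest: the `permissions.scopes` list is the complete set of Atlassian permissions the app can ever exercise, and the absence of a `permissions.external` block means the platform will not allow the app to fetch from or send data to any non-Atlassian host. The manifest below is an illustrative example written for this page, not the manifest of any Magrathea App; the module keys, the app id placeholder and the particular scopes are assumptions chosen to show the shape of such a manifest.

```yaml
# Illustrative Forge manifest.yml (constructed for this page; not the manifest
# of any Magrathea App). Module keys, the app id placeholder and the scope list
# are assumptions chosen to show the shape of a "no egress", least-privilege app.
modules:
  jira:issuePanel:
    - key: example-issue-panel
      resource: main
      resolver:
        function: resolver
      title: Example panel
  function:
    - key: resolver
      handler: index.handler
resources:
  - key: main
    path: static/build
permissions:
  # Only the scopes the App actually exercises. Every additional scope widens
  # what a buggy or compromised App could do with a user's authorization.
  scopes:
    - read:jira-work
    - storage:app        # Forge hosted storage for operational metadata
  # No "external" block: the App declares no outbound fetch targets, so the
  # platform refuses any request to a host outside Atlassian. Adding a section
  # like the commented one below would break the no-egress posture:
  #
  #   external:
  #     fetch:
  #       backend:
  #         - https://example.net   # any third-party host
app:
  runtime:
    name: nodejs20.x
  id: ari:cloud:ecosystem::app/<your-app-id>
```

When reviewing a Forge app, these two sections are the ones to check: the scopes list should be as short as the app’s features allow, and there should be no `external` block at all. Both are declared statically, so a reviewer can verify them from the manifest alone without reading the app’s code.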
Because our Apps run on Atlassian Forge, they inherit the security controls and certifications of Atlassian’s underlying cloud platform (for example, SOC 2 and ISO 27001). Those certifications are held by Atlassian as the platform provider; they attest to the platform our Apps run on, not to our Apps individually.
2. Reporting a vulnerability
We welcome reports from security researchers and customers. If you believe you have found a security vulnerability in one of our Apps, please email security@magratheasoftware.com.
To help us respond quickly, please include:
- the affected App (and version, if known);
- a description of the issue and its potential impact;
- clear steps to reproduce, including any proof-of-concept; and
- your contact details so we can follow up.
3. Our commitment
When you report an issue in good faith, we will:
- acknowledge your report, typically within a few business days;
- investigate and keep you reasonably informed of our progress;
- work to remediate confirmed vulnerabilities promptly, prioritized by severity; and
- credit you for the discovery if you wish, once the issue is resolved.
4. Responsible disclosure
We ask that you give us a reasonable opportunity to investigate and remediate an issue before disclosing it publicly. Please make a good-faith effort to avoid privacy violations, data destruction, and any degradation of service during your research, and only test against Atlassian instances that you own or are authorized to use. Do not access, modify, or retain data belonging to other users or organizations.
We will not pursue legal action against researchers who act in good faith and in accordance with this policy.
5. Scope
This policy covers the Apps published by Magrathea Software, LLC on the Atlassian Marketplace. Vulnerabilities in the underlying Atlassian platform (Jira, Confluence, Forge, and related services) should be reported to Atlassian.
6. Contact
Magrathea Software, LLC
Missouri, USA
Security: security@magratheasoftware.com
General: hello@magratheasoftware.com