Security – How Secure Is Scroll Sites?

Scroll Sites adheres to the Atlassian Marketplace security requirements for Cloud apps to pull and upload content from Confluence Cloud to a Scroll site hosted in Oregon, USA.

All the content that has been uploaded to Scroll site is publicly available to anyone on the web – unless you choose to protect your site with a login.

How Scroll Sites Accesses Your Content on Confluence

When you install the app, a new technical Confluence user called ‘Scroll Viewport for Confluence Cloud’ is added as a user to your Confluence instance.

The app user is used by Scroll Sites to pull the content from the content sources to your Scroll site. What content the user can pull is limited by the permissions you give to this user on your Confluence instance and spaces.

Only a logged in Confluence admin or a Confluence user that is a member of the Scroll Sites administrator group can trigger the process to pull content from Confluence space(s) to a Scroll site. This can only be done from the Confluence instance which was used to create the site.

You can configure the app’s access to your Confluence content and decide which users can use the app.

How Scroll Sites Pulls and Stores Content To Make It Public

Scroll Sites pulls content from Confluence using a Confluence REST API with HTTPS and JWT based authentication. The content is stored on AWS in a multi-tenant architecture as soon as you create a site and add content to it. We host your data in AWS region us-west-2 (Oregon, USA).

Scroll Sites only pulls, stores and publishes the content that you have added as a content source to your Scroll site (unless custom restrictions are set).

For Scroll Documents, only the versions you have selected are pulled, stored and published. Also note that images uploaded in the theme configurator are only pulled if they are selected and used in the theme for your site.

Only the Confluence instance that the site is created from can make changes to the site. Content is only made available to the public if an authorized Confluence users creates a site and adds content to it.

Live sites are constituted as static sites (as opposed to dynamic sites) on own domains, which greatly limits any outside interference and possible attack vectors.

Any content which was published to the web can be taken offline again by deleting the site in the app.

How Scroll Sites Secures Your Data

Scroll Sites and K15t take data security seriously.

• As an Atlassian Marketplace vendor we adhere to the Marketplace Security Program.

• We also take part in Atlassian’s Cloud Fortified Security Self-Assessment Program which is verified on our Vendor profile.

• Our Atlassian marketplace app listing has more extensive information about privacy, data storage and management, and security and compliance. Please refer to the Privacy & Security information provided in the Atlassian marketplace.

• Scroll Sites additionally participates in the Marketplace Bug Bounty Program which can be verified by hovering over the “CLOUD SECURITY PARTICIPANT” badge on our app listing. This means security researchers are continuously testing our app for vulnerabilities.

You can find more information about our company-wide data policies in the K15t data security statement. To find out more about the sort of data we process, please refer to K15t's Data Processing Addendum (DPA).