Skip to main content
Skip table of contents

How Secure Is Scroll Viewport?

Scroll Viewport adheres to the Atlassian Marketplace security requirements for Cloud apps to pull and upload content from Confluence Cloud to a scrollhelp.site - site hosted in Oregon, USA.

All the content that has been uploaded to a scrollhelp.site is publicly available to anyone on the web – unless you choose to restrict your site.

How Viewport Accesses Your Content on Confluence

When you install the app, a new technical Confluence user called "Scroll Viewport for Confluence Cloud" is added as a user to your Confluence instance.

The app user is used by Scroll Viewport to pull the content from the content sources to your Viewport site. What content the user can pull is limited by the permissions you give to this user on your Confluence instance and spaces.

Only a logged in Confluence admin or a Confluence user that is a member of the Scroll Viewport administrator group can trigger the process to pull content from Confluence space(s) to a Scroll Viewport site. This can only be done from the Confluence instance which was used to create the site.

How Viewport Pulls and Stores Content To Make It Public

Viewport pulls content from Confluence using a Confluence REST API with HTTPS and JWT based authentication. The content is stored on AWS in a multi-tenant architecture as soon as you generate a preview of your site. We host your data in AWS region us-west-2 (Oregon, USA).

Viewport only pulls, stores and publishes the content that you have added as a content source to your Viewport site (unless custom restrictions are set).

For Scroll Documents, only the versions you have selected are pulled, stored and published. Also note that images uploaded asset library in the theme editor are only pulled if they are selected and used in the theme for your site.

When you generate a preview, anyone with a link to it will be able access the site. While leaking this link is technically possible, it’s practically impossible for someone without the link to guess the URL since it contains 32 random characters.

Only the Confluence instance that the site is created from can make changes to the site. Content is only made available to the public if an authorized Confluence users updates or takes the site live by clicking the Go live button in the app.

Live sites are constituted as static sites (as opposed to dynamic sites) on own domains, which greatly limits any outside interference and possible attack vectors.

Any content which was published to the web can be taken offline again by clicking the Take offline button in the app.

How Viewport Secures Your Data

Scroll Viewport and K15t take data security seriously.

You can find more information about our company-wide data policies in the K15t data security statement. To find out more about the sort of data we process, please refer to K15t's Data Processing Addendum (DPA).

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.