Trust is our Operating System.
Sync-o is built on the Atlassian Forge platform, inheriting world-class security, compliance, and isolation by design.
Security Architecture
Defense in depth, leveraging the Atlassian Shared Responsibility Model.
Platform Isolation
Sync-o runs within the Atlassian Forge sandbox. We utilize our own secure AWS infrastructure for specialized processing and storage, ensuring strict isolation and control.
No Credential Access
We never see your passwords. Sync-o operates only within the OAuth 2.0 scopes your administrator authorizes at install time, scoped to the Atlassian products (Jira and Confluence) where the app is installed.
Enterprise Encryption
In Transit: TLS 1.2+ (TLS 1.3 where supported by client).
At Rest: All persisted data — configuration, content excerpts, embeddings, audit logs — encrypted with AES-256 via AWS KMS. Customer AI keys are additionally protected via Forge setSecret.
You Control the Intelligence
We treat Generative AI as a "stateless" processor. Your intellectual property is never used to train our models.
Zero Training Policy
By default, Sync-o routes all inference through Google Vertex AI (Gemini) in Belgium. Vertex AI's enterprise contract prohibits using customer prompts or responses to train Google's models. BYOM providers (OpenAI, Anthropic, Azure OpenAI) operate under their own commercial API contracts, which also exclude API data from training by default.
Version History Safety Net
Every Sync-o update is published with full Confluence version history — review exactly what changed and revert with one click if needed.
Bring Your Own Model
Advanced plan users can connect their own private Google Gemini (via Regular API or Vertex AI), OpenAI, Anthropic, or Azure OpenAI accounts.
Data Handling
Sync-o is designed to minimize the data we store. We persist configuration required to operate the app, and we log limited operational metadata needed for reliability and support.
Data Retention
For full details, please review our Privacy Policy and Data Processing Addendum.
Subprocessors
We rely on vetted third parties to deliver the service. Locations are selected to maximize GDPR compliance.
| Entity | Purpose | Location | Engagement |
|---|---|---|---|
| Amazon Web Services | Cloud hosting, data storage, serverless compute (Lambda, DynamoDB, SQS, CloudWatch) | Ireland (eu-west-1) | Always |
| Google LLC (Vertex AI) | AI content generation + embeddings (Gemini, text-embedding-004) | Belgium (europe-west1) | Default AI provider |
| OpenAI, OpCo, LLC | AI content generation | United States | Optional — when Controller selects OpenAI in BYOM |
| Anthropic PBC | AI content generation | United States | Optional — when Controller selects Anthropic Claude in BYOM |
| Microsoft Corporation (Azure OpenAI) | AI content generation | United States (legal entity); Controller-selected Azure region for processing | Optional — when Controller selects Azure OpenAI in BYOM |
Atlassian Forge is the underlying platform on which Sync-o is deployed; customers contract with Atlassian directly for the Forge platform, so Atlassian is not listed as a Sync-o sub-processor here. Operational tools that do not process customer Atlassian content (e.g., GitHub for source control, Cloudflare Pages for marketing-site hosting) are likewise excluded from this list.
Vulnerability Disclosure
Security researchers play a vital role in keeping our customers safe. If you believe you've found a vulnerability, please let us know immediately.
CSA CAIQ Lite Self-Assessment
Our published response to the Cloud Security Alliance's 124-question Consensus Assessments Initiative Questionnaire (Lite, v4.0.3) — covering encryption, IAM, change management, data handling, incident response, and 13 other security domains. Effective May 11, 2026.