Scroll Viewport adheres to the Atlassian Marketplace security requirements for Cloud apps to pull and upload content from Confluence Cloud to a scrollhelp.site - site.
All the content that has been uploaded to a scrollhelp.site is publicly available to anyone on the web.
How Viewport accesses your content on Confluence
When you install the app, a new technical Confluence user called "Scroll Viewport for Confluence Cloud" is added as a user to your Confluence instance.
This app user pulls the given content to your public Viewport site. What content the user can pull is limited by the permissions you give to this user on your Confluence instance and spaces.
Only a logged in Confluence admin or a Confluence user that is a member of a special Scroll Viewport administrator group can trigger the process to pull content from Confluence space(s) to a Scroll Viewport site. This can only be done from the Confluence instance where the site has been created from.
How Viewport pulls and stores content to make it public
Viewport pulls content from Confluence using a Confluence REST API with HTTPS and JWT based authentication. The content is stored on AWS in a multi-tenant architecture as soon as you generate a preview of your site.
When you generate a preview, anyone with a link to it will be able access the site. While leaking this link is technically possible, it’s practically impossible for someone without the link to guess the URL since it contains 32 random characters.
Only the Confluence instance that the site is created from can make changes to the site. Content is only made available to the public if an authorised Confluence users updates or takes the site live by clicking the Go live button in the app.
Any content which was published to the web can be taken offline again by clicking the Take offline button in the app.