Scroll Viewport adheres to the Atlassian Marketplace security requirements for Cloud apps when it pulls content from Confluence Cloud and uploads it to a scrollhelp.site site.
All the content that has been uploaded to a scrollhelp.site is publicly available to anyone on the web – unless you choose to restrict your site.
How Viewport accesses your content on Confluence
When you install the app, a new technical Confluence user called "Scroll Viewport for Confluence Cloud" is added as a user to your Confluence instance.
The app user is used by Scroll Viewport to pull the content from the content sources to your Viewport site. What content the user can pull is limited by the permissions you give to this user on your Confluence instance and spaces.
Only a logged-in Confluence admin or a Confluence user who is a member of the Scroll Viewport administrator group can trigger the process to pull content from Confluence space(s) to a Scroll Viewport site. This can only be done from the Confluence instance that was used to create the site.
How Viewport pulls and stores content to make it public
Viewport pulls content from Confluence using a Confluence REST API over HTTPS with JWT-based authentication. The content is stored on AWS in a multi-tenant architecture as soon as you generate a preview of your site.
For Scroll Documents, only the versions you have selected are pulled, stored and published. Also note that images uploaded to the asset library in the theme editor are only pulled if they are selected and used in the theme for your site.
When you generate a preview, anyone with a link to it will be able to access the site. While leaking this link is technically possible, it’s practically impossible for someone without the link to guess the URL since it contains 32 random characters.
Only the Confluence instance that the site is created from can make changes to the site. Content is only made available to the public if an authorized Confluence user updates the site or takes it live by clicking the Go live button in the app.
Live sites are set up as static sites (as opposed to dynamic sites) on their own domains, which greatly limits outside interference and possible attack vectors.
Any content which was published to the web can be taken offline again by clicking the Take offline button in the app.
How Viewport secures your data
Scroll Viewport and K15t take data security seriously.
As an Atlassian Marketplace vendor, we adhere to the Marketplace Security Program.
Viewport additionally participates in the Marketplace Bug Bounty Program, which can be verified by hovering over the “CLOUD SECURITY PARTICIPANT” badge on our app listing. This means security researchers are continuously testing our app for vulnerabilities.
You can find more information about our company-wide data policies in the K15t data security statement. To find out more about the sort of data we process, please refer to K15t's Data Processing Addendum (DPA).