🔒 Trust Center Navigation

Trust Center

Legal Documents

← Back to Documentation

Security Overview

Community Questions follows a defense-in-depth security approach to protect your data and ensure the privacy of your team.

Infrastructure & Hosting

Cloud Platform:

  • Hosted on Microsoft Azure with enterprise-grade security
  • Production and development environments isolated
  • Multi-region availability for reliability

Database:

  • Azure SQL Database with encryption at rest
  • Automated backups and point-in-time recovery
  • Network isolation and firewall rules

Secrets Management:

  • Azure Key Vault for secure credential storage
  • No secrets in source code or configuration files
  • Managed identity authentication in production

Monitoring & Logging:

  • Application Insights for telemetry and diagnostics
  • Automated alerts for security events
  • Log sanitization to remove sensitive parameters

Authentication & Authorization

Atlassian Connect Framework:

  • JWT (JSON Web Token) authentication for all requests
  • Symmetric key unique to each Confluence installation
  • Automatic key rotation on app reinstall
  • No passwords stored by Community Questions

Permission Model:

  • Inherits Confluence space permissions
  • No separate authentication system
  • Users authenticated via Atlassian account

Access Levels:

Granular permissions are configured per space for Questions, Votes, and Tags with View/Add/Delete controls. See the Admin Configuration guide for details.

Data Protection

Data Minimization:

  • Store only IDs and metadata
  • Question and answer content remains in Confluence
  • No page content cached

Encryption:

  • HTTPS only - All communication encrypted in transit
  • TLS 1.2+ required for all connections
  • OAuth tokens encrypted at rest using AES-256-GCM
  • Database encryption enabled

PII Handling:

  • JWT parameters removed from logs
  • No personally identifiable information in telemetry
  • User IDs used instead of names/emails
  • Query parameters sanitized before logging

Integration Security

Slack OAuth:

  • Industry-standard OAuth 2.0 flow
  • Access tokens encrypted before database storage
  • Tokens scoped to minimum required permissions
  • Revocable at any time from Slack workspace settings

Webhook Validation:

  • HTTPS required for all webhook URLs
  • URL format validation before storage
  • Webhook URLs validated before each send
  • Failed webhooks logged and monitored

Microsoft Teams & Google Chat:

  • Webhook-based integration (no OAuth required)
  • HTTPS-only webhook URLs
  • URL validation before storage
  • Secure JSON payload delivery

Compliance

GDPR:

  • Full GDPR compliance for EU users
  • Data export capabilities via Confluence
  • User data deletion supported
  • DPA available for enterprise customers

Data Residency:

  • Data stored in Microsoft Azure regions
  • Follows Atlassian Cloud data residency policies
  • Integration data location configurable

Privacy:

Security Features

Content Security:

  • React auto-escaping prevents XSS attacks
  • Atlassian Design System components sanitize inputs
  • No dangerous HTML rendering
  • Content Security Policy headers

Network Security:

  • HTTP Strict Transport Security (HSTS) enabled
  • Firewall rules restrict database access
  • Azure network security groups
  • DDoS protection via Azure

Application Security:

  • Regular dependency updates
  • Automated security scanning
  • SQL injection prevention via ORM
  • Input validation on all user data

Incident Response

Security Monitoring:

  • Real-time application monitoring
  • Error tracking and alerting
  • Performance anomaly detection
  • Automated security incident alerts

Vulnerability Reporting:

If you discover a security vulnerability, please report it responsibly:

Email: support@communityquestions.io

Please include a description, steps to reproduce, and potential impact. We aim to respond within 48 hours.