Security Statement
How we protect your data and maintain your trust
Last updated: June 2, 2026
Need a security questionnaire?
See our CAIQ (Lite) self-assessment, covering Aevon Timesheets, Argon, and AgentGate against the CSA Cloud Controls Matrix.
Our Security Commitment
At Orbiscend, security is foundational to how we build and operate our products. Our Forge-native apps — Aevon Timesheets, Argon, and AgentGate — run entirely on Atlassian Forge, so customer data stays inside Atlassian. Theia (coming soon) and Dike are Forge apps that integrate with GitHub via OAuth, with data flowing directly between Atlassian Forge and the GitHub API.
We do not operate our own data storage servers. App customer data is stored and processed within Atlassian's secure cloud environment, benefiting from their comprehensive security controls and compliance certifications.
Security Features
Atlassian Forge Infrastructure
All our apps run on Atlassian Forge, leveraging Atlassian's enterprise-grade security infrastructure. No customer data is stored on our own servers.
Data Encryption
Data is encrypted in transit using TLS 1.2+ and at rest using AES-256, as provided by Atlassian Forge's security standards.
Minimal Data Access
Our apps request only the permissions necessary for their functionality. We follow the principle of least privilege.
Customer data stays in Atlassian
Our Forge-native apps process and store customer data only within Atlassian's infrastructure. The subprocessors we use for business operations (website hosting, business email, development tooling) do not receive any customer data.
Product-Specific Information
Aevon Timesheets
Aevon Timesheets is Forge-native. Time tracking, approvals, and billing-prep all run inside Atlassian’s infrastructure; worklogs are stored as native Jira worklogs (no proprietary data store). No external services or subprocessors receive Aevon customer data.
Argon
Argon operates entirely within the Atlassian ecosystem. JQL functions and calculated fields are computed on Atlassian Forge with Forge SQL backing the index. No external services or APIs are called from the app.
AgentGate
AgentGate is Forge-native and provides supervised access for AI agents to Jira: every write proposed by an agent goes through human approval before being applied as the approving user (asUser impersonation). A full audit log of token activity, change proposals, and decisions is stored in Forge SQL.
TheiaComing soon
Theia will integrate with GitHub to provide repository visibility. GitHub connections will be OAuth-authorized and data will flow directly between Atlassian Forge and the GitHub API, without intermediate storage.
Dike
Dike integrates with GitHub for code review and quality management. GitHub connections are OAuth-authorized and data flows directly between Atlassian Forge and the GitHub API, without intermediate storage.
Data Processing & Subprocessors
Customer data stays in Atlassian
Our Forge-native apps process and store customer data exclusively within Atlassian’s infrastructure (Forge storage and native Jira). No third-party processor receives Jira content, account information, or any other customer data from our apps. Customer data is:
- Stored exclusively within Atlassian Forge infrastructure
- Not transmitted to any third-party data processor
- Not sold, shared, or used for purposes beyond providing our Services
- Accessed only by Orbiscend personnel when necessary for support
Business-operations subprocessors
Orbiscend uses a small set of providers to run its day-to-day business. None of them receive customer data from our Forge apps — they handle hosting, email, and development tooling for Orbiscend itself.
- Atlassian — Forge platform; hosts our apps and their customer data.
- Cloudflare — marketing-website hosting, CDN, and DNS.
- Proton — business email and communications.
- Anthropic (Claude) — AI assistance for Orbiscend’s own development; no customer data is sent.
Atlassian Forge Security
By building on Atlassian Forge, our apps inherit Atlassian's comprehensive security measures:
- SOC 2 Type II certified infrastructure
- ISO 27001, 27017, 27018, and 27701 certifications
- CSA STAR Level 2 attestation
- GDPR compliance controls
- Regular third-party security audits and penetration testing
- Secure development lifecycle practices
- 24/7 security monitoring and incident response
For more details on Atlassian's security practices, visit the Atlassian Trust Center.
Data Processing Agreement (DPA)
For organizations requiring a Data Processing Agreement under GDPR or other data protection regulations, we offer a DPA that covers:
- Nature and purpose of data processing
- Types of personal data processed
- Data subject categories
- Your rights and our obligations as a data processor
- Security measures and breach notification procedures
- Sub-processor list and purposes, plus our notification process for any changes
- Data transfer mechanisms for international transfers
Our DPA is available to view and download (PDF) and is incorporated automatically when you install the app. For an editable or counter-signed copy, contact legal@orbiscend.com.
Security Vulnerability Reporting
We take security vulnerabilities seriously. If you discover a potential security issue in any of our products, please report it responsibly:
Email: security@orbiscend.com
Please include a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots or proof-of-concept code.
Contact Us
For security-related questions or concerns, please contact our team:
Orbiscend OÜ
Ahtri 12
Tallinn, 15551
Estonia
- Security inquiries: security@orbiscend.com
- Privacy inquiries: privacy@orbiscend.com
- Legal inquiries (DPA requests): legal@orbiscend.com