1. ARCHITECTURE & DATA FLOW

ikuTeam apps follow a single security principle: Forge-native execution, zero content storage, and strict permission integrity. All data moves directly between the end-user’s browser, Atlassian Cloud, and—when relevant—your cloud-storage provider. No ikuTeam server ever stores customer content.

1.1 Global Encryption & Transport Controls

(Applies to every ikuTeam app; verified under Atlassian Cloud Fortified)

| Control | Detail |
| --- | --- |
| In-Transit Encryption | TLS 1.3 (1.2 fallback) for every network hop—browser ↔ Atlassian ↔ Microsoft / Google APIs. |
| Token Security | OAuth 2.0 tokens are encrypted and stored only in each tenant’s Forge key vault—never exported. |
| At-Rest Encryption | Content remains encrypted with AES-256 by Atlassian or the customer’s storage platform (SharePoint, Google Drive, etc.). |
| No Shadow Infrastructure | ikuTeam maintains zero persistent databases, caches, or content mirrors. |

1.2 Global Admin Controls — at a glance

Administrators can enforce governance consistently across all product families:

  • Feature Toggles – Enable/disable AI summaries, external drives, or in-place editing per Confluence Space or Jira Project.

  • Audit-Log Export – Download the last 30 days of app events as CSV.

  • Tenant-Restriction Headers – Limit connections to approved Microsoft 365 / Google Workspace tenants.
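The tenant-restriction control above can be illustrated with the headers the two vendors document for this purpose. The following is an added example, not ikuTeam's code: it builds outbound headers from an admin allowlist (Microsoft's Restrict-Access-To-Tenants / Restrict-Access-Context and Google's X-GoogApps-Allowed-Domains) and checks a sign-in token's tenant claim against the same list. Whether ikuTeam uses exactly these headers, and the policy values shown, are assumptions; the page only says "tenant-restriction headers".

```javascript
// Added example (not ikuTeam code): tenant restriction for outbound Microsoft 365 /
// Google Workspace connections. Header names are the vendors' documented ones;
// their use by ikuTeam is an assumption.

// Constructed admin policy. Values are placeholders, not real tenants.
// The Microsoft `tid` claim is a GUID, so list the tenant ID as well as its domain.
const EXAMPLE_POLICY = {
  microsoftTenants: ['contoso.onmicrosoft.com', '11111111-2222-3333-4444-555555555555'],
  microsoftContextTenantId: '11111111-2222-3333-4444-555555555555',
  googleDomains: ['contoso.example', 'eng.contoso.example'],
};

function normalize(list) {
  return list.map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Headers to attach to every call that reaches a Microsoft or Google endpoint.
function tenantRestrictionHeaders(policy) {
  const headers = {};
  const ms = normalize(policy.microsoftTenants || []);
  if (ms.length > 0) {
    headers['Restrict-Access-To-Tenants'] = ms.join(',');
    if (policy.microsoftContextTenantId) {
      headers['Restrict-Access-Context'] = policy.microsoftContextTenantId;
    }
  }
  const g = normalize(policy.googleDomains || []);
  if (g.length > 0) headers['X-GoogApps-Allowed-Domains'] = g.join(',');
  return headers;
}

// Decide whether an already-validated token's tenant is approved.
// Microsoft ID tokens carry the tenant in `tid`; Google Workspace tokens carry the
// hosted domain in `hd` (consumer Gmail accounts have no `hd`, so they are rejected).
// Signature, issuer and audience checks are assumed to have happened before this call.
function isTenantAllowed(provider, claims, policy) {
  if (provider === 'microsoft') {
    const tid = String(claims.tid || '').toLowerCase();
    return tid !== '' && normalize(policy.microsoftTenants || []).includes(tid);
  }
  if (provider === 'google') {
    const hd = String(claims.hd || '').toLowerCase();
    return hd !== '' && normalize(policy.googleDomains || []).includes(hd);
  }
  return false; // unknown provider: fail closed
}

// Usage: console.log(tenantRestrictionHeaders(EXAMPLE_POLICY));
```

The check fails closed: a token without a tenant claim, or from a provider the policy does not know, is rejected rather than passed through.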

1.3 Product Families (overview)


| Family | Includes | Core Data-Flow Model | Key Admin Switches |
| --- | --- | --- | --- |
| Team Files | Team Files, SharePoint / Google Drive Connectors, Box / Dropbox / Egnyte, Google Docs/Sheets, SharePoint Lists | Real-time streaming via short-lived signed URLs; tokens stored in Forge; no content cached. | Toggle editing & external drives, auto-provision folders, force read-only/download blocks |
| Office Editor | Office Editor, Excel Sheets, PDF Editor | Files stay stored inside Jira/Confluence attachments. | Enable/disable editing, workbook-diff rotation, PDF signature & audit export |
| Rovo AI | Rovo Assistant (SharePoint documents) | Documents are processed in-memory with Atlassian Rovo. Summaries are temporary and never stored or shared. | Disable per Space/Project, PII/PHI redaction presets |

A detailed flow diagram for each family appears in its respective tab below.

1.4 Data Residency & Retention

| Data Type | Where Stored | Default Retention | Notes |
| --- | --- | --- | --- |
| OAuth Tokens | Atlassian Forge encrypted KV | Until app uninstalled or token revoked | GDPR Art. 6(1)(b) basis |
| File Metadata | Confluence / Jira page storage | Life of the page | Never leaves Atlassian realm |
| File Content | Never stored by ikuTeam | N/A | Access via customer-signed URLs only |
| Operational Logs | Atlassian Log Pipeline | 90 days, auto-purge | Contains no customer content |

Need a deeper technical review?

Open a Security Ticket to request an Architecture Walk-through or Pen-test Report (NDA required).

2. CERTIFICATIONS, COMPLIANCE & IMMUTABLE CONTROLS

ikuTeam’s trust program is grounded in third-party audits, published road-maps, and the inherited security posture of Atlassian Forge. Unless noted otherwise, every control, certification, and commitment below applies equally to all ikuTeam product families (Team Files, Office Editor, and Rovo AI).

2.1 Global Certifications & Regulatory Alignment

| Framework / Standard | Status | Scope & Coverage | Next Formal Review |
| --- | --- | --- | --- |
| ISO 27001:2022 | In progress – Stage 2 audit booked | Full ISMS: product dev, cloud ops, incident response | Q1 2026 (certification), then annual surveillance |
| SOC 2 Type II | Road-map – gap analysis complete | Security, Availability, Confidentiality | Audit kickoff Q2 2026 |
| GDPR / CCPA | Compliant | DPA, SCCs, data-subject rights, breach notice | DPO review every 12 months |
| HIPAA | Aligned (BAA pilot) | Technical & admin safeguards §164.312 | BAA pilot Q1 2026 |
| Atlassian Cloud Fortified | Certified | 24 × 7 uptime, vulnerability scans, 1-hour incident updates | Verified annually by Atlassian |
| Regional Data Residency | Supported | EU, US, Germany, Australia (Forge zones) | Canada & UK zones H1 2026 |
| Sub-processor Register | Public | AWS, Atlassian Cloud, Mailgun (full list: PDF) | Live; updated immediately |

See the current sub-processor list → (PDF / Portal)

2.2 Immutable Security Controls

(Enforced globally; validated through Cloud Fortified and quarterly pentests)

  • Zero Content Storage – ikuTeam never stores or proxies customer files.

  • End-to-End Encryption – TLS 1.3 in transit; AES-256 at rest.

  • Least-Privilege OAuth – Per-user scopes only; no tenant-wide or mailbox scopes.

  • Customer Data Isolation – Forge isolates each tenant; no co-tenant access.

  • Continuous Scanning – SAST, SCA, DAST pipelines + quarterly CREST-accredited pentests.

  • Audit Logging – All actions logged; admins can export CSV (30-day window).

  • 24 × 7 Security Hotline – security@ikuteam.com (PGP key available).

2.3 Family-Level Compliance Notes

| Family | Additional Call-outs |
| --- | --- |
| Team Files | Aligns with Microsoft 365 EU Data Boundary, supports Purview & Google Workspace logs. |
| Office Editor | All data stays inside Jira/Confluence attachments; immutable Page/Issue History. |
| Rovo AI | Extra PII and PHI redaction with region-aware processing through Atlassian Rovo. No customer data is stored or used for model training. |

2.4 Audit Pack, Questionnaires & Proofs — Available under NDA

  • ISO 27001 Statement of Applicability (draft)

  • SOC 2 Type II control list & readiness report

  • Latest pentest executive summary

  • Sub-processor inventory & data-flow diagrams

  • SIG Lite, CAIQ, DPIA templates

  • Cloud Fortified uptime & SLA attestation

Request evidence via the Support Portal or book a 1-on-1 compliance session.

3. PRODUCT-SPECIFIC SECURITY NOTES

ikuTeam ships three product families. Each follows the global controls in Section 2 but also carries the family-level guarantees below. Tables are intentionally uniform to help auditors compare at a glance.

3.1 Team Files Family

Apps: Team Files, SharePoint Connector, Google Drive Connector, Box / Dropbox / Egnyte Connectors, Google Docs / Sheets, SharePoint Lists

| Security Aspect | Policy & Technical Detail |
| --- | --- |
| Data Residency / Storage | No file data ever stored by ikuTeam. Content stays in SharePoint, Google Drive, Box, Dropbox, Egnyte, or Atlassian. Only per-user OAuth tokens are stored in Atlassian Forge’s encrypted key-value store. |
| Permission Handling | Real-time mirroring of source-platform ACLs. Admin switches: force read-only, block downloads, auto-provision project folders. |
| Encryption & Transport | TLS 1.3 end-to-end. File access via signed URLs (< 15 min TTL) or embedded viewers. |
| Scoped OAuth Access | No mailbox, calendar, or directory scopes. Granular file scopes only; consent per user & tenant. |
| Compliance Extras | Supports Microsoft 365 EU Data Boundary, Purview audit logs, Google Workspace log events, Power Platform DLP alignment. |

Admin Controls Recap

  • Toggle external drives / editing / Rovo per space or project

  • Export 30-day audit CSV

  • Tenant-restriction header

3.2 Office Editor Family

Apps: Office Editor, Excel Sheets, PDF Editor (Confluence & Jira)

| Security Aspect | Policy & Technical Detail |
| --- | --- |
| Data Residency / Storage | Files remain solely in Jira/Confluence attachment storage—never copied or cached externally. |
| Permission Handling | Inherits native space / project / attachment rights. Live permission check aborts editing if access is revoked mid-session. |
| Encryption & Transport | TLS 1.3 browser ↔ Atlassian; AES-256 at rest (handled by Atlassian). WebAssembly editor runs client-side; no outbound calls. |
| Scoped Access | Zero third-party scopes; execution sandboxed inside Forge. Excel Sheets diffs encrypted; rotated daily. |
| Compliance Extras | SOX-ready audit export (CSV), eIDAS-compliant PAdES signatures (PDF Editor), immutable edit history in Confluence / Jira. |

Admin Controls Recap

  • Enable/disable editing per space/project

  • Configure diff-retention window (Excel)

  • Toggle PDF signature requirement

3.3 Rovo AI Family

App: Rovo Assistant (SharePoint-based summaries)

| Security Aspect | Policy & Technical Detail |
| --- | --- |
| Data Flow & Storage | Document streamed in 1 MB encrypted chunks; processed in-memory only. No content or summary persisted by ikuTeam or the model. |
| Permission Handling | Rovo inherits SharePoint ACLs; users without access cannot request or view a summary. |
| Encryption & Transport | TLS 1.3 Forge ↔ Azure OpenAI; processing pinned to the same region as the Atlassian tenant. |
| Scoped Access | Limited to SharePoint file scopes; Rovo never requests broader Graph permissions. Model never trains on customer data. |
| PII / PHI Safeguards | Regex-based redaction layer (15+ patterns). Requests abort on match; admin may tune rules or disable Rovo entirely. |

Admin Controls Recap

  • Global or per-space/project toggle

  • Enable healthcare / legal redaction presets

  • View summary-access events in audit log
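The "PII / PHI Safeguards" row above combines two statements: documents are streamed in chunks, and a regex layer aborts the request on the first match. A value split across a chunk boundary is the failure mode such a design has to handle, so the added example below (not ikuTeam's code) scans chunks with a carried-over tail so straddling matches are still caught, and it reports only the rule name, offset and length of each hit, never the matched value, so findings can be logged without leaking the very data they flag. The four rules, the chunk contents and the match-length limit are constructed for illustration; the page cites 15+ patterns without listing them.

```javascript
// Added example (not ikuTeam code): streaming regex screen that aborts on the first
// PII/PHI hit, with carry-over so a match split across a chunk boundary is not missed.

// Constructed rule set; a real deployment would carry more patterns.
const RULES = [
  { name: 'us-ssn',   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: 'email',    re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
  { name: 'us-phone', re: /\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b/g },
  { name: 'mrn',      re: /\bMRN[:#\s]*\d{6,10}\b/gi }, // hypothetical medical-record-number format
];

// Longest span any rule above can match. The scanner keeps this much tail text from
// the previous chunk so a value that straddles two chunks is still seen whole.
const MAX_MATCH_LEN = 254;

// Scan one string. Returns rule name, offset and length only: the matched text is
// deliberately not returned, so findings are safe to log.
function scanText(text, rules = RULES) {
  const findings = [];
  for (const rule of rules) {
    for (const m of text.matchAll(rule.re)) {
      findings.push({ rule: rule.name, offset: m.index, length: m[0].length });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

class StreamingScreen {
  constructor(rules = RULES) {
    this.rules = rules;
    this.carry = '';    // tail of the previous chunk
    this.consumed = 0;  // total characters seen so far
  }

  // Scan the next chunk; returns findings with document-absolute offsets.
  push(chunk) {
    const view = this.carry + chunk;
    const base = this.consumed - this.carry.length;
    const findings = scanText(view, this.rules)
      // Matches lying entirely inside the carried tail were reported on the previous chunk.
      .filter((f) => f.offset + f.length > this.carry.length)
      .map((f) => ({ ...f, offset: base + f.offset }));
    this.consumed += chunk.length;
    this.carry = view.slice(-(MAX_MATCH_LEN - 1));
    return findings;
  }
}

// Drive the screen over a chunked document; stop at the first chunk with a hit.
function screenDocument(chunks, rules = RULES) {
  const screen = new StreamingScreen(rules);
  for (let i = 0; i < chunks.length; i++) {
    const findings = screen.push(chunks[i]);
    if (findings.length > 0) {
      return {
        status: 'aborted',
        chunkIndex: i,
        rules: [...new Set(findings.map((f) => f.rule))],
        findings,
      };
    }
  }
  return { status: 'allowed', chunksScanned: chunks.length };
}

// Usage with constructed chunks whose email address is split across the boundary:
// console.log(screenDocument(['Patient contact: jane.doe@example', '.com, ref MRN 00123456']));
```

Aborting at the first hit means later chunks are never read into the model pipeline at all, which is the behaviour the table describes; the carry-over is what keeps that early exit honest when the sensitive value happens to sit on a chunk edge.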

Need deeper technical docs?

Request the scope manifest, vectorization flow, or full Graph integration spec via the Support Portal (NDA required).

4. UPTIME, INCIDENT RESPONSE & ATLASSIAN STATUS

ikuTeam apps are Cloud Fortified, so availability, maintenance, and incident comms are handled through Atlassian’s own infrastructure. You get a single source of truth—no separate dashboards to track.

4.1 Live App Status — Where to Subscribe

  • Status URL: status.atlassian.com

  • Recommended component filters

    • Team Files Apps – SharePoint, Google Drive, Box, Dropbox, Egnyte

    • Office Editor Apps – Word, Excel, PDF (Confluence/Jira)

    • Rovo AI – SharePoint-based summaries

  • Updates include real-time metrics, maintenance windows, and post-incident summaries.

4.2 SLA & Priority Definitions (Cloud Fortified Baseline)

| Severity | Typical Impact | First Response | Update Cadence | Target Resolution* |
| --- | --- | --- | --- | --- |
| P0 / Critical | Data loss, security breach, full outage | ≤ 1 h | 60 min | 8 h |
| P1 / High | Core feature down, major perf. issue | ≤ 4 h | 2 h | 24 h |
| P2 / Medium | Partial degradation, minor bug | 1 biz day | Daily | 3 biz days |
| P3 / Low | Cosmetic, docs, enhancement | 2 biz days | As needed | Backlog |

*Full SLA matrix—including business-hour definitions and regional exceptions—is in the SLA & Escalation Policy (PDF).

Service credits follow Atlassian Cloud Fortified Terms—submit a Support Ticket within 30 days of breach to claim.

4.3 Security Incidents & Bug Bounty

  1. Detection → Escalation

    • Automated alerts trigger at 3× baseline error rate or failed health probes.

    • Severity triaged within 15 minutes by on-call SRE.

  2. Communication

    • Status updated to Investigating / Identified / Monitoring within SLA windows.

    • Customers with open tickets receive direct notifications.

  3. Post-Incident

    • RCA (timeline, fix, preventive actions) published ≤ 72 hrs for P0/P1.

    • Logs retained 3 years for auditability.

  4. Responsible Disclosure

    • ikuTeam participates in the Atlassian Marketplace Bug Bounty—see policy ↗︎.

    • Report vulnerabilities via support@ikuteam.com (PGP key: /.well-known/security.txt). Acknowledgement in ≤ 24 hrs on business days.

Need clarification on uptime metrics or service-credit mechanics?
Open a Security Ticket and select “SLA / Availability Inquiry.”

5. CONFIDENTIAL DOCUMENT CENTER

Some evidence is too sensitive to publish openly (network diagrams, SoA detail, pentest results). We surface it through a time-boxed, NDA-gated portal so your auditors can verify controls without exposing production details.

5.1 What’s Inside

| Category | Artefacts (examples) | Refresh Cycle |
| --- | --- | --- |
| Compliance & Certifications | ISO 27001 Statement of Applicability, GDPR/CCPA DPA, Sub-processor Register | SoA ➜ quarterly; DPA ➜ annually |
| Security Testing | External Pen-test Executive Summary, Atlassian Forge AppSec Review Letter | Pen-test ➜ annual; Forge letter ➜ per Atlassian cycle |
| Cloud Architecture & BCP | High-level system diagrams (Jira/Confluence), DR/BCP plan | Annually or after major infra change |
| Policies & Procedures | Secure SDLC SOP, Incident-Response Plan | Semi-annual |
| Roadmap & Audits | SOC 2 Type II timeline, HIPAA BAA program outline | Live tracker |

(All files are water-marked, read-only, and may be lightly redacted.)

5.2 How Access Works

  1. Request – Open the short “NDA Access” form in the Support Portal.

  2. e-Sign NDA – Instant DocuSign covering all trust-center artefacts.

  3. 30-Day Portal – Receive a secure link (MFA enforced, single-tenant).

  4. Auto-Expiry & Audit Log – Access closes after 30 days; all downloads logged.

Need faster clearance? Email support@ikuteam.com with the subject “Expedite NDA Docs.” We reply within 1 business day.

6. CONTACT, ESCALATION & DOCUMENTATION ACCESS

ikuTeam runs a Support-Portal–first model: every technical, compliance, or licensing request is routed and audited through the same secure queue—no email silos, no lost threads.

6.1 Support & Documentation Requests

Open a ticket to obtain:

  • Security white-papers & high-level architecture diagrams

  • Data Processing Addendum (DPA) – GDPR/CCPA

  • External Pen-test Executive Summary (NDA)

  • ISO 27001 / SOC 2 control matrices (in progress)

  • Risk questionnaires (CAIQ, SIG Lite)

  • Licensing & enterprise pricing

Open a Support Ticket →

GDPR data-subject requests: email support@ikuteam.com.
We acknowledge within 72 h and fulfil within 30 days (Art. 12 & 15).

6.2 Vulnerability Disclosure

ikuTeam participates in the Atlassian Marketplace Bug Bounty – see policy → (link).
We target: <24 h acknowledgment, <72 h CVSS scoring, and status updates until resolution.

6.3 Escalation & SLA References

For priority tiers, response targets, and service-credit terms, consult:

SLA & Escalation Policy (PDF) →

Service-credit claims: open a support ticket within 30 days of the breach (per Atlassian Cloud Fortified terms).

6.4 Enterprise Security Reviews

  • All gated artefacts (SoA, pentest, control mappings) released under NDA via the Confidential Document Center.

  • Live architecture or compliance calls can be booked via your Account Manager or the Support Portal.

  • Custom questionnaires? Attach them to your ticket—we aim for 5-business-day turnaround.

Need something not listed?
Tell us in the Support Portal and we’ll route it to the right engineer, CISO, or account team.

7. FREQUENTLY ASKED QUESTIONS (FAQ)

Below are the questions most security, compliance, and admin teams ask during evaluations.
If you need deeper detail, open a Support Ticket—we’ll turn it around fast.

| Question | Short Answer |
| --- | --- |
| Does ikuTeam ever store our files or document contents? | No. All ikuTeam apps run on Atlassian Forge’s zero-storage model. Files remain in Atlassian attachment storage or your own SharePoint / Google Drive. |
| How are permissions enforced for external cloud files? | We mirror the native ACLs from SharePoint, Google Drive, Box, Egnyte, etc. The app performs every API call in the current user’s context—no service or admin accounts, no ACL duplication. |
| What encryption do you use in transit and at rest? | TLS 1.3 (or TLS 1.2 where a vendor has not yet enabled 1.3) for every hop; AES-256 at rest, handled by Atlassian or the source storage provider. |
| Where is data processed, and can we pin residency? | Forge executes in the same geographic zone as your Atlassian site (EU, US, Germany, Australia). Canada & UK zones arrive H1 2026. External storage calls stay inside their respective vendor regions. |
| Can we disable features like Rovo AI, external drives, or in-place editing? | Yes—each can be toggled per space / project in the admin UI. Tenant-restriction headers can also block specific external domains. |
| Do your apps support IP allow-listing or Atlassian access policies? | Forge apps respect your existing Atlassian IP Allowlist (Premium/Enterprise) and SSO enforcement. No additional endpoints need to be whitelisted. |
| What certifications do you hold today? | GDPR & CCPA compliant, Atlassian Cloud Fortified, ISO 27001 Stage 2 audit Q1 2026, SOC 2 Type II audit Q2 2026. Sub-processor list is always current in the Trust Center. |
| How long do you keep operational logs? | 90 days, automatically purged. Logs contain no customer content—only system metadata for audit and troubleshooting. |
| What is your vulnerability-response target? | Acknowledge < 24 h, severity-rated via CVSS < 72 h, fix/mitigate according to SLA (P0 ≤ 8 h). Coordinated via Atlassian Marketplace Bug Bounty. |
| How do we request gated docs or sign an NDA quickly? | Submit the NDA form via the Confidential Document Center. DocuSign is instant; a 30-day portal link with MFA is issued automatically. |

Still have questions?
Reach our security team any time at security@ikuteam.com or open a ticket in the Support Portal.

Ready to Collaborate Securely in Atlassian?

ikuTeam already powers secure file collaboration for 12,000+ teams worldwide—from regulated healthcare providers to Fortune-500 engineering orgs. If you’re ready to validate us for your own environment, everything you need is just a click away.

| What you want | How to get it | Micro-copy |
| --- | --- | --- |
| Deep-dive security collateral (ISO SoA draft, pen-test summary, DPIA templates) | View Security White-paper → | Opens a public PDF in a new tab |
| Custom audit evidence or NDA content | Open a Security Ticket → | Portal form auto-routes to Security & Compliance |
| Live architecture / risk review with our CISO | Book a Security Review Call → | Calendly link—pick any 30 min slot |

Need something bespoke? Email us: support@ikuteam.com or drop a note in the portal—we answer in < 24 h on business days.


IkuTeam Trust Center

Last updated: 17 June 2025 • Maintained by the ikuTeam Security & Compliance Group • All claims independently reviewed under the Atlassian Cloud Fortified program.