Trust Center

Security & data protection at OST Labs

OST Labs builds apps for Jira and Confluence on Atlassian Forge. Smart Label Manager runs entirely on Atlassian (Runs on Atlassian); our other apps use a Forge backend hosted in the European Union. All vendor-hosted data stays in the EU, encrypted in transit and at rest.

Our Cloud Fortified status, Bug Bounty participation and published whitepaper give reviewers the assurance they need.

Compliance

Trust signals

For a Forge vendor, the platform is the audit surface. These are the programs and standards our apps are built and operated under.

Controls

Security at a glance

The essentials. For the full detail behind each, see the Security Whitepaper.

Encryption in transit

All connections use HTTPS/TLS.

Encryption at rest

Persisted data is encrypted with AES-256.

Least-privilege scopes

Permission scopes are declared in the Forge manifest and reviewed at each release.

Admin access

Production access is restricted, MFA-protected, logged and monitored.

EU hosting

Our backend runs on DigitalOcean in Frankfurt, Germany.

Backups & monitoring

Restore procedures for persisted data, plus system and error monitoring.

Secrets handling

Tokens are protected and never exposed to support staff in plaintext.

Data deletion

Backend data is removed on uninstall or on request, subject to short backup cycles.

Architecture

Per-app data handling

Each app's hosting model differs, so we state it explicitly. By design, our apps process the minimum data needed; most content stays inside the host platform.

App | Platform | Hosting model | Where data lives | Badge
Smart Label Manager | Jira | Pure Forge, no remote backend | Stays in Atlassian's cloud | Runs on Atlassian
Process Templates for Jira | Jira | Forge + EU remote backend | DigitalOcean, Frankfurt (EU) | Cloud Fortified
Easy Clone for Jira | Jira | Forge + EU remote backend | DigitalOcean, Frankfurt (EU) | Cloud Fortified
HTML Macro Pro | Confluence | Forge + EU remote backend | In transit via Frankfurt (EU); not stored | Cloud Fortified
Calendar Embed & Sync | monday.com | monday platform + EU backend | DigitalOcean, Frankfurt (EU) | n/a

Subprocessors

Who processes your data

We keep our subprocessor footprint deliberately minimal. We give notice of material changes in line with our Data Processing Agreement.

Subprocessor | Role | Location | Applies to
DigitalOcean | Application backend hosting and storage | Frankfurt, Germany (EU) | Apps with a backend (Process Templates, Easy Clone, HTML Macro Pro, Calendar Embed & Sync)
Cloudflare | Edge network: WAF, TLS termination, CDN and DDoS protection (processes traffic in transit) | Global edge network (US-headquartered; EU localisation available) | The website and the apps with an EU backend
Atlassian | Support helpdesk (Jira Service Management) and the Forge platform that runs the apps | EU (per Atlassian data residency) | Support, and all Atlassian apps

  • Smart Label Manager stores no customer data outside Atlassian and engages no backend storage subprocessor.
  • Error monitoring is performed on de-identified diagnostic data only, so it is not a data subprocessor.
  • Where a subprocessor operates outside the EEA (such as Cloudflare's global edge), transfers are covered by EU Standard Contractual Clauses and the provider's data processing terms.

Documents

Security & legal documents

Available now

Available on request

Sensitive evidence is shared through our support portal, watermarked and under NDA where appropriate. Tell us your company and which documents you need.

  • Information Security Policy: Our internal controls in operational detail (classified Internal).
  • Security questionnaire responses: Our completed CAIQ-Lite (Cloud Security Alliance self-assessment).
  • A signed Data Processing Agreement: Download the standard DPA above to review, then request a countersigned copy for your organisation.

Disclosure

Vulnerability disclosure & remediation

We welcome good-faith reports. Report a vulnerability through our support helpdesk, or via our Atlassian Marketplace Bug Bounty program on Bugcrowd. Reports via the bug bounty have a two-week triage window before the remediation clock begins.

Severity | CVSS | Remediation target (cloud apps)
Critical | ≥ 9.0 | Within 10 days of report or triage
High | ≥ 7.0 | Within 4 weeks
Medium | ≥ 4.0 | Within 12 weeks
Low | < 4.0 | Within 25 weeks

Support response targets are set out in the SLA.

Need something specific for a security review?

Request our gated documents through our support portal.