Security you can rely on.
How we protect your data, handle vulnerabilities, and respond to incidents.
Overview
Geauxvee takes the security of Inventory Guardian and the data entrusted to it seriously. This policy describes our security practices, our vulnerability disclosure process, and how we respond to incidents. If you have a security concern, contact us immediately at support@geauxvee.com.
Platform and infrastructure security
Inventory Guardian is built on Atlassian’s Forge platform. For the Jira Cloud version, all application logic runs inside Atlassian’s secure Forge sandbox, and all data is stored in Atlassian-hosted Forge storage. Geauxvee does not operate its own application servers or databases for the Jira Cloud version of the product. Security controls at the infrastructure level — including physical security, network isolation, and data center compliance — are governed by Atlassian’s own security program, which is certified under SOC 2 Type II, ISO 27001, and other frameworks. As we expand to additional platforms (Microsoft Teams, ServiceNow, web, and mobile), this policy will be updated to reflect the security posture of each platform.
Data encryption
All data transmitted between Inventory Guardian and Atlassian’s platform is encrypted in transit using TLS 1.2 or higher. Data stored in Forge storage is encrypted at rest by Atlassian’s infrastructure. Geauxvee does not store inventory data outside of the platform infrastructure associated with your installation.
Data isolation
All inventory data is scoped to a single app installation. Data from one customer installation is not accessible to any other installation. Forge’s storage architecture enforces installation-level isolation at the platform level. Geauxvee does not aggregate or commingle customer data across installations.
Access controls
Access to Inventory Guardian is controlled by Atlassian identity (or the identity provider of the relevant platform). Within the application, role-based access controls allow administrators to restrict what actions individual users can perform. Administrators are responsible for managing user roles and permissions within their installation. Geauxvee personnel do not have access to customer inventory data stored in Forge storage under normal operating conditions.
Application security
Geauxvee follows secure development practices, including:
- Input validation and output encoding to prevent injection attacks
- Dependency management with regular updates to address known vulnerabilities
- Code review for security-sensitive changes before deployment
- Adherence to Atlassian’s Forge security guidelines and API permission scoping
- Principle of least privilege for all API and storage scopes requested by the application
Permissions and scopes
Inventory Guardian requests only the Atlassian API scopes necessary to operate the application. The app does not request access to Jira project data, customer support tickets, or other data outside the scope of inventory management. A full list of scopes requested by the application is available in the Atlassian Marketplace listing for Inventory Guardian.
Vulnerability disclosure
Geauxvee operates a responsible disclosure program. If you discover a security vulnerability in Inventory Guardian, we ask that you report it to us privately before public disclosure to give us time to investigate and remediate.
To report a vulnerability:
- Email support@geauxvee.com with a description of the issue
- Include steps to reproduce, affected versions or environments, and potential impact if known
- Do not include actual customer data in your report
- Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
We will acknowledge receipt within 2 business days and provide an estimated remediation timeline within 5 business days. We will not pursue legal action against researchers who follow this disclosure policy in good faith.
Incident response
In the event of a confirmed security incident affecting customer data, Geauxvee will:
- Investigate and contain the incident as quickly as possible
- Notify affected customers without undue delay, and in any case within 72 hours of confirming that customer data has been affected
- Provide information on the nature of the incident, data affected, and steps taken or recommended
- Cooperate with Atlassian and relevant authorities as required
Notifications will be sent to the administrator email address on file for the affected installation.
Third-party dependencies
Inventory Guardian uses third-party open-source libraries as part of its frontend. These dependencies are reviewed and updated regularly. Geauxvee monitors for known vulnerabilities in dependencies using automated tooling and addresses critical issues on a priority basis. The application does not transmit customer data to any third-party analytics, advertising, or tracking services.
Employee and contractor access
Geauxvee employees and contractors with access to production systems are subject to confidentiality obligations. Access is granted on a need-to-know basis and reviewed periodically. No Geauxvee personnel have routine access to customer inventory data stored in Forge storage.
Compliance
Inventory Guardian is designed to support customers’ compliance obligations by providing audit logs, role-based access controls, and data retention controls. For the Jira Cloud version, the application inherits Atlassian’s platform-level compliance posture. Customers with specific regulatory requirements (HIPAA, SOC 2, GDPR, FedRAMP, etc.) should evaluate Atlassian’s compliance documentation as it applies to Forge apps, and contact us at support@geauxvee.com with any questions.
GDPR and data subject rights
Geauxvee processes personal data (specifically, platform user identifiers and associated role assignments) as a data processor on behalf of customers, who are the data controllers. Customers are responsible for ensuring their use of Inventory Guardian complies with applicable data protection law. Geauxvee will assist customers in responding to data subject requests to the extent possible given the architecture of the platform. For data deletion requests, contact support@geauxvee.com.
Security updates
Security patches and updates are deployed to Inventory Guardian on an ongoing basis. Critical security fixes are prioritized and deployed as quickly as possible. Customers on the Jira Cloud version receive updates automatically through Atlassian’s Forge deployment mechanism without requiring manual action.
Contact
For all security-related inquiries, vulnerability reports, or incident notifications:
For general support: support@geauxvee.com