attachmentAV for Atlassian Confluence: Security
attachmentAV for Atlassian Confluence is secure by default. When you upload an attachment, our scanners are notified, download the attachment, scan it, and delete it. We don’t keep a copy of your data.
Jurisdiction
attachmentAV for Atlassian Confluence scans attachments (processes your data) in the jurisdiction/region/location of your choice to help you meet data residency requirements.
To choose a jurisdiction, follow the instructions from Atlassian Support.
Permissions
OAuth 2.0 scopes
attachmentAV for Atlassian Confluence requests the following OAuth 2.0 scopes during installation to access your Confluence instance:
Category | Scope | Atlassian description | attachmentAV description |
---|---|---|---|
Forge platform scope | storage:app | Enables the App storage API. | to store scan results & configuration on the Atlassian platform |
Forge platform scope | read:app-system-token | Enables Forge to pass a token to a remote backend, that can be used to invoke Atlassian product REST APIs with the permissions of the app “bot” user. | to run the full scan outside of Forge on our backend |
Confluence granular scope | read:attachment:confluence | View and download content attachments | to list attachments in backend & get download URL for attachment |
Confluence granular scope | read:custom-content:confluence | View custom content | to get space id for custom content id in backend |
Confluence granular scope | read:label:confluence | View labels | to add labels to attachments |
Confluence granular scope | read:page:confluence | View pages | to get space id for page id & blogpost id in backend |
Confluence granular scope | read:space:confluence | View spaces | to get space key for space id in backend |
Confluence granular scope | delete:attachment:confluence | Delete content attachments | to delete infected/unscannable attachments |
Confluence granular scope | write:comment:confluence | Create and update comments | to add a comment to a page |
Confluence granular scope | write:label:confluence | Add and remove labels | to add labels to attachments |
Confluence classic scopes | read:confluence-content.summary | Read Confluence content summary | required by events avi:confluence:created:attachment & avi:confluence:updated:attachment to trigger real-time scans |
Confluence permissions
Confluence provides a second layer of permissions called content-level permissions. If you use content-level permissions, ensure that attachmentAV has appropriate access.
Space permissions
In your space settings, go to user access.
Check if attachmentAV has permissions to view all content, add comments, and delete attachments.
Page restrictions
A page is restricted if you can see the lock icon at the top right.
Click on the icon to see the details. Expand the Specific access section to check if attachmentAV has edit permissions.
If attachmentAV is missing in the list, search for attachmentAV and select the attachmentAV app.
Ensure that the permissions are set to Can edit and click Share.
Encryption
In transit
All network communication is TLS encrypted using HTTPS.
At rest
Your attachments are temporarily stored on encrypted disks on our scanners. Attachments are deleted right after the scan.