top of page

Security Policy

Owner and Data Controller
Nutshell (Juw
er Reserach OU)

Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117

Owner contact email:

Security Policy for Nutshell for Confluence

1. Introduction

This Security Policy outlines how Nutshell for Confluence treats your data and ensures its security. It's important to understand that Atlassian's privacy policy does not apply to Nutshell for Confluence. Please refer to this policy and the provided partner privacy policy for complete details.

2. Data Storage and Management

Nutshell for Confluence processes but does not store the following types of end-user data:

  • Confluence page content (text, images, etc.)

  • Audio files

  • Video files

This data is processed to deliver the app's functionality of generating summaries and extracting key points, but it is not retained within the app itself.

Data Residency

Nutshell for Confluence does not currently offer data residency options. Your data may be processed or stored outside your region.

3. Permissions

Nutshell for Confluence requires the following permissions to function within Atlassian products:

  • Access and interact with your data from outside of Atlassian: This allows the app to process your data to generate summaries and key points from your videos.

  • Access and interact with your data as the logged-in user from outside of Atlassian: This allows the app to function seamlessly within your Confluence environment.

  • View and download attachments of a page or blog post that you have access to: This allows the app to process relevant video attachments within your Confluence pages.

4. Privacy

Data Controller vs. Data Processor:

Nutshell for Confluence acts as a data processor under the General Data Protection Regulation (GDPR) for the following types of end-user data:

  • Confluence page content explicitly shared with the app (specifically video content)

  • Audio files explicitly shared with the app

  • Video files explicitly shared with the app

This means Nutshell for Confluence processes this data on behalf of the data controller (Atlassian and the Confluence user).

Security Measures

Nutshell is a multi-tenant SaaS product that ensures the separation of customer data through logical partitioning and robust security checks at our API endpoints. These checks, verified through automated testing, ensure users can only access data they are permitted to view based on the least-privileges principle.

To proactively identify potential vulnerabilities, we operate vulnerability scanners for third-party packages and ensure all security-related changes are thoroughly peer-reviewed. Our team is also trained in secure coding practices, reinforcing our commitment to maintaining a secure environment.

As we introduce new features, we perform risk assessments that consider both reliability and security, ensuring all additions to Nutshell meet our high standards.

Nutshell primarily utilizes Microsoft services hosted in the Ireland (eu-west-1) region. If there's a need for Nutshell to be hosted in another region, please email

For summary executions, Nutshell uses technology for secure isolation and the information is immediately destroyed afterward. This is the same technology that powers Chromium-based browsers and is used in shared cloud resources like Cloudflare Workers

Access to Nutshell Microsoft account and to other cloud services is strictly limited to the Nutshell engineering team.

We also use private network subnets for added security where appropriate.

Data Retention and Security

Operational and user-facing logs are retained for six months and can only be accessed by the Nutshell team. Analytical logs, however, are kept indefinitely, enabling us to understand trends over time that we can leverage to improve our service. 

In terms of data security, we only use cloud services that offer encryption both at rest and in transit. Sensitive information like end-user authentication keys is additionally encrypted using Microsoft Azure symmetric encryption with key rotation (256-bit AES-GCM). TLS version 1.2 with strong ciphers is used with HTTPS by default.

Incident Management

Nutshell has a robust incident-management process with a post-incident review process to learn from prior incidents, including a multitude of monitoring and alerting systems. Our team also runs automated tests periodically to detect incidents as early as possible.


Nutshell is GDPR compliant and en route to achieving ISO 27001 certification and SOC Type 2 compliance. 

While we aim to reduce the PII (Personally Identifiable Information) data in our logs, we may occasionally temporarily increase our logging levels, which could contain PII data, for troubleshooting reasons.


We do not retain user data so we do not have backups.


At Nutshell, we deeply understand the significance of security, privacy, reliability, and trustworthiness in our digital era. Our steadfast values in these domains drive us to continuously refine our practices and maintain stringent security and privacy controls. The measures outlined in this document underscore our commitment to offering a reliable and secure platform, giving our customers peace of mind and the freedom to focus on building their summaries.


bottom of page