Security

Capable is committed to upholding industry-leading security standards across our apps.

Updated 25.11.25

As a proud participant in the Atlassian Marketplace Security Programme, Capable apps are designed and maintained with the highest security and privacy standards, including active engagement with Atlassian’s bug bounty programme, broad app fortification, and transparent continuous improvement processes.

1. Participation in Atlassian Security Programmes

Capable is an active member of the Atlassian Marketplace Security Programme. Our products undergo annual security reviews as required by Atlassian’s Cloud Fortified programme, ensuring we meet the elevated standards for enterprise-grade security and compliance. Most of our apps are certified as Atlassian Fortified or, where possible, Runs on Atlassian (RoA). Our objective is to move all apps toward RoA compliance as new capabilities become available.

2. Security Practices and Controls

2.1. Technical and Organizational Measures

Capable implements best-in-class security measures, including:

  • Use of secure coding practices and annual code reviews.
  • Data-at-rest and in-transit encryption for all customer data.
  • Role-based access control for Capable services and apps.
  • Multi-factor authentication (MFA) and two-factor authentication (2FA) for sensitive operations and administrative access.
  • Regular infrastructure and application vulnerability scanning.
  • Secure integration and storage of third-party credentials (such as Slack) in line with Atlassian’s security best practices.
  • Tight integration with native Atlassian permission models for content and data access.

2.2. Incident Response

Capable maintains a zero-tolerance policy for security vulnerabilities. In the event of a security incident, affected customers will be notified without undue delay, consistent with Atlassian’s coordinated vulnerability disclosure process. Affected data will be transparently investigated and remediated as quickly as possible, following the timelines set by Atlassian’s Security Bug Fix Policy.

3. Bug Bounty and Vulnerability Disclosure

Capable participates fully in Atlassian’s public bug bounty programme on Bugcrowd, offering rewards for the disclosure of valid security findings—aligned with Atlassian’s recommended bounty levels. Security researchers and users are encouraged to responsibly disclose vulnerabilities, with clear scope and reward guidelines. Compensation is paid for qualifying reports as outlined by Atlassian.

4. Fortification and Compliance

4.1. App Badges and Certification

  • Most Capable apps are Atlassian Fortified and subject to annual third-party security assessment and review.
  • Capable prioritizes migration of all products to Runs on Atlassian (RoA) for a maximally robust security boundary, as Atlassian expands the RoA program.
  • Fortified apps are regularly retested through Atlassian’s bug bounty and penetration testing programs, with ongoing attestation.

4.2. Security Requirements

All Capable apps meet or exceed:

  • Atlassian’s security requirements for authentication, authorization, and data integrity.
  • Secure storage for sensitive data (e.g. no secrets in app packaging or source code).
  • Strict validation and sanitization of user input to mitigate injection attacks.
  • Remediation of all vulnerabilities according to Atlassian Security Bug Fix Policy enforcement windows.

5. Data Handling and Privacy

Capable’s approach to data protection is governed by a comprehensive Data Processing Agreement (DPA) to ensure compliance with GDPR, the UK Data Protection Act, and other applicable privacy and security laws. Personal data is only processed for the operation and improvement of Capable services:

  • Data minimization and retention: Data is stored only as necessary and deleted 90 days after uninstallation or termination, unless legally required otherwise.
  • Customers may request correction, deletion, or access to their data in accordance with applicable regulations.
  • All third-party processing is subject to written contractual safeguards (including SCCs as needed).

6. Hosted by monday.com Programme

For Capable apps offered via the monday.com "Hosted by monday.com" programme, all customer data - including processing, storage, and backups - is managed exclusively on monday.com's secure infrastructure. Capable does not host, access, or store customer data for these applications.

All data governance, availability, and compliance are handled by monday.com, which is certified to leading security and privacy standards including ISO 27001, SOC 2 Type II, GDPR, and HIPAA. Data is encrypted both in transit (TLS 1.3) and at rest (AES-256), and all operational and physical security is maintained by monday.com’s dedicated teams.

For technical and legal details regarding data management and security, please refer to the monday.com Trust Center.

7. Commitment to Continuous Improvement

Capable continuously evaluates the security posture of its products. As technology and best practices evolve, so do our controls and policies—driven by Atlassian’s guidelines, vulnerability management programs, and our own commitment to customer trust and protection.

This security policy is reviewed annually and updated as our products evolve and industry standards advance. Contact our security team for more information.

Capable Works Limited © 2025 • All rights reserved