Last updated 14 July 2026
Security and data handling
Sward Sync is designed around supported APIs, narrow permissions, draft-first synchronization, and explicit data ownership.
Current architecture commitments
- Documented Confluence Cloud and Freshdesk APIs only.
- No Freshdesk session cookies, CSRF tokens, browser automation, or private editor endpoints.
- One-way synchronization with stable mappings and content hashes.
- Draft destinations by default and conflict detection before overwriting changes.
- Structured logs with secret and customer-content redaction.
- Managed images in EU-region object storage with reference-aware cleanup.
Website and beta applications
The landing application is hosted on Vercel with restrictive browser security headers. Beta submissions are size-limited, validated, same-origin checked, and written server-to-server to Supabase through its authenticated Data API. Stable idempotency keys prevent duplicate rows. The submission function and database are configured for Stockholm.
Subprocessor status
| Provider | Purpose | Status/location |
|---|---|---|
| Vercel | Website delivery and beta form compute | Compute configured for Stockholm; global delivery network |
| Amazon Web Services | Managed documentation images | Stockholm region in the technical proof; production controls pending beta |
| Supabase | PostgreSQL storage for beta applications | Stockholm, Sweden (eu-north-1); row-level security and private server access |
| Atlassian / Freshworks | Customer-directed source and destination systems | Customer accounts and vendor-selected regions |
Not yet claimed
The product is not currently represented as SOC 2 certified, ISO 27001 certified, HIPAA compliant, or suitable for regulated special-category data. A production security review, dependency monitoring, incident process, recovery exercise, and customer data-processing agreement are required before general availability.
Reporting a concern
Please report suspected vulnerabilities privately to sam@swardsolutions.com. Include reproduction steps without customer content or active secrets.