Secure Confluence approval workflows with Runs on Atlassian

Confluence is where critical documentation lives, from policies and SOPs to technical specs and internal standards. But structured approval workflows are not supported natively, so organizations rely on third-party apps from the Atlassian Marketplace to implement document management and approval processes.

For compliance-critical use cases, this creates a problem. Adding these apps also means introducing another system that processes sensitive data, often outside Atlassian’s infrastructure.

So the important question is: how do you enforce structured approvals and governance without creating new security risks or compliance gaps?

This is where Atlassian’s “Runs on Atlassian” (RoA) program comes in.

What is a Confluence approval workflow?

A Confluence approval workflow is a structured process that defines how content is reviewed, approved, and managed throughout its lifecycle.

In practice, this means documents move through defined stages such as “Draft”, “Review required”, and “In approval”. As they move through these stages, reviewers are assigned, notifications are sent, and progress is visible to everyone involved.

These workflows and lifecycle stages are essential for teams managing policies, SOPs, and other compliance-critical documentation.

Because Confluence does not provide these capabilities natively, teams typically rely on apps from the Atlassian Marketplace to implement them.

Typical capabilities of these apps include:

• Defined approval steps and responsibilities
• Visibility into who approved what and when
• Version control and document status tracking
• Auditability for compliance and governance

However, relying on third-party apps introduces a new challenge. It raises questions about how these apps handle security and compliance.

The hidden trade-off: functionality vs. security

Once you rely on third-party apps to implement Confluence approval workflows, you’re no longer just adding functionality. You’re introducing another system that processes your data outside of Atlassian.

For organizations, this has practical implications. Security teams need to evaluate an additional vendor, data handling and storage practices must be reviewed, and data residency requirements become harder to guarantee. At the same time, procurement processes become more complex, and the time to roll out these workflows can increase.

The trade-off becomes clear. You gain more functionality with features that native Confluence does not provide, but at the cost of increased security and compliance risk.

For many enterprise teams, this is where adoption stalls. Not because workflow functionality is not needed, but because the risk introduced by external processing is too high.

Runs on Atlassian

To resolve this trade-off, third-party apps need to run entirely within the Atlassian Cloud. And this is exactly what the Runs on Atlassian (RoA) program enables.

Apps with the “Runs on Atlassian” badge operate fully on Atlassian’s infrastructure and do not transfer customer data outside the platform.

In practice, this means:

• All data stays within your Atlassian Cloud site
• There is no external processing or storage
• Apps align with Atlassian’s security and compliance model

Because RoA apps run entirely within Atlassian, this reduces risk and simplifies security reviews. It also removes one of the main barriers to adopting Confluence approval workflows by speeding up procurement and rollout, especially in enterprise and regulated environments.

Breeze: Secure Confluence approval workflows that are built on Atlassian

This is where Breeze fits in.

Today, Breeze is the only full Confluence document management and workflow app with the Runs on Atlassian badge.

It provides a full document management and workflow solution, enabling teams to define structured approvals, enforce governance, and manage document lifecycles directly within Confluence.

Because Breeze runs entirely on Atlassian infrastructure, all data remains within the platform and never leaves your Cloud site. There is no external processing and no additional systems handling sensitive information.

This means you can introduce structured approval workflows without adding security risk, compliance complexity, or procurement friction.