Security Overview
Sander Improvement Software AB
Flare Plugin Suite – Security Overview
Document Type: Security & Risk Overview
Applies To: Current Flare Plugin Suite versions
Version: 2025-11-19
Status: Informational – subject to change
This document describes the security posture of the Flare Plugin Suite produced by Sander Improvement Software AB. It is intended as a high-level, informational overview aligned with common vendor assessments such as SIG Lite and the Cloud Security Alliance CAIQ, and applies to currently supported versions at the time of publication.
Highlights
- Local desktop extensions
- Data minimization by design
- Code-signed binaries
- Minimal external communication
- Low vendor risk profile
1. Product Overview
The Flare Plugin Suite consists of locally installed plugins that run inside MadCap Flare. They are workflow and productivity tools rather than hosted platforms or data repositories.
- The plugins are designed so that customer documents and Flare project content remain within the customer’s Flare environment.
- Under normal operation, the plugins do not intentionally send customer document content to Sander Improvement Software AB or its sub-processors.
- The only routine outbound communication initiated by the plugins is for license validation and version checking.
- No central hosted data store is used for customer document content.
Operating systems, security tools, or other software on the customer’s machine may create their own diagnostic artifacts (e.g. crash dumps) outside the control of the plugins.
2. Data Handling & Privacy
Customer data processed
The plugins themselves are designed not to process personal data beyond what is strictly required for license validation. Any personal or billing information related to purchases is handled by:
- Gumroad
- LemonSqueezy
- Direct transaction channels where applicable
Sander Improvement Software AB does not use plugin runtime behavior to collect personal data for profiling, analytics, or marketing. Outside license and transaction contexts, no intentional personal data processing is performed by the plugins.
Local logs
Some plugins may generate error or diagnostic logs on the user’s system for troubleshooting purposes:
- Logs are written locally (e.g. Temp or application folders) on the user’s machine.
- Logs are not automatically uploaded by the plugins to Sander Improvement Software AB infrastructure.
- Users may choose to share logs manually (e.g. via email) when requesting support.
Telemetry and tracking
- The plugins are not designed to include analytics, behavior tracking, or telemetry features.
- No tracking scripts or web beacons are embedded by the plugins.
- Customer content is not intentionally harvested or transmitted by the plugins for analytics or advertising.
3. External Communications
Under normal operation, the plugins initiate a small number of controlled outbound requests for:
- License key validation
- Version update checks
Data transmitted (by the plugins)
- License key used to activate the plugin.
- Plugin version information (where applicable).
- No customer document content is intentionally included in these requests.
Destinations
- Gumroad (license and payment platform).
- LemonSqueezy (license and payment platform).
- Improvementsoft services hosted at Loopia (Sweden/EU).
These requests are made over HTTPS/TLS. Network behavior beyond these plugin-initiated requests (e.g. OS-level services, antivirus, proxies) is outside the scope of this document.
4. Infrastructure & Hosting
Hosting
Services controlled directly by Sander Improvement Software AB (for example, license validation endpoints) are hosted by:
- Loopia AB – web hosting located in Sweden (EU).
Access control
- Access to hosting and related configuration is limited to a single responsible owner role.
- Access is protected with strong, unique credentials and Two-Factor Authentication (2FA) where available.
- No shared credentials are used; access can be delegated if required through documented handover procedures.
License cache
For performance, the license validation service may store a lightweight cache of active license keys:
- Used solely to speed up subsequent license checks.
- Does not store customer document content.
5. Software Integrity, Signing & Dependencies
Code signing
All DLLs and installers in the Flare Plugin Suite are digitally signed using a Sectigo Code Signing Certificate.
- Helps ensure the authenticity of the software origin.
- Helps provide tamper detection, as modification of binaries can invalidate the signature.
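One way for a customer to check the signing claim on an installed copy, as an added example that is not part of the vendor's document or tooling. The folder path is a placeholder, and matching the issuer on the string "Sectigo" is an assumption; pin the expected signer thumbprint once it has been confirmed with the vendor.

```powershell
# Added example: audit Authenticode signatures on installed plugin files.
# $PluginDir is a placeholder, not a path documented by the vendor.
param(
    [string]$PluginDir = 'C:\Path\To\FlarePlugins'
)

$results = Get-ChildItem -Path $PluginDir -Recurse -File -Include *.dll, *.exe, *.msi |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Subject     = if ($cert) { $cert.Subject } else { $null }
            Issuer      = if ($cert) { $cert.Issuer } else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            # A countersigned timestamp keeps the signature verifiable
            # after the signing certificate itself has expired.
            Timestamped = [bool]$sig.TimeStamperCertificate
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Flag anything whose signature does not verify (HashMismatch means the file
# changed after signing) or whose issuer is not the CA named in this document.
# Assumption: the issuer DN contains "Sectigo". Bundled third-party libraries
# may carry their own publisher's signature and will show up here for review.
$flagged = $results | Where-Object {
    $_.Status -ne 'Valid' -or $_.Issuer -notlike '*Sectigo*'
}

$results | Sort-Object File |
    Format-Table File, Status, Issuer, Timestamped -AutoSize

if ($flagged) {
    Write-Warning "$(@($flagged).Count) file(s) need review:"
    $flagged | Format-List File, Status, Subject, Issuer, Thumbprint, SHA256
    exit 1
}
```

Recording the thumbprint and SHA256 values from a known-good install gives a baseline to compare against after each manual update.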
Dependencies
The plugins are implemented as standard .NET assemblies compatible with MadCap Flare’s plugin model:
- Rely primarily on .NET and libraries appropriate for Flare integration.
- Some plugins ship with third-party libraries (most commonly under the MIT license or similar permissive licenses).
- Third-party components are listed in a dedicated license document.
- No external runtimes such as Python, Node, or Java are required by the plugins.
- The plugins are not designed to fetch additional code dependencies dynamically at runtime.
- Everything needed is bundled into the signed plugin distribution or already present in the Flare installation.
6. Development Practices (SDLC)
The development process is intended to keep the plugin codebase small, auditable, and predictable.
- All changes are reviewed by the responsible developer before release.
- Libraries and dependencies are updated as part of ongoing maintenance.
- Each release is built and then code-signed prior to distribution.
- Plugins are tested against supported versions of MadCap Flare.
Updates
- Plugins periodically check for available updates.
- Users are notified of new versions, but downloads and installation are performed manually.
- Update cadence typically follows:
  - New MadCap Flare releases (compatibility updates).
  - Bug fixes and reliability improvements.
  - Occasional feature or performance enhancements.
7. Logging, Monitoring & Incident Response
Error handling & logging
- Errors are surfaced locally to the user by the plugins where appropriate.
- Optional diagnostic logs may be written locally (e.g. Temp/app folders) on the customer system.
- No logs or content are uploaded automatically by the plugins to Sander Improvement Software AB servers.
- Users may elect to share logs manually (for example, via email) when requesting support.
Monitoring
Uptime and operational status of licensing and payment services rely primarily on:
- Gumroad’s infrastructure and status reporting.
- LemonSqueezy’s infrastructure and status reporting.
- Loopia’s hosting reliability for Improvementsoft services.
Monitoring and status information is provided on a best-effort basis and may depend on third-party platforms and their own status notifications.
Security incidents
If Sander Improvement Software AB becomes aware of a security issue affecting licenses or distribution, typical response steps may include:
- Assessing impact and isolating affected components.
- Revoking or rotating affected license keys where appropriate.
- Notifying impacted customers, where contact details are available.
- Issuing new license keys or updated versions of affected plugins.
- Hardening or redeploying affected services as needed.
Security contact (best-effort)
Email: security@improvementsoft.com
This inbox is monitored by the product owner; response times are on a best-effort basis.
8. Business Continuity & Disaster Recovery
Backups
Sander Improvement Software AB maintains backups of the assets needed to rebuild and redistribute the Flare Plugin Suite:
- Plugin release binaries.
- Source code repositories.
- Website and distribution assets.
Backup locations
- Encrypted local NAS.
- Google Drive (Business account).
- Private GitHub repositories.
Recovery approach
- If the current hosting provider (Loopia) experiences extended downtime, services can be redeployed to an alternative hosting provider using the stored artifacts.
- Build artifacts and code are stored in multiple independent locations to reduce the risk of complete data loss.
9. Personal Data & Regulatory Considerations
Data minimization
The plugins are designed with a data minimization approach: they do not act as a central store for customer document content, and only limited information related to licensing is processed.
Personal data
Personal and billing information associated with purchases is processed primarily by Gumroad and LemonSqueezy under their own terms of service and privacy policies. Customers should review those providers’ documentation for details of their compliance posture.
Nothing in this document is intended to serve as a formal legal attestation of compliance with any specific regulation (such as GDPR). Legal obligations are governed by the applicable license agreements and terms of service.
10. Sub-Processors
| Provider | Role | Region |
|---|---|---|
| Gumroad | License management and payment processing for certain purchases | US |
| LemonSqueezy | License management and payment processing for certain purchases | US |
| Loopia AB | Web hosting for Improvementsoft services (e.g. license validation) | Sweden / EU |
These providers operate under their own terms, policies, and compliance frameworks. Sander Improvement Software AB does not control their internal security or legal posture and relies on them as independent service providers.
11. Standard Security Questionnaires
To support vendor risk and procurement processes, Sander Improvement Software AB can, where appropriate, provide responses aligned with:
- SIG Lite questionnaires
- Cloud Security Alliance CAIQ (including CAIQ-Lite)
Requests can be made by emailing:
security@improvementsoft.com
Detailed responses may require an appropriate non-disclosure agreement (NDA) and are subject to availability and scope.
12. Legal Notice & Disclaimer
This document is provided for informational purposes only and reflects the current design intentions and typical behavior of the Flare Plugin Suite at the time of publication. It does not create any contractual rights, warranties, or guarantees, and does not amend or override any applicable license agreement, terms of service, or other written contract between you and Sander Improvement Software AB.
All descriptions are subject to change without notice as the software and its environment evolve. Actual behavior may vary based on configuration, operating system behavior, third-party software, and deployment choices outside the control of Sander Improvement Software AB.
To the maximum extent permitted by law, the information in this document is provided “as is”, without any express or implied warranties. For binding terms, please refer to the applicable end-user license agreement, purchase terms, and any other executed contracts.