Atlassian is committed to compliance with the General Data Protection Regulation (GDPR), which will go into effect May 25, 2018. The regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Our customers can trust that Atlassian has made GDPR a priority and has devoted significant and strategic resources toward our efforts to comply with GDPR. This post outlines our approach and progress to date.

What Atlassian is doing

Like many other global software companies, Atlassian is in the process of rolling out its company-wide GDPR compliance strategy leading up to May 2018 and beyond. Atlassian appreciates that our customers have requirements under GDPR that are directly impacted by their use of Atlassian products and services, and Atlassian is committed to helping our customers fulfill their requirements under GDPR and local law.

Below are a few examples of initiatives Atlassian has committed to in order to satisfy GDPR requirements that apply to both Atlassian and our customers:

  • Ensuring our products are designed in accordance with ISO27001, ISO27002 and ISO27018 standards. These standards mirror many of the security and privacy requirements of GDPR and will help give our customers a transparent framework to measure our software development and data management practices. We are currently in the process of certifying the following Cloud products: Jira Software, Jira Service Desk, Jira Core, and Confluence Cloud for ISO and will pursue certifications for all other products as soon as possible thereafter. To learn about our current certifications and commitments, including our most recent SOC2 certification for our cloud products, please see Trust @ Atlassian.
  • Committing to follow any additional security and privacy measures required under GDPR.
  • Where we are transferring data outside of the EU, committing to appropriate data transfer mechanisms as required by GDPR. This includes our current Privacy Shield certification (see below).
  • Assisting with data processing security and privacy requirements, notifying regulators of personal data breaches and promptly communicating any such breaches to our customers and end-users.
  • Ensuring Atlassian staff that access and process Atlassian customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
  • Holding any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.
  • Committing to carrying out data impact assessments and consulting with EU regulators where appropriate.

GDPR Q&A

Does Atlassian process Personal Data of its customers?

Yes, Atlassian processes customer Personal Data to provide the products and services and for other limited purposes enumerated in our Privacy Policy.

Where does Atlassian send my data?

Our goal is to provide our customers with secure, fast, and reliable services. As a provider of global services, we run our services with common operational practices and features across multiple jurisdictions. Today, Atlassian stores data in its AWS data centers located in the US and Ireland. Data is stored based on the data center closest to the location of the majority of users accessing an instance. Atlassian may also allow employees and contractors located in the US, Europe, Australia and the Philippines access to certain data for product development, customer and technical support purposes. We disclose in our Privacy Policy that customer data may be hosted in or accessed from these countries.

Can you guarantee that my data will stay in a certain location (e.g., Europe)?

While we prioritize hosting your data in the location closest to your largest user base for performance reasons, some Atlassian service and product features will still require that data be transferred to the US and Australia. In addition, Atlassian personnel may need access to data stored in the EU from a non-EU country (e.g., US, Australia or the Philippines) for technical and support related reasons.

Is Atlassian Privacy Shield certified?

Yes. You can view our Privacy Shield certifications here.

Is Atlassian SOC2 certified?

Yes, we have recently completed SOC2 Type 1 certifications for Bitbucket, Jira Software, Jira Service Desk, Jira Core, and Confluence Cloud. You can learn more here.

More Resources

Atlassian is 100% committed to our customers' success and the protection of customer data, which is why our customers can count on our commitment to GDPR compliance. For more, please visit Trust @ Atlassian, including:

  • Privacy – You own your data, and we’re committed to protecting your privacy.
  • Security – Our customer-focused culture ensures that security is a top priority.
  • Compliance – We strive to adhere to widely accepted standards and regulations to keep you at ease.
  • Policies and Reports – We are transparent with our policies to help you understand how we manage your data.

Atlassian and GDPR – Our commitment to data privacy