At Atlassian we empower more than 119,000 teams around the world to do their best work. Our efforts are made possible by customer trust: trust that our systems are reliable, functional, secure, and private. Trust that we have the processes and practices in place to properly handle customer data.
Central to earning your trust is using well-recognized and credible third parties to verify and certify our approach. Today, we are excited to announce the next milestone in our continued pursuit of Trust: SOC2 Type II certification for the Trust Services Criteria of security, availability, and confidentiality of Jira, Confluence, Stride, and Bitbucket (the first and only Git cloud solution with this certification), as well as ISO27001 and ISO27018 certifications for Jira and Confluence.
We publish a lot of documentation, answer questionnaires, and speak to customers – we are an open company, after all. But those that entrust us with their data and rely on us for critical functionality still ask, “How do I really know that you’re doing what you say you do?”
While ongoing communication is vital, equally important is achieving certifications from industry-leading organizations to validate our approach.
Here are the different reports and certifications:
- SOC2 is an accredited third-party certified report that provides details and assurance around our processes and controls. We elected to focus on Security, Confidentiality and Availability – areas that are of critical importance for our customers.
- ISO27001 describes our Information Security Management System (ISMS), which includes people, processes, and systems to maintain security around our services.
- ISO27018 outlines our processes and controls to protect Personally Identifiable Information (PII).
Trust in the Cloud with SOC2 Type II and ISO
We understand that companies expect a level of trust when working in the cloud. With server products, customers have full control of their environment – they decide when and what to install, who will have access, and how and when to upgrade. But when operating in the cloud, customers relinquish some of those controls by enlisting Atlassian as a trusted partner, with shared responsibilities.
Because of this, our customers are increasingly interested not only in what we do functionally, but also how we do it. We want to be prepared to answer questions like:
- How do I know that only the appropriate people have access to my data?
- What guarantees do you have that you will not leak my data?
- Do you know how to keep your services up and running?
- How good is your practice around finding and resolving issues – including security vulnerabilities?
- How do you keep my private data private?
Certifications help us externally validate that we are, in fact, doing what we say to protect customers and their data. In order to obtain SOC2 Type II certification, we had an independent, trusted third party open the hood, closely examine our practices, and certify that we have appropriately designed processes that we’re actually following. The review spanned several months and left no stone unturned while delivering hard evidence of compliance.
To further underline our commitment to the security of our cloud services, we also decided to certify in ISO27001. This is a well-respected, globally recognized standard for Information Security Management Systems (ISMS). Having a well-functioning, third-party-verified ISMS means that we have a systematic approach to managing the confidentiality, integrity, and availability of sensitive data. This applies not only to Atlassian’s sensitive data but also to data you store in our Jira and Confluence cloud services.
All that would be incomplete if we did not consider data privacy – especially in light of GDPR. That’s why we decided to certify in ISO27018. This is another internationally recognized standard that provides assurance that we are a competent data processor for PII data that you entrust to us in Jira and Confluence cloud services.
Those reports and certificates are available for download at our trust site. In addition to providing the necessary assurance, they will also give you detailed information about our infrastructure, technology, and practices.
You’re already familiar with the cutting-edge technology we provide, and now you can learn more about how we provide it.