Compliance FAQ


How can I get my vendor due diligence / supplier questionnaire / security questionnaire completed? Show +

If you need assistance to complete a questionnaire to document portions of our Atlassian Trust programs, we have an approach designed to provide you with the resources you need to answer your security and compliance questions about our Atlassian cloud products. We have pre-compiled security and compliance resources at our general Vendor Risk Response page and our Cloud Security Alliance submissions. If those resources don’t satisfy your need, submit a request to Atlassian Support.

Have you completed a Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ)? Show +

Absolutely, we hope you do.  It can be found on our Security, Trust and Assurance Registry (STAR) entry page.  We plan on updating it quarterly, or when big changes occur in our environment. Have a read through: Atlassian's STAR entry

You can also review other pre-compiled responses on our Vendor Security & Risk Response page.

Which Atlassian Products are included in the Atlassian Cloud Compliance Scope? Show +

Based on roll-out, or in some cases acquisition, the Products vary per compliance program. For the most up to date Products and their associated compliance program, see the Atlassian Compliance page.

Does Atlassian maintain any sub-processors? Show +

Atlassian may use sub-processors, as documented on our Sub-Processor page to carry out specific activities on behalf of our customers, our products or specific data center hosting and management activities. This page also provides customers with the option to subscribe to RSS if the list of sub-processors changes or is updated.

Can you provide the locations for your data centers? Show +

Atlassian does not manage any of our own data centers, all data center operations are outsourced. Primarily we rely on AWS as our data center hosting and management partner. Regional deployments differ based on product. For more information on AWS Data Center controls, see the AWS Data Center Controls site.

For Jira and Confluence Cloud : AWS regions include US-East, US-West, Ireland, Frankfurt, Singapore and Sydney.

For Halp : AWS regions include US-East and US-West.

For Opsgenie : Customers shall opt-in for AWS US (US-West in Oregon and  California and US-East in Ohio) or EU (Frankfurt and Ireland).

For Statuspage : AWS regions include US-East and US-West.

For Trello : AWS region includes US-East.

For Jira Align : AWS regions include US-East (Ohio), Europe (Frankfurt) and Australia (Sydney).

Bitbucket is hosted with NTT in both California and Virginia. For more information about NTT hosting, see the NTT Data Center page.

Compliance Reports

Are Atlassian Cloud products ISO27001 certified? Show +

Based on roll-out, or in some cases acquisition, the Products in our ISO27001 and ISO27018 scope vary. For the most up to date Products and their associated compliance program, see the Atlassian Compliance page.

How long is the Atlassian PCI certificate valid? Show +

For PCI, we generally receive updated certification in September of each year and the certificate is valid for 1 year. Our current certificate is dated Sept 30, 2021 and is active for one year. Our PCI certification is only related to Atlassian processing credit cards for payments. We do not provide assurance for credit cards that our customers elect to store in our products. If that is your use case, you should review our SOC2 report to determine if the controls are satisfactory for you.

How long is the Atlassian SOC2 report valid? Show +

SOC2 Type 2 audits are a review of performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC2 reports covering a 12-month period (October 1 through September 30). The reports are applicable for the following 12 months, when we perform the next audits.

There are many factors that impact the release of new reports, but our external audits typically occur in November and refreshed reports are usually available by end of December each year. We also issue a 3-month bridge letter in January/February of each year that extends the coverage period through the end of January.

All SOC2 reports (and the bridge letter) can be downloaded on the Compliance Resource Center.

Where can I request a Bridge Letter? Show +

Based on Atlassian’s full-year of coverage within our SOC2 report cycles, we can provide a bridge letter or gap letter. This document can be downloaded under the same click-through NDA as the SOC2 report on our Compliance Resource Center - SOC 2.

Compliance Programs

Are Atlassian Cloud products HIPAA certified? Show +

There is no HIPAA certification for a cloud service provider (CSP) such as Atlassian. In order to meet the HIPAA requirements applicable to our SaaS model, Atlassian aligns our risk management program with FedRAMP, NIST CSF, ISO27001 and SOC 2 which are higher security standards that map to the HIPAA Security Rule.

Atlassian has official HIPAA readiness for Jira and Confluence Cloud on the cloud roadmap. Please reference the roadmap for updated timeline expectations.

How do I request a GDPR-Compliant Data Processing Addendum with Atlassian? Show +

We have posted a pre-signed Data Processing Addendum (DPA). The DPA helps meet onward transfer requirements under GDPR. See our DPA, or read more at our Privacy and GDPR FAQ.

Controls Framework

Will Atlassian share information on your internal controls? Show +

We have put a great deal of work into something we call our Atlassian Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards.  We utilize this framework to implement controls internally and use external companies to evaluate and validate the implementation and operation of our controls.  You can view the status of any of our certifications or reports on our Atlassian Compliance page