Atlassian's GDPR Commitment
Dedication to your data privacy
We are wholly invested in our customers' success and the protection of data. One way that we deliver on this promise is by helping Atlassian customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law. The GDPR not only applies to organizations located within the EU, but it also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The following sections outline our approach and investment in GDPR compliance in service of our customers and individual data subjects.
Security and certifications
Protecting our customers' information and their user's privacy is extremely important to us. We are entrusted with some of our customer's most valuable data, which is why we have built security into every layer of the Atlassian Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit and at rest, advanced threat detection, common controls, and more. Visit the Atlassian Security Practices page to learn more about our approach to security.
Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the GDPR and give our customers a transparent framework by which to measure our software development and data management practices. Currently, we have certified a number of our products for ISO/IEC 27001 and ISO/IEC 27018 standards as well as SOC 2 and SOC 3 certifications. Our data centers, co-location, and managed service providers also undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC 1, SOC 2, and/or ISO/IEC 27001 audits thereafter.
To learn more about our Risk Management Program, current certifications, and commitments for our Cloud products, please see the Compliance page on our Trust Center.
International data transfers
As a company with a global customer base and operations, Atlassian must be able to transfer and access data around the world. We understand and respect the rules for onward transfers of personal data outside of the European Economic Area (EEA), and offer customers a robust international data transfer framework as a part our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to Atlassian Cloud products outside of the EEA by relying on the Standard Contractual Clauses. This addendum also contains specific provisions to assist customers in their compliance with the GDPR.
Whenever we share your data with Atlassian service providers, we remain accountable to you for how it is used by any of these organizations. We require all service providers to undergo a thorough diligence process and enter into contracts which ensure our customers' personal data receives adequate protection and safeguards. We are aware that the European Data Protection Board recently issued further guidance on supplementary measures to meet the adequacy requirement of GDPR. We will continue to analyze these requirements and any others issued by European data protection authorities as they arise. In the meantime, please note that Atlassian:
- encrypts data in transit and at rest
- publishes an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts
- provides additional information about our policies and procedures for responding to requests for user data in our Guidelines for Law Enforcement
To learn more about our Data Processing Addendum and the Standard Contractural Clauses, see our Privacy FAQs. For more information on how we transfer and process personal data, see our Privacy Policy. For news about latest developments (including around data transfer laws), please visit our Privacy Updates page.
Data location and portability
Data hosting location determinations are based on reducing latency and achieving optimal performance for you and your users. We optimize where to host customer data based on how it is accessed around the world (rather than upon request). Though we don't guarantee that your data will be hosted in a specific location by default, if you’re an organization admin with a new Standard or Premium subscription, or Enterprise products (Jira or Confluence) you can now pin in-scope product content at rest to a location. Planned expansions to our data residency program (including data residency for apps and additional locations), are highlighted in Atlassian’s cloud roadmap.
We’re also ready to facilitate your customers' requests to export their data, should you host your customer data on Atlassian products. Atlassian provides robust data portability and data management tools for exporting product and user data. For more information on Atlassian Cloud data export, see our import and export documentation.
Individual privacy rights and consent
Data subject rights
Our tools help customers meet obligations under the GDPR right to be forgotten (or right to erasure) clause by making it easy to delete personal data from Atlassian Cloud products.
- Atlassian Organization Admins can facilitate the account deletion of their managed users from controls in their admin portal
- Unmanaged end users may also request that their personal data be deleted by initiating an account deletion request from their Atlassian account profile page
- People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for deletion
Similar tools are available for access requests.
- Atlassian Organization Admins can facilitate access of their managed users' data from Atlassian support
- Unmanaged end users may also request that their personal data be accessed by initiating a data access request from Atlassian support
- People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for access
Both deletion and access requests can be serviced via telephone by leaving a message at 1 (800) 804-5281.
Did you know? Atlassian has prepared user-facing information about how to initiate a data access or deletion request here.
Choice and consent
We value choice and transparency around how we collect, use, and share information, and provide optionality within different product or account settings. Our Privacy Policy summarizes those choices, how to exercise them, and any relevant limitations.
For more information around end user data rights, see “Manage your personal data privacy”.
Please note for our EU end users, we surface consents for cookies and marketing messages to provide clarity and control at points of collection. Our internal processes centralize consents to ensure we’re consistently honoring your choices across our product suite.
Other commitments
Below are several other GDPR initiatives that have been implemented within our Cloud:
- We have ensured Atlassian staff that access and process Atlassian customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data
- We provide a list of our subprocessors on our Subprocessors page, and offer an RSS feed subscription so you can stay up-to-date on any changes
- We have committed to carrying out data impact assessments and consulting with EU regulators where appropriate
- We will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users
