In the event that you need assistance to complete a questionnaire to document portions of the Atlassian Trust programs, we have a recommended approach designed to provide you with the resources you need to answer your security and compliance questions in the context of the Atlassian cloud products. The most frequently used resources to complete security and compliance questionnaires are our general Vendor Risk Response page and our Cloud Security Alliance submissions.
Atlassian may use sub-processors, as documented on our Sub-Processor page to carry out specific activities on behalf of our customers, our products or specific data center hosting and management activities. This page also provides customers with the option to subscribe to RSS if the list of sub-processors changes or is updated.
Atlassian does not manage any of our own data centers, all data center operations are outsourced. Primarily we rely on AWS as our data center hosting and management partner. Regional deployments differ based on product. For more information on AWS Data Center controls, see the AWS Data Center Controls site.
For Jira and Confluence Cloud : AWS regions include US-East, US-West, Ireland, Frankfurt, Singapore and Sydney.
For Halp : AWS regions include US-East and US-West.
For Opsgenie : Customers shall opt-in for AWS US (US-West in Oregon and California and US-East in Ohio) or EU (Frankfurt and Ireland).
For Statuspage : AWS regions include US-East and US-West.
For Trello : AWS region includes US-East.
For Jira Align : AWS regions include US-East (Ohio), Europe (Frankfurt) and Australia (Sydney).
Bitbucket is hosted with NTT in both California and Virginia. For more information about NTT hosting, see the NTT Data Center page.
Based on roll-out, or in some cases acquisition, the Products in our ISO27001 and ISO27018 scope vary. For the most up to date Products and their associated compliance program, see the Atlassian Compliance page.
For PCI, we generally receive updated certification in September of each year and the certificate is valid for 1 year. Our current certificate is dated Sept 25, 2020 and is active for one year. Our PCI certification is only related to Atlassian processing credit cards for payments. We do not provide assurance for credit cards that our customers elect to store in our products. If that is your use case, you should review our SOC2 report to determine if the controls are satisfactory for you.
SOC audits are a review of performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC 2 reports covering a 12-month period (November 1 through October 31). The reports are applicable for the following 12 months, when we perform the next audits. There are many factors that impact the release of new reports, but external audits typically occur in November and refreshed reports are usually available prior to 31 December each year. Therefore, our report dated 2019 is valid and current through all of 2020.
Based on Atlassian’s full-year of coverage within our SOC 2 report cycles, we can provide a bridge letter or gap letter. This document can be downloaded under the same click-through NDA as the SOC 2 report on our Compliance Page.
There is no HIPAA certification for a cloud service provider (CSP) such as Atlassian. In order to meet the HIPAA requirements applicable to our SaaS model, Atlassian aligns our risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule.
We have put a great deal of work into something we call our Atlassian Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards. We utilize this framework to implement controls internally and use external companies to evaluate and validate the implementation and operation of our controls. You can view the status of any of our certifications or reports on our Atlassian Compliance page.