ISO/IEC 27018 - We have also acheived ISO/IEC 27018 certification for protection of personally identifiable information (PII) or personal data (PD) in our cloud environments. Our ISO/IEC 27018 Certificate can also be found on our Atlassian Compliance page.
PCI – Atlassian uses tokens with PCI DSS certified credit card processors; we never see or store your credit card details. For use of our products within PCI environments you need to assess in terms of your own PCI compliance requirements.
Where can I find Atlassian's security and technology policies?Show
We have put a lot of work into building out an internal Policy Central inside our own Confluence. All of our policies have a similar format and structure, defined owners, and committed review cycles. You can read through the tl;dr for each of our internal Technology Domain policies.
Has Atlassian defined responsibilities for cloud security and cloud operations?Show
We have published a whitepaper outlining the responsibilities that we manage, and the responsibilities that each of our customers should manage. We've written it with our customers in mind, and we've detailed the particular security topics that each customer should manage. Read through the whitepaper.
Is data stored on Atlassian cloud products encrypted?Show
Atlassian encrypts customer data in transit and at rest.
All customer data stored within Atlassian cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.
Data drives on servers holding customer data and attachments in Jira Software Cloud, Jira Service Desk Cloud, Jira Core Cloud, Confluence Cloud, Statuspage, OpsGenie, and Trello use full disk, industry-standard AES-256 encryption at rest. Customer data on Bitbucket Cloud is not fully encrypted at rest.
Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and any findings from the Bug Bounty will be triaged and remedated according to our Public Security Vulnerability SLA.
While we believe our Bug Bounty is a more efficient and economical approach for assessing security of our products and services, we understand that you might want to test the security on your own. We allow for security assessments (pen tests, vulnerability assessments) to be performed by customers, we just ask that you follow a few rules to keep all of us safe. If you do find an issue that you would like to report, instructions on how to report a vulnerability are on our site as well.
I found a vulnerability in one of your products, how do I report it?Show
To obtain Customer Information from Atlassian, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant. For example, Atlassian will not provide non-public customer content unless served with a valid search warrant, issued on a showing of probable cause by a federal or state court authorized to issue search warrants, which requires Atlassian to disclose the content. We publish an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts.
What responsibilities does Atlassian maintain during a security incident?Show
Here at Atlassian, we try our best to ensure our customers don't experience an outage or a security incident. However, we acknowledge that a security incident has the potential to happen. We have written down our responsibilities during a security incident and what our customers should plan to manage.