Atlassian’s LGPD Commitment
What is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian privacy law that went into effect on September 18, 2020, and regulates the collection, use, processing, storage, and transfer of personal data of Brazil data subjects.
What is Atlassian doing to comply with the LGPD?
Data subject rights
We offer data portability and data management tools including:
- Profile deletion tool: We help customers and end users delete personal information, such as names and email addresses. We help customers respond to user requests to delete personal information, and we also help end users with Atlassian accounts delete their personal information, as well as people without Atlassian accounts delete their personal information.
- Data Access requests: Atlassian Organization Admins can facilitate access of their managed users' data from Atlassian support. Unmanaged end users may also request that their personal data be accessed by initiating a data access request from Atlassian support. People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for access.
- Import and export tools: Customers may access, import, and export their Customer Data using Atlassian’s tools.
- To make a data deletion or access request via telephone, or if special accommodations are required, please leave a message at 1 (800) 804-5281 and our privacy support team will promptly be in touch.
Data Transfer Mechanisms
Atlassian supports appropriate international data transfer mechanisms by executing Standard Contractual Clauses through our updated Data Processing Addendum.
Data Security and Compliance
Like the GDPR, the LGPD requires companies to implement technical and organizational security measures to protect personal data.
Protecting our customers' information and their user's privacy is extremely important to us. We are entrusted with some of our customer's most valuable data, which is why we have built security into every layer of the Atlassian Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit and at rest, advanced threat detection, and more. Visit the Atlassian Security Practices page to learn more about our approach to security.
Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the LGPD and GDPR and give our customers a transparent framework by which to measure our software development and data management practices. Currently, we have certified a number of our products for ISO/IEC 27001 and ISO/IEC 27018 standards as well as SOC 2 and SOC 3 certifications. Our data centers, co-location, and managed service providers also undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC 1, SOC 2, and/or ISO/IEC 27001 audits thereafter.
To learn more about our Risk Management Program, current certifications, and commitments for our Cloud products, please see the Compliance page on our Trust Center.
Other LGPD considerations
In August, 2020, the Brazilian Presidency announced a decree creating Brazil’s Data Protection Authority, the ANPD. The ANPD will ultimately be responsible for issuing clarifying guidelines regarding the LGPD, receiving and addressing complaints from data subjects, and issuing sanctions for breaches of the law. We note that the President of Brazil nominated the five Directors of the ANPD on October 15, 2020, who were just approved by the Brazilian Senate on October 20th, 2020.
We will continue to monitor developments with the ANPD for further clarification regarding LGPD requirements.