Atlassian Data Processing Addendum

Last updated: July 30, 2023

Atlassian makes it easy for customers to sign and submit our Data Processing Addendum (DPA). The DPA is pre-signed by Atlassian and can be found below. Once you’ve signed the DPA, email a signed copy to

Frequently Asked Questions

We created this FAQ to answer some of the most common questions customers ask about our DPA.

Legal Notice: These FAQs are for informational purposes only and do not create any contractual commitments. The responsibilities and liabilities of Atlassian towards its customers are governed by Atlassian agreements, and these FAQs are not part of, nor do they modify, any agreement between Atlassian and its customers. 

How does the DPA fit in with my organization's agreement with Atlassian? Copy link to heading Copied! show

When your organization signs the DPA,  it forms part of your organization’s applicable Atlassian agreement and it applies where any personal data is being processed in connection with our products and services.

What data protection laws and regulations are scoped in the DPA? Copy link to heading Copied! show

Our DPA is scoped to cover all data protection laws and regulations applicable to the processing of personal data under the DPA. We explicitly list Australian Data Protection Law, Brazilian Data Protection Law, European Data Protection Law, Japanese Data Protection Law, and U.S. Data Protection Laws (collectively referred to as Applicable Data Protection Law in the DPA). 

When a new data protection law requires us to include specific language in our DPA, we will update the DPA as we have done for Schrems II, UK international data transfer regulations, or most recently, the amended California Consumer Privacy Act (CCPA) and the EU-U.S. Data Privacy Framework. You can sign up to receive updates to our DPA by following the link “Sign up for updates” at the top of this page

How is Atlassian's role set out in the DPA? Copy link to heading Copied! show

Our DPA provides that Atlassian predominantly acts as a processor (under the GDPR) and service provider (under the CCPA) of personal data.

In certain circumstances, Atlassian acts as a controller of a limited amount of data, for example, for billing or security purposes. For more information on our processing of personal data as a controller see our DPA and/or our privacy policy.

What can't Atlassian sign my organization's DPA? Copy link to heading Copied! show

Our DPA is carefully and specifically drafted to reflect the manner in which Atlassian offers its products and services and maintains its privacy and security programs. We provide high-quality products to a large (250,000+) global customer base under a uniform compliance program. This means that we are unable to work from your organization’s DPA or operationalize individual customer-specific requirements.

My organization signed a previous version of the DPA. Which DPA applies? Copy link to heading Copied! show

The most recently executed version of the DPA between your organization and Atlassian will apply. The latest version of our DPA states that it replaces any existing DPA we may have entered into with your organization in connection with our products and services. If you have signed an older version of our DPA, but would like to benefit from our most recent updates, we encourage you to download and follow the instructions at the top of this page for the most recent DPA version.

How does Atlassian help organizations respond to data subject requests? Copy link to heading Copied! show

Atlassian provides our customers with tools to assist them in meeting their obligations as it relates to data subject requests, including the right to deletion and the right to access. 

Information on our data management tools and processes can be found on this page.

What is a sub-processor and does Atlassian use sub-processors? Copy link to heading Copied! show

A sub-processor is a third party engaged by Atlassian who has or may have access to customer personal data for the purpose of helping us provide our products and services to you. For example, we use Amazon Web Services data centers to assist us in hosting your customer data.

Whenever we share customer personal data with a sub-processor, we remain accountable to you for how it is used. We require all sub-processors to enter into data processing agreements with us to ensure that customer personal data receives the same level of protection as set out in our DPA. 

What are Atlassian's security measures and where can I find those? Copy link to heading Copied! show

Our products and services are built and designed in accordance with widely accepted standards and certifications. These standards mirror Applicable Data Protection Law requirements and give our customers a transparent framework by which to measure our software development and data management practices.

Our DPA lists the technical and organizational measures that we implement and maintain to secure customer personal data.

We have also implemented a number of additional technical and organizational measures required under the EU Standard Contractual Clauses which are described in the Data Transfer Impact Assessment as well as our commitments under data residency.

For more information on our security practices, see the dedicated security pages on our Trust Center: Security Practices and Atlassian Cloud architecture and operational practices.

What safeguards does Atlassian use when transferring data to a different country? Copy link to heading Copied! show

Atlassian has put in place a number of measures to ensure that personal data remains protected when it is transferred to a different country. Safeguards that we use for transfers include the EU-U.S. Data Privacy Framework and Standard Contractual Clauses, including the UK International Data Transfer Addendum. These mechanisms are outlined in our DPA.

Where can I find more information about Atlassian's privacy program? Copy link to heading Copied! show
  • Trust Center: Our internal privacy processes and procedures are documented transparently, on our Trust Center here.
  • Data Transfer Impact Assessments: Information to help our customers conduct data transfer impact assessments in connection with their use of Atlassian's products can be found here.
  • Government requests: Atlassian publishes and follows Atlassian Guidelines for Law Enforcement Requests in responding to any government requests for data. Atlassian also publishes an annual Transparency Report with information about government requests to access data. 

Subscribe to receive an email whenever we make changes

Related content

Cloud Terms of Service

Product-specific terms

Data Transfer Impact Assessment

Business Associate Agreement

Stay informed

Subscribe to receive notifications from us about updates to our legal terms (including our legal policies) and our list of sub-processors.