Close

Atlassian Data Processing Addendum

Last updated: January 25, 2023

We make it easy for Atlassian customers to sign and submit our Data Processing Addendum (DPA). The DPA helps meet onward transfer requirements under the GDPR. The DPA is pre-signed by Atlassian and can be found below. Once you’ve signed the DPA, email a signed copy to dpasubmission@atlassian.com.

Frequently Asked Questions

 Legal Notice: These FAQs are for informational purposes only and do not create any contractual commitments.  The responsibilities and liabilities of Atlassian to its customers are governed by Atlassian agreements, and these FAQs are not part of, nor does it modify, any agreement between Atlassian and its customers. 

What is the scope of the DPA? Copy link to heading Copied! show
  

Our DPA is scoped to European Data Protection Law and U.S. Data Protection Law, as these terms are defined in the DPA.

How are the roles defined under the DPA? Copy link to heading Copied! show
  

Under the DPA, Atlassian predominantly acts as a processor of personal data on behalf of our Customers in connection with the provision of our Cloud Products. However, in certain circumstances, Atlassian acts as a controller of personal data (e.g. for billing processes, to comply with applicable laws, to ensure the security of our Cloud Products etc.). Please refer to Section 2.2 as well as Exhibit A, Annex 1(B), Part B of the DPA for further information. 

Can my organization use its own DPA? Copy link to heading Copied! show
  

No, Atlassian is unable to work from a Customer’s template DPA or operationalize individual Customer-specific requirements. 

We are continually making updates to the Atlassian DPA to reflect changes to our products and services as well as several legal and regulatory requirements (for example, after Schrems II, or more recently, to comply with updated UK international data transfer regulations. If Atlassian were to contract on bespoke terms then customers would not benefit from those updates. 

My organization signed a previous version of the DPA. Which DPA applies? Copy link to heading Copied! show
  

The most recently executed version of the DPA will apply.  The latest version of our DPA states that it replaces any existing DPA we may have entered into with you in connection with Atlassian’s provision of the Cloud Products. 

If you have signed an older version of our DPA, but would like to benefit from our recent updates (e.g. EU SCCs, UK Addendum, Swiss-specific modifications, or updated Security Exhibit), we encourage you to download the most recent DPA version as of September 2022.

Does Atlassian use Sub-processors? Copy link to heading Copied! show
  

Yes, a list of our current sub-processors can be found on our Sub-processors page. Our Customers can subscribe to notifications of new Sub-processors via an RSS Feed. To subscribe, please follow the instructions on our Sub-processors page. Customers may object to the appointment of a new Sub-processor in accordance with the procedure set out in our DPA.

How about the European Data Transfers? Copy link to heading Copied! show
  

Atlassian DPA incorporates the EU Standard Contractual Clauses ("SCCs") to provide an appropriate safeguard for the transfer plus certain interpretative provisions to make the SCCs work for Switzerland, and incorporates UK Addendum (as applicable) in order to comply with relevant regulations. Under the SCCs, our Customers are the "Data Exporter" and Atlassian is acting as a "Data Importer". 

The DPA incorporates Module 1 (controller to controller transfer terms), Module 2 (controller to processor transfer terms) and Module 3 (processor to processor transfer terms) of the SCCs. Module 1 is included to address transfers of the limited personal data we process as a controller.  

By executing the DPA, your organization and Atlassian agree to abide by the SCCs, to the extent applicable. You do not need to take any additional "steps" to enter into the SCCs with us. 

Most recently (September 2022) we updated our DPA in order to include the UK-specific data transfer mechanism (so called UK Addendum), as well as made a number of updates to the language of the DPA in line with the feedback collected from our customers. The new DPA also includes an updated Security Exhibit with detailed description of our security measures.

For more information on our approach to international data transfers in light of the "Schrems II" ruling, see International Data Transfers | Atlassian | Atlassian

Do you have any additional resources? Copy link to heading Copied! show
  
  • Trust Center: Our internal privacy processes and procedures are documented transparently, on our Trust Site
  • Data Transfer Impact Assessments: Information to help our Customers conduct data transfer impact assessments in connection with their use of Atlassian's products can be found on our Transfer Impact Assessment page.
  • Government requests: Atlassian publishes and follows Atlassian Guidelines for Law Enforcement Requests in responding to any government requests for data. Atlassian also publishes an annual Transparency Report with information about government requests to access data. 

Subscribe to receive an email whenever we make changes