Atlassian Data Processing Addendum

Our DPA is scoped to European Data Protection Law and U.S. Data Protection Law, as these terms are defined in the DPA.

Under the DPA, Atlassian predominantly acts as a processor of personal data on behalf of our Customers in connection with the provision of our Cloud Products. However, in certain circumstances, Atlassian acts as a controller of personal data (e.g. for billing processes, to comply with applicable laws, to ensure the security of our Cloud Products etc.). Please refer to Section 2.2 as well as Exhibit A, Annex 1(B), Part B of the DPA for further information. 

No, Atlassian is unable to work from a Customer’s template DPA or operationalize individual Customer-specific requirements. 

We are continually making updates to the Atlassian DPA to reflect changes to our products and services as well as several legal and regulatory requirements (for example, after Schrems II, or more recently, to comply with updated UK international data transfer regulations. If Atlassian were to contract on bespoke terms then customers would not benefit from those updates. 

The most recently executed version of the DPA will apply.  The latest version of our DPA states that it replaces any existing DPA we may have entered into with you in connection with Atlassian’s provision of the Cloud Products. 

If you have signed an older version of our DPA, but would like to benefit from our recent updates (e.g. EU SCCs, UK Addendum, Swiss-specific modifications, or updated Security Exhibit), we encourage you to download the most recent DPA version as of September 2022.

Yes, a list of our current sub-processors can be found on our Sub-processors page. Our Customers can subscribe to notifications of new Sub-processors via an RSS Feed. To subscribe, please follow the instructions on our Sub-processors page. Customers may object to the appointment of a new Sub-processor in accordance with the procedure set out in our DPA.

Atlassian DPA incorporates the EU Standard Contractual Clauses ("SCCs") to provide an appropriate safeguard for the transfer plus certain interpretative provisions to make the SCCs work for Switzerland, and incorporates UK Addendum (as applicable) in order to comply with relevant regulations. Under the SCCs, our Customers are the "Data Exporter" and Atlassian is acting as a "Data Importer". 

The DPA incorporates Module 1 (controller to controller transfer terms), Module 2 (controller to processor transfer terms) and Module 3 (processor to processor transfer terms) of the SCCs. Module 1 is included to address transfers of the limited personal data we process as a controller.  

By executing the DPA, your organization and Atlassian agree to abide by the SCCs, to the extent applicable. You do not need to take any additional "steps" to enter into the SCCs with us. 

Most recently (September 2022) we updated our DPA in order to include the UK-specific data transfer mechanism (so called UK Addendum), as well as made a number of updates to the language of the DPA in line with the feedback collected from our customers. The new DPA also includes an updated Security Exhibit with detailed description of our security measures.

For more information on our approach to international data transfers in light of the "Schrems II" ruling, see International Data Transfers | Atlassian | Atlassian. 

• Trust Center: Our internal privacy processes and procedures are documented transparently, on our Trust Site. 
• Data Transfer Impact Assessments: Information to help our Customers conduct data transfer impact assessments in connection with their use of Atlassian's products can be found on our Transfer Impact Assessment page.
• Government requests: Atlassian publishes and follows Atlassian Guidelines for Law Enforcement Requests in responding to any government requests for data. Atlassian also publishes an annual Transparency Report with information about government requests to access data.