Atlassian Data Processing Addendum

When your organization signs the DPA,  it forms part of your organization’s applicable Atlassian agreement and it applies where any personal data is being processed in connection with our products and services.

Our DPA is scoped to cover all data protection laws and regulations applicable to the processing of personal data under the DPA. We explicitly list Australian Data Protection Law, Brazilian Data Protection Law, European Data Protection Law, Japanese Data Protection Law, and U.S. Data Protection Laws (collectively referred to as Applicable Data Protection Law in the DPA). 

When a new data protection law requires us to include specific language in our DPA, we will update the DPA as we have done for Schrems II, UK international data transfer regulations, or most recently, the amended California Consumer Privacy Act (CCPA) and the EU-U.S. Data Privacy Framework. You can sign up to receive updates to our DPA by following the link “Sign up for updates” at the top of this page

Our DPA provides that Atlassian predominantly acts as a processor (under the GDPR) and service provider (under the CCPA) of personal data.

In certain circumstances, Atlassian acts as a controller of a limited amount of data, for example, for billing or security purposes. For more information on our processing of personal data as a controller see our DPA and/or our privacy policy.

Our DPA is carefully and specifically drafted to reflect the manner in which Atlassian offers its products and services and maintains its privacy and security programs. We provide high-quality products to a large (250,000+) global customer base under a uniform compliance program. This means that we are unable to work from your organization’s DPA or operationalize individual customer-specific requirements.

The most recently executed version of the DPA between your organization and Atlassian will apply. The latest version of our DPA states that it replaces any existing DPA we may have entered into with your organization in connection with our products and services. If you have signed an older version of our DPA, but would like to benefit from our most recent updates, we encourage you to download and follow the instructions at the top of this page for the most recent DPA version.

Atlassian provides our customers with tools to assist them in meeting their obligations as it relates to data subject requests, including the right to deletion and the right to access. 

Information on our data management tools and processes can be found on this page.

A sub-processor is a third party engaged by Atlassian who has or may have access to customer personal data for the purpose of helping us provide our products and services to you. For example, we use Amazon Web Services data centers to assist us in hosting your customer data.

Whenever we share customer personal data with a sub-processor, we remain accountable to you for how it is used. We require all sub-processors to enter into data processing agreements with us to ensure that customer personal data receives the same level of protection as set out in our DPA. 

A list of our current sub-processors can be found on our sub-processors page.

Our products and services are built and designed in accordance with widely accepted standards and certifications. These standards mirror Applicable Data Protection Law requirements and give our customers a transparent framework by which to measure our software development and data management practices.

Our DPA lists the technical and organizational measures that we implement and maintain to secure customer personal data.

We have also implemented a number of additional technical and organizational measures required under the EU Standard Contractual Clauses which are described in the Data Transfer Impact Assessment as well as our commitments under data residency.

For more information on our security practices, see the dedicated security pages on our Trust Center: Security Practices and Atlassian Cloud architecture and operational practices.

Atlassian has put in place a number of measures to ensure that personal data remains protected when it is transferred to a different country. Safeguards that we use for transfers include the EU-U.S. Data Privacy Framework and Standard Contractual Clauses, including the UK International Data Transfer Addendum. These mechanisms are outlined in our DPA.

• Trust Center: Our internal privacy processes and procedures are documented transparently, on our Trust Center here.
• Data Transfer Impact Assessments: Information to help our customers conduct data transfer impact assessments in connection with their use of Atlassian's products can be found here.
• Government requests: Atlassian publishes and follows Atlassian Guidelines for Law Enforcement Requests in responding to any government requests for data. Atlassian also publishes an annual Transparency Report with information about government requests to access data.