This Data Transfer Impact Assessment (“DTIA”) serves the purpose of assisting Atlassian customers as well as Forge developers in conducting a risk assessment for the transfer of personal data in connection with Atlassian’s provision of its Cloud Products, Support, and Services (together, “Services”), and Forge Platform (“Forge”), and subsequent processing of such personal data by Atlassian, its Affiliates and sub-processors in light of the “Schrems II” ruling of the Court of Justice for the European Union and the subsequent recommendations from the European Data Protection Board. The DTIA supplements the information necessary for compliance with data transfer provisions under the European Data Protection Law as defined in our Atlassian Data Processing Addendum (Atlassian DPA) and Forge Data Processing Addendum (Forge DPA).

As a provider of global services, Atlassian runs its services with common operational practices and features across multiple jurisdictions. Therefore, we store personal data in data centers located in the United States, EMEA, and APAC, further outlined in our data residency documentation, and process it in other locations worldwide for the provision of products, features, as well as customer and technical support purposes.

Under the European Data Protection Laws, personal data may not be transferred outside of Europe unless (i) the importing country has been deemed adequate by the relevant governmental body; or (ii) the data exporter has appropriate safeguards in place to ensure that personal data transferred is subject to an adequate level of protection. Those safeguards are referred to as “transfer mechanisms.”

The Atlassian DPA incorporates the Standard Contractual Clauses (as defined in the DPA) as such transfer mechanism as follows:

  • Where personal data protected by the GDPR is transferred to Atlassian outside of Europe, Atlassian relies upon the EU Standard Contractual Clauses (SCCs) to provide an appropriate safeguard for the transfer. Under the SCCs, our Customers are acting as the "Data Exporter" and Atlassian is the "Data Importer".
  • Where personal data protected by the UK Data Protection Law, Atlassian relies on the UK Addendum in our DPA in accordance with the ICO guidance from 2022.
  • Where personal data is protected by the Swiss Federal Act on Data Protection is transferred to Atlassian outside of Europe, Atlassian relies upon the EU SCCs plus certain interpretative provisions to make the SCCs work for Switzerland's legal regime.

Furthermore, Atlassian participates in and certifies compliance with the Data Privacy Framework. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.” Where adequacy does not apply, we continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism.

2. Applicability of this BAA

2.1 Applicability. This BAA is applicable only to the extent that Customer has an active Subscription Term for a HIPAA-Qualified Cloud Product and has configured such HIPAA-Qualified Cloud Product in accordance with the specifications provided in Section 5 of this BAA. Customer must not provide PHI to any Cloud Product that is not a HIPAA-Qualified Cloud Product to which this BAA applies. For avoidance of doubt, Customer acknowledges and agrees that this BAA does not apply to (a) any Cloud Products or Support provided by Atlassian or its Affiliates other than the HIPAA-Qualified Cloud Products, (b) any Third-Party Product, including any Third Party Apps, that Customer elects to integrate or enable for use with the HIPAA-Qualified Cloud Products, or (c) Customer’s own products and services used with any HIPAA-Qualified Cloud Products.

2.2 Term. The term of this BAA commences on the Effective Date and will terminate automatically upon expiration or earlier termination of the Agreement, unless earlier terminated pursuant to the terms of this BAA.

2.3 Execution. To the extent this BAA has been pre-signed on behalf of Business Associate, for the BAA to be enforceable, Customer must:

a) complete the signature block below by completing all required fields and counter-signing;

b) submit the completed and signed BAA to Business Associate as instructed; and

c) have only a signatory who possesses legal authority to bind Customer into legally enforceable contracts execute this BAA.

Where Customer makes any deletions or other revisions to this BAA, this BAA will be null and void.   


3. Responsibilities of Business Associate

3.1 Use and Disclosure. With regard to its use or disclosure of PHI, Business Associate agrees to: 

(a) not use or disclose PHI except as permitted or required by this BAA or as otherwise Required by Law and, to the extent that Business Associate is to carry out any of Customer’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations;

(b) implement and use appropriate technical, physical and administrative safeguards to prevent use or disclosure of ePHI other than as permitted or required by this BAA and comply with the Security Rule provisions applicable to business associates with respect to ePHI;

(c) report without unreasonable delay to Customer: (i) any use or disclosure of PHI of which it becomes aware that is not permitted by this BAA; or (ii) any Security Incident of which Business Associate becomes aware.  Notwithstanding the foregoing, Customer acknowledges that Business Associate routinely experiences unsuccessful Security Incidents that do not result in a Breach of Unsecured PHI, such as pings, port scans, phishing attempts, log-on attempts, and other unsuccessful Security Incidents.  Business Associate hereby notifies Customer of such unsuccessful Security Incidents, and the Parties acknowledge and agree that no further notice will be required of such unsuccessful Security Incidents;

(d) without unreasonable delay and in no case later than five (5) calendar days after discovery, notify Customer of a Breach of any Unsecured PHI, all in accordance with 45 C.F.R. § 164.410;

(e) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in writing, to no less restrictive restrictions and conditions on the use or disclosure of PHI that apply to Business Associate; including to the extent that Business Associate provides ePHI to a subcontractor, require the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that ePHI;

(f) make available its internal practices, books, and records relating to the use or disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with the Privacy Rule;

(g) within thirty (30) days after receiving a written request from Customer, make available information necessary for Customer to make an accounting of disclosures of PHI about an Individual as provided in 45 C.F.R. § 164.528 and when directed by Customer, make that accounting directly to the Individual; 

(h) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA;

(i) if Business Associate maintains a Designated Record Set, make available Customer PHI as required to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524 and 164.526, subject to the implementation guide as defined in Section 5.1;

(j) request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure;

(k) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and   

(l) not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3). 


4. Other Permitted Uses and Disclosures of PHI

4.1 Other Permitted Uses and Disclosures. Unless otherwise limited in this BAA, in addition to any other uses or disclosures permitted or required by this BAA, Business Associate may:

(a) use and disclose to subcontractors, the PHI in its possession as necessary to provide the HIPAA-Qualified Cloud Products to Customer pursuant to the Agreement; 

(b) use and disclose the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate, provided that any such disclosures are Required by Law or any third party to which Business Associate discloses PHI for those purposes provides written assurances that:

(i)  such PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party; and 

(ii) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.

(c) de-identify the PHI in accordance with 45 C.F.R. § 164.514.


5. Obligations of Customer

5.1. Product Configuration. Customer is solely responsible for configuring all HIPAA-Qualified Cloud Products according to the implementation guide found here (or successor hyperlink), as may be updated from time to time:

Customer must configure all HIPAA-Qualified Cloud Products in accordance with the implementation guide prior to entering any PHI into the applicable product.

5.2 Authorizations and Consents. Customer must obtain and maintain any and all authorizations and consents by individuals or other parties required for Business Associate’s use or disclosure of PHI contemplated by this BAA.

5.3 Permissible Requests by Customer. Customer must not request Business Associate to access, use, or disclose PHI, nor act in any manner, that would not be permissible under HIPAA if done by Business Associate. Without limiting the foregoing, Customer must not provide to the HIPAA-Qualified Cloud Products any PHI that is subject to a restriction on the use or disclosure of PHI requested by the Individual pursuant to 45 C.F.R. § 164.522 and that may affect Business Associate’s use or disclosure of such PHI.

6. Termination

6.1 Termination.  If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of this BAA then the non-breaching Party must provide notice of such breach or violation to breaching Party.  Such notice must clearly specify the nature of the breach or violation.  If, after a reasonable time period, which will not be less than 30 days, following the notice to breaching Party, the breaching Party has not cured the breach or ended the violation, the non-breaching Party may terminate this BAA.

6.2 Effect of Expiration or Earlier Termination.  Within sixty (60) days after the expiration or earlier termination of this BAA, Business Associate must return or destroy all PHI, if feasible to do so, including all PHI in possession of Business Associate’s subcontractors.  If return or destruction of the PHI is not feasible, Business Associate must extend any and all protections, limitations and restrictions contained in this BAA to Business Associate’s use or disclosure of any PHI retained after the termination or expiration of this BAA, and limit any further uses or disclosures solely to the purposes that make return or destruction of the PHI infeasible.  

7. Miscellaneous

7.1 Construction of Terms.  To the extent they are not clear, the terms of this BAA are to be construed to allow for compliance by the Parties with HIPAA implementing regulations as applicable and as promulgated and amended from time to time.

7.2 No Third Party Beneficiaries.  Nothing in this BAA confers upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

7.3 Survival.  Sections 3.1(d), 3.1(g), 6.2, and 7.1 through 7.7 survive the termination for any reason or expiration of this BAA.

7.4 Notice. Notices to Customer as required under this BAA must be made in writing via email in accordance with the applicable provisions in the Agreement. Notices to Atlassian as required under this BAA must be in writing to the addresses set forth below: 

Atlassian Pty Ltd, c/o Atlassian US, Inc.
350 Bush Street, Floor 13
San Francisco, CA 94104
Attn: Privacy Officer

With copy to:

7.5. Relationship to the Agreement.

(a) Except for the changes made by this BAA, the Agreement remains unchanged and in full force and effect.  If there is any conflict between the provisions of this BAA and the provisions of the Agreement (including the Atlassian Data Processing Addendum (if applicable)), the provisions of this BAA prevail over the provisions of the Agreement only to the extent of that conflict in connection with the use or disclosure of PHI to the HIPAA-Qualified Cloud Product; in all other cases, the provisions of the Agreement prevail over the provisions of this BAA.

(b) Notwithstanding anything to the contrary in the Agreement or this BAA, the liability of each Party and each Party’s Affiliates under this BAA is subject to the exclusions and limitations of liability set out in the Agreement. 

7.6 Claims. Any claims against Atlassian or its Affiliates under this BAA may only be brought by the Customer entity that is a party to the Agreement against the Atlassian entity that is a party to the Agreement.

7.7 Governing Law. This BAA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Federal Laws.

Related content

Atlassian Customer Agreement

Условия для конкретных продуктов

Advisory Services

Приложение об обработке данных

Stay informed

Subscribe to receive notifications from us about updates to our legal terms (including our legal policies) and our list of sub-processors.