We get it, you need to validate compliance to trust a cloud service provider. We strive to adhere to widely accepted standards and regulations. Our independent third-party advisors test our operations, our environment and our controls and provide their reports and opinions — which we share with you whenever possible.
Payment Card Industries Data Security Standard
We care about the security of your credit card and we despise fraudsters! When you pay with your credit card for Atlassian products or services you can rest assured that we handle the security of that transaction with appropriate attention. We are a Level 2 merchant and we engage with Qualified Security Assessor (QSA) to assess our compliance with PCI DSS. We are currently compliant with PCI DSS v3.2, SAQ A.
Cloud Security Alliance - Security, Trust, and Assurance Registry
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping customers assess the security of cloud providers they currently use or are considering contracting with. Atlassian is a CSA STAR registrant and Corporate Member of the Cloud Security Alliance (CSA) has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA’s Cloud Controls Matrix (CCM) v.3.0.1, provides answer to over 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider
Our Atlassian CIAQ entry covers our JIRA and Confluence Cloud, HipChat and Bitbucket Cloud offerings.
Our Service Providers
We hold our service providers to very high standards. Data centers, co-location and managed service providers undergo regular SOC1, SOC2 and/or ISO 27001 audits to verify their practices. Atlassian reviews the results of these audits at least annually as part of our vendor management program. In the event these audits have material findings which we determine present risks to Atlassian or our customers, we work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue has been resolved.
Validating our Practices
Independent third-party audits
We use independent third-parties to audit our practices against most sought after standards and regulations in the world. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their evaluations. We take their reports very seriously and have processes in place to address any issues that present risks to us or our customers.
External and internal application security testing
Our security team performs automated and manual application security testing and network vulnerability testing on an on-going basis to identify and patch potential security vulnerabilities and bugs on our desktop, web, and mobile applications. We also work with third-party security specialists, as well as other industry security research community members. See our guidelines on submitting a vulnerability and our submission form for reporting security vulnerabilities.
A critical part of any information security management program is the continual improvement of security and compliance programs, systems, and controls. Atlassian is committed to soliciting feedback from different internal teams, customers, internal and external auditors, and improving our security, privacy and compliance processes and controls over time.