Compliance FAQ

How can I get my vendor due diligence / supplier questionnaire / security questionnaire completed?

If you need help completing a questionnaire that documents parts of the Atlassian Trust programs, we have a recommended approach that points you to the resources needed to answer security and compliance questions in the context of the Atlassian cloud products. The resources most often used to complete security and compliance questionnaires are our general Vendor Risk Response page and our Cloud Security Alliance submissions.

Can I review your Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ)?

Absolutely, we hope you do. It can be found on our Security, Trust and Assurance Registry (STAR) entry page. We plan on updating it quarterly, or when big changes occur in our environment. Have a read through: Atlassian's STAR entry

You can also review other pre-compiled responses on our Vendor Security & Risk Response page.

Which Atlassian Products are included in the Atlassian Cloud Compliance Scope?

Depending on roll-out, or in some cases acquisition, the Products covered vary per compliance program. For the most up-to-date list of Products and their associated compliance programs, see the Atlassian Compliance page.

Does Atlassian maintain any sub-processors?

Atlassian may use sub-processors, as documented on our Sub-Processor page, to carry out specific activities on behalf of our customers, our products, or specific data center hosting and management activities. That page also lets customers subscribe to an RSS feed so they are notified when the list of sub-processors changes or is updated.

Can you provide the locations for your data centers?

Atlassian does not manage any of our own data centers; all data center operations are outsourced. Primarily we rely on AWS as our data center hosting and management partner. Regional deployments differ by product. For more information on AWS data center controls, see the AWS Data Center Controls site.

For Jira and Confluence Cloud: AWS regions include US-East, US-West, Ireland, Frankfurt, Singapore and Sydney.

For Opsgenie: Customers shall opt in for AWS US (US-West in Oregon and California and US-East in Ohio) or EU (Frankfurt and Ireland).

For Statuspage: AWS regions include US-East and US-West.

For Trello: AWS region includes US-East.

For Jira Align: AWS regions include US-East (Ohio), Europe (Frankfurt) and Australia (Sydney).

Bitbucket is hosted with NTT in both California and Virginia. For more information about NTT hosting, see the NTT Data Center page.

Compliance Reports

Are Atlassian Cloud products ISO2700x certified?

Depending on roll-out, or in some cases acquisition, the Products in our ISO2700x scope vary. As of May 2020, Jira Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Statuspage and Opsgenie are certified under a single ISO2700x certificate. For the most up-to-date list of Products and their associated compliance programs, see the Atlassian Compliance page.

Where can I download your Statement of Applicability for the ISO2700x certificate?

We have posted our Atlassian Statement of Applicability (SoA) for reference. We update this SoA on an annual basis in line with our audit preparation and validation.

Where can I download Atlassian Compliance Reports, like SOC or PCI?

We post all current compliance reports to our Compliance page.

How long is the Atlassian PCI certificate valid?

For PCI, we generally receive updated certification in September of each year, and the certificate is valid for 1 year. Our current certificate is dated Sept 27, 2019 and is active for one year. Our PCI certification relates only to Atlassian processing credit cards for payments. We do not provide assurance for credit card data that our customers elect to store in our products. If that is your use case, you should review our SOC 2 report to determine whether the controls are satisfactory for you.

How long is the Atlassian SOC report valid?

SOC audits review the performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC 2 reports covering a 12-month period (November 1 through October 31). Each report is applicable for the following 12 months, until we perform the next audit. Many factors affect the release of new reports, but external audits typically occur in November and refreshed reports are usually available before 31 December each year. Therefore, our report dated 2019 is valid and current through all of 2020.

Where can I request a Bridge Letter?

Because Atlassian's SOC 2 report cycles provide full-year coverage, we can provide a bridge letter (gap letter). This document can be downloaded under the same click-through NDA as the SOC 2 report on our Compliance page.

Compliance Programs

Are Atlassian Cloud products HIPAA certified?

There is no HIPAA certification for a cloud service provider (CSP) such as Atlassian. In order to meet the HIPAA requirements applicable to our SaaS model, Atlassian aligns our risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule.

How do I request a GDPR-compliant Data Processing Addendum with Atlassian?

We have posted a pre-signed Data Processing Addendum (DPA). The DPA helps meet onward transfer requirements under GDPR. See our DPA, or read more at our Privacy and GDPR FAQ.

Controls Framework

Will Atlassian share information on your internal controls?

We have put a great deal of work into what we call the Atlassian Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards. We use this framework to implement controls internally, and we engage external companies to evaluate and validate the implementation and operation of those controls. You can view the status of any of our certifications or reports on our Atlassian Compliance page.