Close

Compliance FAQ


General

How can I get my vendor due diligence / supplier questionnaire / security questionnaire completed? Copy link to heading Copied! Show +
  

If you need assistance to complete a questionnaire to document portions of our Atlassian Trust programs, we have an approach designed to provide you with the resources you need to answer your security and compliance questions about our Atlassian cloud products. We have pre-compiled security and compliance resources at our general Vendor Risk Response page and our Cloud Security Alliance submissions. If those resources don’t satisfy your need, submit a request to Atlassian Support.

Have you completed a Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ)? Copy link to heading Copied! Show +
  

Absolutely, we hope you do.  It can be found on our Security, Trust and Assurance Registry (STAR) entry page.  We plan on updating it quarterly, or when big changes occur in our environment. Have a read through: Atlassian's STAR entry

You can also review other pre-compiled responses on our Vendor Security & Risk Response page.

Which Atlassian Products are included in the Atlassian Cloud Compliance Scope? Copy link to heading Copied! Show +
  

Based on roll-out, or in some cases acquisition, the Products vary per compliance program. For the most up to date Products and their associated compliance program, see the Atlassian Compliance page.

Does Atlassian maintain any sub-processors? Copy link to heading Copied! Show +
  

Atlassian may use sub-processors, as documented on our Sub-Processor page to carry out specific activities on behalf of our customers, our products or specific data center hosting and management activities. This page also provides customers with the option to subscribe to RSS if the list of sub-processors changes or is updated.

Can you provide the locations for your data centers? Copy link to heading Copied! Show +
  

Atlassian does not manage any of our own data centers, all data center operations are outsourced. Primarily we rely on AWS as our data center hosting and management partner. Regional deployments differ based on product. For more information on AWS Data Center controls, see the AWS Data Center Controls site.

For Jira and Confluence Cloud : AWS regions include US-East, US-West, Ireland, Frankfurt, Singapore and Sydney.

For Halp : AWS regions include US-East and US-West.

For Opsgenie : Customers shall opt-in for AWS US (US-West in Oregon and  California and US-East in Ohio) or EU (Frankfurt and Ireland).

For Statuspage : AWS regions include US-East and US-West.

For Trello : AWS region includes US-East.

For Jira Align : AWS regions include US-East (Ohio), Europe (Frankfurt) and Australia (Sydney).

Bitbucket : AWS regions include US-East and US-West.

Compliance Reports

Are Atlassian Cloud products ISO27001 certified? Copy link to heading Copied! Show +
  

Based on roll-out, or in some cases acquisition, the Products in our ISO27001 and ISO27018 scope vary. For the most up to date Products and their associated compliance program, see the Atlassian Compliance page.

How long is the Atlassian PCI certificate valid? Copy link to heading Copied! Show +
  

For PCI, we generally receive updated certification in September of each year and the certificate is valid for 1 year. Our PCI certification is only related to Atlassian processing credit cards for payments. We do not provide assurance for credit cards that our customers elect to store in our products. If that is your use case, you should review our SOC2 report to determine if the controls are satisfactory for you.

How long is the Atlassian SOC2 report valid? Copy link to heading Copied! Show +
  

SOC2 Type 2 audits are a review of performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC2 reports covering a 12-month period (October 1 through September 30). The reports are applicable for the following 12 months, when we perform the next audits.

There are many factors that impact the release of new reports, but our external audits typically occur in November and refreshed reports are usually available by end of December each year. We also issue a 3-month bridge letter in January/February of each year that extends the coverage period through the end of January.

All SOC2 reports (and the bridge letter) can be downloaded on the Compliance Resource Center.

Where can I request a Bridge Letter? Copy link to heading Copied! Show +
  

Based on Atlassian’s full-year of coverage within our SOC2 report cycles, we can provide a bridge letter or gap letter. This document can be downloaded under the same click-through NDA as the SOC2 report on our Compliance Resource Center - SOC 2.

Compliance Programs

Can I use Atlassian Cloud products in compliance with HIPAA? Copy link to heading Copied! Show +
  

Yes, Atlassian Cloud does offer solutions for customers that require HIPAA compliance, please visit this page for more information.

How do I request a GDPR-Compliant Data Processing Addendum with Atlassian? Copy link to heading Copied! Show +
  

We have posted a pre-signed Data Processing Addendum (DPA). The DPA helps meet onward transfer requirements under GDPR. See our DPA, or read more at our Privacy and GDPR FAQ.

Controls Framework

Will Atlassian share information on your internal controls? Copy link to heading Copied! Show +
  

We have put a great deal of work into something we call our Atlassian Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards.  We utilize this framework to implement controls internally and use external companies to evaluate and validate the implementation and operation of our controls.  You can view the status of any of our certifications or reports on our Atlassian Compliance page