GxP Guidance

Introduction

1.0

What is GxP?

GxP is a set of regulations and quality guidelines formulated to ensure the safety of life sciences products while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. The GxP standards were established by the Food and Drug Administration (FDA) for a range of compliance related activities. The term GxP regulations refers to the underlying international pharmaceutical requirements, such as those outlined in the US FD&C Act, US PHS Act, FDA regulations, EU Directives, Japanese regulations, or other applicable national legislation or regulations under which an organization operates.
 
The term GxP is a general abbreviation for 'good x practice' guidelines and regulations. The 'x' is a variable that depends on the application of the standards, or a particular field. For example, Manufacturing (GMP), Clinical (GCP), Laboratory (GLP), Review (GRP), Distribution (GDP), Quality (GQP), Pharmacovigilance (GVP or GPVP), etc.
 
The purpose of the guidelines is to ensure that the regulated organizations comply with the standard processes of various functions. While there is no single regulatory entity or administration and each country has its own guidelines and regulators, GxPs are mostly similar across all the countries.
 
GxP regulations include those requirements outlined in the US Food and Drug Administration (FDA) CFR Title 21 Part 11 (https://aka.ms/FDA-CFR ) and EudraLex Volume 4—GMP Guidelines, Annex 11 (https://ec.europa.eu/health/documents/eudralex/vol-4_en ) in the European Union (EU).

Atlassian Cloud Security Shared Responsibilities

Security is a top priority and we must work together to protect your mission-critical applications and make informed decisions. Atlassian products are built with security at the core and our dedicated security teams safeguard your data by monitoring risk and responding quickly.

In Cloud, Atlassian focuses on the security, compliance, and reliability of the applications, the systems they run on, and the environment those systems are hosted within. We ensure your systems and environments are compliant with relevant standards, including ISO27001, SOC2, GDPR, and many others that live with our Trust Center.

You, our customers, manage the data within your accounts, the users and user accounts accessing your data, and control which Marketplace Apps (formerly called “add-ons”) you install and trust. When using our applications, you are responsible for ensuring your organization is using our products in a compliant way.

The guidance provided will articulate the responsibilities both shared between Atlassian and you, our customer. If you would like to learn more about Atlassian’s Shared Responsibility Model, please download our white paper.

Atlassian and GxP

2.0

How does Atlassian help organizations that deal with regulated aspects of the research, clinical study, maintenance, manufacturing, and distribution of life science products and services meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP)?

Customers are solely responsible for determining the suitability of cloud services in the context of FDA 21 CFR Part 11 Subpart B and EudraLex, Volume 4, Annex 11. Organizations using Atlassian products are responsible for determining the GxP requirements that apply to their systems, based on the intended use and regulatory standard.
 
Organizations operating in the life sciences industry face stringent regulatory requirements to ensure the safety and efficacy of biotechnology, pharmaceutical, and medical device products. There is no GxP certification for cloud service providers, however, Atlassian is a industry leader in security, compliance, third party audits and certifications, which support all our customers' needs.
 
Moving to the cloud means protecting sensitive workloads while achieving and maintaining compliance with complex regulatory requirements, frameworks, and guidelines. Atlassian cloud products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards globally.
 
Atlassian also has a dedicated resource center with white paper mappings against frameworks and laws where formal certifications or attestations may not be required or applied. For more information see Atlassian Compliance information at https://www.atlassian.com/trust/compliance .

Electronic Records

11.10 Persons who use closed systems to create, modify, maintain or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

3.0

11.10 (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Customers using Atlassian products in FDA-regulated systems, are fully responsible for all software-validation activities.

Customers using Atlassian products in FDA-regulated systems, are fully responsible for all software-validation activities.
 
Atlassian has implemented practices and controls to help ensure that its infrastructure and platform services are built and tested to meet industry security, reliability, and quality standards. Atlassian is an industry leader in security, compliance, third party audits and certifications, which support all our customers' compliance needs. For more information, see Atlassian's Compliance Program (https://www.atlassian.com/trust/compliance).

3.1

11.10 (b) The ability to generate accurate and complete copies of records in both human readable and electronic  form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records

Customers are responsible for maintaining the accuracy and completeness of their electronic records, and for the direct protection of their data and applications. As a cloud infrastructure provider, Atlassian generally has no insight into the data that customers store or process in Atlassian products. Atlassian has no ability to generate copies of these records. Learn more about how we embed privacy into our products by visiting How we handle your data (https://www.atlassian.com/trust/privacy/how-we-handle-your-data ).
 
Atlassian facilitates customer requests to export their data, should it be hosted on Atlassian products. Robust data portability and data management tools for exporting product and user data is available. For more information on Atlassian Cloud data export, see our import and export documentation here: https://support.atlassian.com/security-and-access-policies/docs/track-storage-and-move-data-across-products/ .
 
Further, see: https://support.atlassian.com/confluence-cloud/docs/export-content-to-word-pdf-html-and-xml/ for details on exporting data into common formats such as CSV, HTML, and XML.

3.1

11.10 (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period

Customers are responsible for implementing security procedures that protect against unauthorized access or changes to their systems and data.
 
Atlassian has implemented controls to help ensure that data is stored and maintained securely.

Customers can implement data backups to align with their record retention policies. To avoid data loss, we recommend making regular backups. Learn more about creating backups in the support documentation for your product: https://support.atlassian.com/ . For more information about our backup program in our Security Practices paper (https://www.atlassian.com/trust/security/security-practices#backups )
 
Atlassian uses industry standard Transport Layer Security (“TLS”) version 1.2 to create a secure connection using 256 ­bit Advanced Encryption Standard (“AES”) encryption. Servers holding user data will use full disk, industry-standard AES encryption. Tenant data is encrypted within the AWS RDS or RDS backups, and is also encrypted in long term storage (S3) as well as all attachments. For more information, see: https://www.atlassian.com/trust/security/security-practices#encryption-and-key-management
 
To help meet this requirement, Atlassian products and data are hosted with the industry-leading cloud hosting provider Amazon Web Services. In addition, any customer data in Atlassian cloud products is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. For more information see our Security Practices paper and How Atlassian Manages Customer Data pages.

3.2

11.10 (d) Limiting system access to authorized individuals.

Customers are responsible for the direct protection of their data and applications, including implementing security procedures that protect against unauthorized access to their systems and data.
 
However, Atlassian secures access to its corporate network, internal applications and cloud environments through a concept called ZeroTrust. Simply stated, the core tenet of ZeroTrust is: “never trust, always verify.” For more information see our Security Practices paper: https://www.atlassian.com/trust/security/security-practices#managing-access-to-systems-and-services .

Customers have the ability to strengthen and enhance access security for their products by readily enforcing 2-step verification (https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/) and password policies (https://support.atlassian.com/security-and-access-policies/docs/manage-your-password-policy/). To see further documentation, please visit https://support.atlassian.com/.

3.3

11.10 (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Customers are responsible for all aspects of system data retention and integrity, which should be considered in the design and development of computerized systems. These responsibilities include implementing audit controls within the customer’s environment and logging of development history events or data changes.

Atlassian uses a SIEM platform to aggregate logs from various sources, apply monitoring rules to those aggregated logs, and then flag any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Key system logs are forwarded from each system where logs are read-only. The Atlassian Security Team creates alerts on our security analytics platform and monitors for indicators of compromise. Our SRE teams use this platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup. For more information, see: https://www.atlassian.com/trust/security/security-practices#making-use-of-logs .

For Atlassian Cloud customers, audit logs for changes to the organization are available as part of Atlassian Access. With audit logs, you have visibility into admin actions to users, groups, permissions etc. More information can be found here: https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/

3.4

11.10 (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Atlassian assumes responsibility for security, availability and performance of the applications we provide, the systems they run on, and the environments within which those systems are hosted. However, security is a joint responsibility between Atlassian and our customers with respect to four areas in particular:

Policy and compliance - ensuring that the system meets customer business needs and is operated in accordance with industry, regulatory and legislative compliance obligations.

Users - the creation and management of user accounts.

Information - the content customers store within Confluence Cloud, Jira Cloud, Trello or Bitbucket Cloud.

Marketplace Apps - third party services which integrate with Atlassian products.
 
 For more information about our shared responsibility, see our Security Practices page (https://www.atlassian.com/trust/security/security-practices#sharing-responsibility-for-managing-customer-data )
 
In the context of Atlassian cloud services, our customers may be responsible for some or all aspects of access management for their service users under their control.
 
Accordingly, Atlassian enables our customers to manage access by service users under the service customer’s control, such as by providing administrative rights to manage or terminate access. Atlassian also checks customers’ credentials against leaked credentials databases, and force users to update their password.
 
Customers of our Enterprise and Premium Cloud offerings have access to a centralized administration control panel. Your organization's admins can manage user access and permissions across all your product instances. See our blog post here: https://www.atlassian.com/blog/platform/cloud-enterprise-centralized-admin-controls .
 
Atlassian customers can use their chosen third party identity provider if supported by Atlassian. An Atlassian Support page details these features and how to connect your chosen identity provider, see: https://support.atlassian.com/provisioning-users/docs/supported-identity-providers/
 
Atlassian provides customers with the role of 'Organization Admin' who administers users and groups for the customer's products. For more information see: https://support.atlassian.com/user-management/docs/give-users-admin-permissions/

3.5

11.10 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Access permissions: While our products are by nature designed to enable collaboration, customers do need to exercise caution in the permissions they grant to users within their organization regarding access to data. In some cases they can also grant public access to data – Atlassian has no control over this and cannot in these cases prevent such data being copied or further distributed.
 
Centralized access: Our customers are strongly encouraged to use Atlassian Access for centralized administration and enhanced security across all Atlassian products they use (including use of enforced 2FA and single sign-on).
 
For more information, see our paper on Cloud Security Shared Responsibilities.
 
Internally, Atlassian treats all customer data as equally sensitive and have implemented stringent controls governing this data. Within Atlassian, only authorized Atlassians have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and servers only accept incoming SSH connections from Atlassian and internal data center locations. All access is restricted to privileged groups unless requested and reviewed, with additional authentication requiring 2FA.

3.6

11.10 (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

This control is not applicable to Atlassian. Customers are responsible for the data hosted in Atlassian, including verifying the validity of the source of data.

3.7

11.10 (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

Customers are responsible for implementing a formal screening, training, and education program to help ensure that personnel have the knowledge and experience required to meet GxP requirements in their environment.
 
At Atlassian, we make sure all staff undergo security awareness training during the onboarding process and then on an ongoing basis so that security remains ‘front of mind’ (https://www.atlassian.com/trust/security/security-practices#security-awareness-training ).

3.8

11.10 (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

This control is not applicable to Atlassian. Customers are responsible for establishing and enforcing their own internal policies and procedures to hold their employees or other users accountable and responsible for their individual actions.
 
Internally, Atlassian treats all customer data as equally sensitive and have implemented stringent controls governing this data. Within Atlassian, only authorized Atlassians have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and servers only accept incoming SSH connections from Atlassian and internal data center locations. All access is restricted to privileged groups unless requested and reviewed, with additional authentication requiring 2FA (https://www.atlassian.com/trust/security/security-practices#controlling-access-to-customer-data ).

3.9

11.10 (k) (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

Customers are responsible for implementing and managing procedural controls that govern the access to and use of system documentation within their environment. Atlassian provides documentation for the use and management of cloud tenancies. For more information, see how Atlassian keeps data secure: https://www.atlassian.com/trust/security/security-practices#tenant-separation .

3.10

11.10 (k) (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

Customers are responsible for changes made to their own systems, including the maintenance of appropriate documentation and change management procedures.
 
Atlassian has a Change Management Process that is based on a "Peer Review, Green Build" approach. For more information, see our Security Practices paper: https://www.atlassian.com/trust/security/security-practices#managing-changes-in-our-environment .

EudraLex, Volume 4, Annex 11: Computerized Systems

4.0

The following table details key considerations for customers running their medicinal products regulated by the European Commission on computerized systems and/or applications on Atlassian. This information includes a brief summary of customer responsibilities, Atlassian practices and controls, and Atlassian services and features that might help customers meet their obligations under the EudraLex, Volume 4 Good Manufacturing Practice (GMP), Annex 11 Computerized Systems Guidelines

Risk Management

5.0

Risk management should be applied throughout the lifecycle of the computerized system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.

Customers are responsible for identifying and assessing environmental, regulatory, and technological changes and, if necessary, updating the design and deployment of its internal controls to help ensure the continuing security, availability, and confidentiality of their applications and workloads.
 
However, Atlassian has implemented a Trust Management Program (TMP) which is based on the ISO 27001 Information Security Management System Standard. Our TMP his multiple layers:
 - Our Policy Management Program (PMP) – consists of a series of security policies covering the domains listed in both the ISO 27001 standard as well as the Cloud Security Alliance’s Cloud Controls Matrix (CCM).
 - Our Risk Management Program (RMP) – We undertake on-going risk assessments to our environments and products in order to evaluate the current risks we face and ensure the controls we have in place effectively manage those risks.
 
For more information on our approach to Enterprise Risk Management, visit our Atlassian Trust Center: https://www.atlassian.com/trust/security/security-practices#compliance-and-risk-management .

Personnel

6.0

There should be close cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties

Customers are responsible for implementing a formal training, and education program to help ensure that personnel have the knowledge and experience required to meet GxP requirements in their environment. Customers are responsible for establishing and enforcing their own internal policies and procedures to hold their employees or other users accountable and responsible for their individual actions. Customers should maintain records of personnel qualifications and training and, where applicable, disciplinary or corrective actions.
 
For information about Atlassian training and certification, see our Security Practices paper: https://www.atlassian.com/trust/security/security-practices#securing-our-people .

Suppliers and Service Providers

7.0

When third parties (e.g., suppliers, service providers) are used e.g., to provide, install, configure, integrate, validate, maintain (e.g., via remote access), modify or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party.

Customers are responsible for ensuring that they have formal, written agreements with all third parties (for example, suppliers and service providers) that clearly define the roles of each party.
 
Where Atlassian engages any third-party suppliers (including contractors and cloud service providers) we are intent on making sure those engagements do not in any way jeopardise our customers or their data. To this end, a review process is undertaken by our legal and procurement teams for any proposed third-party supplier engagements. Atlassian also requires its suppliers to comply with minimum security requirements as part of their engagement with us. These are enforced via inclusion in our supplier contracts. For more information see Supplier Risk Management: https://www.atlassian.com/trust/security/security-practices#securing-our-ecosystem-and-supply-chain-partners .

7.1

The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

Customers are responsible for identifying and assessing the competence and reliability of their suppliers based on their system requirements and risk assessment.
 
Atlassian has published several documents to assist its customers in conducting necessary risk assessments and due diligence. Atlassian provides customers with the Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CAIQ - https://cloudsecurityalliance.org/research/cloud-controls-matrix/ ), audit reports, and other information regarding Atlassian’s operational and security practices.
 
We provide several resources to assist its customers in conducting the necessary risk assessments and due diligence they require. For more information on Atlassian's security and operational practices, visit Atlassian's Trust Center (https://www.atlassian.com/trust ) where you will find:

• Security practices - https://www.atlassian.com/trust/security

• Compliance program - https://www.atlassian.com/trust/compliance

• Audit reports/security questionnaires - https://www.atlassian.com/trust/compliance/resources

7.2

Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled

Customers are responsible for developing and maintaining an appropriate quality-management system of their suppliers and their suppliers’ products and services. This system should include procedures for risk assessments and quality audits.

7.3

Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request

Customers are responsible for developing and maintaining an appropriate quality-management system of their suppliers and their suppliers’ products and services. This system should include procedures for risk assessments and quality audits.
 
Atlassian maintains a quality-management system to help ensure that Atlassian services and features help enable the customer to meet security, availability, confidentiality, and integrity requirements. Atlassian’s quality-management system is audited by an independent third party and certified in accordance with ISO 9001 standards. For more information see our Compliance and Risk Management in our Security Practices paper, https://www.atlassian.com/trust/security/security-practices#compliance-and-risk-management .

Validation

8.0

The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their risk assessment

Customers are responsible for all system-validation documentation of their GxP systems, including protocols, acceptance criteria, and procedures.

8.1

Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process

Customers are responsible for all system-validation documentation and testing of their GxP systems, including change control records.

8.2

An up to date listing of all relevant systems and their GMP functionality (inventory) should be available.

Customers are responsible for all system-validation documentation of their GxP systems, including relevant system inventory.

8.3

User Requirements Specifications should describe the required functions of the computerized system and be based on documented risk assessment and GMP impact. User requirements should be traceable throughout the life-cycle

Customers are responsible for all system-validation documentation of their GxP systems, including user requirement specifications.

8.4

The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately

Customers are responsible for all system-validation documentation and testing of their GxP systems, including the implementation of an appropriate quality-management system.

8.5

For the validation of bespoke or customized computerized systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system

Customers are responsible for all system-validation documentation and testing of their GxP systems, including the assessment and reporting of quality and performance measures.

8.6

Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy

Customers are responsible for all system-validation documentation and testing of their GxP systems, including system parameter limits, data limits, and error handling.

8.7

If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process

Customers are responsible for all system-validation documentation and testing of their GxP systems, including data-integrity checks.

Data

9.0

Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.

Customers are responsible for the direct protection of their data and applications, including implementing appropriate security controls for secure processing of data. Customers are responsible for encrypting data in transit within their on-premises environment.
 
To help meet this requirement, Atlassian products and data are hosted with the industry-leading cloud hosting provider Amazon Web Services. In addition, any customer data in Atlassian cloud products is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. For more information see our Security Practices paper (https://www.atlassian.com/trust/security/security-practices#keeping-data-secure ) and How Atlassian Manages Customer Data (https://www.atlassian.com/trust/security/data-management ).

Accuracy Checks

10.0

For critical data entered manually, there should be an additional check on the accuracy of the data. This check maybe done by a second operator or by validated electronic means. The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management

Customers are responsible for ensuring that appropriate checks are in place to validate the accuracy of source data entered into their GxP systems.
 
As cloud provider, Atlassian generally has no insight into the data that customers store or process in Atlassian products, or the accuracy of such data.

Data Storage

11.0

Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data should be ensured throughout the retention period.

Customers are responsible for directly protecting their data and applications, including implementing security measures that restrict access to their own facilities and locations where they operate. This responsibility includes physically securing access to and transmission of data, and restricting the display of data, to authorized individuals.
 
To help meet this requirement, any customer data in Atlassian cloud products is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser. For more information, see our Security practices paper: https://www.atlassian.com/trust/security/security-practices#keeping-data-secure .

11.1

Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.

Customers are responsible for implementing a backup process, a replication process, or both in line with their requirements and policies.
 
To help meet this requirement, with respect to our Atlassian Cloud offerings, and specifically referring to customer and application data, we also have extensive backup measures in place. Atlassian uses the snapshot feature of Amazon RDS (Relational database service) to create automated daily backups of each RDS instance.
 
Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups. For more information, see our Security Practices paper: https://www.atlassian.com/trust/security/security-practices#backups .

Printouts

12.0

It should be possible to obtain clear printed copies of electronically stored data.

Customers are responsible for ensuring that printed copies of electronically stored data are available.

12.1

For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.

Customers are responsible for the integrity and accuracy of data generated, stored, or processed by their systems.

Audit Trails

13.0

Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.

Customers are solely responsible for meeting this requirement.
 
As cloud provider, Atlassian generally has no insight into the data that customers store or process in Atlassian products, or whether the data has been altered. However, to help meet this requirement, Atlassian uses a SIEM platform to aggregate logs from various sources, apply monitoring rules to those aggregated logs, and then flag any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Key system logs are forwarded from each system where logs are read-only. The Atlassian Security Team creates alerts on our security analytics platform and monitors for indicators of compromise. Our SRE teams use this platform to monitor for availability or performance issues. Logs are retained for 30 days in hot backup, and 365 days in cold backup. For more information see our Security Practices paper for "making use of logs" (https://www.atlassian.com/trust/security/security-practices#making-use-of-logs ) and how we "track organisation activities from the audit log" (https://support.atlassian.com/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/ ).

Change and Configuration Management

14.0

Any changes to a computerized system including system configurations should only be made in a controlled manner in accordance with a defined procedure.

Customers are responsible for any changes made to their environment, including, but not limited to, virtual networks, operating systems, virtual machines, databases, storage, and applications.
 
Atlassian has a Change Management Process that is based on a "Peer Review, Green Build" approach. For more information, see our Security Practices paper: https://www.atlassian.com/trust/security/security-practices#managing-changes-in-our-environment .

Periodic Evaluation

15.0

Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports.

Customers are responsible for periodically evaluating computerized systems in their environment and complying with GMP requirements.
 
Periodic evaluation of computerized systems in the context of GMP is not applicable to Atlassian. However, Atlassian performs comprehensive security evaluations as part of our annual compliance audits (e.g., SOX, SOC2), which also involve an independent assessment by external audit firm(s). In addition, we perform internal operational audits in areas that are deemed high risk, including a variety of security topics. The results of these audits are reported to the Audit Committee of our Board of Directors, and are fed into a continuous improvement cycle that helps us keep sharpening the overall security program. For more information see https://www.atlassian.com/trust/security/security-practices#compliance-and-risk-management

Security

16.0

Physical and/or logical controls should be in place to restrict access to computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.

Customers are responsible for directly protecting their data and applications. This protection includes physical and logical security measures that restrict access to its own facilities, systems, and data from unauthorized individuals.
 
Atlassian offices are guided by our internal Physical and Environmental Security Policy including monitoring physical ingress and egress points. We have published excerpts of all of our internal technology operations and security policies at: https://www.atlassian.com/trust/security/ismp-policies
 
Atlassian offices have access controls including badge readers, as well as camera surveillance, and have the ability to restrict access to specific times/days as needed. Logs of access to office buildings are maintained by Building Management, and are available to Workplace Experience for investigation purposes.
 
Our partner data centers maintain multiple compliance certifications. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management. Access to the data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures include: on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures. AWS physical protection assurance information can be found at: http://aws.amazon.com/compliance/

16.1

The extent of security controls depends on the criticality of the computerized system.

Customers are responsible for determining the criticality of their systems and implementing appropriate controls.
 
Atlassian has implemented physical and logical security controls to provide a highly secure, hosted environment with high performance and availability. For more detailed information about Atlassian security controls, see our compliance certifications at Compliance at Atlassian.

16.2

Creation, change, and cancellation of access authorizations should be recorded.

Customers are responsible for implementing logical and physical access management policies and procedures in their environment, and for recording changes in access status.
 
Atlassian assumes responsibility for security, availability and performance of the applications we provide, the systems they run on, and the environments within which those systems are hosted. However, security is a joint responsibility between Atlassian and our customers with respect to four areas in particular: Policy and compliance; Users; Information, and Marketplace Apps. For more information see Atlassian Security practices relating to sharing the responsibility for managing customer data (https://www.atlassian.com/trust/security/security-practices#sharing-responsibility-for-managing-customer-data ).

16.3

Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.

Customers are responsible for restricting access to confidential information stored or processed in their applications and workloads to authorized parties, in accordance with their confidentiality commitments and requirements. Customers shall implement the appropriate processes and procedures for access management, including access logs and monitoring.

Incident Management

17.0

All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.

Customers are responsible for implementing incident-management plans in their systems. Incident-management procedures for reporting and tracking incidents and implementing corrective and preventative actions should be documented and tested no less than annually.
 
In addition to the customers responsibility, Atlassian also employs However, Atlassian employs a robust and comprehensive approach to handling security incidents, centred around the use of the same tools we make available to our customers. This enables us to respond to incidents with a high degree of consistency, predictability and effectiveness and minimize the potential for damage to our customers, our partners, and Atlassian itself. For more information, see Atlassian Security Incident Management: https://www.atlassian.com/trust/security/security-incident-management .

Electronic Signature

18.0

Electronic records may be signed electronically. Electronic signatures are expected to: a. have the same impact as hand-written signatures within the boundaries of the company, b. be permanently linked to their respective record, c. include the time and date that they were applied.

Customers are responsible for maintaining all electronic records and implementing electronic signature policies and procedures to meet this requirement.

Batch Release

19.0

When a computerized system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature.

Customers are responsible for all certification activities as it relates to batch releases and qualified personnel.
 
Atlassian's applications require a Peer Review and Green Build (PRGB) after which the applications artifacts are cryptographically signed, automatically deployed by our CI/CD pipeline, and only Atlassian signed applications are able to be run in our Production Environment (https://www.atlassian.com/trust/security/security-practices#security-in-day-to-day-operations ).

Business Continuity

20.0

For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g., a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.

Customers are responsible for designing and implementing a cloud architecture that meets their own requirements for availability, business continuity, and disaster recovery.
 
Atlassian's Business Continuity and Disaster Recovery programs ensure the impact on our customers is minimised. Our BC and DR planning activities strive to achieve the right balance between cost, benefits and risk through an analysis of ‘recovery time objectives’ (RTO) and ‘recovery point objectives’ (RPO) of services. This analysis has led to us establishing a simple 4-tier system to help group services based on their respective recovery requirements – details of this approach can be found on our page on How Atlassian Manages Customer Data, https://www.atlassian.com/trust/security/security-practices#business-continuity-and-disaster-recovery-management .

Archiving

21.0

Data may be archived. This data should be checked for accessibility, readability, and integrity. If relevant changes are to be made to the system (e.g., computer equipment or programs), then the ability to retrieve the data should be ensured and tested

Customers are responsible for architecting, implementing, and testing a data archive strategy to meet their requirements.
 
As cloud provider, Atlassian generally has no insight into the data that customers store or process in Atlassian. However, to help meet this requirement, Atlassian has import and export tools so that our customers can access, import and export their data using Atlassian’s tools. For more information see Retention and Deletion of data, https://www.atlassian.com/trust/security/security-practices#retention-and-deletion-of-data .