Close
View this page in your language?
All languages
Choose your language
Products
For teams
Support
Try now
Buy now
Search Toggle menu
Close search

Plan, Track, & Support

Jira Software

Project and issue tracking

Jira Work Management

Business team collaboration

Jira Service Management

High-velocity ITSM

Opsgenie

Modern incident response

Statuspage

Incident communication

Jira Align

Enterprise agile planning

Collaborate

Confluence

Document collaboration

Trello

Collaborate visually on any project

Code, Build, & Ship

Bitbucket

Git code management

Sourcetree

Git and Mercurial desktop client

Bamboo

Integration and release management

SECURITY & IDENTITY

Atlassian Access

Security and control for cloud

Crowd

User management for self-managed environments
View all products
Close dropdown

By team size

Startups

Great for startups, from incubator to IPO

Small business

Get the right tools for your growing business

Enterprise

Learn how we make big teams successful

By team function

Software

Plan, build, & ship quality products

Marketing

Bring together a winning strategy

HR

Streamline people management

Legal

Operate securely and reliably

Operations

Run your business efficiently

IT

Provide great service and support

Finance

Simplify all finance processes

Incident Response

Respond, resolve, & learn from incidents
View all products
Close dropdown

Resources

Documentation

Guides to all of our products

Atlassian Migration Center

Tools and guidance for migrating

Cloud roadmap

Upcoming feature releases

Purchasing & licensing

FAQs about our policies

Support services

Enterprise services

Personal support for large teams

Partner support

Trusted third-party consultants

Atlassian Support

A resource hub for teams and admins

Learn & connect

About us

Our mission and history

Careers

Job openings, values, and more

Atlassian University

Training and certifications for all skill levels

Atlassian Community

A forum for connecting, sharing, and learning
Close dropdown

Frequently asked questions

Get answers to our top questions around security, reliability, privacy, and compliance.

Does Atlassian adhere to information security standards? Show
  

ISO/IEC 27001 - Jira and Confluence cloud have achieved ISO/IEC 27001 Certification. You can read more about the structure of our Security Management Program and you can review the ISO/IEC 27001 Certificate on our Atlassian Compliance page.

ISO/IEC 27018 - We have also acheived ISO/IEC 27018 certification for protection of personally identifiable information (PII) or personal data (PD) in our cloud environments. Our ISO/IEC 27018 Certificate can also be found on our Atlassian Compliance page.

Cloud Security Alliance - We have completed our Cloud Control Matrix CAIQ Self Assessment for the CSA Security, Trust, & Assurance Registry

HIPAA / HITECH – For our Cloud products, we are not able to sign a Business Associate agreement and we recommend our Data Center products for companies that need to comply. We have more information on this in our Privacy Policy.

PCI – Atlassian uses tokens with PCI DSS certified credit card processors; we never see or store your credit card details. For use of our products within PCI environments you need to assess in terms of your own PCI compliance requirements.

FedRAMP - Trello Enterprise has achieved FedRAMP Low-Tailored Authority to Operate (ATO). Atlassian products Jira, Confluence, and Jira Align are being evaluated for FedRAMP authorization. Contact your Atlassian sales representative for more information.

See more on our Atlassian Compliance Page and our Atlassian Compliance FAQ.
Where can I find Atlassian's security and technology policies? Show
  

We have put a lot of work into building out an internal Policy Central inside our own Confluence. All of our policies have a similar format and structure, defined owners, and committed review cycles. You can read through the tl;dr for each of our internal Technology Domain policies.
Has Atlassian defined responsibilities for cloud security and cloud operations? Show
  

We have published a whitepaper outlining the responsibilities that we manage, and the responsibilities that each of our customers should manage. We've written it with our customers in mind, and we've detailed the particular security topics that each customer should manage. Read through the whitepaper.
Who has access to our data? Show
  

For Atlassian Cloud Customers, we've outlined our approach in our Security Practices page and our Privacy Policy.
Is data stored on Atlassian cloud products encrypted? Show
  

Atlassian encrypts customer data in transit and at rest.

All customer data stored within Atlassian cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.

Data drives on servers holding customer data and attachments in Jira Cloud, Confluence Cloud, Bitbucket Cloud, Statuspage, Opsgenie, Jira Align, Halp and Trello use full disk, industry-standard AES-256 encryption at rest. 

To learn more, please see our Security Practices page.
Is Transport Layer Security (TLS) always used for data encryption on Atlassian cloud products? Show
  

Yes, all Atlassian Cloud systems only use TLS 1.2+, along with PFS, for communication. In line with Industry standards, we have removed support for SSL 3.
How are passwords for Atlassian cloud products stored? Show
  

Passwords are cryptographically hashed within the Atlassian cloud, which enables user management.
Does Atlassian audit its cloud security? Show
  

We have an extensive security program that includes ongoing testing of our our hosted systems and products. We also undertake third party independent assessments of our Cloud products. Our primary testing approach is through our public bug bounty for all of our cloud products and our server products. All compliance certificates can be found on our Atlassian Compliance Resource Center
Can I review Atlassian's testing reports? Show
  

Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and any findings from the Bug Bounty will be triaged and remediated according to our Public Security Vulnerability SLA.

The most current reports are published at the bottom of our Security Testing page.

 
Can we undertake our own security testing? Show
  

In line with our Terms of Use for our cloud products, we now allow customer-initiated testing. We are committed to being open and will continue to publish statistics from our bug bounty program on a regular basis. 

While we believe our Bug Bounty is a more efficient and economical approach for assessing security of our products and services, we understand that you might want to test the security on your own. We allow for security assessments (pen tests, vulnerability assessments) to be performed by customers, we just ask that you follow a few rules to keep all of us safe. If you do find an issue that you would like to report, instructions on how to report a vulnerability are on our site as well.
I found a vulnerability in one of your products, how do I report it? Show
  

If you discovered a vulnerability in one of our products, we appreciate if you let us know so we can get it fixed ASAP.  Have a read through our instructions for how to report it and you could get some Atlassian swag or be added to our Hall of Fame.
What is Atlassian's data privacy policy? Show
  

Please see our Privacy Policy on Atlassian’s main site, and refer to this page or our Privacy page on our Trust Center for answers to common questions.
How do you make sure US law enforcement/agencies won't access customer data? Show
  

Atlassian responds to government requests in accordance with our Guidelines for Law Enforcement, Privacy Policy, customer agreements, Acceptable Use Policy, and any applicable Product-Specific Terms. Your trust is important to us, and we provide Customer Information in response to law enforcement requests only when we reasonably believe that we are legally required to do so. To protect our customers’ rights, we carefully review requests to ensure that they comply with the law.

To obtain Customer Information from Atlassian, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant. For example, Atlassian will not provide non-public customer content unless served with a valid search warrant, issued on a showing of probable cause by a federal or state court authorized to issue search warrants, which requires Atlassian to disclose the content. We publish an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts.

For more information around how we encrypt and protect your data in transit and at rest, see our Security Practices page.
What responsibilities does Atlassian maintain during a security incident? Show
  

Here at Atlassian, we try our best to ensure our customers don't experience an outage or a security incident. However, we acknowledge that a security incident has the potential to happen. We have written down our responsibilities during a security incident and what our customers should plan to manage.