Frequently asked questions
We get asked a lot of questions, we've gathered them together to make it easier for you. This page is regularly updated, so be sure to check back for our latest updates.
Does Atlassian adhere to Information security standards
ISO27001 - The Atlassian Security Team has achieved ISO27001 Certification. We are now working to expand the scope of the certificaiton to our product and cloud services portfolio. You can read more about the structure of our Security Management Program and you can review the ISO27001 Certificate on our Trust Compliance page.
PCI – Atlassian uses tokens with PCI DSS certified credit card processors; we never see or store your credit card details. For use of our products within PCI environments you need to assess in terms of your own PCI compliance requirements.
Can I see your Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ)?
Absolutely, we hope you do. It can be found on our Security, Trust and Assurance Registry (STAR) entry page. We plan on updating it quarterly, or when big changes occur in our environment. Have a read through: Atlassian's STAR entry.
Will Atlassian share information on your internal controls?
We have put a great deal of work into something we call our Atlassian Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards. We utilize this framework to implement controls internally and use external companies to evaluate and validate the implementation and operation of our controls. We will share external certification as it is attained.
Who has access to our data?
Is our data encrypted?
Is TLS always used?
Yes, all Atlassian Cloud systems only use TLS, along with PFS, for communication. In line with Industry standards, we have removed support for SSL 3.
How are our passwords stored?
Passwords are cryptographically hashed within Atlassian Cloud, which enables user management.
Does Atlassian audit its Cloud security?
We have an extensive security program that includes ongoing testing of our our hosted systems and products. We also undertake third party independent assessments of our Cloud products.
Can we see the testing reports?
We are migrating our third party security testing to a bug bounty model. Private bug bounties generally do not result in reports however when the bounties go public, general statistics will be available via our bug bounty partner platform.
Can we undertake our own security testing?
I found a vulnerability in one of your products, how do I report it?
If you discovered a vulnerability in one of our products, we appreciate if you let us know so we can get it fixed ASAP. Have a read through our instructions for how to report it and you could get some Atlassian swag or be added to our Hall of Fame.
Can you complete my Security Questionnaire?
We are committed to being open and transparent and sharing information. Part of this goal is to publish as much information as we can to enable you to be comfortable with your decision to use our products and services. We are not able to answer each individual questionnaire.
What responsibilities does Atlassian maintain during a security incident?
Here at Atlassian, we try our best to ensure our customers don't experience an outage or a security incident. However, we acknowledge that a security incident has the potential to happen. We have written down our responsibilities during a security incident and what our customers should plan to manage.