Close

Atlassian's GDPR Commitment

Our commitment to your data privacy

We are wholly invested in our customers' success and the protection of customer data. One way that we deliver on this promise is by helping Atlassian customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 25, 2018.

It is designed to give EU citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law. The GDPR not only applies to organizations located within the EU, but it also applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

On this page, we explain our approach and investment in GDPR compliance and how we help our customers comply with the GDPR.

GDPR Compliance

We appreciate that our customers have requirements under the GDPR that are directly impacted by their use of Atlassian products and services, which is why we have devoted significant resources toward helping our customers fulfill their requirements under the GDPR and local law.

Below are several GDPR initiatives that have been implemented for our cloud products:

  • We have made significant investments in our security infrastructure and certifications (see security and certifications section).
  • We support appropriate international data transfer mechanisms by maintaining our Privacy Shield certifications, and by executing Standard Contractual Clauses through our updated Data Processing Addendum.
  • We offer data portability and data management tools including:
  • We have made required updates to relevant contractual terms.
  • We have ensured Atlassian staff that access and process Atlassian customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
  • We hold any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.
  • We have committed to carrying out data impact assessments and consulting with EU regulators where appropriate.
Our Security and Certifications

Protecting our customers' information and their user's privacy is extremely important to us. We are entrusted with some of our customer's most valuable data, which is why we have built security into every layer of the Atlassian Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit and at rest, advanced threat detection, and more. Visit the Atlassian Security Practices page to learn more about our approach to security.

Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the GDPR and give our customers a transparent framework by which to measure our software development and data management practices.

We have certified a number of our products for ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27018 standards as well as SOC2 Type II certifications. To learn more about our current certifications and commitments for our cloud products, please see the Compliance page on our Atlassian Trust site.

International Data Transfers

We offer customers a robust international data transfer framework as a part our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to Atlassian Cloud products outside of the European Economic Area by relying on our Privacy Shield certification or the Standard Contractual Clauses. This addendum also contains specific provisions to assist customers in their compliance with the GDPR. To learn more about our Data Processing Addendum and the Standard Contractural Clauses, see our GDPR FAQs.

Atlassian does not access, collect, store, or otherwise process personal data in connection with providing our Server and Data Center products, except in limited cases where such data is provided for incidental support services. As such, many of the the obligations under GDPR that apply to data processors do not apply to Atlassian in the Server or Data Center context. Atlassian does not offer a DPA when you use Atlassian Server or Data Center products, as DPAs are required where Atlassian is acting as a data processor of personal data. For more information about GDPR compliance for our Server and Data Center products, see our Guide to Server and Data Center GDPR Support.

Data Portability and the Right to Be Forgotten

We help you honor your customers' requests to export their data, should you host your customer data on Atlassian products. Atlassian provides robust data portability and data management tools for exporting product and user data. For more information on Atlassian Cloud data export see our import and export documentation.

We also help customers meet obligations under the GDPR right to be forgotten (or right to erasure) clause by making it easy to delete personal data from Atlassian Cloud products.

Atlassian Organization Admins can facilitate the account deletion of their managed users from controls in their admin portal. End users may also request that their personal data be deleted by initiating an account deletion request from their Atlassian account profile page. People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for deletion.

Privacy and Consent

Your privacy is important to us, and so is being transparent about how we collect, use, and share your information. In our Privacy Policy, we share what information we collect, how we use and store that data, and how you can access and control your information.

When you use Atlassian Server and Data Center products, Atlassian provides those products in a downloadable format. Atlassian does not access, collect, store, or otherwise process personal data in connection with providing those downloadable products to Server and Data Center customers, except in limited cases where such data is provided for incidental support services. For more information about how Atlassian handles customer data for our Server and Data Center products, see our Privacy Policy and our Guide to Server and Data Center GDPR Support.