Compliance at Atlassian
Don't just take us at our word - we encourage you to inspect and verify our security and privacy practices and operations. Our team is constantly working to expand coverage to help organizations meet compliance needs.
Our compliance program

SOC 2
SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.
We currently offer SOC 2 reports for Jira and Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Statuspage, and Jira Align.
Non-disclosure agreement
Ernst & Young LLP (“EY”) has prepared the attached report (the “Report”) for the sole benefit and use of Atlassian Pty Ltd (“Company”), and, for limited purposes in accordance with the relevant standards of the American Institute of Certified Public Accountants (the “AICPA”), Company’s existing user entities and their auditors. In addition, certain prospective user entities, identified by the Company (collectively with existing user entities, each a “Recipient”), may have access to the Report subject to the terms of this agreement. Your access to the Report is subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement not as an individual but on behalf of your company, then “Recipient” or “you” means your company, and you are binding your company to this agreement.
By clicking on the “I ACCEPT” button below, you signify that you and the Recipient agree to be bound by these terms and conditions. Such acceptance and agreement shall be deemed to be as effective as a written signature by you, on behalf of yourself and the Recipient, and this agreement shall be deemed to satisfy any writings requirements of any applicable law, notwithstanding that the agreement is written and accepted electronically. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than Company is prohibited, except as provided below.
Company agrees to allow Recipient to access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:
- The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Recipient has requested that Company provide Recipient a copy of the Report.
- The Services were undertaken, and the Report was prepared, solely for the benefit and use of Company, its existing user entities, and their auditors, and was not intended for any other purpose, including the use by prospective user entities of Company. EY has made no representation or warranty to the Recipient as to the sufficiency of the Services or otherwise with respect to the Report. Had EY been engaged to perform additional services or procedures, other matters might have come to EY’s attention that would have been addressed in the Report.
- The Services did not (a) constitute an audit, review or examination of financial statements in accordance with generally accepted auditing standards of the AICPA or the standards of the Public Company Accounting Oversight Board, (b) constitute an examination of prospective financial statements in accordance with applicable professional standards or (c) include procedures to detect fraud or illegal acts to test compliance with the laws or regulations of any jurisdiction.
- The Recipient (a) does not acquire any rights against EY, any other member firm of the global Ernst & Young network, or any of their respective affiliates, partners, agents, representatives or employees (collectively, the “EY Parties”), the Company or any of their respective affiliates, partners, agents, representatives or employees (together with EY Parties, the “Report Parties”), and the Report Parties assume no duty or liability to the Recipient, in connection with the Services or its access to the Report hereunder; (b) may not rely on the Report; and (c) will not contend that any provisions of United States or state securities laws could invalidate or avoid any provision of this agreement.
- Except where compelled by legal process (of which the Recipient shall promptly inform EY and the Company so that they may seek appropriate protection), the Recipient will not disclose, orally or in writing, any Report or any portion thereof or any other Confidential Information received from EY or the Company in connection therewith, or make any reference to EY or Company in connection therewith, in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by the Company in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential at the time of disclosure and within thirty (30) days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
- Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security, regulatory and other business policies. This agreement does not create or imply an agreement to complete any transaction or an assignment by Company of any rights in its intellectual property.
- The Recipient (for itself and its successors and assigns) hereby releases each of the Report Parties, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or EY’s performance of the Services. The Recipient shall indemnify, defend and hold harmless the Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
- Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.
- This agreement shall be governed by, and construed in accordance with, the laws of the State of New York applicable to agreements made and fully to be performed therein by residents thereof. This agreement can be enforced by any of Report Parties, individually or collectively.
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
Please download the report you want to view:

SOC 3
SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, and confidentiality of a cloud service.
Download SOC3 for:

PCI DSS
The Payment Card Industries Data Security Standard is an information security standard for the handling of credit card information.
Download our PCI Attestations of Compliance (AoC) for:

ISO/IEC 27001
ISO 27001 is specification for an information security management system (ISMS), which is a framework for an organization's information risk management processes.
Products included in certification: Jira Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align and Statuspage

ISO/IEC 27018
ISO 27018 is a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
Products included in certification: Jira Cloud, Confluence Cloud, Bitbucket Cloud, Trello, Opsgenie, Jira Align and Statuspage

VPAT
The Voluntary Product Accessibility Template is a document used by providers to self-disclose the accessibility of a particular product.

FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
View individual status on the FedRAMP Marketplace for the following products:
Vendor Management and Security Assessment Program
Our data centers, co-location, and managed service providers undergo a thorough security assessment as a part of the evaluation process and then undergo regular SOC1, SOC2 and/or ISO/IEC 27001 audits thereafter. In the event these audits have material findings, which present risks to Atlassian or our customers, we work closely with the vendor to track their remediation efforts until the issue has been resolved.
The Atlassian Controls Framework
Our Common Controls Framework is a set of security activities and controls Atlassian implements across our global product and infrastructure teams. To create this framework, we analyzed the requirements of all the certifications that apply to Atlassian customers around the world. This holistic and structured approach to compliance enables us to consistently implement these controls across Atlassian’s products and infrastructure.
Cloud Security Alliance Membership
Atlassian is a member of the Cloud Security Alliance (CSA), a not-for-profit organization whose mission is to promote best practices for security assurance in cloud computing. CSA’s Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents industry-verified security controls. We routinely update a Consensus Assessment Initiative (CAI) Questionnaire and make it publicly available to view.

Risk Management Program
Integrating enterprise risk management throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations. Atlassian’s risk management program is at the focal point of our Risk and Compliance team and serves as foundational element of our decision making process. Our program is modeled after ISO31000-2009 “Risk Management - Principles and Guidelines” and assessments are performed annually as well as on an as needed basis, throughout the year.
Get more visibility into our cloud platform roadmap
We're committed to providing visibility into our upcoming security, compliance, privacy, and reliability releases wherever possible.
Have more questions about our Compliance program?
Do you have cloud certifications? Can you complete my security & risk questionnaire? Where can I download more information?
We’re here and ready to answer all of your questions.
Trust & Security Community
Join the Trust & Security group on the Atlassian Community to hear directly from our Security team and share information, tips, and best practices for using Atlassian products in a secure and reliable way.
Atlassian Support
Reach out to one of our highly-trained support engineers to get answers to your most specific security questions. You may find the answers to many of your questions on our pre-filled security questionnaires.