Atlassian & GDPR

Secure Cloud Architecture, technically and legally

Atlassian Suite: GDPR-compliant since 2016

Cloud software was a sensitive issue in the European Union for a number of years: where does personal data flow, where is it stored, and for how long? Since May 24, 2016, however, all of this has been regulated throughout the EU in the General Data Protection Regulation, or GDPR for short. Software manufacturers who want to sell their cloud products in the EU must ensure that they are GDPR-compliant. This naturally applies in full to the Atlassian Suite.

Atlassian relies on multi-layered security in the cloud, with strict controls in zones and environments. Data traffic from employees, customers, CI/CD and DMZ networks is restricted in every area. Authentication allowlists (positive lists) regulate which services are allowed to interact.

Zero Trust approach

Atlassian follows a zero-trust approach: nothing is trusted automatically, and everything is checked. Resources are assigned to one of three security levels (open, low and high) depending on their confidentiality, and the authentication and device requirements for access vary accordingly.

Disaster recovery and business continuity

Atlassian actively plans for disruptions and implements redundancies in all products. Site Reliability Engineers monitor and test these regularly. Each Atlassian team has a Disaster Recovery Champion. These are specially trained employees who ensure that disaster recovery (DR) is integrated into projects. Regular DR testing improves processes and technologies.
 

End-to-end data security at Atlassian

Industry-leading hosting infrastructure
Atlassian hosts its products and data on Amazon Web Services (AWS), a leading global cloud hosting provider. Customer data is stored in different geographical regions to avoid outages. Customers decide in which region or country their data is stored. Data centers in different availability zones replicate the data to ensure stability.
 
Control of data residency
 
Due to data protection regulations such as the GDPR, Atlassian enables its customers to control the storage locations of their data. The data residency feature allows IT administrators to tie user-created product information to specific data regions. This is currently supported in the European Union and the US, with plans to expand to other regions.
 
Encryption of data
 
Atlassian provides comprehensive encryption for customer data and attachments in various products. Data at rest is encrypted with AES-256 and data transfers are done via TLS 1.2+ with Perfect Forward Secrecy to ensure security.
 
Working together to protect data
 
Atlassian takes responsibility for the security of its systems, but requires customer cooperation to protect data. There are shared responsibilities in the areas of policies, users and information. Third-party marketplace apps are reviewed and security standards such as Forge are offered.
 
 

 

Compliance with global data protection regulations

Atlassian Cloud Enterprise enables IT administrators to monitor and ensure global data protection compliance in third-party technology portfolios.

Data protection program

 
Atlassian's data protection program offers customers a high standard of data protection that goes beyond legal requirements. Atlassian's cloud products comply with generally recognized data protection standards and certifications. Employees who work with customer data are regularly trained in security and confidentiality protocols.

Customers have controls to manage user profiles and delete accounts of managed users. Non-managed users can also request the deletion of their data.
 
Atlassian publishes an annual transparency report that includes regulatory requests and how they are handled. The company is transparent about government requests for user data and follows policies and procedures. Authorities must follow the legal process to obtain customer information from Atlassian.
 
Atlassian's cloud products are GDPR compliant, and Atlassian is committed to data privacy and security.
 
International data transfers
Atlassian offers a data protection addendum that complies with GDPR requirements and serves as a mechanism for the lawful transfer of personal data outside the European Economic Area. In addition, Atlassian invests in modern encryption features such as Bring Your Own Key (BYOK).
 
Individual data protection rights and consent
Administrators can easily delete user data from Atlassian's cloud products. Both managed and unmanaged users can request the deletion of their data.
 
 
Choice and consent
Users in the EU receive transparent insights and can decide how Atlassian uses their data. Consent for cookies and marketing messages is obtained at all collection points.
 
Customer data and third parties
Atlassian works with external service providers who have access to personal data in order to provide services. Atlassian informs customers about the use of subcontractors that may process personal data. A list of the external sub-processors Atlassian works with can be found on Atlassian's Sub-processors page. Visitors can subscribe to an RSS feed to receive notifications about new sub-processors.
 
Integrated controls for identity and access management
Using Atlassian's built-in controls, IT administrators can enforce enterprise-level authentication protocols such as SAML single sign-on (SSO) and multi-factor authentication (MFA), among others. Administrators can also customize authentication policies for different user groups and automate user provisioning and deprovisioning. This reduces the risk of unauthorized access and allows the enforcement of security controls for mobile usage and support for mobile device and mobile app management (MDM/MAM).
 
Proactive threat monitoring and prevention
Atlassian offers comprehensive security testing and vulnerability management programs to prevent threats. In addition, Atlassian Access customers benefit from enterprise audit logs that provide detailed insights into administrator activities, such as changes to users, groups and permissions within the organization. This makes it easier to identify suspicious activity.

We are happy to support you with your individual requirements.

The companies in the ISO-Gruppe have been using Atlassian products for their own software development and for customers for many years. We have correspondingly extensive experience, which we are happy to share with you. We will be happy to advise you, without obligation and without risk.

 
