We appreciate that our customers have requirements under the GDPR that are directly impacted by their use of Atlassian products and services, which is why we have devoted significant resources toward helping our customers fulfill their requirements under the GDPR and local law.
Below are several GDPR initiatives that have been implemented for our cloud products:
- We have made significant investments in our security infrastructure and certifications (see security and certifications section).
- We support appropriate international data transfer mechanisms by maintaining our Privacy Shield certifications, and by executing Standard Contractual Clauses through our updated Data Processing Addendum.
- We offer data portability and data management tools including:
- Profile deletion tool: We help customers and end users delete personal information, such as names and email addresses. We help customers respond to user requests to delete personal information, and we also help end users with Atlassian accounts delete their personal information, as well as people without Atlassian accounts delete their personal information.
- Import and export tools: Customers may access, import, and export their Customer Data using Atlassian’s tools.
- We have made required updates to relevant contractual terms.
- We have ensured Atlassian staff that access and process Atlassian customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.
- We hold any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.
- We have committed to carrying out data impact assessments and consulting with EU regulators where appropriate.
Protecting our customers' information and their user's privacy is extremely important to us. We are entrusted with some of our customer's most valuable data, which is why we have built security into every layer of the Atlassian Cloud architecture. We provide replication, backup, and disaster recovery planning, encryption in transit, advanced threat detection, and more. Visit the Atlassian Security Practices page to learn more about our approach to security.
Additionally, we have devoted significant resources towards ensuring our cloud products are built and designed in accordance with widely accepted standards and certifications. These standards mirror many of the security and privacy requirements of the GDPR and give our customers a transparent framework by which to measure our software development and data management practices.
We have certified Jira Software, Jira Service Desk, Jira Core, and Confluence Cloud for ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27018 standards and will pursue certifications for all other products as soon as possible. We have also completed SOC2 Type II certifications for Bitbucket, Jira Software, Jira Service Desk, Jira Core, and Confluence Cloud. To learn more about our current certifications and commitments for our cloud products, please see the Compliance page on our Atlassian Trust site.
We offer customers a robust international data transfer framework as a part our Data Processing Addendum. This addendum ensures that our customers can lawfully transfer personal data to Atlassian Cloud products outside of the European Economic Area by relying on our Privacy Shield certification or the Standard Contractual Clauses. This addendum also contains specific provisions to assist customers in their compliance with the GDPR. To learn more about our Data Processing Addendum and the Standard Contractural Clauses, see our GDPR FAQs.
Atlassian does not access, collect, store, or otherwise process personal data in connection with providing our Server and Data Center products, except in limited cases where such data is provided for incidental support services. As such, many of the the obligations under GDPR that apply to data processors do not apply to Atlassian in the Server or Data Center context. Atlassian does not offer a DPA when you use Atlassian Server or Data Center products, as DPAs are required where Atlassian is acting as a data processor of personal data. For more information about GDPR compliance for our Server and Data Center products, see our Guide to Server and Data Center GDPR Support.
We help you honor your customers' requests to export their data, should you host your customer data on Atlassian products. Atlassian provides robust data portability and data management tools for exporting product and user data. For more information on Atlassian Cloud data export see our import and export documentation.
We also help customers meet obligations under the GDPR right to be forgotten (or right to erasure) clause by making it easy to delete personal data from Atlassian Cloud products.
Atlassian Organization Admins can facilitate the account deletion of their managed users from controls in their admin portal. End users may also request that their personal data be deleted by initiating an account deletion request from their Atlassian account profile page. People who have provided their personal data or had their personal data provided to Atlassian, but do not have Atlassian accounts, may also initiate a request for deletion.