Data Security in Atlassian Cloud: Audits, Certifications, and Compliance

As organizations continue adopting cloud-based services and solutions, the need for security and compliance has become increasingly important. With more company data and operations moving to the cloud, there is understandable concern around ensuring that cloud platforms and providers meet key security and compliance standards. So you should consider data security in Atlassian Cloud, which stores and sensitive business, customer, or employee information.

Atlassian Cloud offers a variety of compliance certifications and frameworks to provide transparency into its security controls and help customers meet their own compliance requirements. Key certifications like SOC 2, ISO 27001, and GDPR readiness demonstrate Atlassian’s commitment to security. They also assure customers that Atlassian Cloud has the appropriate safeguards and controls in place for data protection, access controls, auditing, and other critical areas. 

This article will provide an overview of some of the major security compliance certifications and frameworks applicable to Atlassian Cloud. Understanding Atlassian Cloud’s compliance posture can help customers evaluate if the service meets their organization’s security, governance, and compliance needs. The certifications and audits also showcase Atlassian’s dedication to ensuring their cloud services maintain robust security well into the future.

SOC compliance

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of CPAs (AICPA) that focuses on “evaluating security, availability, processing integrity, confidentiality, and privacy” of a service organization. Obtaining SOC 2 certification requires rigorous audits by accredited third-party auditors that analyze the design and operating effectiveness of internal controls.

Atlassian Cloud has obtained two key SOC 2 compliance certifications:

• SOC 2 Type II certification – This attests that Atlassian has strong controls in place that are operating effectively. Type II includes detailed auditor testing.
• SOC 3 certification – This certifies that Atlassian Cloud meets the SOC 2 Trust Services Criteria for security, availability, and confidentiality. The SOC 3 report summarizes the SOC 2 findings.

These SOC 2 compliance certifications are extremely important for building trust in Atlassian Cloud’s security. They provide current, independent validation that Atlassian Cloud has implemented critical security controls and practices per the SOC 2 standards. Customers can feel confident that Atlassian has the proper safeguards in place for access control, network security, encryption, vulnerability management, and more based on the rigorous SOC 2 audits.

The SOC 2 reports provide transparency into Atlassian’s security efforts. This helps customers assess risks and meet security and compliance obligations around using Atlassian Cloud to store business-critical data. Maintaining SOC 2 compliance also demonstrates Atlassian’s commitment to constantly monitoring and improving cloud security.

ISO compliances

ISO/IEC 27001 is an international standard published by the International Organization for Standardization (ISO) that focuses on information security management. It outlines requirements “for establishing, implementing, maintaining, and continuously improving an organization’s information security management system (ISMS).”

Atlassian Cloud has obtained the ISO/IEC 27001 compliance certification. This rigorously audited certification demonstrates that Atlassian has implemented comprehensive information security policies, procedures, and controls per the ISO standard.

Specifically, ISO/IEC 27001 compliance shows that Atlassian has appropriate security controls surrounding:

• Information security policies: Atlassian has organization-wide policies and procedures governing information security.
• Asset management: Security practices are in place to manage information assets properly.
• Access control: Authentication, authorization, and access controls are implemented securely.
• Encryption: Sensitive data is encrypted properly both at rest and in transit.
• Physical and environmental security: Atlassian data centers are physically protected.
• Operational security: Security procedures are integrated into IT operations and system/data backups.

By implementing security per ISO/IEC 27001, Atlassian reassures customers that their information assets and data are safeguarded according to rigorous global security standards. The ISO/IEC 27001 certification is proof that Atlassian takes a holistic, enterprise-wide approach to protecting the confidentiality, integrity, and availability of Atlassian Cloud.

GDPR readiness

The General Data Protection Regulation (GDPR) is a European Union data privacy regulation that went into effect in 2018. It imposes obligations on organizations to protect EU citizens’ data privacy and security.

GDPR requirements relevant to Atlassian Cloud include:

• Data encryption: Sensitive data must be encrypted both in transit and at rest.
• Access controls: Stringent controls on data access, storage limitation, and data minimization.
• Breach notification: Breaches must be reported within 72 hours of discovery.
• Privacy by design: Products must have privacy features baked in by design.

Atlassian Cloud offers capabilities to help customers meet GDPR requirements:

• Atlassian Access controls: Fine-grained controls on data access and permissions.
• Encryption: Data encrypted in transit and at rest. Customers control encryption keys.
• Audit logs: Detailed logs for monitoring access and breaches.
• Data deletion: Tools to fully delete data upon request.

Atlassian also provides GDPR-focused resources including:

• GDPR FAQ outlining Atlassian’s commitments
• GDPR overview guide for Atlassian Cloud customers
• Documentation on managing data requests and deletions

These resources demonstrate Atlassian’s commitment to GDPR compliance across its cloud products and provide transparency to customers. Atlassian’s proactive GDPR readiness helps customers fulfill their own GDPR obligations.

Other compliance frameworks

In addition to SOC 2, ISO 27001, and GDPR, Atlassian Cloud also supports compliance with other key frameworks:

• HIPAA: Atlassian enables HIPAA compliance for healthcare customers via BAAs and security controls. Plans are in the works to upgrade to full certification.
• PCI DSS: Atlassian meets requirements for storing payment card data securely.
• FERPA: Atlassian Cloud can help education customers follow FERPA data privacy regulations.
• FedRAMP: Atlassian Cloud’s Trello meets FedRAMP requirements for federal agency cloud deployments.

While Atlassian may not have explicit certifications for these frameworks, its security controls and capabilities allow customers in regulated industries like healthcare, retail, and education to leverage Atlassian Cloud while still maintaining compliance.

Additionally, Atlassian is constantly expanding its data residency capabilities. Currently, Cloud customers can choose where their data is stored from among their US, EU, Australia, Germany, or Singapore locations. This allows many regulated organizations to comply with data residency restrictions. More locations are being added over time.

For details on how Atlassian enables compliance with industry-specific frameworks, customers can visit the Atlassian Cloud Compliance page. This provides an overview of various regulations and standards supported by Atlassian’s security practices. Resources like Trust Security documents also outline Atlassian’s approach to security controls, audits, and compliance.

Ongoing audits and assurance

It’s important to note that Atlassian does not just conduct audits and verify compliance once, but instead regularly undertakes assessments to maintain certifications and ensure security controls remain effective over time.

Atlassian is continually audited by independent third-party firms to validate continued compliance with standards like SOC 2, ISO 27001, and others. These recurring comprehensive audits examine factors like:

• Review of new security policies, procedures, and controls
• Testing security mechanisms like encryption and access management
• Evaluating physical and environmental safeguards
• Ensuring security training and awareness for personnel
• Confirming incident response preparedness

In addition, Atlassian frequently conducts internal audits between third-party assessments. Rigorous internal audits complement external ones to provide assurance that security practices are being followed consistently.

Customers can rely on Atlassian Cloud to fulfill a diverse array of security obligations and requirements thanks to its strong compliance framework, which empowers them to handle their own security responsibilities. As threats and regulations evolve, Atlassian’s focus on compliance ensures customers have access to cloud services they can trust with their most sensitive data.

Learn more about Atlassian Cloud’s security and compliance offerings and how they apply to your business by reading our white paper, Your Quick Hit Guide to Atlassian Cloud Security.

Ashley McNeal, Delivery Director-Cloud Migrations