
Atlassian’s Technical and Organisational Security Measures

Effective starting: October 7, 2025

Introduction

Security is an essential part of Atlassian’s offerings. This page describes Atlassian’s security program, certifications, policies, and physical, technical, organizational and administrative controls and measures to protect Customer Data and, where indicated below, Customer Materials from unauthorized access, destruction, use, modification or disclosure (the “Security Measures”). The Security Measures are consistent with the commonly-accepted industry standards and practices, including NIST 800-53 controls.

Any capitalized terms used but not defined have the meanings set out in the Agreement or the Data Processing Addendum. Further details on Atlassian’s security posture can be found in our Trust Center and Compliance Resource Center.

1. Access Control

Atlassian maintains a comprehensive set of formal policies, controls, and practices for the appropriate access control when processing Customer Data and Customer Materials, which includes:

1.1. access management policy addressing access control standards, including the framework and the principles for user provisioning;

1.2. designated criticality tiers based on a Zero Trust Model architecture, including the requirements for multi-factor authentication on higher-tier services;

1.3. user provisioning for access to Atlassian systems, applications and infrastructure based on the relevant job role and on the least privilege principle that is enforced through the authentication processes, enabling only authorized personnel to have access to development and build environments (including source code repositories) associated with the Products;

1.4. strict role-based access controls for Atlassian staff, allowing access to Customer Data only on a need-to-know basis;

1.5. segregation of duties including but not limited to (i) access controls reviews, (ii) HR-application managed security groups, and (iii) workflow controls;

1.6. a prior approval of all user accounts by Atlassian’s management before granting access to data, applications, infrastructure, or network components based on the data classification level; regular review of access rights as required by relevant role;

1.7. use of technical controls such as virtual private network (VPN) and multi-factor authentication (MFA) where relevant based on information classification and Atlassian’s Zero Trust Model architecture;

1.8. centrally managed mobile device management (MDM) solution, including defined lockout periods and posture checks for endpoints and mobile devices;

1.9. identifying and removing redundant and dormant accounts, promptly revoking access through automated and regular review processes.

2. Awareness and Training

Atlassian maintains a comprehensive set of formal policies, controls, and practices for conducting appropriate trainings and security awareness activities, which includes:

2.1. extensive awareness training on security, privacy, and compliance topics for all employees at induction and annually, utilizing diverse formats (online, in-person, and pre-recorded sessions, phishing simulations);

2.2. targeted role-specific training and documentation for employees with elevated privileges to address relevant risks and enhance their specific knowledge as required for their respective roles;

2.3. maintaining all training records in a designated learning management system;

2.4. an automated reminder for training deadlines, with a built-in escalation process to respective managers;

2.5. continuous security awareness trainings (extending to contractors and partners), covering current threats and best security practices;

2.6. secure coding trainings by security champions embedded within engineering teams;

2.7. annual mandatory security trainings and events to reinforce security principles through different activities, emphasizing the collective responsibility for security;

2.8. annual secure development training to Atlassian developers in alignment with industry standards.

3. Audit and Accountability

Atlassian maintains a comprehensive set of formal policies, controls, and practices for proper auditing and accountability purposes, which includes:

3.1. comprehensive logging standards as part of Atlassian's policy management framework, with annual reviews and senior management approvals;

3.2. secure forwarding and storage of relevant system logs to a centralized log platform of the cloud infrastructure with read-only access;

3.3. monitoring of security audit logs to detect unusual activity, with established processes for reviewing and addressing anomalies;

3.4. regular updates to the logging scope of information and system events for Cloud Products and related infrastructure in order to address new features and changes;

3.5. utilizing time sync services from relevant cloud service providers (e.g. AWS or Microsoft Azure) for reliable timekeeping across all deployed instances.

4. Assessment, Authorisation and Monitoring

Atlassian maintains a comprehensive set of formal policies, controls, and practices for consistent system monitoring and security assessments, which includes:

4.1. extensive audit and assurance policies with annual reviews and updates;

4.2. a centralized internal policy program categorising the global policies into different domains including annual review, and senior management approval of the program;

4.3. audit management encompassing the planning, risk analysis, security control assessment, conclusion, remediation schedules, and review of past audit reports;

4.4. internal and independent external audits conducting annual evaluations of legal and contractual requirements, as well as effectiveness of controls and processes to validate compliance;

4.5. ongoing verification of compliance against relevant standards and regulations, e.g. ISO 27001 or SOC 2;

4.6. systematically addressing any nonconformities found through audit findings taking into account the root-cause analysis, severity rating, and corrective actions;

4.7. annual penetration testing on Cloud and Software Products and proactive bug bounty programs for the detection and mitigation of vulnerabilities;

4.8. continuous vulnerability scanning consistent with commonly-accepted standards and practices for security testing with subsequent remediation of identified vulnerabilities based on the Common Vulnerability Scoring System (CVSS) in line with Atlassian's Security Bugfix Policy;

4.9. security testing, privacy risk and vulnerability assessments of the relevant Cloud Products and processes at least annually.

5. Configuration Management

Atlassian maintains a comprehensive set of formal policies, controls, and practices for appropriate configuration management, which includes:

5.1. change management policies covering the risk management for all internal and external asset changes, reviewed annually;

5.2. standard procedures for change management applicable to encryption and cryptography for the secure handling of data (e.g. encryption keys) according to its security classification, including but not limited to key rotation, defining key ownership, secure storage;

5.3. a centralized internal policy program categorising the global policies into different domains including annual review, and senior management approval of the program;

5.4. stringent policies encompassing (i) encryption, (ii) cryptography, (iii) endpoint management, and (iv) asset tracking in line with industry standards;

5.5. established baselines and standards for change control that require testing documentation prior to implementation and authorized approval;

5.6. a peer review and green build process requiring multiple reviews and successful testing for production code and infrastructure changes;

5.7. a strict post-implementation testing and approval process for emergency changes to the code;

5.8. a comprehensive automated system, supplemented by an Intrusion Detection System (IDS), for managing and protecting against unauthorized changes;

5.9. cataloguing and tracking of all physical and logical assets with annual reviews ensuring up-to-date asset management;

5.10. continuous monitoring and managing the health (including capacity) and availability of assets and Cloud Products, including their underlying components.

6. Contingency Planning

Atlassian maintains a comprehensive set of formal policies, controls, and practices for appropriate contingency planning for business continuity and disaster recovery purposes, which includes:

6.1. a skilled workforce and robust IT infrastructure, including telecommunications and technology essential for Product delivery;

6.2. business continuity and disaster recovery plans (“BCDR Plans”), including defined recovery time objectives (RTOs) and recovery point objectives (RPOs);

6.3. business continuity plans encompassing data storage and continuity of use, reasonably designed to prevent interruption to access and utilization;

6.4. geographic diversity as a result of our global workforce and cloud infrastructure;

6.5. reinforcing business operations through resilience controls, such as daily backups, annual restoration testing, and alternative cloud infrastructure storage sites;

6.6. a resilience framework and procedures for response and remediation of cybersecurity events in order to maintain business continuity;

6.7. quarterly disaster recovery tests and exercises to enhance response strategies, with post-test analyses for continuous improvement aligned with applicable BCDR Plans;

6.8. continuous capacity management across Cloud Products, with internal monitoring and adjustments to maintain service availability and processing capacity, for example distributed denial-of-service attack (DDoS) mitigation for Cloud Products and related infrastructure;

6.9. a centralized internal policy program for annual reviews and updates of all global policies related to business continuity;

6.10. robust backup protocols, including (i) data encryption, (ii) redundancy across data centers, and (iii) regular testing to bolster contingency planning.

7. Identification and Authentication

Atlassian maintains a comprehensive set of formal policies, controls, and practices for appropriate identification and authentication purposes, which includes:

7.1. unique identification of employees through Active Directory, utilising single sign-on (SSO) for application access;

7.2. utilising MFA for secure access, specifically for VPN and application launch via SSO based on Atlassian’s Zero Trust Model architecture;

7.3. password policies following the NIST 800-63B guidelines, focusing on the security aspects of password creation and management;

7.4. ensuring the security of stored credentials using advanced encryption methods, e.g. password and secret management systems;

7.5. documented approvals, regular reviews of users and accounts, and automatic syncs between the relevant identity system and human resources systems to maintain the integrity and accuracy of identification data.

8. Security Incident Response

Atlassian maintains a comprehensive set of formal policies, controls, and practices for appropriate Security Incident response purposes, which includes:

8.1. Security Incident response plans emphasizing preparedness, containment, eradication and recovery, as well as focus on data protection and other regulatory requirements;

8.2. dedicated cross-functional teams handling Security Incidents, ensuring effective communication and collaboration, including well-defined processes for triaging security events;

8.3. regular testing of response plans with established metrics to track and improve Security Incident management effectiveness;

8.4. annual reviews of company-wide incident response plans and policies to reflect and share current best practices across the company;

8.5. post-incident review with root cause analysis conducted for high-severity Security Incidents, focusing on systemic improvements and learning;

8.6. incident response procedures and plans embedded in critical business processes to minimize downtime and security risks;

8.7. published system availability information to aid in Security Incident handling and reporting at https://status.atlassian.com/ and https://www.loomstatus.com/, as applicable;

8.8. the ability for Customer to report incidents, vulnerabilities, bugs, and issues, ensuring prompt attention to concerns related to system defects, availability, security, and confidentiality;

8.9. commitment to Customer notification of the Security Incident without undue delay as set forth in Atlassian’s Data Processing Addendum, including the obligation to promptly assist the Customer with necessary information for compliance with Applicable Data Protection Laws.

9. Maintenance

Atlassian maintains a comprehensive set of formal policies, controls, and practices for continued effectiveness of its Cloud Products, which includes:

9.1. regular testing of BCDR Plans with quarterly evaluations, validated by external auditors;

9.2. real-time monitoring of the availability of multiple regions, with regular tests performed for infrastructure availability and reliability;

9.3. measures outlined in Section 4 (Assessment, Authorisation and Monitoring), Section 6 (Contingency Planning) and Section 18 (System and Communications Protection).

10. Media Protection

Atlassian maintains a comprehensive set of formal policies, controls, and practices to ensure the protection of media (internal and external), which includes:

10.1. using reliable third party services (e.g. Microsoft Azure or AWS) to operate the physical infrastructure for processing Customer Data as a Sub-processor;

10.2. sanitization and degaussing of used equipment by the third party cloud service providers, including hard drives with Customer Data in line with industry standards (e.g. NIST 800-88);

10.3. full disk encryption using industry standards (e.g. AES-256) employed for data drives on servers and databases storing Customer Data, Customer Materials, and on endpoint devices;

10.4. access to Customer Data and Customer Materials is strictly limited to Atlassian-owned machines configured under a mobile device management solution, following Atlassian’s Zero Trust Model architecture;

10.5. internal bring your own device (BYOD) policy ensuring that access to permitted Atlassian networks and systems is only possible via secure and compliant devices;

10.6. unattended workspaces are required to have no visible confidential data, aligning with the secure workplace guidance.

11. Physical and Environmental Protection

Atlassian maintains a comprehensive set of formal policies, controls, and practices for the physical and environmental protection of Customer Data and Customer Materials, which includes:

11.1. a safe and secure working environment with controls implemented globally at Atlassian's offices;

11.2. employing badge readers, camera surveillance, and time-specific access restrictions for enhanced security;

11.3. implementing and maintaining access logs at office buildings for investigative purposes;

11.4. multiple compliance certifications and robust physical security measures, including biometric identity verification and on-premise security, implemented by third party data center providers;

11.5. controlled access points and advanced surveillance systems as well as protective measures for power and telecommunication cables, alongside with environmental control systems, implemented by third party data center providers;

11.6. positioning critical equipment in low-risk environmental areas for added safety (both by Atlassian and its third party data center providers);

11.7. precautions to protect physical infrastructure of facilities where Customer Data or Customer Materials are hosted or otherwise processed against environmental threats, both naturally occurring and man-made, such as excessive ambient temperature, fire, flood, humidity, theft, and vandalism.

12. Planning

Atlassian maintains a comprehensive set of formal policies, controls, and practices for appropriate planning of business operations, which includes:

12.1. active monitoring and documentation by legal and compliance teams on regulatory obligations;

12.2. a detailed system security plan with comprehensive documentation on system boundaries and product descriptions;

12.3. communication to internal users and customers about significant changes to key products and services;

12.4. periodic reviews and updates of the security management program.

13. Program Management

Atlassian maintains a comprehensive set of formal policies, controls, and practices for appropriate program management, which includes:

13.1. supporting the security management program at the executive level, encompassing all security-related policies and practices;

13.2. documented information security policies, including (i) defined roles, (ii) risk mitigation, and (iii) service provider security management program;

13.3. periodic risk assessments of systems processing Customer Data, with prompt reviews of Security Incidents for corrective action;

13.4. formal security controls framework aligning to standards such as SOC 2, ISO 27001, and NIST 800-53;

13.5. processes for identifying and quantifying security risks, with mitigation plans approved by the Chief Trust Officer and regular tracking of implementation;

13.6. comprehensive and diverse approach to security testing to cover a wide range of potential attack vectors;

13.7. regular review, testing and updating of the information security management program and policies integral to Atlassian’s business (annually, at a minimum);

13.8. an information security management program that requires a security-by-design approach, secure development, secure engineering, and secure operations that are consistent with industry standards;

13.9. development program for security staff with regular trainings; organizational chart that delineates roles and responsibilities;

13.10. setting and review of strategic operational objectives by the executive management;

13.11. annual review of the Enterprise Risk Management (ERM) framework, including the risk management policy, risk assessments, and fraud risk assessments, by the Head of Risk and Compliance.

14. Personnel Security

Atlassian maintains a comprehensive set of formal policies, controls and practices for the security of all Atlassian’s employees who have access to Customer Data and Customer Materials, which includes:

14.1. pre-hire background checks, including criminal record inquiries, for all in-scope employees, with heightened reviews performed for senior executive and accounting roles to the extent permissible under applicable local laws;

14.2. an onboarding process that includes in-scope employees’ execution of confidentiality agreements, employment contracts, and acknowledgement of applicable policies and codes of conduct;

14.3. global and local employment policies, maintained and reviewed annually;

14.4. processes for role changes and terminations including automatic de-provisioning and checklists for employee exits, with managerial approval required for re-provisioning access;

14.5. ongoing security and compliance training for employees, with targeted training for specific roles and the presence of security champions in teams;

14.6. established disciplinary processes to manage violations of Atlassian's policies.

15. Personal Data Processing and Transparency

Atlassian maintains a comprehensive set of formal policies, controls, and practices for the compliance of personal data processing in line with Applicable Data Protection Laws, which includes:

15.1. a global privacy compliance program for reviewing and adapting to applicable data protection laws including necessary safeguards and processes;

15.2. maintaining an internal personal data processing policy with clear definitions of personal data categories, processing purposes, and processing principles;

15.3. detailed standards for processing of various categories of personal data covering topics such as processing principles, applicable legal basis, privacy by design/by default principles, retention, and destruction;

15.4. an established method to create pseudonymised data sets using industry standard practices and appropriate technical and organisational measures governing the systems capable of remapping pseudonymous identifiers;

15.5. transparent privacy policies for its users and customers, as well as internal guidelines for employees;

15.6. comprehensive compliance documentation, including but not limited to, and where applicable, (i) a record of processing activities, (ii) privacy impact assessments, (iii) transfer impact assessments, (iv) consents, and (v) data processing agreements with customers and vendors;

15.7. secure development practices across all development lifecycle stages, focusing on security and data protection from the initial design phase;

15.8. ensuring Atlassian’s compliance with data subjects' rights to access, correct, and delete their personal data in accordance with applicable data protection laws.

16. Risk Assessment

Atlassian maintains a comprehensive set of formal policies, controls, and practices for a robust Information Security Management System, which includes:

16.1. a comprehensive risk management program for identifying, assessing, and addressing various risks to support informed risk management decisions;

16.2. a policy program aligning company-wide policies with ISO 27001 and other relevant standards to mitigate associated risks;

16.3. continuous security testing and vulnerability identification, including (i) penetration tests, (ii) bug bounties, and (iii) proactive threat mitigation;

16.4. processes and metrics for reporting vulnerability management activities;

16.5. thorough security evaluations, including independent external and internal audits.

17. System and Services Acquisition

Atlassian maintains a structured, security-centric methodology for system development, maintenance, and change management, which includes:

17.1. an agile secure software development life cycle, including the review and documentation of system and infrastructure changes;

17.2. secure, standardized application deployment with automated processes for system configuration changes and deployment;

17.3. defined development process with peer-reviewed pull requests and mandatory automated tests prior to merging;

17.4. segregated responsibilities for change management among designated employees;

17.5. emergency change processes, including "break glass" procedures, ensuring readiness for rapid response during critical incidents;

17.6. robust compliance settings in Atlassian’s source code and deployment systems preventing unauthorized alterations;

17.7. clear documentation and monitoring of all configuration changes, with automatic alerts for non-compliance or alterations in peer review enforcement;

17.8. supporting documentation for Cloud and Software Products including instructions on how to securely use and configure them;

17.9. strict controls over modifications to vendor software;

17.10. regular scanning and updates of third-party or open-source libraries as well as ongoing scanning of the code base.

18. System and Communications Protection

Atlassian maintains a comprehensive set of formal policies, controls, and practices for system and communication protection, which includes:

18.1. cryptographic mechanisms to safeguard sensitive information stored and transmitted over networks, including public internet, using reliable and secure encryption technologies;

18.2. encryption of Customer Data at rest using AES-256 and in transit using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) across public networks;

18.3. zone restrictions and environment separation limiting connectivity between production and non-production environments;

18.4. continuous management of workstation assets including (i) security patch deployment, (ii) password protection, (iii) screen locks, and (iv) drive encryption through asset management software;

18.5. restricting access to only known and compliant devices enrolled in the MDM platform, adhering to the principles of Zero Trust Model architecture;

18.6. maintaining firewalls at corporate edges for both platform and non-platform hosted devices for additional layers of security;

18.7. maintaining network and host defense, including operating system hardening, network segmentation, and data loss prevention technologies;

18.8. established measures to ensure Customer Data and Customer Materials are kept logically segregated from other customers' data.

19. System and Information Integrity

Atlassian maintains formally established policies and practices that include the following controls and safeguards relevant for system and information integrity, in particular:

19.1. adherence to stringent data disposal protocols in line with applicable laws, reasonably ensuring that data from storage media is irrecoverable post-sanitization;

19.2. strict policies to prevent the use of production data in non-production environments, ensuring the data integrity and segregation;

19.3. centrally managed, read-only system logs; monitoring for Security Incidents; retention policies aligned with security best practices;

19.4. generating and retaining logs that record access by Atlassian personnel to Customer Data or Customer Materials with respect to systems used in providing the Products, and protection of such logs against unauthorized access, modification, and accidental or deliberate destruction;

19.5. managing endpoint compatibility with systems and applications, enhancing network security and reliability;

19.6. deploying anti-malware strategies on the relevant infrastructure and Atlassian devices for robust protection against malware threats with regular updates to malware protection policies and detection tools;

19.7. unique identifiers and token-based access control to ensure logical isolation of, and secure, limited access to, Customer Data;

19.8. segregation of production and non-production environments;

19.9. protection of Customer Data within a sandbox environment (for example, to reproduce an error) utilising similar measures to those in the production environment.

20. Supply Chain Risk Management

Atlassian maintains formally established policies and practices for supply chain risk management, which includes:

20.1. a formal framework for managing vendor relationships, and aligning the security, availability, and confidentiality standards of suppliers throughout their lifecycles;

20.2. a robust third party risk management (TPRM) assessment process including risk assessments, due diligence, contract management, and ongoing monitoring of all third parties;

20.3. dedicated teams, including legal, procurement, security, and risk departments for the review of contracts, service level agreements, and security measures to manage risks related to security and data confidentiality;

20.4. functional risk assessments of suppliers before onboarding and periodically, based on risk levels, with revisions during policy renewals or significant relationship changes;

20.5. an inventory of all suppliers detailing ownership and risk levels associated with the services provided to Atlassian;

20.6. annual review of audit reports (e.g. SOC 2) and regular reviews of information technology governance policies and security assessments of supply chain providers to ensure applicable controls are compliant;

20.7. measures to secure third-party endpoints, focusing on compliance monitoring and selective restrictions.
