Region: EMEA
Industry: Government and public sector
Type: Alignments / Frameworks
Documentation
The Cloud Computing Compliance Criteria Catalogue (C5) is a security framework developed by Germany's Federal Office for Information Security (BSI) that establishes minimum requirements for secure cloud computing. First published in 2016 and revised in 2019, C5 provides an independent assessment mechanism rather than a certification, enabling transparent evaluation of cloud service security controls across areas including identity management, data protection, incident response, and operational resilience. The framework supports German regulatory requirements such as the German IT Security Act, with healthcare cloud services mandated to meet C5 criteria since July 2024.
C5 assessment types
C5 assessments, conducted by independent auditors, evaluate security controls either at a specific point in time (Type 1) or over an extended period (Type 2). These standardized reports provide transparency into Atlassian’s security practices and risk management, enabling organizations to systematically compare cloud providers and make informed decisions about cloud adoption and ongoing risk management.
Shared responsibility in compliance
C5 assessments follow a shared responsibility model where Atlassian provides comprehensive security controls and transparent reporting, while customers retain responsibility for analyzing assessment reports within their own risk management frameworks and determining alignment with their specific security requirements. We encourage customers to review C5 reports annually as part of their vendor risk assessment processes.
Non-disclosure agreement
Coalfire Controls, LLC (“Coalfire”) has prepared the attached report (the “Report”) for the sole benefit and use of Atlassian Corporation Plc (“Company”), and, for limited purposes in accordance with the relevant standards of the American Institute of Certified Public Accountants (the “AICPA”), Company’s existing user entities and their auditors. In addition, certain prospective user entities, identified by the Company (collectively with existing user entities, each a “Recipient”), may have access to the Report subject to the terms of this agreement. Your access to the Report is subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement not as an individual but on behalf of your company, then “Recipient” or “you” means your company, and you are binding your company to this agreement.
By clicking on the “I ACCEPT” button below, you signify that you and the Recipient agree to be bound by these terms and conditions. Such acceptance and agreement shall be deemed to be as effective as a written signature by you, on behalf of yourself and the Recipient, and this agreement shall be deemed to satisfy any writings requirements of any applicable law, notwithstanding that the agreement is written and accepted electronically. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than Company is prohibited, except as provided below.
Company agrees to allow Recipient access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:
The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Recipient has requested that Company provide Recipient a copy of the Report.
The Services were undertaken, and the Report was prepared, solely for the benefit and use of Company, its existing user entities, and their auditors, and was not intended for any other purpose, including the use by prospective user entities of Company. Coalfire has made no representation or warranty to the Recipient as to the sufficiency of the Services or otherwise with respect to the Report. Had Coalfire been engaged to perform additional services or procedures, other matters might have come to Coalfire’s attention that would have been addressed in the Report.
The Services did not (a) constitute an audit, review or examination of financial statements in accordance with generally accepted auditing standards of the AICPA or the standards of the Public Company Accounting Oversight Board, (b) constitute an examination of prospective financial statements in accordance with applicable professional standards or (c) include procedures to detect fraud or illegal acts to test compliance with the laws or regulations of any jurisdiction.
The Recipient (a) does not acquire any rights against Coalfire, any other member firm of the global Coalfire Controls, LLC network, or any of their respective affiliates, partners, agents, representatives or employees (collectively, the “Coalfire Parties”), the Company or any of their respective affiliates, partners, agents, representatives or employees (together with Coalfire Parties, the “Report Parties”), and the Report Parties assume no duty or liability to the Recipient, in connection with the Services or its access to the Report hereunder; (b) may not rely on the Report; and (c) will not contend that any provisions of United States or state securities laws could invalidate or avoid any provision of this agreement.
Except where compelled by legal process (of which the Recipient shall promptly inform Coalfire and the Company so that they may seek appropriate protection), the Recipient will not disclose, orally or in writing, any Report or any portion thereof or any other Confidential Information received from Coalfire or the Company in connection therewith, or make any reference to Coalfire or Company in connection therewith, in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by the Company in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential at the time of disclosure and within thirty (30) days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security, regulatory and other business policies. This agreement does not create or imply an agreement to complete any transaction or an assignment by Company of any rights in its intellectual property.
The Recipient (for itself and its successors and assigns) hereby releases each of the Report Parties, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or Coalfire’s performance of the Services. The Recipient shall indemnify, defend and hold harmless the Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.
This agreement shall be governed by, and construed in accordance with, the laws of the State of Colorado applicable to agreements made and fully to be performed therein by residents thereof. This agreement can be enforced by any of Report Parties, individually or collectively.
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
KPMG Report NDA
KPMG Assurance and Consulting Services LLP (“KPMG”) has prepared the attached report (the “Report”) for the sole benefit and use of Atlassian Corporation Limited, Atlassian Australia 1 Pty Limited, and Atlassian India LLP (“Company”), and, for limited purposes in accordance with the relevant standards of the American Institute of Certified Public Accountants (the “AICPA”), Company’s existing user entities and their auditors. In addition, certain prospective user entities, identified by the Company (collectively with existing user entities, each a “Recipient”), may have access to the Report subject to the terms of this agreement. Your access to the Report is subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement not as an individual but on behalf of your company, then “Recipient” or “you” means your company, and you are binding your company to this agreement.
By clicking on the “I ACCEPT” button below, you signify that you and the Recipient agree to be bound by these terms and conditions. Such acceptance and agreement shall be deemed to be as effective as a written signature by you, on behalf of yourself and the Recipient, and this agreement shall be deemed to satisfy any writings requirements of any applicable law, notwithstanding that the agreement is written and accepted electronically. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than Company is prohibited, except as provided below.
Company agrees to allow Recipient access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:
The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Recipient has requested that Company provide Recipient a copy of the Report.
The Services were undertaken, and the Report was prepared, solely for the benefit and use of Company, its existing and prospective user entities, and their auditors, and was not intended for any other purpose.
The Services did not (a) constitute an audit, review or examination of financial statements in accordance with generally accepted auditing standards of the AICPA or the standards of the Public Company Accounting Oversight Board, (b) constitute an examination of prospective financial statements in accordance with applicable professional standards or (c) include procedures to detect fraud or illegal acts to test compliance with the laws or regulations of any jurisdiction.
The Recipient (a) does not acquire any rights against KPMG, any other member firm of the global KPMG, LLP network, or any of their respective affiliates, partners, agents, representatives or employees (collectively, the “KPMG Parties”), the Company or any of their respective affiliates, partners, agents, representatives or employees (together with KPMG Parties, the “Report Parties”), and the Report Parties assume no duty or liability to the Recipient, in connection with the Services or its access to the Report hereunder; (b) may not rely on the Report; and (c) will not contend that any provisions of United States or state securities laws could invalidate or avoid any provision of this agreement.
Except where compelled by legal process (of which the Recipient shall promptly inform KPMG and the Company so that they may seek appropriate protection), the Recipient will not disclose, orally or in writing, any Report or any portion thereof or any other Confidential Information received from KPMG or the Company in connection therewith, or make any reference to KPMG or Company in connection therewith, in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by the Company in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential at the time of disclosure and within thirty (30) days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security, regulatory and other business policies. This agreement does not create or imply an agreement to complete any transaction or an assignment by Company of any rights in its intellectual property.
The Recipient (for itself and its successors and assigns) hereby releases each of the Report Parties, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or KPMG’s performance of the Services. The Recipient shall indemnify, defend and hold harmless the Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.
This agreement shall be governed by, and construed in accordance with, the laws of the State of California applicable to agreements made and fully to be performed therein by residents thereof. This agreement can be enforced by any of Report Parties, individually or collectively.
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
MUTUAL NON-DISCLOSURE AGREEMENT
This Mutual Non-Disclosure Agreement (this "Agreement"), entered into by and between Loom, Inc. ("Loom") and the party agreeing to this Agreement ("Counterparty") is effective as of the date Counterparty clicked-through to accept this Agreement ("Effective Date"). The parties hereby agree:
1. Purpose. In order to evaluate a potential business opportunity ("Purpose") the parties may disclose information to each other that they each consider confidential (the party disclosing the information is the "Discloser" and the party receiving the information is the "Recipient").
2. Definition. "Confidential Information" means: any information, including the existence of this Agreement, disclosed orally or in writing by Discloser to Recipient pursuant to this Agreement that is designated as confidential or would reasonably be considered confidential. Confidential Information does not include any information that: (a) was known to Recipient without restriction before receipt from Discloser; (b) is publicly available through no fault of Recipient; (c) is rightfully received by Recipient from a third party without a duty of confidentiality; or (d) is independently developed by Recipient without reference to any Confidential Information.
3. Non-Use and Non-Disclosure. Recipient may only use Confidential Information for the Purpose. Recipient will use at least a reasonable degree of care to protect Confidential Information and prevent its unauthorized use or disclosure. Recipient will not disclose any Confidential Information to anyone except to its employees, directors, contractors, and agents ("Representatives") who need to know it and who are bound by confidentiality obligations at least as protective of the Confidential Information as those of this Agreement. Recipient will be responsible for any breach of this Agreement by its Representatives. Recipient will promptly notify Discloser of any unauthorized use or disclosure of Confidential Information.
4. Compelled Disclosure. Recipient may disclose Confidential Information to the extent compelled to do so by law if it provides reasonable prior notice to Discloser, unless legally prohibited.
5. No Obligation. This Agreement imposes no obligation to proceed with any transaction or discussion. ALL CONFIDENTIAL INFORMATION IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY.
6. No License. This Agreement does not grant any intellectual property rights to Recipient except the limited rights necessary to use Confidential Information for the Purpose.
7. Term. This Agreement will remain in effect for a period of two (2) years from the Effective Date except: (a) the obligations under this Agreement will survive for five (5) years after termination; and (b) confidentiality obligations regarding trade secrets will apply until the information is no longer considered a trade secret under applicable law. On termination, the Recipient will delete or destroy all Confidential Information of Discloser.
8. Injunctive Relief. Any violation of this Agreement may cause irreparable injury to Discloser, entitling Discloser to seek injunctive relief in addition to all legal remedies.
9. Governing Law and Venue. This Agreement is governed by the laws of the State of California, excluding its conflict-of-laws principles. All disputes arising out of this Agreement will be subject to the exclusive jurisdiction and venue of the state and federal courts located in San Francisco, California and each party hereby consents to the personal jurisdiction thereof.
10. Miscellaneous. This Agreement is not assignable or transferable without the prior written consent of the other party except to an affiliate or in connection with a merger, reorganization, or sale of all or substantially all of the assigning party's assets. This Agreement contains the entire agreement between the parties and supersedes any prior agreements between the parties regarding the Purpose. If any provision of this Agreement is found to be invalid or unenforceable, the provision will be enforced to the maximum extent permissible and the remainder of this Agreement will continue in effect. This Agreement can only be amended in writing signed by both parties. Failure to enforce a provision is not a waiver.
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.