🎄 Advent Calendar Day 6: Compliance, But Make It Cozy 🎁

SaaSJet Advent Calendar — The Postcards We Never Sent

Marketplace apps don’t just extend features — they extend data paths. That means the real question isn’t only “Does it work?” but also:

“Can we defend this choice when security, legal, and audit ask the obvious follow-ups?”

That’s where certifications help. Not as a flex — as a shared language between vendors, users, and risk teams.

Where to find these certifications (quick check)

If you’re doing a fast first-pass review of a Marketplace app, start with the app’s Privacy & Security tab. Atlassian’s Marketplace listing questionnaire includes a field where vendors can specify whether the app has compliance certifications (for example, SOC 2 and ISO 27K / ISO 27001, among others).

It won’t replace a full vendor assessment — but it’s a quick way to spot which apps are ready for deeper questions.

Tiny follow-up checklist (30 seconds, not a spreadsheet):

  • Scope: what part of the product/service is covered?

  • Recency: how recent is the report/certification?

  • Evidence: can the vendor share a report summary or supporting details, if needed?

What these certifications signal (in practice)

✅ SOC 2 (especially Type II)

Think of SOC 2 as: “Show me the receipts.”
It’s evidence that controls exist and operated consistently over a period of time. The useful signals are usually around:

  • Access controls (least privilege, reviews, offboarding)
  • Audit trails (what happened, when, and by whom)
  • Change management (how releases are approved and tracked)
  • Incident response (how issues are detected, handled, and documented)

✅ ISO 27001

ISO 27001 is about having a working security management system — not a “security hero” who remembers everything. It typically signals:

  • Ongoing risk management (not once-a-year panic)
  • Clear ownership + policies (who decides what, and why)
  • Training + internal checks (security as habit)
  • Continuous improvement (because threats don’t stand still)

✅ GDPR

GDPR is the reminder that privacy is not a checkbox — it’s governance. It pushes clarity on:

  • Roles and responsibilities (who’s the controller/processor)
  • Data minimization (collect what you need, not what you can)
  • Data subject requests (deletion/export without drama)
  • Data transfers and safeguards (where data goes, under what protection)


Certifications don’t guarantee perfection — but they reduce uncertainty and speed up due diligence when choices need to scale across teams and regions.

💌 Dear SOC 2, thanks for turning “we should probably check that” into “we can prove that.”


P.S. It’s not paranoia if it’s protocol. 🔒✨