Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Atlassian's Data Contribution change lands Aug 17th – have you decided what to do?

If you administer a cloud instance, you've probably seen the notices by now: from 17 August 2026, Atlassian is changing how it uses customer metadata and in-app data to improve its apps and AI experiences across all customers. The settings began rolling out in April and were fully available from 19 May, which means the decision window is already open... and closing.

This isn't a post telling anyone what to decide! It's more of a nudge to make sure you decide at all, rather than letting the defaults decide for you.

What's actually changing

Two categories of data come into scope for Jira, Confluence and Jira Service Management (plus platform apps like Rovo, and certain Teamwork Graph connectors):

  • Metadata – content attributes like story-point counts and page complexity, and "common patterns" (phrases, keywords and topics) extracted from things like search and Rovo Chat.
  • In-app data – the actual content: Confluence page titles and bodies, Jira work item titles, descriptions and comments, custom workflow and status names.

Atlassian de-identifies and aggregates this data before it's used, and has published clear documentation on the safeguards. The defaults, though, vary by plan. Metadata is on for everyone and can only be switched off on Enterprise. In-app data is on by default for Free and Standard, off for Premium and Enterprise, and can be opted out of on any plan. Some instances are excluded entirely, such as those using customer-managed encryption keys, Government Cloud, Isolated Cloud, or under HIPAA. It's worth checking the official Atlassian page for your exact position rather than assuming.

The real prompt: how does AI interact with your data?

The useful thing about this change is that it forces a question most of us have been putting off: what actually lives in our instance, how sensitive is it, and who – or what – can read it? Whatever you decide on data contribution, that question doesn't go away. Rovo and external agents are already reading the same content, within the same permissions. If you don't have a clear view of what's classified, what's current, and what's exposed, you can't make a confident call on contribution either.

So treat 17 August as a deadline to get that view, not just to flip a switch. Pull the right people together – security, compliance, platform owners – and agree a position deliberately, before the wrong position is agreed accidentally without you.

A good moment to think about ISO 42001

If this change has your compliance team's attention, it's a natural on-ramp to ISO/IEC 42001 – the first international standard for AI management systems.

In short, it gives organisations a structure for using AI responsibly: documenting how AI is used, governing access to sensitive information, keeping records reviewed and current, and evidencing sign-off and ownership. It matters because "we're being careful with AI" is hard to prove to a customer, a regulator or an auditor without a framework behind it – and decisions like your data contribution stance are exactly the kind of thing it expects you to have assessed and recorded.

You don't need to bend over backwards to get yourself across the start line and mobilising.

We've written up how Confluence and a few Marketplace apps can support the standard clause by clause, if it's helpful as a starting point: How to support ISO 42001 compliance in Confluence.

Next steps: check your wider AI readiness

Underneath all of this is the same foundation. An instance that's tidy, current, governed, accountable and legible is one you can make confident decisions about, whether that's data contribution, turning on Rovo, or working towards ISO 42001. One that isn't leaves you guessing.

If you'd like a quick read on where you stand, we built a short AI-Readiness Scorecard: 15 questions across those five pillars, giving you a score per pillar and a sense of where to start first. The thinking behind it is in the write-up alongside it: Is your Atlassian instance ready for AI? The 5-pillar readiness check.

For everyone who's already looked at their settings: what did you decide, and what made the call easy or hard?

2 comments

Anwesha Pan
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 14, 2026

Thanks @Matthew Joslin_AppFox_ for sharing this article!

Like Matthew Joslin_AppFox_ likes this
Karl from Ricksoft
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 15, 2026

The "what's classified and who can read it" question is the right one, and it's getting measurably more expensive to ignore — Verizon's 2026 DBIR found unsanctioned AI tool use has tripled to 45% of the workforce, adding roughly $670K to breach costs when it's a factor. A plain custom field is just plaintext to anything with API access, Rovo included. With Secure Custom Fields for Jira, the value's encrypted at rest in Jira itself, so a native Rovo or Automation read only ever gets ciphertext — decryption only happens through our permission-checked resolvers. (Disclosure: I work on that product at Ricksoft.) Happy to compare notes — free trial here.

Like Anwesha Pan likes this

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events