If you administer a cloud instance, you've probably seen the notices by now: from 17 August 2026, Atlassian is changing how it uses customer metadata and in-app data to improve its apps and AI experiences across all customers. The settings began rolling out in April and were fully available from 19 May, which means the decision window is already open... and closing.
This isn't a post telling anyone what to decide! It's more of a nudge to make sure you decide at all, rather than letting the defaults decide for you.
Two categories of data come into scope for Jira, Confluence and Jira Service Management (plus platform apps like Rovo, and certain Teamwork Graph connectors):
Atlassian de-identifies and aggregates this data before it's used, and has published clear documentation on the safeguards. The defaults, though, vary by plan. Metadata is on for everyone and can only be switched off on Enterprise. In-app data is on by default for Free and Standard, off for Premium and Enterprise, and can be opted out of on any plan. Some instances are excluded entirely, such as those using customer-managed encryption keys, Government Cloud, Isolated Cloud, or under HIPAA. It's worth checking the official Atlassian page for your exact position rather than assuming.
The useful thing about this change is that it forces a question most of us have been putting off: what actually lives in our instance, how sensitive is it, and who – or what – can read it? Whatever you decide on data contribution, that question doesn't go away. Rovo and external agents are already reading the same content, within the same permissions. If you don't have a clear view of what's classified, what's current, and what's exposed, you can't make a confident call on contribution either.
So treat 17 August as a deadline to get that view, not just to flip a switch. Pull the right people together – security, compliance, platform owners – and agree a position deliberately, before the wrong position is agreed accidentally without you.
If this change has your compliance team's attention, it's a natural on-ramp to ISO/IEC 42001 – the first international standard for AI management systems.
In short, it gives organisations a structure for using AI responsibly: documenting how AI is used, governing access to sensitive information, keeping records reviewed and current, and evidencing sign-off and ownership. It matters because "we're being careful with AI" is hard to prove to a customer, a regulator or an auditor without a framework behind it – and decisions like your data contribution stance are exactly the kind of thing it expects you to have assessed and recorded.
You don't need to bend over backwards to get yourself across the start line and mobilising.
We've written up how Confluence and a few Marketplace apps can support the standard clause by clause, if it's helpful as a starting point: How to support ISO 42001 compliance in Confluence.
Underneath all of this is the same foundation. An instance that's tidy, current, governed, accountable and legible is one you can make confident decisions about, whether that's data contribution, turning on Rovo, or working towards ISO 42001. One that isn't leaves you guessing.
If you'd like a quick read on where you stand, we built a short AI-Readiness Scorecard: 15 questions across those five pillars, giving you a score per pillar and a sense of where to start first. The thinking behind it is in the write-up alongside it: Is your Atlassian instance ready for AI? The 5-pillar readiness check.
For everyone who's already looked at their settings: what did you decide, and what made the call easy or hard?
Matthew Joslin_AppFox_
2 comments