New 'Rovo: Atlassian's Secure AI Architecture Whitepaper v2'

Hey Atlassian Community!

I am David Cross, your Chief Information Security Officer, and I am thrilled to announce an update to our Rovo AI Security white paper today. We collaborate with security, privacy, and product experts to help customers adopt AI securely with Rovo in Atlassian apps. Your organization can confidently embrace Rovo AI while prioritizing security, privacy and compliance.

When it comes to AI adoption, we hear a common challenge: security teams and decision-makers want something comprehensive but accessible that addresses their AI-specific concerns beyond a general trust FAQ.

We have published the second edition of our Rovo Security & Trust White Paper: a comprehensive, technically rigorous yet accessible document designed to assist your security, privacy, and compliance stakeholders in confidently assessing Rovo.

📄 Download it from the Trust Portal

If you are new to the Trust portal, you may be guided through a quick, one-time access flow (one-time code, and possibly an NDA for your organization). To learn more about the Atlassian Customer Trust Portal, visit https://customertrust.atlassian.com/.

This white paper includes

  • Rovo architecture and security principles: High-level architecture, data flows, and integration with Atlassian's Teamwork Graph

  • Zero Data Retention (ZDR): How third-party LLM providers (OpenAI, Google, Anthropic via AWS Bedrock) process prompts without storing or training on your data

  • Permission-aware AI: How Rovo enforces your existing access controls across Atlassian apps and 50+ Teamwork Graph connectors (Google Drive, Slack, SharePoint, and more)

  • Enterprise admin controls: Rovo Access (allowlist/blocklist), Atlassian-hosted LLMs option, data residency, IP allowlisting, Customer-Managed Keys (CMK), and agent governance

  • Observability: Audit logs, admin dashboards, and Rovo-specific service status monitoring

  • AI threat detection and response: How Atlassian detects abuse, prompt injection, and anomalous access patterns

  • Compliance certifications: SOC 2 Type II, ISO 27001, ISO 27018, ISO 22301, and progress toward ISO 42001 (AI Management System)

  • EU AI Act and Responsible AI: Atlassian’s EU AI Pact commitments, Responsible Technology Reviews, and Acceptable Use Policy enforcement

How this benefits you

If your security or compliance team is evaluating AI tools, this paper is designed to give you the answers you need to move forward:

  • Prove to leadership that AI adoption does not mean compromising data governance. ZDR, permission checks, and tenant isolation mean your data is not used for LLM training and not exposed across customers.

  • Simplify your vendor risk assessment. The paper maps directly to common security review questions: architecture, data flows, encryption, access control, incident response, and compliance.

  • Maintain control while enabling AI at scale. Admins can restrict AI to specific user groups, determine which third-party tools to connect, pin data at rest to a region of choice, and monitor usage through dashboards and audit logs.

  • Unlock organizational knowledge safely. Rovo Search, Chat, and Agents connect your teams' knowledge across Jira, Confluence, and connected third-party apps, always respecting the user's permissions, never the agent creator's.

  • Test before you commit. Activate Rovo in a sandbox and test the features before rolling it out broadly.

You might find this handy for

  • Security and compliance reviews during AI procurement

  • Internal risk assessments (CISO, DPO, Legal)

  • Board or exec briefings on AI governance posture

  • Vendor due-diligence and questionnaire responses

  • Pre-reads before turning on Rovo for your organization

Updates included in v2

This second release significantly expands on v1 with:

  • New sections on Rovo Skills, Rovo Studio, and Teamwork Graph Connectors (including admin scoping controls like blocklists, allowlists, and date-based ingestion)

  • Customer-Managed Keys (CMK) support for Rovo

  • AI-specific detection and response: how we identify and mitigate AI threats

  • Atlassian Guard integration for sensitive data discovery and DLP

  • Updated compliance section including ISO 42001 progress and EU AI Act commitments

We would love your feedback

  • Your feedback is instrumental in assessing the impact of this document. Please indicate whether the paper contributed to time savings during an actual security review.

  • Your insights assist us in calibrating the level of detail. Kindly inform us if the content is appropriate for your audience or if it requires adjustment to be more high-level or technically detailed.

  • Your suggestions regarding topics guide our future efforts. Please provide comments specifying one or two areas you would like us to investigate further, along with the intended audience, such as Chief Information Security Officer, procurement, Data Protection Officer, engineering, or other relevant groups.

We will utilize your feedback to inform the development of subsequent initiatives.

Thank you for contributing to the creation of Trust content that is genuinely valuable!

David
