
Evaluating Rovo? Three things you need to know about security and data governance

Tom Pieterse
Atlassian Team
August 7, 2025

Hi Atlassian community,

I’m Tom Pieterse, Principal Trust Analyst on Atlassian’s Trust Engagement Team, and I have over 15 years of experience in cybersecurity. In my day-to-day job, I help customers like you navigate risk, security, and compliance across our Cloud and Data Center products.

Lately, as many of you are evaluating Rovo for the first time, I’ve noticed some common security themes emerging across my conversations, and I wanted to provide more clarity on how Rovo’s AI-powered capabilities have been designed. We’ve used the same secure foundation and trusted approach you’re already familiar with from our other AI capabilities, and, just like our approach to Atlassian Apps like Jira and Confluence, we continue to build Rovo capabilities in alignment with our Responsible Technology Principles, offering robust safeguards to protect your data and help you address your compliance requirements.

Today, I’m going to address three common security and governance topics that my team and I have been discussing with customers who are evaluating Rovo:

  1. Rovo’s access to third-party data via app connectors

  2. Guardrails for agent permission controls

  3. Security, compliance, and privacy processes that protect your data

1. Rovo’s access to third-party data via app connectors

Rovo allows organization admins to connect enterprise third-party SaaS apps—such as Google Drive, SharePoint, and more—using Rovo connectors. These connectors are disabled by default, and when you choose to enable a connector for a third-party app, Rovo strictly enforces your users’ existing permissions. This means users will only be able to access the data they’re already authorized to see within each connected app, ensuring your organization’s security and compliance standards are maintained.

Admins can navigate to Atlassian Administration -> Settings -> Rovo to connect approved third-party SaaS apps using Rovo connectors

If you want to remove a connection with a third-party app linked to Rovo, you can disconnect the app by following the same steps in Atlassian Administration. The data will be deleted in accordance with our data, privacy and usage guidelines.

2. Guardrails for agent permission controls

Rovo agents are like AI teammates. Just as you create a page to share an idea, you can create an agent to help with tasks, uncover insights, brainstorm, and move work forward.

Rovo agents are designed with permissions and governance at their core. This means Rovo agents can only operate within the permissions of the user interacting with them. These guardrails ensure that an agent does not have any additional access or ability to change things outside of the user’s available permissions. In addition, admins and users remain in control of configuring what actions agents can take, and agent actions are logged for transparency. For example, when a user creates a new Rovo agent, updates an agent’s configuration, or deletes an agent, each of these actions is recorded in the audit log. This approach keeps humans in the loop.

Also, your admins can use agents in automation rules to reduce time spent on more complicated repetitive tasks. Once again, all actions taken by agents through automation rules are logged and auditable for additional transparency.

Navigate to Atlassian Administration -> Security -> Audit log to filter on Rovo-related activities

3. Security, compliance, and privacy processes that protect your data

Rovo is built on the trusted Atlassian Cloud Platform, keeping your data secure and private in our AI-powered features. Your inputs and outputs are not used to train, fine-tune, or improve any third-party LLM models or services, and all features are built with security, privacy, and compliance in mind on Atlassian’s enterprise-grade infrastructure. When it comes to data protection with Rovo, remember:

  • Data sent to third-party LLM providers is encrypted, not retained, and only used to serve your experience.

  • Your existing user permissions and access controls are always respected.

  • Rovo and Atlassian Intelligence are SOC 2 and ISO 27001 certified. We are also committed to helping our customers stay compliant with GDPR and other local requirements.

  • While Rovo Search, Studio, and Bookmarks are now part of the Atlassian Cloud Platform and are always on, you can activate or deactivate AI-powered Rovo features for your available apps at any time according to the steps in our support documentation. For more guidance on which Rovo features use AI, refer to our support guide.

Navigate to Atlassian Administration -> AI-enabled Apps

As a reminder, Atlassian’s Trust Center and AI transparency page always have the latest Rovo security, privacy, and compliance information available to you. I hope covering these topics provides more insight into some of the common questions customers like you have been raising and gives some guidance around how you can address them within your own organization.

Stay tuned, as I’ll be popping into Community more often to share insights like these. I want to keep the conversation going, so please feel free to ask more questions in the comments.

 

Tx. Tom
