Can you please provide me your policy on how pages are securely deleted from the Cloud version of Confluence?
Example:
Company ACME has stored sensitive information on one of your pages by accident or on purpose and protected it. Due to new internal privacy regulations, ACME has instructed the department that manages the pages to remove it.
How is Atlassian ensuring that this is nuked?
Thanks
-winn
Hi Winn,
Here is our published policy as requested: Security practices. I think the relevant topic is Access to Customer Data:
Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.
Within Atlassian, only authorized Atlassian employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and the servers only accept incoming SSH connections from Atlassian and internal data center locations.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.
I understand the use case is "what would happen if security policy changed for a company so that data on the instance becomes confidential after it is posted, and it needs to be deleted." In such a case, Atlassian would not guarantee that the data is purged, but access to it at Atlassian would be limited as described in the security doc I linked.
Thanks,
Ann