
How Atlassian Protects, Isolates and Governs Access to Your Data

Overview

Hey Atlassian Community! I’m @Kevin Wang, a Senior Trust Analyst at Atlassian. I partner with customers to navigate complex security and compliance challenges, particularly as they evaluate Atlassian Cloud or prepare for a migration.

Across those conversations, three themes consistently come up:

  1. How Atlassian protects data

  2. How Atlassian keeps data isolated in a multi‑tenant cloud

  3. How Atlassian governs access to data.

To help you assess these topics in depth, we’ve published a new Data Protection, Isolation, and Access guidance paper, and we invite all customers to download this paper through the Atlassian Customer Trust Portal.

This paper details our approach across the Atlassian platform and apps, broken down into the three focus areas above:

1. Data protection

First, data you store in Atlassian Cloud is encrypted in transit and at rest by default, with securely managed cryptographic keys, and Customer Managed Keys available as an add-on feature for customers needing additional control and cryptographic isolation. We also design for resilience and data loss prevention through backups and recovery testing, protections across endpoints and networks, logging and monitoring, and data deletion processes.

2. Data isolation

Next, we deep‑dive into how Atlassian isolates your data in our multi‑tenant cloud environment. We describe how tenant context is created at provisioning and enforced by the Tenant Context Service (TCS) from the cloud edge through to backend services, ensuring every request is authenticated and scoped to the correct tenant. Our architecture is designed for least privilege, and we segment shared VPC networks with tightly controlled ingress and egress to limit connectivity across boundaries, backed by ongoing testing and review under our security program.

3. Data access

Finally, we cover data access: authorized users on trusted devices can access only the data they need, and only for the time required. Multi-factor authentication (MFA) is enforced everywhere, and privileged roles are tightly scoped and undergo regular access reviews. Atlassian support access is granted by your admins via the Customer Consent Checker in a support ticket and revoked manually or within 24 hours after ticket closure.

Across all three themes, we highlight additional controls available to customers as part of Atlassian’s shared responsibility model. In addition to our secure platform foundation, Atlassian Guard, our advanced security add-on, addresses customers’ unique security and compliance needs with enhanced capabilities. Guard delivers protection, detection, and response capabilities, including data classification, detection rules, and greater audit visibility.

How do I access this paper?

This guidance paper is available to customers in the Trust Guidance Documents folder on the Atlassian Customer Trust Portal.

You can also refer to our community post for an overview of Atlassian’s Trust Portal, including available content, access instructions, and how to leverage its capabilities to support your security assessments.

How can this information help me?

This guidance paper complements other Trust Portal resources, such as our Rovo Security Whitepaper, and is intended to build on the content in our Trust Center to support your broader evaluation of Atlassian Cloud.

Practically, we suggest using this guidance to:

  • Accelerate your due diligence and security assessments, with deeper, technical insight into our trust posture.

  • Map the described controls to your internal policies, standards, and control frameworks.

  • Use the architecture diagrams to explain Atlassian Cloud’s model to your stakeholders or auditors.

What’s next?

For deeper insight into each of the topics we summarize on this page, we invite you to access our guidance paper directly via the Atlassian Customer Trust Portal.

Additionally, the Trust team is continuously expanding and updating our guidance documentation to address emerging customer security themes, and you can subscribe to receive notification of new releases via the Trust Portal.

We also want to make sure our documentation continues to address the questions that are top of mind for you, so we’d really value any feedback—questions, suggestions, or comments—in the thread below!

3 comments

Chris
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
February 19, 2026

Swiss data privacy regulations define "sensitive personal data". That data is not allowed to be used in Atlassian Cloud Products due to the US Cloud Act.

We are a Swiss hospital and there are lots of use cases where I would like to use Atlassian products. All of Atlassian's efforts for data protection are highly welcome and necessary, but as we do have a lot of "sensitive personal data", I cannot use Atlassian due to the US Cloud Act.

Kevin Wang
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 24, 2026

@Chris Thanks for your input!

Before diving into the specifics of your query, I should highlight that Atlassian is committed to supporting customers in complying with the applicable data protection laws they are subject to. We do so through a comprehensive privacy program backed by contractual assurances outlined under our Data Processing Addendum.

The following guidance resource provides more information on how we support Swiss customers in meeting FADP compliance: https://www.atlassian.com/trust/compliance/resources/nfadp. I have provided further detail specific to your query below:

  • Atlassian provides customers with a data transfer impact assessment demonstrating that cross-border personal data transfers outside of Switzerland are compliant with EU Standard Contractual Clauses (SCCs).
  • Atlassian also maintains clear standards for responding to law enforcement requests for customer data. In line with the FADP, sensitive personal data is not disclosed to third parties, unless accompanied by an appropriate and valid legal order. Atlassian also publishes a Transparency Report annually that details government requests for customer data.

If the above measures don't meet your organisation's requirements, please provide specific detail, as well as the organisation that you represent. We welcome all customer input, and will use this to inform our product roadmap.

Chris
Rising Star
February 24, 2026

Hi @Kevin Wang,

thank you for your answer. "... sensitive personal data is not disclosed to third-parties, unless accompanied by an appropriate and valid legal order." This means that the US government can get access to data within our Jira instance, without putting an official request for legal assistance to the official Switzerland.

This contradicts Swiss regulations. We are in the Swiss Healthcare Sector and our patient data are to be better protected than other data. If we want to implement a cloud solution, we need to do a Data Protection Impact Assessment (DPIA). Cloud solutions falling under the US Cloud Act are usually rejected.

As long as Atlassian falls under the US Cloud Act, there is not much you can do about it.
