Dc To Cloud Migration - Third Party Vendors

Utkarsh Chandel
May 21, 2026

When evaluating third-party vendors for a migration, what technical standard should be prioritized to safeguard data and establish a foundation of trust?

Kevin Kadakas
Contributor
May 21, 2026

Hi @Utkarsh Chandel,

Great question!

Vendor due diligence is one of the most underrated parts of any DC-to-Cloud migration.
If you want a single signal to prioritize, look at how the app handles your data at the platform level. That's where Atlassian's trust framework gives you the clearest answer:

  1. "Runs on Atlassian" badge is the safest baseline
    Apps with this badge are built entirely on Forge and run on Atlassian's own infrastructure. That means:
    1. Your data never leaves the Atlassian Cloud
    2. The app inherits Atlassian's compliance posture (SOC 2 Type II, ISO 27001, GDPR, etc.)
    3. The badge is enforced at the platform level. Vendors cannot fake it, because if any code runs outside Forge, the badge isn't granted. Whenever this option exists for a given use case, it's the strongest foundation of trust you can get.
  2. "Cloud Fortified"
    Related, but not the same thing, and not to be confused with "Runs on Atlassian". Cloud Fortified is a higher-tier quality program (Connect or Forge apps) that requires a 99.9% SLA, 24/7 support, incident response, and Marketplace Bug Bounty participation. A Cloud Fortified app may still send data outside Atlassian, but it does so with more accountability and oversight.
  3. No badge
    Read the privacy/security policy of the publishing company.

Plenty of useful apps simply can't be "Runs on Atlassian" because of what they do. External integrations, AI features calling third-party models, etc. That's not a red flag by itself. In that case:

  • Read the vendor's privacy and security policy
  • Check what data leaves Atlassian, where it goes, and how long it's retained
  • Look at the Marketplace listing's Security & Trust tab where vendors are required to declare data flows
  • Sometimes the "external" data is just a user-input string with no business context, and thus practically harmless

In general, every Marketplace app goes through Atlassian's approval process before listing, but that's a quality and policy review, not a deep security audit.

The best security signals are Runs on Atlassian, Cloud Fortified, Bug Bounty participation, and vendor attestations like SOC 2 or ISO 27001.

Hope this helps! If it did, please mark it as the accepted answer so others with the same question can find it more easily.

Abhishek Sengar
Atlassian Team
May 22, 2026

Great breakdown, @Kevin Kadakas  — fully agree that "Runs on Atlassian" is the strongest single trust signal, and the distinction from Cloud Fortified is one many teams get wrong.

@Utkarsh Chandel From an enterprise security / vendor due diligence perspective, I'd add a few more technical standards worth prioritizing alongside the Atlassian badges, especially for a DC-to-Cloud migration where you're often onboarding many third-party apps at once:

1. Data residency & encryption
Confirm where data is stored and processed (region pinning matters for regulated industries) and that encryption is enforced both in transit (TLS 1.2+) and at rest (AES-256).

2. Authentication & access controls
Look for SAML/SSO, SCIM provisioning, enforced MFA, and least-privilege OAuth scopes. For Forge/Connect apps, review the declared scopes in the manifest — over-scoped apps are a common, under-discussed risk.

3. Egress & data flow transparency
Even "Runs on Atlassian" apps can call external endpoints via Forge's declared external fetch permissions. Always review the Marketplace Security & Trust tab and the app manifest before assuming zero external data flow.

4. Sub-processor disclosure
Vendors should publish a current sub-processor list — increasingly relevant when AI/LLM providers sit in the data path. This is also a GDPR Art. 28 requirement.

5. Attestations beyond SOC 2 / ISO 27001
Depending on your industry: ISO 27017 (cloud), ISO 27018 (PII in cloud), HIPAA BAA availability, PCI DSS, FedRAMP, CSA STAR.

6. Vulnerability management & SDLC maturity
Bug Bounty is a good signal, but also ask about SAST/DAST in CI, dependency scanning, patch SLAs, and pen-test cadence (vendors should share a recent summary under NDA).

7. Incident response & breach notification SLAs
Contractual commitments around notification timelines (e.g., 72 hours) and a documented IR plan matter as much as technical controls.

8. Business continuity
RTO/RPO commitments and DR test evidence, especially for apps in the critical path of your migration.

A practical shortlist: Runs on Atlassian → Cloud Fortified → SOC 2 Type II + ISO 27001 + clear sub-processor list + transparent egress declarations. That combination gives you both platform-enforced controls and vendor-level accountability.

💡 Scaling vendor evaluations with AI

If you're evaluating many vendors as part of a migration, manually researching 60+ security controls per tool can take 4–8 hours each. This is exactly the kind of repetitive, high-cognitive-load work that AI agents are great at accelerating.

I've been experimenting with a Rovo Agent, an AI tool called SecRev Agent built on Atlassian's Rovo platform. You give it a tool name and a few URLs (vendor trust center, pricing tiers, documentation), and it:

  • Researches the tool against minimum security requirements (SSO, MFA, encryption, audit logging)
  • Analyzes AI-specific data handling policies (does the vendor train on your data? does that vary by tier?)
  • Checks compliance posture (SOC 2, ISO 27001, GDPR, etc.)
  • Highlights risky features to avoid even on secure plans
  • Produces a structured, citable comparison report ready for review

It doesn't replace human judgment on the final approval, but it cuts review time by ~85% and ensures consistency across vendors — which is exactly what you need when migration timelines are tight and the vendor pipeline is long. Pairing this kind of agent with the trust signals above (Runs on Atlassian, Cloud Fortified, attestations) gives you both speed and rigor.

Hope this helps!
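Points 2 and 3 above both come down to reading the Forge app manifest: which OAuth scopes the app requests, and which external hosts it is allowed to fetch from. The script below is an added example (not code from either reply, and not an Atlassian tool) that takes the parsed contents of a Forge `manifest.yml`, separates read scopes from write/manage scopes, lists every declared egress host, and flags wildcard hosts and non-HTTPS schemes. The manifest is constructed for illustration, the hostnames are placeholders, the `PRIVILEGED_PREFIXES` list is an assumption based on the `verb:resource` naming of Atlassian scopes, and the manifest is embedded as the dict a YAML parser would produce so the script runs without PyYAML.

```python
"""Review a Forge app manifest for scope breadth and declared egress.

Added example, not from the thread or from Atlassian. Given the parsed
contents of a Forge manifest.yml, report requested scopes, flag scopes
that grant more than read access, enumerate external fetch targets, and
decide whether the manifest declares any external data flow at all.
"""
from urllib.parse import urlparse

# Constructed sample, written as the dict a YAML parser would return for:
#
# permissions:
#   scopes:
#     - read:jira-work
#     - write:jira-work
#     - manage:jira-configuration
#   external:
#     fetch:
#       backend:
#         - "https://api.vendor-example.invalid"
#         - "*.analytics-example.invalid"
#       client:
#         - "http://cdn.vendor-example.invalid"
SAMPLE_MANIFEST = {
    "permissions": {
        "scopes": [
            "read:jira-work",
            "write:jira-work",
            "manage:jira-configuration",
        ],
        "external": {
            "fetch": {
                "backend": [
                    "https://api.vendor-example.invalid",
                    "*.analytics-example.invalid",
                ],
                "client": ["http://cdn.vendor-example.invalid"],
            }
        },
    }
}

# Assumption: scope verbs other than "read" change or administer data.
PRIVILEGED_PREFIXES = ("write:", "manage:", "delete:", "admin:")


def classify_scopes(manifest):
    """Split requested scopes into read-only and privileged groups."""
    scopes = manifest.get("permissions", {}).get("scopes", []) or []
    return {
        "read": [s for s in scopes if not s.startswith(PRIVILEGED_PREFIXES)],
        "privileged": [s for s in scopes if s.startswith(PRIVILEGED_PREFIXES)],
    }


def egress_hosts(manifest):
    """Return (host, source, flags) for each declared external fetch target."""
    external = manifest.get("permissions", {}).get("external", {}) or {}
    fetch = external.get("fetch", {}) or {}
    findings = []
    for source in ("backend", "client"):
        for entry in fetch.get(source, []) or []:
            flags = []
            # Entries may be bare hosts or full URLs; normalise to a host.
            parsed = urlparse(entry if "://" in entry else "https://" + entry)
            host = parsed.hostname or entry
            if "://" in entry and parsed.scheme != "https":
                flags.append("plaintext-scheme")
            if "*" in entry:
                flags.append("wildcard-host")
            findings.append((host, source, flags))
    return findings


def review(manifest):
    """Summarise what a reviewer should look at before approving the app."""
    scopes = classify_scopes(manifest)
    egress = egress_hosts(manifest)
    return {
        "read_scopes": scopes["read"],
        "privileged_scopes": scopes["privileged"],
        "egress": egress,
        # Assumption: no declared fetch targets means no platform data is
        # sent out of Atlassian; anything listed needs the vendor's
        # explanation of what leaves, where it goes, and how long it is kept.
        "declares_external_data_flow": bool(egress),
        "needs_manual_review": bool(egress) or bool(scopes["privileged"]),
    }


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    print("Privileged scopes:", result["privileged_scopes"])
    for host, source, flags in result["egress"]:
        print(f"egress via {source:7s} -> {host} {' '.join(flags)}")
    print("External data flow declared:", result["declares_external_data_flow"])
```

An empty egress list is the property that makes an app a candidate for "Runs on Atlassian"; a non-empty list is not a red flag on its own, but each host should match what the vendor declares in the Marketplace Security & Trust tab.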
