Security information about Sourcetree

Hi, 

 

A few questions about using Sourcetree in a corporate environment.

It looks like the SourceTree app requires users to create a Bitbucket account so they can use it and connect it to GitHub, as explained in this guide. Our security team would like to understand whether any data is made available to Atlassian through this process and what sort of data that is. If it includes any personal data, where is this data going to be stored geographically and how can we ensure that we meet our GDPR obligations?

 

We have also attempted to find information in relation to the security practices followed for SourceTree app, however we have not been able to locate anything specific within your Trust Centre. All certifications published there seem to cover other Atlassian apps but not SourceTree. Can you point us to any other specific resources?

 

And lastly in some of the previous posts in the community it was mentioned that Sourcetree security advisories are not included in the subscription mailing list which is designed for this purpose. Why is this the case and what is the recommended way of receiving security advisories for the Sourcetree app?

 

Many thanks

 

2 answers

Thanks Mike, will wait for your response on security advisories. 

0 votes
Mike Corsaro Atlassian Team Jun 11, 2019

Hello!

 

I'll have to circle back on the security sub mailing list question, but in regards to Sourcetree requiring a Bitbucket account:

  • The Bitbucket account is only used to verify users -- we do not send any personally identifying data to our servers
    • Once you sign in you won't need to refresh credentials or anything like that
  • Sourcetree does have anonymous usage analytics -- we ask for permission for this in the welcome wizard, and it can additionally be disabled under "Options > Help improve Sourcetree by sending anonymous data about your usage"
  • If anonymous usage analytics are enabled then we do track the number of repos you've interacted with and the provider you're using. No personally identifying info such as the repo name, or code, or anything like that is sent. Atlassian does not have access to any of your code
