Cloud Compliance AMA

G’day everyone and happy 2022! 

My name is Filiberto Selvas and I’m a Principal Product Manager focused on data management and compliance in highly regulated industries! At Atlassian, we understand that you face a complex and dynamic regulatory environment, which is why we’re focused on providing the tools and resources customers need to navigate this ever-changing landscape.

In the last year, our team has worked on several improvements to our compliance program, from adding new features like data residency to enabling stronger operational practices that include audit and oversight rights to allow customers to abide by stricter regulatory standards. These improvements help assure that customers can abide by financial services regulatory standards in Europe, and have paved the way for future capabilities, like HIPAA (launching this quarter) and FedRAMP (2023). We want to continue to build on that momentum by creating a forum for you, our customers, to ask questions about how we’re meeting these requirements and/or future investments.

Here's how it works:

Add your questions below any time during the month of January. Be sure to take a look at other community members’ questions and up-vote those that you find interesting.

You can expect to see answers from me and my team rolling in on a weekly basis. Watch the page and be ready to add follow-up questions and discuss further with other Community members. 

Note: The information provided by Atlassian here is not legal advice. Customers are responsible for making their own independent risk and compliance assessments.

Cheers,

Filiberto

David Rodman January 4, 2022

We are a military supplier and have been waiting for data residency. Currently we have an on premise Confluence system that we are waiting for data residency to be available so we can move to cloud. In addition we have a cloud Jira implementation which currently is also waiting on data residency so we can gain full utilization of it. I am interested in the time lines of the implementation for data residency on both platforms so that we can move our systems forward.

Carmen Nadeau
Rising Star
January 4, 2022

We are a financial company and we are also waiting for data residency. The timeline for Canada has been pushed back several times and has caused problems with our roadmaps. Here's hoping that it won't happen again.

Hosana
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2022

Hi @David Rodman, we currently offer data residency for all paid plans (Standard, Premium, and Enterprise) in 3 regions - the US, Europe, and AU. To learn more about these capabilities, please visit our documentation page.

David Rodman January 6, 2022

Hi Hosana,

Would this include a migration from on prem to cloud? From what I was reading, it was only available for "no data" implementations. Our on prem has data that would need to be moved up.

Brooklyn Trumpy January 6, 2022

Hi Filiberto,

Do we have an implementation timeline yet on Service Desk HIPAA compliance? 

Thanks!

Brooklyn

Filiberto Selvas
Atlassian Team
January 7, 2022

Hello @David Rodman , 

The process of migration is independent from the capability of keeping data resident in a specific region.  You can definitely create a Cloud instance, set it up for data residency in a specific region, and then migrate your on premise data to it... or the other way around (the former is more advisable though). 

Please do review the document Hosana offered above. You mention you are a military supplier, and I want to make sure you know the data residency capability we have mentioned does not offer ITAR level guarantees.

I hope this helps 

Filiberto Selvas
Atlassian Team
January 7, 2022

Hello @Brooklyn Trumpy , not yet, it should be a couple more weeks.  Meeting Monday and Tuesday to discuss this, will define that timeline for JSM as soon as possible! 

Filiberto Selvas
Atlassian Team
January 7, 2022

Thank you for the input @Carmen Nadeau , we will do all in our power to keep the timeline as it stands today 

David Rodman January 7, 2022

Thank you for the additional information Filiberto. Is there additional information or someone I can discuss ITAR related information with? Since many of the ITAR controls have been changed and data residency is the primary one, this may still work for us. If not, the landscape will be pretty grim when on premise solutions are no longer supported.

Filiberto Selvas
Atlassian Team
January 7, 2022

Happy to schedule a call @David Rodman, send me an email to fselvas at Atlassian dot com and we can find a time.

DRFavreau January 20, 2022

We're a nonprofit government law enforcement agency and we have onprem Jira, Confluence, Bitbucket, and Bamboo and with the new change, Data Center is not possible with our limited budget and small team (< 50). Do you have a timeline on CJIS compliance for Jira, Confluence, and Bitbucket?

Filiberto Selvas
Atlassian Team
January 20, 2022

Hello @DRFavreau , 

We currently don't have CJIS in our roadmap. I am not an expert in CJIS, but my understanding is that there is no standardized assessment approach to determining whether a Cloud solution is considered CJIS compliant. We will be happy to provide you all information available to help make the determination if that is feasible. A couple initial pointers:

I hope this is helpful 

Rob Yardman January 27, 2022

Hello security and compliance team. I am in a very similar circumstance to DRFavreau. I am the CJIS ISO for a Law Enforcement agency. We would struggle to be able to procure the Data Center for budgetary and justification purposes. I believe there is a possibility that CJIS compliance can be obtained with the current level of AoC provided by Atlassian. The most important aspects would be:

  • Support teams within Atlassian that have access to data within a LE license tenant
  • Data at rest and the level of encryption.

If Atlassian is willing to provide those details in a formal capacity, I believe ISOs can provide those details in their CJIS Audits with the FBI to ensure Criminal History data is secured appropriately in the cloud. This would be helpful and would allow LE agencies to continue to use Atlassian products and I would take a guess that it would also attract additional agencies to your solutions.

Please let me know if we can start a conversation based around this through email or some sort of communication channel that supports this effort.

Thank you for your time.

Filiberto Selvas
Atlassian Team
January 27, 2022

Hello @Rob Yardman , 

Filiberto Selvas
Atlassian Team
February 17, 2022

HIPAA related update:

Yesterday we announced that Atlassian is ready to sign BAA agreements for compliance with the HIPAA law provisions for the Enterprise Plan version of JSW and Confluence. More information here: https://www.atlassian.com/trust/compliance/resources/hipaa 

We will soon update our public roadmap to include a timeline for JSM HIPAA as well, ETA is at the end of calendar year 2022. 

Please let me know of any questions 

David Rodman March 31, 2022

I am following up on the status of Atlassian's position on ITAR compliance to see where it stands. We are on premise at this point and are locked for user counts. To date we cannot migrate to cloud and Atlassian refuses to sell us additional seats. We need one of these two issues resolved quickly as it is negatively affecting our business. If it cannot be resolved, we will need to look to other solutions which we would prefer not to do as our users have found the Confluence system of value. 

Is there a line of sight on ITAR compliance and can we get a temporary exception for additional licenses?

Filiberto Selvas
Atlassian Team
April 6, 2022

Hello @David Rodman , 

We don't have a timeline for ITAR in our Cloud solutions yet.  Have you considered Data Center? 

David Rodman April 6, 2022

We have not but would like to. Can you get me information on what is required for Data Center? 

Filiberto Selvas
Atlassian Team
April 6, 2022

@David Rodman , you can find information on Data Center here, and also reach out to sales through the same page: https://www.atlassian.com/enterprise/data-center 

Michelle Tan
Atlassian Team
May 18, 2022

Hey everyone,

I'm Michelle, the Product Manager who’s been looking after Jira Service Management’s Customer Notifications and Enterprise-related features. We're currently working towards HIPAA compliance for Jira Service Management and have rolled out a feature this week that will help you meet your organization’s compliance needs and protect your and your customers' data!

Announcing safe customer notifications in Jira Service Management as a building block for compliance and privacy needs 

I'd love for you to try out our feature and give us early feedback on the user experience as we work towards HIPAA compliance in the coming months. 😊

alfredo_murguia January 9, 2023

Hi Filiberto, we are looking for the SOC 2 Type II bridge letter for 2023, but you haven't uploaded it to the trust center. Since we are in our SOX Audit, we kindly request your help to speed up the Bridge Letter release. Many thanks!

Michelle Tan
Atlassian Team
January 12, 2023

Hi everyone,

Thanks a lot for your patience - we've been awaiting our external audit results and great news!

If you haven't already seen on Community, I would like to announce that Jira Service Management and a few of our other cloud products are now certified as HIPAA compliant!

For more details on HIPAA compliance, please see here.

Wishing you all a great start to 2023!

Cheers,

Michelle
