SOC 2 Certifications Update

This information is very helpful. However, neither the refreshed report nor the bridge letter seem to be available as the latest SOC 2 Report is for the period November 1, 2020 through September 30, 2021. Would you be able to post an updated report?

I just ran across this myself over the weekend.  When do you expect to have an updated report available?

Hello @Amy Knapp , will be grateful if you can share when the latest soc 2 report will be available .

Hi Becky, Eric, and Richard,

SOC 2 Type II audits are a review of performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC 2 reports covering a 12-month period (October 1 through September 30). The reports are applicable for the following 12 months, when we perform the next audits.

There are many factors that impact the release of new reports, but our external audits typically occur in November and refreshed reports are usually available by end of December each year.

As per the above, we also issue a 3-month bridge letter in January/February of each year that extends the coverage period through the end of January.

All SOC 2 reports (and the bridge letter) can be downloaded on the Compliance Resource Center.

Hello @Amy Knapp I am attempting to download the SOC-2 report from the Compliance Resource Center, specially off of this page but it just returns an error after I type in my email address to accept the terms of the agreement.

"There was a server error submitting"

Is there a different place I should go to gather this information?

Thank you for letting me know @les_barchard - that's definitely not working the way it is meant to be! I've logged a support ticket and will let you know when it is resolved.

Hi again @les_barchard, the SOC 2 report download error has been resolved. Please let me know if you have any other issues with obtaining the reports.

Why doesn't the SOC2 report state itself state its validity period?   This doesn't help my C&A process at all.  Also the latest SOC2 report doesn't specify what EXACT version of TLS Atlassian uses. This isn't good at all.  Please advise

Hi @J McElhiney in terms of reporting, a SOC 2 report that’s older than a year is often known as a “stale” report. Our last reports were issued on December 9, 2021, covering the period of November 1, 2020 through September 30, 2021. As stated above, Atlassian historically issues SOC 2 reports covering a 12-month period, which means that evidence of our controls operating effectively are collected over the entire period and placed into the report(s) that are published typically before the end of the December following. The reports are applicable for the following 12 months when we then will perform the next audit.

The supported security protocols for our cloud products are listed here: https://support.atlassian.com/security-and-access-policies/docs/supported-security-protocols-for-atlassian-cloud-products/ and our SOC 2 Control(s) are tested against the details outlined on this list.

For more details please see our Compliance FAQ and Security documentation.

@Amy Knapp I've shared the Atlassian Cloud most recent SOC2 and its related Bridge letter dated 3 Jan 2022 with my fellow security team members.  In no way, shape or form, does the SOC2 bridge letter or SOC 2 report itself specify the last SOC2 report dated December 2021 state that your documentation is valid until December 2022.

Additionally the latest Atlassian Cloud SOC2 report doesn't specifically tell us what version of TLS is being used for data in transit. From my security risk needs, I've asked for a new bridge letter dated August 2022. This was denied to me by your team. From my security risk view, the currently provided documentation is not enough and is stale. What's showing on your Atlassian website or this Atlassian Community website in terms of textual information, isn't official like a SOC2 report from an independent auditor. What matters the most is the clearly stated validity dates on the independent SOC2 report and its contents. 

When there's a new SOC2 Type 2 bridge letter available and or a new SOC 2 report, please do let us know. Thanks..  

When there's a new SOC2 Type 2 bridge letter available and or a new SOC 2 report, please do let us know. Thanks..  

Hi @Amy Knapp

as per comments made already I have provided the SOC2 Type 2 report + bridging letter to my Governance, Risk and Compliance teams as evidence of Atlassian's security/privacy/compliance activities however due to the bridging report only covering until 3rd Jan 2022 the team is denying Atlassian is compliant with SOC 2 and as such is placing a major implementation of the Atlassian suite at a large University at risk of being cancelled.

Please advise if there is anything available anywhere which can provide the governance team some assurances Atlassian is still compliant with the SOC 2 Type 2 standard. Based on the information available on the sites you have linked to it outlines an annual assessment with a period covered by the bridging report. I believe we are well past the period both of those are valid for and would have been expecting a more recent report available. 

With thanks

Hi @Rory Geoghegan @Selva & @J McElhiney

A quick update - Atlassian received its newest reporting from our external auditors on 12/9, and we are pending the publishing of these reports with our NDA wrapper for sharing to our Trust Center by our Web Team. As soon as these are publicly available we will have an updated post to this community with the links and details.

In the meantime, especially for you @Rory Geoghegan our latest ISO27k certificate is available if that helps in the interim at all with your organisations' confidence assessment until the SOC 2 reporting is published: https://www.atlassian.com/trust/compliance/resources/iso27001

Hi again @Rory Geoghegan@Selva, and @J McElhiney, we have published our new reporting and I have posted a community update here: https://community.atlassian.com/t5/Trust-Security-articles/SOC-2-Certifications-Update/ba-p/2220680

Thanks @Amy Knapp very much appreciated.