Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,456,405
Community Members
 
Community Events
176
Community Groups

SOC 2 Certifications Update

Overview

System and Organization Controls (SOC) Reports are independent third-party examination reports that provide detailed information and assurance about controls in place at service organizations. Refer to the AICPA for further details.

When outsourcing services, it is critical to verify that the service organization has effective internal controls in place. SOC Reports establish trust and confidence in a service organization by providing assurance their internal controls are designed and operating effectively.

To offer this assurance, Atlassian provides SOC 2 reports relevant to security and availability of the systems Atlassian uses to process users' data and the confidentiality of the information processed by these systems. These reports can be used to evaluate Atlassian systems or products and verify that we meet our customer requirements across Security, Compliance, Internal Audit, Procurement, and other governance needs.

What Atlassian Products have SOC 2 Reports?

Atlassian is proud to announce we have obtained updated SOC 2 Type II reports for Atlassian Platform (encompassing Jira Cloud, Confluence Cloud, Bitbucket Cloud, Bitbucket Pipelines, Opsgenie, Jira Service Management (JSM), Data Lake, Forge, Insight, and Compass), Halp, Jira Align, Statuspage, and Trello.

You can download the latest certifications from our Compliance Page: SOC 2 | Atlassian.

When are SOC 2 Reports Published?

Atlassian SOC 2 Type II reports are maintained on an annual basis for a rolling 12-month cycle that begins in October and ends in September of the following year. External audits typically occur in November and refreshed reports are usually available prior to 31 December each year.

Bridge Letters

Bridge letters are used to bridge the “gap” between the end date of the most recently completed SOC report(s) and the date of the bridge letter.

You can download the latest bridge letter, updated prior to 31 January each year, from our Compliance Page: SOC 2 | Atlassian.

15 comments

This information is very helpful. However, neither the refreshed report nor the bridge letter seem to be available as the latest SOC 2 Report is for the period November 1, 2020 through September 30, 2021. Would you be able to post an updated report?

Like # people like this

I just ran across this myself over the weekend.  When do you expect to have an updated report available?

Like Charlotte likes this

Hello @Amy Knapp , will be grateful if you can share when the latest soc 2 report will be available .

Hi Becky, Eric, and Richard,

SOC 2 Type II audits are a review of performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC 2 reports covering a 12-month period (October 1 through September 30). The reports are applicable for the following 12 months, when we perform the next audits.

There are many factors that impact the release of new reports, but our external audits typically occur in November and refreshed reports are usually available by end of December each year.

As per the above, we also issue a 3-month bridge letter in January/February of each year that extends the coverage period through the end of January.

All SOC 2 reports (and the bridge letter) can be downloaded on the Compliance Resource Center.

Hello @Amy Knapp I am attempting to download the SOC-2 report from the Compliance Resource Center, specially off of this page but it just returns an error after I type in my email address to accept the terms of the agreement.

"There was a server error submitting"

Is there a different place I should go to gather this information?

Amy Knapp Atlassian Team Jul 21, 2022

Thank you for letting me know @les_barchard - that's definitely not working the way it is meant to be! I've logged a support ticket and will let you know when it is resolved.

Amy Knapp Atlassian Team Jul 21, 2022

Hi again @les_barchard, the SOC 2 report download error has been resolved. Please let me know if you have any other issues with obtaining the reports.

Like les_barchard likes this

Why doesn't the SOC2 report state itself state its validity period?   This doesn't help my C&A process at all.  Also the latest SOC2 report doesn't specify what EXACT version of TLS Atlassian uses. This isn't good at all.  Please advise

Hi @J McElhiney in terms of reporting, a SOC 2 report that’s older than a year is often known as a “stale” report. Our last reports were issued on December 9, 2021, covering the period of November 1, 2020 through September 30, 2021. As stated above, Atlassian historically issues SOC 2 reports covering a 12-month period, which means that evidence of our controls operating effectively are collected over the entire period and placed into the report(s) that are published typically before the end of the December following. The reports are applicable for the following 12 months when we then will perform the next audit.

The supported security protocols for our cloud products are listed here: https://support.atlassian.com/security-and-access-policies/docs/supported-security-protocols-for-atlassian-cloud-products/ and our SOC 2 Control(s) are tested against the details outlined on this list.

For more details please see our Compliance FAQ and Security documentation.

@Amy Knapp I've shared the Atlassian Cloud most recent SOC2 and its related Bridge letter dated 3 Jan 2022 with my fellow security team members.  In no way, shape or form, does the SOC2 bridge letter or SOC 2 report itself specify the last SOC2 report dated December 2021 state that your documentation is valid until December 2022.

Additionally the latest Atlassian Cloud SOC2 report doesn't specifically tell us what version of TLS is being used for data in transit. From my security risk needs, I've asked for a new bridge letter dated August 2022. This was denied to me by your team. From my security risk view, the currently provided documentation is not enough and is stale. What's showing on your Atlassian website or this Atlassian Community website in terms of textual information, isn't official like a SOC2 report from an independent auditor. What matters the most is the clearly stated validity dates on the independent SOC2 report and its contents. 

When there's a new SOC2 Type 2 bridge letter available and or a new SOC 2 report, please do let us know. Thanks..  

Like # people like this
Selva I'm New Here Nov 08, 2022

When there's a new SOC2 Type 2 bridge letter available and or a new SOC 2 report, please do let us know. Thanks..  

Like # people like this

Hi @Amy Knapp

 

as per comments made already I have provided the SOC2 Type 2 report + bridging letter to my Governance, Risk and Compliance teams as evidence of Atlassian's security/privacy/compliance activities however due to the bridging report only covering until 3rd Jan 2022 the team is denying Atlassian is compliant with SOC 2 and as such is placing a major implementation of the Atlassian suite at a large University at risk of being cancelled.

 

Please advise if there is anything available anywhere which can provide the governance team some assurances Atlassian is still compliant with the SOC 2 Type 2 standard. Based on the information available on the sites you have linked to it outlines an annual assessment with a period covered by the bridging report. I believe we are well past the period both of those are valid for and would have been expecting a more recent report available. 

 

With thanks

Amy Knapp Atlassian Team Dec 14, 2022

Hi @Rory Geoghegan @Selva & @J McElhiney

A quick update - Atlassian received its newest reporting from our external auditors on 12/9, and we are pending the publishing of these reports with our NDA wrapper for sharing to our Trust Center by our Web Team. As soon as these are publicly available we will have an updated post to this community with the links and details.

In the meantime, especially for you @Rory Geoghegan our latest ISO27k certificate is available if that helps in the interim at all with your organisations' confidence assessment until the SOC 2 reporting is published: https://www.atlassian.com/trust/compliance/resources/iso27001

Like Rory Geoghegan likes this
Amy Knapp Atlassian Team Dec 19, 2022

Hi again @Rory Geoghegan@Selva, and @J McElhiney, we have published our new reporting and I have posted a community update here: https://community.atlassian.com/t5/Trust-Security-articles/SOC-2-Certifications-Update/ba-p/2220680

Like Rory Geoghegan likes this

Thanks @Amy Knapp very much appreciated.

Like Amy Knapp likes this

Comment

Log in or Sign up to comment
TAGS

Atlassian Community Events