System and Organization Controls (SOC) Reports are independent third-party examination reports that provide detailed information and assurance about controls in place at service organizations. Refer to the AICPA for further details.
When outsourcing services, it is critical to verify that the service organization has effective internal controls in place. SOC Reports establish trust and confidence in a service organization by providing assurance that its internal controls are designed and operating effectively.
To offer this assurance, Atlassian provides SOC 2 reports relevant to security and availability of the systems Atlassian uses to process users' data and the confidentiality of the information processed by these systems. These reports can be used to evaluate Atlassian systems or products and verify customer requirements are met for Security, Compliance, Internal Audit, Procurement, and other governance needs.
Atlassian has published new SOC 2 Type 2 reports for
SOC 2 Type 2 audits are a review of control performance over a period of time. This means evidence for all controls throughout the new period (which covers October 1st through September 30th) needs to be evaluated and tested, and evidence (including samples for the entirety of the period) needs to be reviewed.
There are many factors that impact the release of new reports. Atlassian begins our external audit at the start of September, and it typically spans two to three months depending on the scope (Atlassian currently evaluates 17+ products). Once the audit is completed, the reports are prepared and made available to customers before the end of December each year.
The reports are applicable for the 12 months following the last report, when the next audit cycle begins once again.
Bridge Letters are used to “bridge the gap” between the end date of the most recently completed SOC 2 report(s) and the date of the letter. Bridge letters typically don’t cover a period of more than three months, and usually state that there have been no significant changes to controls from the end of your reporting period (such as for Atlassian from October 1), or, if there have been material changes, explain what they were and provide assurance to customers that they wouldn't affect the results of your SOC 2 report.
All SOC 2 reports (and the bridge letter) can be downloaded from the Compliance Resource Center.
Amy Knapp
Risk & Compliance Manager
Atlassian
Salt Lake City, UT