System and Organization Controls (SOC) Reports are independent third-party examination reports that provide detailed information and assurance about controls in place at service organizations. Refer to the AICPA for further details.
When outsourcing services, it is critical to verify that the service organization has effective internal controls in place. SOC Reports establish trust and confidence in a service organization by providing assurance that its internal controls are designed and operating effectively.
To offer this assurance, Atlassian provides a SOC 2 report relevant to security and availability of the systems Atlassian uses to process users' data and the confidentiality of the information processed by these systems. These reports can be used to evaluate Atlassian systems or products and verify customer requirements are met for Security, Compliance, Internal Audit, Procurement, and other governance needs.
Atlassian has published a new SOC 2 Type 2 report for Atlassian Cloud Products including Jira Cloud, Confluence Cloud, Atlas, Atlassian Analytics, Bitbucket Cloud, Bitbucket Pipelines, Compass, Data Lake, Forge, Jira Service Management, Jira Work Management, Jira Product Discovery, Opsgenie, Assets, Automation for Jira, Halp, Jira Align, Statuspage, and Trello.
SOC 2 Type 2 audits review control performance over a period of time. This means that evidence for all controls throughout the period (which covers October 1st through September 30th) needs to be evaluated and tested, and evidence (including samples for the entirety of the period) needs to be reviewed.
Many factors impact the release of a new report. Atlassian begins its external audit at the start of September, and the audit typically spans two to three months depending on the scope (Atlassian currently evaluates 19 products). Once the audit is completed, the report is prepared and made available to customers around the end of December or early January each year.
Each report is applicable for the 12 months following the last report, at which point the next audit cycle begins again.
Bridge Letters are used to “bridge the gap” between the end date of the most recently completed SOC 2 report and the date of the letter. Bridge letters typically don’t cover a period of more than three months, and usually state that there have been no significant changes to controls from the end of your reporting period (such as for Atlassian from October 1), or, if there have been material changes, explain what they were and provide assurance to customers that they wouldn't affect the results of your SOC 2 report.
The SOC 2 report (and bridge letter) can be downloaded from the Compliance Resource Center.
Sanika Bhurke