SOC 2 Certifications Update

Overview

System and Organization Controls (SOC) Reports are independent third-party examination reports that provide detailed information and assurance about controls in place at service organizations. Refer to the AICPA for further details.

When outsourcing services, it is critical to verify that the service organization has effective internal controls in place. SOC Reports establish trust and confidence in a service organization by providing assurance that its internal controls are designed and operating effectively.

To offer this assurance, Atlassian provides SOC 2 reports relevant to security and availability of the systems Atlassian uses to process users' data and the confidentiality of the information processed by these systems. These reports can be used to evaluate Atlassian systems or products and verify that we meet our customer requirements across Security, Compliance, Internal Audit, Procurement, and other governance needs.

What Atlassian Products have SOC 2 Reports?

Atlassian is proud to announce we have obtained updated SOC 2 Type II reports for Atlassian Platform (encompassing Jira Cloud, Confluence Cloud, Bitbucket Cloud, Bitbucket Pipelines, Opsgenie, Jira Service Management (JSM), Data Lake, Forge, Insight, and Compass), Halp, Jira Align, Statuspage, and Trello.

You can download the latest certifications from our Compliance Page: SOC 2 | Atlassian.

When are SOC 2 Reports Published?

Atlassian SOC 2 Type II reports are maintained on an annual basis for a rolling 12-month cycle that begins in October and ends in September of the following year. External audits typically occur in November and refreshed reports are usually available prior to 31 December each year.

Bridge Letters

Bridge letters are used to bridge the “gap” between the end date of the most recently completed SOC report(s) and the date of the bridge letter.

You can download the latest bridge letter, updated prior to 31 January each year, from our Compliance Page: SOC 2 | Atlassian.

15 comments

Becky March 30, 2022

This information is very helpful. However, neither the refreshed report nor the bridge letter seem to be available as the latest SOC 2 Report is for the period November 1, 2020 through September 30, 2021. Would you be able to post an updated report?

Eric Maynard April 11, 2022

I just ran across this myself over the weekend. When do you expect to have an updated report available?

RICHARD KOMLA AMOAKU July 18, 2022

Hello @Amy Knapp, I will be grateful if you can share when the latest SOC 2 report will be available.

Amy Knapp
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 18, 2022

Hi Becky, Eric, and Richard,

SOC 2 Type II audits are a review of performance of controls over a period of time. Once the audit period is over, the report is prepared and made available to customers. Atlassian issues SOC 2 reports covering a 12-month period (October 1 through September 30). The reports are applicable for the following 12 months, when we perform the next audits.

There are many factors that impact the release of new reports, but our external audits typically occur in November and refreshed reports are usually available by end of December each year.

As per the above, we also issue a 3-month bridge letter in January/February of each year that extends the coverage period through the end of January.

All SOC 2 reports (and the bridge letter) can be downloaded on the Compliance Resource Center.

les_barchard July 21, 2022

Hello @Amy Knapp, I am attempting to download the SOC-2 report from the Compliance Resource Center, specifically off of this page, but it just returns an error after I type in my email address to accept the terms of the agreement.

"There was a server error submitting"

Is there a different place I should go to gather this information?

Amy Knapp
Atlassian Team
July 21, 2022

Thank you for letting me know @les_barchard - that's definitely not working the way it is meant to be! I've logged a support ticket and will let you know when it is resolved.

Amy Knapp
Atlassian Team
July 21, 2022

Hi again @les_barchard, the SOC 2 report download error has been resolved. Please let me know if you have any other issues with obtaining the reports.

J McElhiney August 8, 2022

Why doesn't the SOC2 report itself state its validity period? This doesn't help my C&A process at all. Also, the latest SOC2 report doesn't specify what EXACT version of TLS Atlassian uses. This isn't good at all. Please advise.

Amy Knapp
Atlassian Team
August 8, 2022

Hi @J McElhiney, in terms of reporting, a SOC 2 report that’s older than a year is often known as a “stale” report. Our last reports were issued on December 9, 2021, covering the period of November 1, 2020 through September 30, 2021. As stated above, Atlassian historically issues SOC 2 reports covering a 12-month period, which means that evidence of our controls operating effectively is collected over the entire period and placed into the report(s) that are published typically before the end of the December following. The reports are applicable for the following 12 months when we then will perform the next audit.

The supported security protocols for our cloud products are listed here: https://support.atlassian.com/security-and-access-policies/docs/supported-security-protocols-for-atlassian-cloud-products/ and our SOC 2 Control(s) are tested against the details outlined on this list.

For more details please see our Compliance FAQ and Security documentation.

J McElhiney August 16, 2022

@Amy Knapp I've shared the Atlassian Cloud most recent SOC2 and its related Bridge letter dated 3 Jan 2022 with my fellow security team members.  In no way, shape or form, does the SOC2 bridge letter or SOC 2 report itself specify the last SOC2 report dated December 2021 state that your documentation is valid until December 2022.

Additionally the latest Atlassian Cloud SOC2 report doesn't specifically tell us what version of TLS is being used for data in transit. From my security risk needs, I've asked for a new bridge letter dated August 2022. This was denied to me by your team. From my security risk view, the currently provided documentation is not enough and is stale. What's showing on your Atlassian website or this Atlassian Community website in terms of textual information, isn't official like a SOC2 report from an independent auditor. What matters the most is the clearly stated validity dates on the independent SOC2 report and its contents. 

When there's a new SOC2 Type 2 bridge letter available and/or a new SOC 2 report, please do let us know. Thanks.

Selva November 8, 2022

When there's a new SOC2 Type 2 bridge letter available and/or a new SOC 2 report, please do let us know. Thanks.

Rory Geoghegan December 13, 2022

Hi @Amy Knapp,

As per comments made already, I have provided the SOC2 Type 2 report + bridging letter to my Governance, Risk and Compliance teams as evidence of Atlassian's security/privacy/compliance activities; however, due to the bridging report only covering until 3rd Jan 2022, the team is denying Atlassian is compliant with SOC 2 and as such is placing a major implementation of the Atlassian suite at a large University at risk of being cancelled.

Please advise if there is anything available anywhere which can provide the governance team some assurances Atlassian is still compliant with the SOC 2 Type 2 standard. Based on the information available on the sites you have linked to, it outlines an annual assessment with a period covered by the bridging report. I believe we are well past the period both of those are valid for and would have been expecting a more recent report available.

With thanks

Amy Knapp
Atlassian Team
December 14, 2022

Hi @Rory Geoghegan @Selva & @J McElhiney

A quick update - Atlassian received its newest reporting from our external auditors on 12/9, and we are pending the publishing of these reports with our NDA wrapper for sharing to our Trust Center by our Web Team. As soon as these are publicly available we will have an updated post to this community with the links and details.

In the meantime, especially for you @Rory Geoghegan, our latest ISO27k certificate is available if that helps in the interim at all with your organisation's confidence assessment until the SOC 2 reporting is published: https://www.atlassian.com/trust/compliance/resources/iso27001

Amy Knapp
Atlassian Team
December 19, 2022

Hi again @Rory Geoghegan, @Selva, and @J McElhiney, we have published our new reporting and I have posted a community update here: https://community.atlassian.com/t5/Trust-Security-articles/SOC-2-Certifications-Update/ba-p/2220680

Rory Geoghegan January 10, 2023

Thanks @Amy Knapp very much appreciated.
