SOC 2 Reporting Improvements

Atlassian’s 2020 reporting consisted of 8 SOC 2 reports individually attesting compliance for our cloud products. With each weighing-in at ~90 pages, we saw duplication of content, effort, inconsistent voice, not to mention that any customer using more than one of our products would need to review each individual report annually for their own compliance program requirements.

Within the last year our teams have been working hard on new products, features, and acquisitions that also require third party review and certification for customer assurance. Unchanged, that meant for our next audit year we had to add Insight, Bitbucket Pipelines, Data Lake, Forge, and Compass into the mix.

For those counting at home (and still paying attention), that brings us to 13 SOC 2 reports.

So we reframed our approach, identified our products utilising key core technologies and supporting platforms, and began consolidating the detail to create the Atlassian Platform Products report. Use of these same systems, tools, and processes (e.g., Standard backups, Change, and Incident Management) reduces testing time, removes the need for 1:1 auditor and product team walkthroughs, and reduces the chance of deviation from control requirements.

This said, there will still be more than one SOC 2 report for this round, but we’re okay with this. Some of our products aren’t on the Atlassian common platform at all, or only parts of them are (with system and tool migrations planned for the future), so we’ll still have individual reports for our beloved Halp, Jira Align, Statuspage, and Trello products. However, we can all agree that 5 reports are better than 13.

See our Compliance Resource Center for more information and keep a look out for our next update confirming our SOC 2 product reporting results.