Hi everyone!
Thanks to all who joined us for our webinar on Privacy, security, and GDPR in Atlassian cloud. If you missed it or weren’t able to catch the whole thing, you can view the recording on-demand at any time.
And for those looking to continue exploring the topics we discussed in the webinar, we’ve compiled a list of resources that may be helpful to you. Check them out below!
GDPR
Privacy
Transparency report - summarizing all government requests for data
Security
Data residency
Data residency in our Standard and Premium plans - sign up here for updates!
Compliance
Marketplace security & compliance
And lastly, we had a number of great questions during the webinar, some of which we weren’t able to get to. So here are some of the questions (and their answers) we received during the session:
Based on your roadmap, BYOK will only be available for certain custom fields. Are there plans to introduce BYOK for entire instances?
Our MVP version of BYOK will first focus on Jira Issue Fields, encrypted at rest. For the Generally Available release we will expand the data set for Jira, while also including Confluence data. Based on demand, we will continue to expand this data set. Keep an eye on our roadmap as well as our community for more information.
Do you have plans to make data residency available for [insert region]?
Our first goal for Data Residency is to get as many of our customers covered as we possibly can with a data residency option. Our current data residency locations of the US and the EU cover a good portion of customers in, or around, those areas. There are many other parts of the world that can't use the US or the EU as an option, and therefore we have to focus on those areas next, which includes our focus on Australia, Canada, the United Kingdom, and Japan over the next 12-18 months. Please follow our roadmap for any updates or changes to these locations and timelines. Once we're able to cover as many customers as we can with at least 1 option, we'll start exploring more granular areas, such as locations like Germany and Singapore. It's also good to remind everyone that we're built on AWS, so the possibilities for our future locations hinge on what AWS makes available to us. For example, AWS has announced they will be opening a Switzerland AWS Region, which then gives us the opportunity to assess customer need in that location.
On your Cloud roadmap for HIPAA you state Atlassian will "provide an attestation of compliance". What is that exactly? And does that imply that Atlassian will not sign a Business Associate Agreement (BAA)?
HIPAA is a law and not a certification; in order to provide assurances to our customers we comply with that law, we will enlist the services of a neutral auditor to review and attest to our compliance with HIPAA. Once this assessment is complete we will make the report available to our customers as appropriate. We will sign BAAs, as we know it is a requirement for customers subject to the HIPAA law.
Does Atlassian conduct pen tests?
Our Atlassian Security Team performs on-going network vulnerability scans of both internal and external infrastructure using an industry-recognized vulnerability scanner. Jira tickets are created for tracking and remediation purposes, and due dates are assigned according to our SLO based on severity and where the vulnerability was found.
We also maintain an internal Red Team that conducts on-going penetration test operations against all our infrastructure, cloud services and people. For more information on our Vulnerability Management program, see: https://www.atlassian.com/trust/security/vulnerability-management. We engage with BugCrowd to maintain a Bug Bounty program that conducts ongoing vulnerability assessment of our publicly available applications and services; the program is available at: https://bugcrowd.com/atlassian. We share on-going results from our Bug Bounty program at: https://www.atlassian.com/trust/security/security-testing.
Atlassian also hires a third party specialist to review the security state of our cloud-applications based on risk of new service or new environments.
Our security team manages a Critical Security Bugfix and Security Advisory process for our products described at: https://www.atlassian.com/security/secpol
How can I protect my application data in Jira or Confluence from being seen by an Atlassian system administrator?
Your data is encrypted at a database level and the only Atlassian staff that might have access to your instance are our cloud support engineers, who are specifically trained and certified for it and can only do so for support purposes. Please also note that support engineers can only do so if a ticket from you is raised and if you have explicitly agreed and accepted that they support you in that manner. Also, you would be notified of any sort of access in the product logs.
Atlassian restricts this access to the personnel who need it for their job role and responsibilities. We have enabled two-factor authentication for the hypervisor management console and the AWS API, and a daily audit report covers all access to the hypervisor management functions. Access lists for the hypervisor management console and AWS API are reviewed quarterly. We also maintain an 8-hour sync between our HR system and our identity store.
Does Atlassian have to comply with the CLOUD Act? What are the implications of that with regards to GDPR compliance?
As a global company with operations in the US we are subject to the CLOUD Act. The scope of the CLOUD Act, however, is quite limited and only permits the US government to access data if they have a court-issued warrant based on probable cause of a specific criminal act. There is a common misconception around the scope of the CLOUD Act (we recommend this document for a better understanding of the CLOUD Act and its common misconceptions). It's important to note that the CLOUD Act doesn't permit bulk surveillance, it only applies to court-authorized criminal investigations, and it provides for bilateral agreements (so the EU government can access US citizen data where agreements are in place).
As noted in our webinar, Atlassian responds to government requests in accordance with our Guidelines for Law Enforcement. To protect our customers’ rights, we carefully review requests to ensure that they comply with the law.
To obtain Customer Information from Atlassian, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant. We also publish an annual Transparency Report with information about government requests for users' data as well as government requests to remove content or suspend accounts.
Abby Loesch