
What are the compensating controls given BitBucket Cloud data is not encrypted at rest

We are Jira and Confluence cloud users and are evaluating migrating from an on-premise Git hosting solution to BitBucket cloud. Atlassian's Security practices page states "Bitbucket does not offer encryption at rest for repositories at this time." Competing platforms and have both added encryption at rest to their platforms within the past two years.

We could be fine with no encryption at rest provided there are compensating controls to assure the confidentiality and integrity of our data. Can anyone provide specific information about compensating controls that Atlassian follows to ensure that:

  • our repositories are not accessible to other tenants on the platform
  • our repositories are not accessible to Atlassian staff other than those authorized to access it for support and operational purposes
  • backups of the unencrypted repositories are managed to prevent disclosure

Thanks for your help with our evaluation.



In my experience, you can't even access the repositories of your own employees unless they're on managed accounts. We had a company-owned workspace that I had to go to great lengths to regain ownership for, because the person who had created it had left. Also, even if you are invited to a workspace, you cannot see any repos in it unless you are added to a group which has access to the specific repository. In this way, your repos aren't even visible to Bitbucket accounts at your company unless explicitly granted by an admin, whether through the UI or command line.


Hope this helps; I'm sure an actual Atlassian will be able to confirm on the backups issue, which is the one I am not sure about.

Hi Kyle,


I also struggled with these asks from CISO & Compliance.

The compensation controls can be found in SOC 2 & 3 reports, in addition to the Cloud Security Alliance self-assessment filed by Atlassian. here>>


Interestingly, while searching for these, I also went through GitHub's self-assessment.

This is what GitHub says, Row 90 in the self-assessment:

"Repository backup data is encrypted in storage; data is encrypted with github keys and then stored. Data in Production environment is not encrypted at rest "

Don't know what to make of it, given this is opposite of what is stated publicly,

but it was sufficient to make this an equalizer for this specific security requirement.


Hope this was helpful.

