Atlassian Rovo & data security compatibility

Katie Lai
Contributor
October 30, 2024

Hi everyone! My team and I were curious about the data security and privacy standards that Rovo maintains, so we decided to do a deep-dive and compiled our findings here:

Atlassian Rovo was designed with data security at its core, making it compatible with strict security protocols. 

Rovo inherits many of Atlassian’s privacy and security policies and practices, including encryption, data isolation, and permissions. This is reflected in the customer agreements when using Atlassian software, including:  

We recommend that users review all their existing permissions in Atlassian and their third-party environment before enabling Rovo to ensure that any confidential data within your organization remains restricted to the appropriate users. Here’s how Rovo safeguards your sensitive data:

Honoring Permissions and User Access

Does Rovo respect existing permissions? 

Rovo respects and adheres to the existing permissions model in your Atlassian tools. This means that Rovo will only have access to the information users can see based on their roles within Jira or Confluence. For example, if a user doesn’t have access to specific projects or sensitive data, Rovo won’t either.

This means that different users will get different responses from Rovo based on the information they can access.

Example 1: If you do a natural language search on JQL, you will only see issues/projects that you have access to, or you will get Confluence pages sourced for an answer to a question if you have access to those pages.

Example 2: If a Confluence user executes an intelligent search, the results will consider the pages and spaces the user has permission to view and ignore restricted pages and spaces.

This respect ensures that Rovo operates within your organization’s established security boundaries, preventing unauthorized access to sensitive data. This is crucial for security officers managing data protection compliance.

Interoperation with Third-party products

Rovo is designed to interoperate with third-party products, through Rovo connectors. Integrating Rovo with third-party products may allow third parties to access information you choose to share while using their products. The use of these products and the information you provide will be subject to their terms and policies, including their privacy policies. For more information, make sure to check out Atlassian’s Privacy Policy, specifically “Third Party Services.”

Does Rovo respect third-party permissions? 

Rovo respects existing permissions not only with Atlassian products but also permission settings from connected third-party products. Because Rovo relies on set permissions, remember to check your third-party product permissions before setting up Rovo. 

Example 3: If you connect Rovo to Google Drive, users need to log in and connect their Atlassian account to Google Drive to see any Google Drive results when using Rovo.

What does Rovo do with deleted third-party data?

Content that is deleted in a third-party product will not appear in Rovo. In Figma’s case, links to deleted content may still appear in search results. However, when a user clicks on a link to content that has been removed, the link will no longer work. For additional details, refer to how Rovo displays Figma results.

When an organization admin disconnects a third-party tool from Rovo, the content indexed from that tool is removed within 30 days. GitHub content, however, follows a different process. Since GitHub data is integrated through the GitHub for Jira app, the data is only deleted if you disconnect GitHub from Rovo and uninstall the GitHub for Jira app. For more information on this, see how to disconnect GitHub from Rovo.

What is the scope of Rovo’s access to third-party data? 

When you connect Rovo to third-party products, you connect the entire product to Rovo. At this moment, you cannot narrow the scope further. 

Example 4: If you connect Rovo to Google Drive or Microsoft SharePoint, you give access to the whole Drive or workspace. You cannot give access to just one folder or a set of folders.

Narrowing the scope is something that Atlassian is considering in the future. 

How is data from Browser Extensions used?  

Source: Atlassian Support

If users are able to install the Rovo browser extension on their device, they can interact with Rovo Chat and Agents on any public webpage (e.g. Wikipedia) or on websites connected to Rovo via a connector (e.g. Google Drive). It is important to note that the extension reads and does not store contents.

Source: Atlassian Support

Example 5: If you use a Rovo connector and connect to Google Drive, you can ask Rovo Chat to summarize a Google doc. The Google doc’s content is sent to Atlassian to identify words – it is not stored or shared with third-party models like OpenAI. 

Trust and Data

How will Rovo handle customer Data? 

Many assurances in the Atlassian Intelligence Trust Center apply to Rovo. Rovo is built to process user inputs securely while delivering the outputs your team needs.  When users interact with Rovo, the tool processes their inputs to provide the requested responses while incorporating organizational data from within your site. This data is only used when the user can view it, ensuring that the outputs are more accurate, relevant, and contextual to your organization’s needs.

To maintain strict privacy standards, the LLM providers that power Rovo, including OpenAI, do not use your inputs and outputs to improve their services. Neither OpenAI nor any other LLM provider retains your data after processing.

Beyond the policies for LLM providers, Atlassian limits customer data use and access within its platform. Here is how the data is protected:

  • Inputs and outputs are only used to enhance your organization’s experience. They are never used for model training across different customers.
  • Atlassian may temporarily store your inputs and outputs to reduce latency for certain features, such as displaying a page summary or search history. This data is retained only to improve user experience and is not stored longer than necessary.
  • For total transparency, Atlassian’s transparency page offers detailed information on how each feature utilizes customer data. You can also subscribe to get updates on Atlassian’s legal terms and list of sub-processors.

Does Rovo support Data Residency?

Currently, Rovo does not support data residency. However, Atlassian plans to support this in the future. 

Encryption and Data Privacy Compliance

Does Rovo comply with GDPR?

Atlassian Rovo complies with industry-leading encryption standards to protect data in transit and at rest. You can ensure that data exchanged between users and Rovo remains secure, reducing the risk of data breaches or interception. Atlassian is committed to meeting stringent data privacy regulations, including GDPR. 

Is Rovo SOC2 and ISO compliant?

While many of Rovo’s systems and services hold SOC2 and ISO certifications and follow the same internal policies and standards, Rovo itself has not yet undergone external assessments for these certifications. However, Atlassian plans to include Rovo in its standard audit certification process by the end of 2024.

Is Rovo HIPAA compliant? 

Currently, Rovo is not HIPAA compliant, and its Business Associate Agreement (BAA) does not cover Rovo’s features. If your organization requires HIPAA compliance, we recommend holding off on using these features until Atlassian extends its coverage to include them.

How to Evaluate Rovo for Your Security Needs

When considering Rovo for your organization, evaluating its security features against your existing data protection framework is essential. Here are a few tips:

  1. Review your organization’s data classification policies to ensure Rovo’s permissions model aligns with your internal access controls.
  2. Assess encryption protocols to verify that Rovo meets your organization’s standards for data in transit and at rest.
  3. Consult with your security team to ensure that Rovo’s use of LLMs complies with your privacy guidelines, especially in sectors where handling confidential data is a concern.

I hope this helps answer some questions. Did we miss anything? Does Rovo fit your org's security needs? Have you already started using Rovo? I'd love to hear about your experience so far!

Bryan Guffey
Community Leader
October 30, 2024

Great work, @Katie Lai! A wonderful summary of Rovo's data security practices! 

Katie Lai
Contributor
October 31, 2024

Thanks @Bryan Guffey
