
What are the compensating controls given BitBucket Cloud data is not encrypted at rest

We are Jira and Confluence cloud users and are evaluating migrating from an on-premise Git hosting solution to BitBucket cloud. Atlassian's Security practices page states "Bitbucket does not offer encryption at rest for repositories at this time." Competing platforms and have both added encryption at rest to their platforms within the past two years.

We could be fine with no encryption at rest provided there are compensating controls to assure the confidentiality and integrity of our data. Can anyone provide specific information about compensating controls that Atlassian follows to ensure that:

  • our repositories are not accessible to other tenants on the platform
  • our repositories are not accessible to Atlassian staff other than those authorized to access it for support and operational purposes
  • backups of the unencrypted repositories are managed to prevent disclosure

Thanks for your help with our evaluation.



In my experience, you can't even access the repositories of your own employees unless they're on managed accounts. We had a company-owned workspace that I had to go to great lengths to regain ownership for, because the person who had created it had left. Also, even if you are invited to a workspace, you cannot see any repos in it unless you are added to a group which has access to the specific repository. In this way, your repos aren't even visible to Bitbucket accounts at your company unless explicitly granted by an admin, whether through the UI or command line.


Hope this helps; I'm sure an actual Atlassian will be able to confirm on the backups issue, which is the one I am not sure about.

Hi Kyle,


I also struggled with these asks from CISO & Compliance.

The compensation controls can be found in SOC 2 & 3 reports, in addition to Cloud Security Alliance, Self-assessment filed by Atlassian. here>>


Interestingly, while searching for these, I also went through GitHub's self-assessment.


This is what GitHub says, Row 90 in the self-assessment:

"Repository backup data is encrypted in storage; data is encrypted with github keys and then stored. Data in Production environment is not encrypted at rest "

Don't know what to make of it, given this is the opposite of what is stated publicly,

but it was sufficient to make this an equalizer for this specific security requirement.


Hope this was helpful.

