Atlassian's Obligation to GDPR
Atlassian's approach to data
The General Data Protection Regulation (GDPR, or DSGVO in German) consolidates several existing laws on data protection and privacy. Here you will find the requirements that matter most to cloud users:
What is GDPR?
The European Union's General Data Protection Regulation (GDPR) aims to improve EU citizens' control over the data that companies hold about them. The GDPR applies not only to organizations within the EU, but also to all companies that process and store personal data of data subjects in the EU. It does not matter where the company is based.
The principles for the processing of personal data are set out in Articles 5, 25 and 32.
Below you will find an overview of the most important requirements with regard to the Atlassian Cloud.
1. Lawful and transparent processing of personal data
The processing of personal data in the cloud is only lawful if the data subject has consented or if another legal basis exists. Data processing must take place in a clear, comprehensible manner, and the process must be designed transparently and in good faith.
2. Data must be stored in such a way that its integrity and confidentiality are maintained
When processing the data, appropriate security must be ensured, including protection against unauthorized processing, loss or damage. In addition, the processing of the data must not violate the dignity of the data subject or restrict his or her freedoms.
3. Security and state of the art
Taking the state of the art into account, a sufficiently high level of security must be ensured when processing the data. The legislator requires a level of protection appropriate to the risk. This includes, among other things:
- The pseudonymization of personal data
- The ability to quickly restore the availability of and access to the data in the event of a technical or physical incident
- A regular audit to evaluate the effectiveness of the technical and organizational measures
4. Data must be purpose-bound
Data may only be collected for unambiguous purposes and may not be further processed in any other way. An exception applies to the use of data for the common good.
In addition, data must be limited to what its purpose requires; this minimizes the volume of data and ensures that only data that is actually useful is collected.
5. Factual accuracy and identification of the data
Data should be factually correct; if it is no longer so, it must be corrected or deleted. It may be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
Data Privacy
Atlassian's data protection program is tailored to meet regulatory requirements. This is ensured by:
- Detailed analytics
- Integrated data protection
- Regular training
- News and updates
How long Atlassian retains information depends on the type of data. After the relevant period, this data is anonymized or deleted.
Atlassian Cloud products are hosted by the leading cloud provider AWS (Amazon Web Services), which delivers high performance and provides failover options. The use of geographically separate regions ensures that a failure in one data center does not affect the availability of the products or the customer data.
Security and Certifications
Security mechanisms are integrated at every level of the Atlassian Cloud architecture. Atlassian's security philosophy is based on the following principles:
- Training employees in cloud and product security
- Meeting all customer requirements for cloud security and exceeding industry requirements for security standards
- An open and transparent approach to programs, procedures, and metrics
Atlassian secures access to its enterprise network, internal applications and cloud environments using the Zero Trust concept. Simply put, the Zero Trust principle is "never trust, always verify."
In addition, Atlassian holds several certifications and is regularly audited. Current certifications include ISO/IEC 27001, SOC 2, SOC 3, FedRAMP and PCI DSS.
International Data Transfers
Due to Atlassian's global customer base, secure data transfer must be ensured worldwide. Atlassian follows the rules for transferring personal data even outside the European Economic Area (EEA). In addition, Atlassian offers a Data Processing Addendum (DPA) that ensures customers can lawfully transfer personal data to its cloud products. This addendum contains specific provisions that help customers comply with the GDPR.
When data is transferred to Atlassian's service providers, Atlassian remains responsible for the security of that data and ensures through contracts with those providers that the necessary security measures are in place. Atlassian's measures include, but are not limited to:
- Encryption of data in transit and at rest
- Publishing an annual transparency report with information about government requests for user data
- Providing additional information on policies and procedures for handling government requests
Data Location and Mobility
The optimal location for your data is chosen to minimize latency and achieve maximum performance for you and your users. As an organization admin on a new Standard or Premium plan, or on the Enterprise products, of Jira or Confluence, you can anchor your environment in specific regions of the world.
Interested in ordering an Atlassian license?
We offer a cost-effective alternative to buying directly from Atlassian. We are happy to advise you, free of charge and without obligation, on purchasing and managing your licenses. We look forward to talking with you!
Alexander Post
Principal Solutions Advocate
We would be happy to advise you free of charge and without obligation. Get in touch with our experts and we'll see what we can do.