7 min read

What compliance requirements does the Atlassian Cloud meet?

More and more customers are moving to the Atlassian Cloud. Find out what security, privacy and compliance requirements it meets and what they include here.


The cloud is no longer just an optional alternative, it has become a strategic requirement as the SaaS revolution continues. SaaS products such as Atlassian Cloud have become standardized enterprise tools and show fundamental differences from on-premise solutions. One major contrast is that the administration and management of the infrastructure is controlled by the provider. Thus, the internal IT team can strategically deploy its freed-up resources elsewhere.

With cloud services, trust starts with security and reliability. Atlassian's cloud products are independently audited on a regular basis. They are certified to meet global security, privacy and compliance requirements.

Compliance in the Atlassian Cloud



ISO / IEC 27001

The International Organization for Standardization (ISO) is an independent, organization that counts 167 standards organizations from around the world as members. The ISO/IEC 27000 family of standards helps organizations ensure the security of their information assets.

First, ISO/IEC 27001:2013 is a security management standard that defines comprehensive security measures according to best practice guidelines from ISO/IEC 27002. The basis of certification is the development and implementation of a rigorous security program.

ISO/IEC 27018 formulates recognized guidelines for implementing measures to protect personal data. The Atlassian Trust Management System supports the operations underlying cloud offerings (ISO-Zertifikat from Atlassian).



Atlassian ensures to comply with the General Data Protection Regulation (GDPR) and all data protection regulations. The GDPR gives EU citizens more control over their data and combines various privacy and security laws into one comprehensive law.

As a company with a global customer base, Atlassian is able to transfer and access data all over the world. Atlassian respects the rules for onward transfers of personal data to countries outside the European Economic Area (EEA) and provides customers with a robust framework for international data transfers under the Privacy Addendum.

In addition to the Privacy Addendum, Atlassian protects customers' data and rights by responding to law enforcement requests only after a thorough legal review.



SOC 2 and SOC 3 reports (System and Organization Controls) are independent investigative reports that document how a company or organization implements essential compliance measures and objectives.

The Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) applicable Trust Services Criteria (TSC) is the basis of the SOC 2 and SOC 3 reports.

The intent of the reports is to evaluate all of a company's or organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

A SOC 3 report includes a written opinion from the service organization. This ensures that all actions required under the applicable Trust Services Criteria have been taken. The difference between the two reports is that they are accessible to the public. This is only possible with SOC3.

Both SOC 2 reports and SOC 3 reports are evidence investigations conducted in accordance with SSAE 18, which is the responsibility of the AICPA (Sections AT-C 105 and 205).


The U.S. government has established FedRAMP (Federal Risk and Authorization Management Program), a government program for standardizing security and risk assessment, authorization, and continuous monitoring of cloud products and cloud services.

There are two FedRAMP authorizations: provisional authorization by the Joint Authorization Board (JAB) or authorization by an agency. For authorization, the relevant authorities work directly with the cloud provider. If a cloud service provider chooses to obtain an operating authorization directly through an authority, the entire FedRAMP process is guided by the respective authority.

Requirements for authorizations include an assessment by an assessment firm accredited with the program. In addition, a thorough technical review by the FedRAMP Program Management Office (PMO) is required.


The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard managed by the PCI Security Standards Council.

The PCI Security Council has defined network security and business transaction guidelines to protect customer credit card information as a "minimum security standard."

In this regard, the PCI-DSS applies to all systems, networks and applications that process, store or transmit cardholder data. It also applies to systems used to secure and log access to said systems. The PCI-DSS applies to all legal entities that store, process, or transmit cardholder data or sensitive authentication data.


Section 508 is an amendment to the U.S. Rehabilitation Act of 1973. Section 508 requires U.S. federal agencies to provide employees and citizens with impairments comparable access to electronic information and electronic technology as individuals without impairments. In addition, agencies must also consider accessibility when purchasing or using information technology.

ACSC: Cloud Computing Security for Cloud Service Providers (Cloud-Computing-Sicherheit für Cloud-Service-Anbieter)

ACSC - Cloud Computing Security

This guide helps assessors verify the security of a cloud service to provide independent assurance to organizations that cloud service provider (CSP) security claims are valid. The organization and the CSP share responsibility for mitigating risk when using cloud services. Before using cloud services, organizations should conduct a risk assessment and implement necessary mitigation measures. This document covers Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) provided by a CSP as part of a Public Cloud, Community Cloud and Outsourced Private Cloud.



APRA Prudential Standard CPS 234

The Australian Prudential Regulation Authority (APRA) has issued guidance to financial institutions it supervises to help them maintain cybersecurity and governance in their organizations when using cloud computing. APRA has issued specific guidance on outsourcing cloud computing offerings, and supervisors must review and comply with APRA Prudential Standard CPS 234 Information Security when outsourcing. The APRA 234 Outsourcing Guidance provides mappings to each requirement and outlines how Atlassian Cloud Enterprise can help customers meet their obligations, including information on audit rights, data security, termination, and outsourcing.


The German Federal Financial Supervisory Authority (BaFin) is responsible for the supervision of all financial institutions in Germany. Atlassian supports its German customers operating in the financial services sector in addressing regulatory requirements at the national level with BaFin and at the regional level with the European Banking Authority (EBA).

Compliance protocols, including those set by BaFin, are the joint responsibility of the financial institution and the cloud service provider. Atlassian provides a BaFin outsourcing guide with specific mappings to each requirement and how its cloud enterprise helps customers meet their obligations, including information on audit rights, data security, termination, and outsourcing.


The California Consumer Privacy Act (CCPA) is a privacy law passed in the United States in 2018 that regulates the use, collection, and processing of personal data. The law gives California consumers rights as data subjects, and Atlassian is committed to complying with the requirements of the law. Atlassian's privacy program includes features that support compliance with the CCPA, such as tools to facilitate deletion of personal data and access requests.

Atlassian does not sell personal information, but may share it with third parties as described in the Privacy Policy. Atlassian has updated its privacy policy to include information specific to California residents and the CCPA. A new privacy law, the California Privacy Rights Act (CPRA), is currently in the drafting stage and is expected to take effect on January 1, 2023.


Cloud Security Alliance

The Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for ensuring security in cloud computing and helps secure other forms of computing. Its Security, Trust & Assurance Registry Program (CSA STAR) evaluates cloud service providers (CSPs) through a three-tiered program of self-assessment, third-party auditing and continuous monitoring.

STAR offers three assurance levels, and CSPs can submit either a completed Common Assurance Initiative Questionnaire (CAIQ) or a report documenting compliance with the Cloud Controls Matrix (CCM) as part of the CSA STAR self-assessment. Atlassian, which is both a corporate member of the Cloud Security Alliance and on the Trusted Cloud Provider list, offers a Level 1 self-assessment for its cloud products.



European Banking Authority (EBA)

The European Banking Authority (EBA) is an EU authority responsible for developing and implementing a set of rules to regulate and supervise banking in all EU countries to ensure financial stability and consumer confidence. Atlassian Cloud Enterprise has developed a solution to help European customers in the financial services sector comply with EBA regulations and guidelines.

Compliance with these requirements is the joint responsibility of the financial institutions and the cloud service provider. Atlassian provides an EBA outsourcing guide with specific mappings to each requirement and outlines how it helps customers meet obligations such as audit rights, data security, location of data processing, chain outsourcing and termination.


Financial Market Supervisory Authority

Atlassian is committed to helping its Swiss financial services clients comply with the Swiss Financial Market Supervisory Authority's (FINMA) requirements for maintaining adequate cybersecurity and governance programs. FINMA's guidance on outsourcing requirements for cloud companies is contained in Circular 2018/3. Atlassian's FINMA outsourcing guidance addresses each requirement and explains how Atlassian Cloud Enterprise helps users meet obligations such as audit rights, data security, termination, and chain outsourcing.



The Higher Education Information Security Council (HEISC), in collaboration with other organizations, has developed the Higher Education Cloud Vendor Assessment Toolkit (HECVAT) for higher education institutions to assess the security and privacy requirements of cloud service providers in the United States. As a cloud service provider, Atlassian Cloud has completed a self-assessment for its core products in accordance with HECVAT, describing its alignment with industry standards and the security of its products and infrastructure.


HIPAA is a regulation issued by the U.S. Department of Health and Human Services to protect protected health information. It applies to health care providers, health plans, and health care clearinghouses, as well as third parties known as "business associates." Atlassian ensures HIPAA compliance for its customers through a series of security measures, assessments, policies and procedures. Customers must purchase an Enterprise Plan and a Business Associate Agreement (BAA) to comply with HIPAA regulations when using Atlassian's products and services. Atlassian has also created a HIPAA Implementation Guide for customers to ensure they are using the products and services in a HIPAA compliant manner.

NCSC - UK Cloud Security

The National Cyber Security Centre (NCSC) is a UK government organization focused on providing cybersecurity guidance to mitigate cybersecurity risks to public and private sector networks in the UK. The NCSC has developed 14 Cloud Security Principles for information security, including secure use of a cloud service provider (CSP), identity and access management, and encryption standards. Atlassian's UK Cloud Security Principles outsourcing guide maps each requirement and explains how they can help meet obligations such as audit rights, data security, termination and chain outsourcing.

Lei Geral de Proteção de Dados (LGPD)

The Brazilian General Data Protection Law (LGPD) establishes guidelines for the collection, use, processing, storage, and transfer of personal data of Brazilian data subjects. The law regulates data collection, increases accountability, imposes fines for violations, creates a Brazilian Data Protection Authority (ANPD), and outlines requirements for personal data protection. Atlassian's cloud products comply with widely recognized standards and certifications, and the company provides an annex to its Data Processing Addendum with terms that cover LGPD compliance. Atlassian's GDPR practices also address LGPD compliance.

Section 889

Section 889(a)(1)(A) and (B) of the Federal Acquisition Regulation (FAR) prohibits U.S. government agencies from procuring or contracting with companies that use telecommunications equipment or services manufactured by certain companies, including Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. Atlassian represents that it does not use any Covered Telecommunications Equipment or Services and confirms that it has conducted a reasonable investigation to this end.

Web Content Accessibility Guidelines – WCAG

The Web Content Accessibility Guidelines (WCAG) are internationally recognized standards for making software, websites, and content accessible to people with disabilities. They are anchored in the US Rehabilitation Act Section 508 and in the European standard for accessibility (EN 301 549). Atlassian's internal accessibility standards are based on WCAG 2.1 and aim for AA level compliance. They will be updated to reflect WCAG 2.2 guidelines expected in late 2022. To ensure transparency and accountability, Atlassian publishes WCAG conformance reports for each of its products, indicating the level of support for each WCAG criterion.