Atlassian Compliance
We adhere to widely accepted standards and regulations.

SOC
Atlassian's Service Organization Control (SOC) reports are issued by an independent third-party auditor and describe how Atlassian designs and operates the controls behind its key compliance objectives. The purpose of these reports is to help you and your auditors understand the controls established to support operations and compliance at Atlassian.
Atlassian has obtained SOC 2 reports for:
- Bitbucket Cloud (Type II)
- Confluence Cloud (Type II)
- Jira Cloud (Type II)
- Trello (Type I)
A Type I report covers the design of controls at a point in time; a Type II report also tests whether those controls operated effectively over a review period.
Non-disclosure agreement
Ernst & Young LLP (“EY”) has prepared the attached report (the “Report”) for the sole benefit and use of Atlassian Pty Ltd (“Company”), and, for limited purposes in accordance with the relevant standards of the American Institute of Certified Public Accountants (the “AICPA”), Company’s existing user entities and their auditors. In addition, certain prospective user entities, identified by the Company (collectively with existing user entities, each a “Recipient”), may have access to the Report subject to the terms of this agreement. Your access to the Report is subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement not as an individual but on behalf of your company, then “Recipient” or “you” means your company, and you are binding your company to this agreement.
By clicking on the “I ACCEPT” button below, you signify that you and the Recipient agree to be bound by these terms and conditions. Such acceptance and agreement shall be deemed to be as effective as a written signature by you, on behalf of yourself and the Recipient, and this agreement shall be deemed to satisfy any writings requirements of any applicable law, notwithstanding that the agreement is written and accepted electronically. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than Company is prohibited, except as provided below.
Company agrees to allow Recipient to access the Report on the condition that Recipient reads, understands, and agrees to all of the following:
- The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Recipient has requested that Company provide Recipient a copy of the Report.
- The Services were undertaken, and the Report was prepared, solely for the benefit and use of Company, its existing user entities, and their auditors, and was not intended for any other purpose, including the use by prospective user entities of Company. EY has made no representation or warranty to the Recipient as to the sufficiency of the Services or otherwise with respect to the Report. Had EY been engaged to perform additional services or procedures, other matters might have come to EY’s attention that would have been addressed in the Report.
- The Services did not (a) constitute an audit, review or examination of financial statements in accordance with generally accepted auditing standards of the AICPA or the standards of the Public Company Accounting Oversight Board, (b) constitute an examination of prospective financial statements in accordance with applicable professional standards or (c) include procedures to detect fraud or illegal acts to test compliance with the laws or regulations of any jurisdiction.
- The Recipient (a) does not acquire any rights against EY, any other member firm of the global Ernst & Young network, or any of their respective affiliates, partners, agents, representatives or employees (collectively, the “EY Parties”), the Company or any of their respective affiliates, partners, agents, representatives or employees (together with EY Parties, the “Report Parties”), and the Report Parties assume no duty or liability to the Recipient, in connection with the Services or its access to the Report hereunder; (b) may not rely on the Report; and (c) will not contend that any provisions of United States or state securities laws could invalidate or avoid any provision of this agreement.
- Except where compelled by legal process (of which the Recipient shall promptly inform EY and the Company so that they may seek appropriate protection), the Recipient will not disclose, orally or in writing, any Report or any portion thereof or any other Confidential Information received from EY or the Company in connection therewith, or make any reference to EY or Company in connection therewith, in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by the Company in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential at the time of disclosure and within thirty (30) days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
- Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security, regulatory and other business policies. This agreement does not create or imply an agreement to complete any transaction or an assignment by Company of any rights in its intellectual property.
- The Recipient (for itself and its successors and assigns) hereby releases each of the Report Parties, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or EY’s performance of the Services. The Recipient shall indemnify, defend and hold harmless the Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
- Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Report Party, confirm in writing that Recipient has complied with these obligations.
- This agreement shall be governed by, and construed in accordance with, the laws of the State of New York applicable to agreements made and fully to be performed therein by residents thereof. This agreement can be enforced by any of Report Parties, individually or collectively.
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
After accepting the agreement, download the report you want to view.
SOC 3 reports are also available for download: one covering Jira Cloud and Confluence Cloud, and one covering Bitbucket Cloud.

ISO/IEC 27001 - Information Security Management System
ISO/IEC 27001 is the most widely recognized international standard for an information security management system (ISMS), and it draws on the control catalogue detailed in ISO/IEC 27002. Certification requires building and operating a rigorous, documented ISMS. To attain and keep the certification, an organization must:
- Systematically evaluate its information security risks, taking into account the impact of security threats and vulnerabilities
- Design and implement a comprehensive suite of information security controls to address those risks
- Implement an overarching audit and compliance management process to ensure that the controls remain effective on an ongoing basis
Our certification scope covers the Atlassian Cloud offerings Jira Cloud, Confluence Cloud and Bitbucket Cloud, including the microservices used to deliver these applications, together with the corporate functions Legal, Talent, Policy, Privacy, Procurement, Risk & Compliance, Security, Workplace Experience and Workplace Technology.

ISO/IEC 27018 - Code of Practice for Protecting Personal Data in the Cloud
ISO/IEC 27018 is a code of practice for protecting personal data in the cloud. It is based on ISO/IEC 27002 and provides additional implementation guidance for the ISO/IEC 27002 controls that apply to Personally Identifiable Information (PII) processed in public clouds. It also adds a set of controls, with associated guidance, for public-cloud PII protection requirements that the existing ISO/IEC 27002 control set does not address.
Our certification scope covers the Atlassian Cloud offerings Jira Cloud, Confluence Cloud and Bitbucket Cloud, including the microservices used to deliver these applications, together with the corporate functions Legal, Talent, Policy, Privacy, Procurement, Risk & Compliance, Security, Workplace Experience and Workplace Technology.

Payment Card Industry Data Security Standard (PCI DSS)
We care about the security of your credit card, and we despise fraudsters! When you pay by credit card for Atlassian products or services, you can rest assured that we handle the security of that transaction with appropriate attention. We are a Level 2 merchant and engage a Qualified Security Assessor (QSA) to assess our compliance with PCI DSS. We are currently compliant with PCI DSS v3.2 under SAQ A, the self-assessment questionnaire for merchants that fully outsource cardholder data handling to a PCI DSS compliant third party.
View or download our PCI Attestation of Compliance (AoC)

Cloud Security Alliance - Security, Trust, and Assurance Registry
A CSA STAR Level 1 questionnaire for Atlassian is available for download on the Cloud Security Alliance's STAR Registry web site.
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, helping customers assess the security of cloud providers they use or are considering contracting with. Atlassian is a CSA STAR registrant and a Corporate Member of the Cloud Security Alliance (CSA), and has completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA's Cloud Controls Matrix (CCM) v3.0.1, provides answers to over 300 questions that a cloud customer or cloud security auditor may wish to ask of a cloud provider.
Our Atlassian CAIQ entry covers our Jira Cloud, Confluence Cloud, HipChat and Bitbucket Cloud offerings.

Voluntary Product Accessibility Template (VPAT)
The Voluntary Product Accessibility Template (VPAT) is a document that evaluates how accessible a particular product is according to the Section 508 Standards. It is a self-disclosure produced by the vendor that details each Section 508 requirement and how the product supports each criterion.
VPATs are used by buyers to determine how accessible a product is and where any potential deficiencies are. They are required by some buyers before a purchase is made.
Our Service Providers
We hold our service providers to very high standards. Our data center, co-location, and managed service providers undergo regular SOC 1, SOC 2 and/or ISO/IEC 27001 audits to verify their practices.
We review the results of these audits annually at a minimum as part of our vendor management program. In the event these audits have material findings which we determine present risks to us or our customers, we work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue has been resolved.
Validating our Practices
Independent third-party audits
We use independent third parties to audit our practices against the most sought-after standards and regulations in the world. These reviews occur at least annually and are conducted by globally respected audit and security firms that are independent and thorough in their evaluations. We take their reports seriously and have processes in place to address any findings that present risks to us or our customers.
External and internal application security testing
Our security team performs automated and manual application security testing and network vulnerability testing on an ongoing basis to identify and patch potential security vulnerabilities and bugs in our desktop, web, and mobile applications. We also work with third-party security specialists and with members of the wider security research community. See our guidelines on submitting a vulnerability and our bug bounty program.
Continuous Improvement
A critical part of any information security management program is the continual improvement of security and compliance programs, systems, and controls. Atlassian is committed to soliciting feedback from internal teams, customers, and internal and external auditors, and to improving our security, privacy and compliance processes and controls over time.