Atlassian Compliance

We adhere to widely accepted standards and regulations.



Atlassian's Service Organization Control (SOC) Reports are certified by a third party and demonstrate how Atlassian achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the controls established to support operations and compliance at Atlassian. 

Atlassian has achieved SOC2 certifications for:

  • Bitbucket Cloud (Type II)

  • Confluence Cloud (Type II)

  • Jira Cloud (Type II)

  • Trello (Type I)

If you'd like to download a copy of the SOC3 report for Jira and Confluence Cloud, please click here.

If you'd like to download a copy of the SOC3 report for Bitbucket Cloud, please click here.

ISO 27001 Certified

ISO/IEC 27001 - Information Security Management System

ISO/IEC 27001 is recognized as the premier information security management system (ISMS) standard worldwide. ISO/IEC 27001 also leverages the comprehensive security controls detailed in ISO/IEC 27002. The basis of this certification is the development and implementation of a rigorous security management program, including the development and implementation of an Information Security Management System (ISMS). This widely-recognized and widely-respected international security standard specifies that companies that attain certification also:

  • Systematically evaluate our information security risks, taking into account the impact of security threats and vulnerabilities

  • Design and implement a comprehensive suite of information security controls to address security risks

  • Implement an overarching audit and compliance management process to ensure that the controls meet our needs on an ongoing basis

Atlassian products that are in scope for ISO/IEC 27001 include Jira and Confluence cloud, as well as the micro services which deliver those products.

ISO 27001 Certified

ISO/IEC 27018 - Code of Practice for Protecting Personal Data in the Cloud

ISO/IEC 27018 is a code of practice that focuses on protection of personal data in the cloud. It is based on the information security standard ISO/IEC 27002 and provides additional implementation guidance for ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.

Atlassian products that are in scope for ISO/IEC 27018 include Jira and Confluence cloud, as well as the micro services which deliver those products.

PCI DSS Compliant

Payment Card Industries Data Security Standard

We care about the security of your credit card and we despise fraudsters! When you pay with your credit card for Atlassian products or services you can rest assured that we handle the security of that transaction with appropriate attention. We are a Level 2 merchant and we engage with Qualified Security Assessor (QSA) to assess our compliance with PCI DSS. We are currently compliant with PCI DSS v3.2, SAQ A.

Download our PCI Attestation of Compliance (AoC)

Jira and Confluence


Cloud Security Alliance

Cloud Security Alliance - Security, Trust, and Assurance Registry

A CSA STAR Level 1 Questionnaire for Atlassian is available for download on the Cloud Security Alliance’s STAR Registry web site.

The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping customers assess the security of cloud providers they currently use or are considering contracting with. Atlassian is a CSA STAR registrant and Corporate Member of the Cloud Security Alliance (CSA) has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA’s Cloud Controls Matrix (CCM) v.3.0.1, provides answer to over 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider

Our Atlassian CIAQ entry covers our Jira and Confluence Cloud, HipChat and Bitbucket Cloud offerings.

VPAT 508

Voluntary Product Accessibility Template (VPAT)

The Voluntary Product Accessibility Template (VPAT) is a document which evaluates how accessible a particular product is according to the Section 508 Standards. It is a self-disclosing document produced by the vendor which details each aspect of the Section 508 requirements and how the product supports each criteria.

VPATs are used by buyers to determine how accessible a product is and where any potential deficiencies are. They are required by some buyers before a purchase is made.

Our Service Providers

We hold our service providers to very high standards. Data centers, co-location, and managed service providers undergo regular SOC1, SOC2 and/or ISO/IEC 27001 audits to verify their practices.

We review the results of these audits annually at a minimum as part of our vendor management program. In the event these audits have material findings which we determine present risks to us or our customers, we work with the service provider to understand any potential impact to customer data and track their remediation efforts until the issue has been resolved.

Validating our Practices

Independent third-party audits

We use independent third-parties to audit our practices against most sought after standards and regulations in the world. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their evaluations. We take their reports seriously and have processes in place to address any issues that present risks to us or our customers. 

External and internal application security testing

Our security team performs automated and manual application security testing and network vulnerability testing on an on-going basis to identify and patch potential security vulnerabilities and bugs on our desktop, web, and mobile applications. We also work with third-party security specialists, as well as other industry security research community members. See our guidelines on submitting a vulnerability and our submission form for reporting security vulnerabilities.

Continuous Improvement

A critical part of any information security management program is the continual improvement of security and compliance programs, systems, and controls. Atlassian is committed to soliciting feedback from different internal teams, customers, internal and external auditors, and improving our security, privacy and compliance processes and controls over time.