As a cloud service provider, we understandably receive a lot of questions from our customers about how Atlassian is taking appropriate action for the protection and confidentiality of their data. In addition to validating that their data is in good hands, many customers are eager to hear our best practices and guidance for working together. While our vision for effective security is one of shared responsibility, we also understand that the level of customer expectations can really vary.
While we talk often with customers about our practices, to date we have not discussed in depth (or in one place) the line between what we manage and secure versus customer responsibilities.
At a high level: responsibilities
- Atlassian responsibilities: Atlassian handles the security of the applications themselves, the systems they run on, and the environments those systems are hosted within. We ensure customer systems and environments are compliant with relevant standards, including PCI DSS and SOC2, as required.
- Customer responsibilities: Our customers manage the information within their accounts, the users and user accounts accessing their data, and which Marketplace Apps (formerly called “add-ons”) they install and trust. When using our applications, customers are responsible for ensuring their business is meeting their own compliance obligations.
How to learn more
It’s not as simple as we’ve framed it above. As a company with two core values of “Open Company, No Bullshit” and “Don’t Fuck the Customer” and, furthermore, a security team with a core tenet to “be transparent,” there’s more we can do.
Today, we’re embracing transparency in new ways to establish even more trust in our products and services. So far we’ve posted detailed information about our Security Management Program, responded publicly to the Cloud Security Alliance Questionnaire, posted about how we built our internal controls program, and released a customer guide for shared responsibility for security incidents.
The next step is to better align with those shared responsibilities and expectations. In the coming months, you’ll see more on Atlassian’s Trust site, starting today with our new white paper called “Atlassian Cloud Security Shared Responsibilities.” (Click the green button below for an instant PDF download.) Inside, you’ll find our commitments to you, where the overlap of shared responsibility exists, and what you can do to help us help you best.
We look forward to continuing this journey together.