Financial Market Supervisory Authority (Switzerland) - FINMA
Atlassian Outsourcing Guidelines
Disclaimer
The guidance provided below is solely for the purposes of assisting Swiss cloud customers in the public sector, as well as enterprise organisations that are deemed a "regulated entity" by The Financial Market Supervisory Authority (Eidgenössische Finanzmarktaufsicht, FINMA) considering outsourcing business functions to the cloud in their evaluation of Atlassian’s cloud products and associated services.
This report is intended solely for the information and guidance provided by Atlassian to its cloud customers on how we align with FINMA. In parallel to this, we have a dedicated Shared Responsibilities whitepaper which discusses the shared responsibilities that both a Cloud Service Provider ("CSP"), like Atlassian, and its customers need to keep in mind when ensuring compliance with FINMA. This shared responsibility model does not remove the accountability and risk from customers using Atlassian Cloud products, but it does help relieve our customer’s burdens in a number of ways, including by: managing and controlling system components and physical control of facilities; and shifting a portion of the cost of security and compliance onto Atlassian and away from our customers.
To learn more about our commitment to safeguard customer data, visit our Security Practices page.
| | FINMA Guidance | Atlassian Response | Atlassian Resources |
Introduction |
| FINMA is primarily responsible for addressing operational and outsourcing risks for financial institutions - ensuring (i) that financial institutions maintain appropriate security governance controls, to protect themselves, creditors, and individuals, when engaging with outsourced service providers, and (ii) that the Swiss financial markets function effectively. |
|
BaFin Outsourcing Guidance |
| Our FINMA outsourcing guidance whitepaper offers specific mappings to each requirement and how Atlassian Cloud Enterprise assists you in meeting your obligations, including information on audit rights, the right to issue instructions, data security, termination, and chain outsourcing. To learn more about our commitment to safeguard customer data, visit our Security Practices page. | |
EBA Guidance |
| Our FINMA outsourcing guidance whitepaper offers specific mappings to each requirement and how Atlassian Cloud Enterprise assists you in meeting your obligations, including information on audit rights, the right to issue instructions, data security, termination, and chain outsourcing. To learn more about our commitment to safeguard customer data, visit our Security Practices page. | |
Inventory of outsourced function | 4.1. (14) The customer must keep an up-to-date inventory of the outsourced functions that includes a description of the outsourced functions, the service provider (including subcontractors), recipient of the outsourcing, and the customer’s internal unit, responsible for the outsourcing | We note that this is an obligation on our customers, the regulated institutions. However, in some instances Atlassian may sub-outsource certain critical or important functions to high-quality service providers (e.g., data hosting providers) in compliance with the GDPR. | |
Selection, instruction and monitoring of the service provider | 5.1. (16) The service specifications must be agreed in line with the aims of the outsourcing and documented before the agreement is signed. This includes conducting a risk analysis that takes account of the main economic and operational considerations as well as the associated risks and opportunities | This obligation does not apply to Cloud services providers. Atlassian does, however, provide several resources to assist its customers in conducting the necessary risk assessments and due diligence they require. For more information on Atlassian's security and operational practices, visit Atlassian's Trust Center (https://www.atlassian.com/trust) where you will find:
| Trust Center |
| 5.2. (17) The service provider must be chosen with due regard to, and subject to checks of, its professional capabilities as well as its financial and human resources. Where multiple functions are outsourced to the same service provider, the concentration of risk must be taken into account. | See our guidance in our response to Sections 4.1 and 5.1. |
| |
| 5.3. (18) The prospect of changing service providers and the possible consequences of such a change must be considered when deciding to outsource and selecting the service provider. The service provider must offer a guarantee of permanent service provision. Provision must be made for insourcing the outsourced function or transferring it to. | During the Subscription Term for which you have purchased an applicable Covered Cloud Product, we will use commercially reasonable efforts to provide a Monthly Uptime Percentage to you as defined below (“Service Level Commitment”):
The corresponding service level terms, as well as the remedies for not meeting service levels for the Covered Cloud Products are provided for in our Service Level Agreement and the corresponding Product Specific Terms. | Atlassian Service Level Agreement | |
| 5.4. (19) The duties of the parties must be contractually agreed and delimited, in particular with regard to interfaces and responsibilities. | See the Atlassian Customer Agreement -> https://www.atlassian.com/legal/atlassian-customer-agreement | ||
| 5.5. (20 - 21) The customer must continuously monitor and assess the services of an outsourcing provider, and for this purpose must establish contractual terms for the necessary rights of instruction and control. | To help you with compliance and reporting, we share information, best practices, and provide easy access to documentation around the functionality of our products. Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn your trust. | ||
Security | 6.1. (24) The parties must contractually agree to the security requirements that apply and the customer must monitor compliance with these requirements | Contractual commitments around security are included in Section 4.2 of the Atlassian Customer Agreement (https://www.atlassian.com/legal/atlassian-customer-agreement), which states that Atlassian has implemented and will maintain appropriate physical, technical and organizational measures designed to protect your customer data from unauthorized access, destruction, use, modification or disclosure. This Section also states that Atlassian will maintain a compliance program that includes independent third-party audits and certifications. Our Trust Center (https://www.atlassian.com/trust), as updated from time to time, provides further details on our security measures and certifications. | |
| 6.2. (25) The parties must draw up a security framework to ensure the outsourced function can continue to be performed in an emergency | We maintain business continuity plans and disaster recovery plans, as described at our Trust Center (https://www.atlassian.com/trust/security/security-practices#business-continuity-and-disaster-recovery-management). These plans are reviewed and tested at least annually. | ||
Audit and Supervision | 7.1. (26) The customer, its audit firm and FINMA must be able to verify the service provider’s compliance with supervisory regulations. To that end, they must have the contractual right to inspect and audit all information relating to the outsourced function at any time without restriction. | Atlassian recognizes that regulated entities under FINMA must be able to audit our services effectively. Atlassian grants certain audit, access and information rights to such regulated entities and their supervisory authorities in compliance with applicable laws. Regulated entities may access their data on the services at any time and may provide their supervisory authority with access. |
|
| 7.2. (27) Auditing may be delegated to the service provider’s auditors if they are adequately qualified. Where this is done, the customer’s audit firm may use the findings of the service provider's auditors for its audit. | Our cloud products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards globally. You can review Atlassian's industry leading security, third party audits and certifications, documentations, and legal commitments that help support your compliance at our Compliance Resource Center (https://www.atlassian.com/trust/compliance/resources). | ||
| 7.3. (28) The outsourcing of a function must not make supervision by FINMA more difficult, in particular if the function is outsourced to another country. | Atlassian remains responsible for its overall performance under the Atlassian customer contract, including for any functions that are sub-outsourced. In addition, with respect to critical or important sub-outsourcings, Atlassian commits to ensuring that it has appropriate contracts with such sub-outsourcers, which grants Atlassian audit rights as necessary, and requires such sub-outsourcers to comply with all applicable laws. |
| |
| 7.4. (29) If the service provider is not supervised by FINMA, it must be contractually obligated to provide FINMA with all the information and documentation concerning the outsourced functions, which are necessary for FINMA's supervisory activities. If auditing is delegated to the service provider’s auditors, their report must be supplied, on request, to FINMA as well as to the outsourcing customer’s internal auditors and audit firm. | On request, Atlassian will provide its third party audit report. |
| |
Outsourcing abroad | 8.1. (30) Outsourcing to another country is admissible if customer can expressly guarantee that it, its audit firm and FINMA can assert and enforce their right to inspect and audit information. | Our FINMA outsourcing guidance whitepaper offers specific mappings to each requirement and how Atlassian Cloud Enterprise assists you in meeting your obligations, including information on audit rights, the right to issue instructions, data security, termination, and chain outsourcing. To learn more about our commitment to safeguard customer data, visit our Security Practices page. | |
| 8.2. (31) The customer must ensure that outsourcing to a foreign service provider will not hinder restructuring or resolution in Switzerland and the information necessary for this purpose must be accessible in Switzerland at all times. | Atlassian will reasonably cooperate with our customers in the event of a change in control, divestment or other organizational restructuring. |
| |
Agreement | 9.1. (32) The outsourcing must be based on a written agreement. In addition to naming the parties and describing the outsourced function, the agreement must also address the requirements in Margin nos. 33–34. | All engagments with customers are governed by a formal contract. See the Atlassian Customer Agreement -> https://www.atlassian.com/legal/atlassian-customer-agreement | |
| 9.2. (33) The customer must ensure that it is informed about the use or replacement of subcontractors for significant functions at an early stage and has the possibility of terminating the outsourcing in an orderly manner in accordance with Margin no. 18.1. Where subcontractors are used, they must also be bound by the obligations and guarantees on the part of the service provider that are necessary to comply with this circular. | Section 13.4 of the EBA guidelines describes customer's termination rights. In it, it states "We provide customers with a broad right to terminate for convenience, which would allow them to terminate in any of the instances listed in Section 13.4 of the EBA Guidelines." https://www.atlassian.com/trust/compliance/resources/eba/eba-guidance | ||
| 9.3. (34) The agreement must include measures to ensure implementation of the requirements set out in this circular, in particular in Margin nos. 21, 24, 26, 29, 30 and 31. | See questions 5.5, 6.1, 7.1, 7.4, 8.1 and 8.2 |
|