
Marketplace App Trust

Trust is a key component of the relationship between Atlassian customers and our third-party Marketplace Partners.


Cloud apps are a shared responsibility

Atlassian provides information, controls and capabilities, while facilitating communication between you and Marketplace Partners.

Marketplace Partners

Marketplace partners design apps and operational processes according to their legal obligations, Atlassian’s requirements, and general industry best practices for reliable, compliant, and secure apps. They also provide support and information to help you make informed decisions.

Atlassian

Atlassian provides information and capabilities to help Marketplace Partners build trustworthy apps and to help customers vet and manage apps.

You

You leverage the information provided by Atlassian and Marketplace Partners to vet apps against your requirements. It’s important to acknowledge that app installation requires a new relationship with a Marketplace Partner that is separate from your relationship with Atlassian.

Atlassian’s approach to supporting customers and partners

Data protection support for Marketplace Partners

Atlassian has programs, tools, educational resources, and requirements in place to help third parties protect your data when you extend your workflows with Marketplace apps.

In the event that partners aren't meeting our requirements, we may take actions like removing badges, hiding apps from the Marketplace, pausing them, or adding them to a public transparency page.

Setting a privacy & security baseline

Our Marketplace programs help Marketplace Partners achieve the highest consistent standards for application security and privacy.


Setting a security baseline with requirements

Atlassian has defined a minimum set of Cloud App Security requirements that all Marketplace apps must meet. These requirements are mandatory and are aimed at enforcing security best practices across all apps.


Maintaining security through continuous scanning

Atlassian’s Ecoscanner platform performs security checks across all Marketplace cloud apps on an ongoing basis to help ensure the security of our ecosystem.

If an app is found to be missing a security requirement, Atlassian will take action to protect customers.


Timely resolution of security issues

To ensure the security of all Marketplace cloud apps, Marketplace Partners are required to adhere to security bug fix SLAs. If a vulnerability or missing security requirement is detected in any app listed on the Marketplace, partners are required to respond in a timely manner.


Enhanced vulnerability discovery via opt-in Bug Bounty program

Atlassian has a best-in-class marketplace bug bounty program to increase security and trust. Participating Marketplace Partners are able to proactively combat security risks before they arise by incentivizing security researchers to find vulnerabilities. While the program is generally optional, apps must participate to get a Cloud Fortified or Cloud Security Participant badge.


Ensuring transparency through privacy requirements

Apps are required to provide a privacy policy that outlines data access, collection and processing, and with whom and where End User Data might be shared or stored.

In addition to a privacy policy, Atlassian requires partners to obtain all necessary rights, permissions, and consents from end users for any processing of any End User Data.

Administrative visibility & control for customers

Get the information you need to choose apps that fit your requirements thanks to centralized app information on Atlassian Marketplace.

Plus, leverage controls to ensure only apps you trust have access to the data they need.

We support this through:

- Centralized app administration in admin.atlassian.com
- Controls for end user app installs
- Controls to limit app access to selected content
- Privacy & Security tab on Atlassian Marketplace
- Required privacy policies on each Marketplace app listing

Helping you safely power-up your workspace with apps

In addition to trust badges, we’re constantly working with partners to bring you more app information on admin.atlassian.com and the Marketplace. To learn more about an app before installing, you can:

Step 1: Start with the Privacy & Security tab on the app’s listing.

This should include partner-provided information about how an app handles data, its permissions, compliance certifications, security details, privacy information and more.

Step 2: Visit the app’s privacy policy.

Partners are required to provide a privacy policy that details their app’s data access and use on their Marketplace app listing. If you can’t find what you need on the Privacy & Security tab, try the privacy policy or documentation.

Step 3: Check the partner’s website.

Some partners have their own comprehensive trust centers, which can provide detailed information about the company and app.

Step 4: Reach out to the partner directly.

You can find support contacts on the app listing, but this may not always be the right contact for security questions. Check the security contact listed directly on the Privacy & Security tab to save time.

Step 5: Sign up for new version updates.

Or check the Connected Apps tab on admin.atlassian.com for apps with an update available so you can stay up to date on app changes.

Find apps that are going the extra mile to protect your data and workflows

On the Atlassian Marketplace, you may notice that some apps have a Cloud Security Participant or Cloud Fortified badge. These badges help you easily identify apps that have gone above and beyond Atlassian’s general standards to deliver a secure and reliable cloud experience.

The requirements for each badge are as follows:

| Area | Requirement | All Cloud apps | Cloud Security Participant apps | Cloud Fortified apps |
| --- | --- | --- | --- | --- |
| Privacy | App privacy policies | Yes | Yes | Yes |
| Security | Base cloud app security requirements | Yes | Yes | Yes |
| Security | Monitored by Atlassian’s app vulnerability scanning platform, Ecoscanner | Yes | Yes | Yes |
| Security | Additional app security requirements and fix timeframes defined by Atlassian | Yes | Yes | Yes |
| Security | Participates in Marketplace Bug Bounty Program | - | Yes | Yes |
| Security | Has a complete Privacy & Security tab | (optional) | (optional) | Yes |
| Reliability | Additional checks for service reliability and performance at scale | - | - | Yes |
| Reliability | Incident and review processes integrated with Atlassian’s for faster recovery and continuous improvement | - | - | Yes |
| Support | Commercially reasonable efforts to provide support | Yes | Yes | Yes |
| Support | 24 hour response time, 5 days a week SLA for all T1 tickets | - | - | Yes |

Frequently Asked Questions

What does Atlassian do to ensure the security of Marketplace apps?
  

Atlassian has programs and requirements in place to ensure a baseline of security and privacy across 3rd party Marketplace apps, as well as opt-in programs to encourage additional investment. We also regularly share educational materials to help Marketplace Partners build trustworthy cloud apps.

To maintain the baseline of security and privacy best practices across all 3rd party cloud apps, Atlassian regularly scans all cloud apps listed on the Marketplace. Specific Cloud Security Requirements are enforced via a set of security scanners powered by Atlassian’s Ecoscanner platform.

In addition, all Marketplace Partners must accept and comply with the Atlassian Developer Terms, Marketplace Partner Agreement and Security Bug Fix Policy for Marketplace apps, which outline legal and privacy requirements as well as SLAs for security bugs.

Alongside our baseline security requirements, we also issue badges on the Marketplace to apps that have made additional investments in security, reliability and support. These badges identify:

For trust-related information (data protection, security, privacy, compliance) about specific apps, you can also view the answers provided by the app’s vendor in the Privacy & Security tab of their app listing on the Atlassian Marketplace.

Can Marketplace apps access, process or store my data?
  

Most apps need to access data in your instance to perform their core functions.

Before you install an app, we will present a page requesting consent preferences, so that you may elect how data will be accessed, processed, and stored. Admins must consent to the app's request for data access during the installation flow.

Each Marketplace app requires a different set of permissions. These details, along with data handling practices (e.g., data residency, processing, storage, retention), can be found in the Privacy & Security tab on the app listing in the Marketplace.

Are there controls to block Marketplace Partners from accessing or extracting customer data?
  

With the app access rule under data security policies, customers can limit app access to certain content in selected projects or spaces. You can create an app access rule to limit an app’s ability to access and modify certain data in a Confluence space or Jira project, particularly user-generated content such as pages, blog posts, attachments, and other content that a user adds to a Confluence space or Jira project. This feature enables org admins to block all apps from spaces and projects, whereas Atlassian Access customers can make a selection and block a subset of installed apps. Learn more about blocking app access.

Atlassian is building more data loss prevention capabilities, such as data classification, into our Cloud offerings. Atlassian Guard is an easy way to defend your data and improve security posture. You can stay up-to-date on the development of these features by following our Cloud roadmap.

Additionally, there are vendors in the Atlassian Marketplace who provide DLP solutions that may meet your needs.

Does Atlassian perform application penetration testing on Marketplace apps?
  

No, Atlassian doesn’t perform penetration testing on Marketplace apps.

However, Atlassian has a Marketplace Security Bug Bounty program designed for apps. Participation is required for the Cloud Fortified program or to get a Cloud Security Participant badge.

All Marketplace apps need to meet the cloud security requirements, which are checked and enforced via security scanners and bug fix SLAs. Learn more about security scanning.

Do I have to go through a security assessment for each Marketplace app I am using?
  

Yes. Marketplace partners are independent businesses and by installing an app, you are establishing a separate relationship with them.

Atlassian takes some measures to ensure apps listed on Marketplace meet certain standards. See the cloud security requirements for more details on the security standards we require all Marketplace partners to follow, but ultimately Atlassian is not responsible for the products or services offered by Marketplace partners.

It is your responsibility to review apps and agreements provided by third parties.

To make this process easier for you, every cloud app on Marketplace has a “Privacy & Security” section where partners share more details on app security, data protection, privacy and compliance.

You can also have a look at Marketplace Trust programs to see how we showcase apps that have made additional investments in security through Atlassian’s Cloud Security Participant and Cloud Fortified programs. If you have any remaining questions, you may contact the individual app vendor.

Ultimately, it is up to you to vet each app before installation and decide whether it meets your requirements.

Trust & Security Community

Join the Trust & Security group on the Atlassian Community to receive information, tips, and best practices for using Atlassian products in a secure and reliable way.