// Trust & Security Report
Atlassian
Confluence (AI workspace) with Rovo AI / Atlassian Intelligence; part of the Atlassian cloud and Data Center product suite (Jira, Loom, Trello, Bitbucket).
Certifications held
6
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on atlassian.com“AICPA SOC (compliance certification listed on Atlassian's compliance page); "Our cloud apps regularly undergo independent verification of their security, privacy, and compliance controls to ensure they meet global standards."”
Verify on atlassian.com“ISO 27001 (listed as a current certification on Atlassian's compliance page)”
Verify on atlassian.com“FedRAMP (listed on Atlassian's compliance page); "Compliant solutions for the public sector." Scope applies to Atlassian Government Cloud; verify exact authorization level (Moderate / In Process) for the specific product needed.”
Verify on atlassian.com“"Unless the parties have entered into a 'Business Associate Agreement,' Customer must not (and must not permit anyone else to) upload to the Cloud Products (or use the Cloud Products to process) any patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act."”
Verify on atlassian.com“Atlassian's Compliance Resource Center lists 34 compliance resources across certifications, attestations, and frameworks, but direct on-domain quotes for these specific standards were not captured in this review. Atlassian is widely documented to hold these; confirm individually in the Trust Center compliance resources before relying on them.”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Encryption in transit TLS 1.2+ with Perfect Forward Secrecy; at rest AES-256. Atlassian offers cloud data residency (region pinning) for eligible products/tiers (e.g., US, EU and other regions). Confirm specific region availability per product tier.
POLICY IN FLUX / TIER-DEPENDENT. Current stated position: "Customer data, including data submitted to or generated by Rovo and Atlassian Intelligence, is never used to train, fine-tune, or improve AI models or services" and third-party LLM providers do not retain inputs/outputs. HOWEVER, both the Privacy Policy and Atlassian Customer Agreement carry an effective date of August 17, 2026, and Atlassian has announced it will begin collecting customer metadata and in-app content from Jira, Confluence, and other cloud products to train its AI offerings (Rovo / Rovo Dev) from that date. Per widely reported coverage, metadata/content collection becomes default and is mandatory (cannot be disabled) for Free, Standard, and Premium tiers; only Enterprise-tier customers can opt out. Atlassian's AI Trust page already states: "Atlassian may use metadata to fine-tune open-source models that operate strictly within Atlassian's infrastructure, solely to improve the quality of responses" (subject to data contribution settings, de-identification, and aggregation). Eligible Cloud Enterprise customers can also request restriction to Atlassian-hosted LLMs only.
// Security controls
Bug bounty program
Yes (Bugcrowd). "we make use of Bugcrowd's community of trusted security researchers to run our acclaimed bug bounty program"
atlassian.comPenetration testing
Yes. "We also partner with specialist security consulting firms to conduct white-box penetration tests on our products and infrastructure."
atlassian.comEncryption in transit
"Any customer data in Atlassian cloud products is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS)."
atlassian.comEncryption at rest
"Data drives on servers holding customer data and attachments...use full disk, industry-standard AES-256 encryption at rest."
atlassian.comSecurity program contractual commitment
"Atlassian has implemented and will maintain an information security program...Atlassian will also maintain a compliance program that includes independent third-party audits and certifications, as described in its Security Measures."
atlassian.comVendor security questionnaires / Trust Portal
Pre-filled vendor security assessment questionnaires and documentation available via the Atlassian Trust Portal for vendor risk management.
atlassian.com// Products & data scope
data: Customer content (pages, live docs, whiteboards, databases) processed by Atlassian as a processor/service provider under the DPA. AI features (Rovo) honor existing permissions. AI training on customer metadata/in-app content becomes default for Free/Standard/Premium tiers from Aug 17, 2026; Enterprise can opt out.
Multi-tier: Free, Standard, Premium, Enterprise. Enterprise unlocks opt-out of AI training, ability to restrict to Atlassian-hosted LLMs, and broader data residency/governance controls.
data: Customer installs and operates on their own infrastructure; data stays in customer environment. Subject to license verification and Software Product terms rather than cloud processing.
Self-hostable option for organizations needing full data control. AI cloud-training concerns largely do not apply to self-hosted deployment data.
data: Sends per-request data to LLM providers over encrypted connections; providers do not retain inputs/outputs. Atlassian may fine-tune open-source models within its own infrastructure using metadata (de-identified/aggregated), with the policy shift noted above.
Admins can enable/disable AI Rovo features; non-AI Rovo Search cannot be disabled. Eligible Enterprise customers can restrict to Atlassian-hosted LLMs only.
// What to watch
- AI TRAINING POLICY CHANGE: Effective Aug 17, 2026 (matches the Privacy Policy and Customer Agreement effective dates), Atlassian begins using customer metadata and in-app content from Confluence/Jira to train its AI (Rovo). Reported as mandatory for Free/Standard/Premium tiers with opt-out only for Enterprise. This reverses the prior 'never used to train' commitment that is still live on Atlassian support pages as of the verification date.
- Conflicting current vs. upcoming statements: support KB still says customer data is 'never used to train' AI models, while the new agreements/policies and announcements indicate default training collection imminently.
- Some certifications (ISO 27017/27018/27701, SOC 3, CSA STAR) are widely documented for Atlassian but were not captured with a direct on-domain quote in this review; verify individually in the Trust Center before relying on them.
- FedRAMP scope is tied to Atlassian Government Cloud; confirm the exact authorization level for the specific product/tier needed.
// At a glance
Pricing model
Freemium / subscription (Free, Standard, Premium, Enterprise) per user; self-hosted Data Center licensing also available.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Atlassian's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
atlassian.com