// Trust & Security Report

    Atlassian logo

    Atlassian

    Jira (with Rovo / Atlassian Intelligence AI features)

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II reports provide detailed assessments of Atlassian's security, availability, and confidentiality controls based on AICPA Trust Services Criteria, conducted by independent auditors.

    Verify on atlassian.com
    SOC 3
    HELD

    Atlassian Trust Center - SOC 2 Type II, SOC 3, ISO 27001 (listed among Atlassian's published compliance reports; SOC 3 is the publicly distributable version of the SOC 2 audit).

    Verify on atlassian.com
    ISO/IEC 27001
    HELD

    ISO/IEC 27001:2022 | Atlassian — Atlassian cloud apps are certified against ISO/IEC 27001, the international standard for information security management systems.

    Verify on atlassian.com
    ISO/IEC 27018
    HELD

    The Atlassian Trust Management System ... is governed by the implemented controls in accordance with the organizational Statement of Applicability, which further extends to the additional controls defined within ISO/IEC 27018:2019.

    Verify on atlassian.com
    PCI DSS
    HELD

    PCI DSS Compliant logo displayed on the Atlassian compliance certifications page.

    Verify on atlassian.com
    FedRAMP
    HELD

    FedRAMP authorization demonstrates Atlassian's commitment to meeting U.S. government security requirements ... comprehensive assessment against NIST 800-53 controls. (FedRAMP logo displayed on the compliance page.)

    Verify on atlassian.com
    HIPAA
    HELD

    Atlassian provides capabilities supporting HIPAA requirements through Business Associate Agreements (HIPAA-ready cloud offering with BAA available on eligible plans).

    Verify on atlassian.com
    GDPR
    HELD

    Atlassian Cloud provides a solid foundation for compliance with certifications including SOC 2 Type II, ISO 27001/27018, PCI DSS, GDPR, and HIPAA-ready status; Data Processing Addendum entered into with customers.

    Verify on atlassian.com
    IRAP / additional regional frameworks (CSA STAR, etc.)
    HELD

    Atlassian references a 'growing list of compliance certifications' but the captured/fetched pages did not surface a direct quote confirming IRAP or CSA STAR specifically; not independently verified in this pass.

    Verify on atlassian.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Cloud hosted on AWS with data residency options (pinning) available on eligible Cloud Enterprise/Premium plans for US, EU, and other regions.

    Atlassian states for Rovo / Atlassian Intelligence: 'The LLM providers we use do not use your inputs and outputs to improve their services' and 'Neither OpenAI nor any other LLM provider retains your inputs and outputs.' Atlassian itself does not train LLMs on customer content; it may use de-identified/aggregated metadata to fine-tune open-source models running strictly within its own infrastructure, subject to admin opt-out data-contribution controls. Customer content is processed by Atlassian as a processor under the DPA, not used to train models by default.

    // Security controls

    Bug bounty program

    Public bug bounty via Bugcrowd: 'Our Bug Bounty Program has consistently been recognized as one of the best in the industry' leveraging 'a trusted community of tens of thousands of researchers.'

    atlassian.com

    Penetration testing

    Internal penetration testing team performing white-box (code & engineer assisted) security assessments, plus external/specialist firm engagements; external penetration testing referenced on data-protection page.

    atlassian.com

    Encryption in transit

    Customer data encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS).

    atlassian.com

    Encryption at rest

    Data drives holding customer data use full disk, industry-standard AES-256 encryption at rest.

    atlassian.com

    Trust portal / vendor questionnaires

    Trust Portal provides pre-filled vendor security assessment questionnaires (CAIQ etc.) and downloadable compliance reports for vendor risk management.

    atlassian.com

    // Products & data scope

    Jira (Cloud)Project / work management with AI (Rovo agents, Atlassian Intelligence)

    data: Stores customer-entered work items, comments, attachments; Atlassian acts as processor under the DPA. Full enterprise cert coverage (SOC 2, ISO 27001/27018, PCI, FedRAMP, HIPAA-ready).

    AI features (Rovo) call LLM providers under zero-retention terms; no training on customer content by default.

    Jira Data Center (self-managed)Self-hosted project management

    data: Customer-hosted on own infrastructure; customer controls data residency and security perimeter. Compliance posture depends on the customer's own environment.

    Self-hostable option for orgs needing on-prem control; cloud-only AI/compliance certs may not all apply identically.

    Rovo / Atlassian IntelligenceAI agents and assistant layer

    data: Processes Jira/Confluence content to generate summaries, plans, agent actions. Inputs/outputs not retained or used for training by third-party LLM providers.

    Governed by Atlassian Responsible Technology Principles; admin data-contribution opt-out controls.

    Jira Align / Jira Service ManagementEnterprise agile planning / ITSM

    data: Separate Atlassian products with their own data scopes but under the same Atlassian Trust program and certifications.

    Listed for completeness; share Atlassian's enterprise compliance umbrella.

    // What to watch

    • Major enterprise vendor (Atlassian) with comprehensive, independently audited trust program; very low procurement risk.
    • AI metadata fine-tuning of internal open-source models uses de-identified/aggregated data only and is admin-controllable, not LLM training on raw customer content.
    • IRAP / CSA STAR not individually quote-verified in this pass (marked unknown) though Atlassian publishes a broader cert list.

    // At a glance

    Pricing model

    Freemium SaaS subscription (Free, Standard, Premium, Enterprise tiers) plus self-managed Data Center licensing.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Atlassian's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    atlassian.com

    > Browse all vendor trust reports