// Trust & Security Report
Atlassian
Jira (with Rovo / Atlassian Intelligence AI features)
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on atlassian.com“SOC 2 Type II reports provide detailed assessments of Atlassian's security, availability, and confidentiality controls based on AICPA Trust Services Criteria, conducted by independent auditors.”
Verify on atlassian.com“Atlassian Trust Center - SOC 2 Type II, SOC 3, ISO 27001 (listed among Atlassian's published compliance reports; SOC 3 is the publicly distributable version of the SOC 2 audit).”
Verify on atlassian.com“ISO/IEC 27001:2022 | Atlassian — Atlassian cloud apps are certified against ISO/IEC 27001, the international standard for information security management systems.”
Verify on atlassian.com“The Atlassian Trust Management System ... is governed by the implemented controls in accordance with the organizational Statement of Applicability, which further extends to the additional controls defined within ISO/IEC 27018:2019.”
Verify on atlassian.com“PCI DSS Compliant logo displayed on the Atlassian compliance certifications page.”
Verify on atlassian.com“FedRAMP authorization demonstrates Atlassian's commitment to meeting U.S. government security requirements ... comprehensive assessment against NIST 800-53 controls. (FedRAMP logo displayed on the compliance page.)”
Verify on atlassian.com“Atlassian provides capabilities supporting HIPAA requirements through Business Associate Agreements (HIPAA-ready cloud offering with BAA available on eligible plans).”
Verify on atlassian.com“Atlassian Cloud provides a solid foundation for compliance with certifications including SOC 2 Type II, ISO 27001/27018, PCI DSS, GDPR, and HIPAA-ready status; Data Processing Addendum entered into with customers.”
Verify on atlassian.com“Atlassian references a 'growing list of compliance certifications' but the captured/fetched pages did not surface a direct quote confirming IRAP or CSA STAR specifically; not independently verified in this pass.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Cloud hosted on AWS with data residency options (pinning) available on eligible Cloud Enterprise/Premium plans for US, EU, and other regions.
Atlassian states for Rovo / Atlassian Intelligence: 'The LLM providers we use do not use your inputs and outputs to improve their services' and 'Neither OpenAI nor any other LLM provider retains your inputs and outputs.' Atlassian itself does not train LLMs on customer content; it may use de-identified/aggregated metadata to fine-tune open-source models running strictly within its own infrastructure, subject to admin opt-out data-contribution controls. Customer content is processed by Atlassian as a processor under the DPA, not used to train models by default.
// Security controls
Bug bounty program
Public bug bounty via Bugcrowd: 'Our Bug Bounty Program has consistently been recognized as one of the best in the industry' leveraging 'a trusted community of tens of thousands of researchers.'
atlassian.comPenetration testing
Internal penetration testing team performing white-box (code & engineer assisted) security assessments, plus external/specialist firm engagements; external penetration testing referenced on data-protection page.
atlassian.comEncryption in transit
Customer data encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS).
atlassian.comEncryption at rest
Data drives holding customer data use full disk, industry-standard AES-256 encryption at rest.
atlassian.comTrust portal / vendor questionnaires
Trust Portal provides pre-filled vendor security assessment questionnaires (CAIQ etc.) and downloadable compliance reports for vendor risk management.
atlassian.com// Products & data scope
data: Stores customer-entered work items, comments, attachments; Atlassian acts as processor under the DPA. Full enterprise cert coverage (SOC 2, ISO 27001/27018, PCI, FedRAMP, HIPAA-ready).
AI features (Rovo) call LLM providers under zero-retention terms; no training on customer content by default.
data: Customer-hosted on own infrastructure; customer controls data residency and security perimeter. Compliance posture depends on the customer's own environment.
Self-hostable option for orgs needing on-prem control; cloud-only AI/compliance certs may not all apply identically.
data: Processes Jira/Confluence content to generate summaries, plans, agent actions. Inputs/outputs not retained or used for training by third-party LLM providers.
Governed by Atlassian Responsible Technology Principles; admin data-contribution opt-out controls.
data: Separate Atlassian products with their own data scopes but under the same Atlassian Trust program and certifications.
Listed for completeness; share Atlassian's enterprise compliance umbrella.
// What to watch
- Major enterprise vendor (Atlassian) with comprehensive, independently audited trust program; very low procurement risk.
- AI metadata fine-tuning of internal open-source models uses de-identified/aggregated data only and is admin-controllable, not LLM training on raw customer content.
- IRAP / CSA STAR not individually quote-verified in this pass (marked unknown) though Atlassian publishes a broader cert list.
// At a glance
Pricing model
Freemium SaaS subscription (Free, Standard, Premium, Enterprise tiers) plus self-managed Data Center licensing.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Atlassian's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
atlassian.com