Data protection in the Atlassian cloud

Atlassian has made many privacy improvements. In this article, we summarize the current situation and point out potential stumbling blocks from a technical point of view.

Since End of EU-U.S. Privacy Shield Atlassian bases the protection of personal data in accordance with European standards on the so-called standard contractual clauses. Customers who want to make use of it can sign the corresponding agreement Get it here and sign. The list of from Atlassian The contracted sub-contract data processor is also published here. Atlassian is thus implementing the requirements of the European General Data Protection Regulation GDPR, insofar as this can be solved by a private company in the short term. In any case, we recommend signing the standard contractual clauses.

Rightly placed Computerworld However, it is clear that the reasoning of the European Court of Justice is not directly attributable to deficiencies in the agreement itself, and therefore this also calls into question at least in part the use of standard contractual clauses. At least with regard to providers of Internet services and telecommunications providers from the USA, because these companies are subject to laws which, according to the EU Court of Justice, are not compatible with the fundamental rights of the EU. Internet service providers, for example, are subject to the Foreign Intelligence Surveillance Act (FISA), which grants American secret services far-reaching rights to access data. It is therefore not clear how a private contract with the standard contractual clauses should protect against data access by American secret services better than the EU-U.S. Privacy Shield could. For even better protection, it can therefore be useful, where possible, to add to the few Exceptions under Art. 49 GDPR to support, in particular the declaration of consent. In some, though not all, cases, this is likely to be possible. For further information on the legal side, we refer you to suitably specialized lawyers.

Data residency

This is currently taking place Hosting with Atlassian in AWS regions United States (East and West), Germany, Ireland, Singapore and Australia. Today, it is not possible to directly control where the data is stored. According to the documentation, Atlassian decides in which region the data is stored based on the frequency of access. User data is also stored centrally in the USA, regardless of which data region is used. Some relevant Expansions are planned for this. Specifically, there is currently a Early access program of the so-called Enterprise Plan, which should then also activate data residency management features.

When considering the topic of data residency, however, it is important to note that the EU General Data Protection Regulation not only specifies where data is stored, but where it is processed. Art. 4 GDPR It also states that the term data processing includes any view, change, transfer or storage of personal data. Accordingly, the choice of data storage in the EU is in principle irrelevant if the processing continues to be carried out by support personnel from other countries, for example.

If data processing is therefore to be restricted to a specific region in accordance with the GDPR, it is therefore not sufficient to simply transfer the data to this region technically. Only when all data processing is carried out within this region or regions considered as equivalent does data residency have an effect from a data protection perspective. However, data residency naturally has various other benefits, such as better network latency.

Marketplace Apps

Most Atlassian products can be functionally extended through apps. This gives third-party software manufacturers the opportunity to expand Atlassian's products for further use cases. In our experience, most customers are using a handful of additional apps within a few weeks of starting operations, as they support their use cases even better. The available apps can be found in Atlassian Marketplace be rummaged through. It is important to know that the vast majority of these apps are not offered by Atlassian, but by third-party manufacturers. In the marketplace, the providers are named accordingly.

‍

A special technical feature of the Atlassian Cloud is that these apps are not directly integrated into the respective application as additional program code, as is the case with Server and data center deployment models is the case with Atlassian. This means that these programs are not operated by Atlassian, but by the corresponding third-party manufacturer. He runs the corresponding app independently at a location of his choice. The app communicates via the interface Atlassian Connect with the appropriate Atlassian product. In order to be able to perform their service, these apps usually receive extensive access to customer data stored by Atlassian. This data is passed on because otherwise it would not be possible to fulfill the contract.

It is important that when using an Atlassian Connect app, the customer is the direct contractual partner of the corresponding third-party software manufacturers and must assume their role as responsible to them within the meaning of the GDPR. Atlassian is not responsible for compliance with data protection regulations by third-party software manufacturers, but only forwards the required data via the interface for processing on behalf of the customer. Accordingly, the customer must separately check compliance with the GDPR for each third-party software manufacturer. It should be borne in mind that many apps are provided by manufacturers who have their headquarters or branch offices in countries such as Russia, the Philippines or Ukraine. Or, of course, the USA again. In addition to data protection, such data transfers may of course also be relevant for the protection of intellectual property.

Atlassian has identified this problem and, as a solution, the Atlassian Forge launches for which Atlassian will then provide the operating infrastructure. From a data protection perspective, this makes the landscape somewhat more manageable, as the separate IT infrastructure providers are eliminated as sub-processors of third-party manufacturers. Whether the GDPR compliance check or contracts with third-party manufacturers can then be omitted will depend on whether they can continue to have access to customer data, which is then stored by Atlassian. In the special case of European app providers, data potentially stored in the EU so far will also have to be exported to the USA, which may eliminate compliance that has been ensured so far. Atlassian Forge is currently in a beta program, so not all mechanisms have been described in detail yet.

Experience has shown that the contracts with Atlassian for the basic product (e.g. Confluence or Jira) are carefully reviewed by customers, but when apps are added later, there is often no longer a legal review of the contracts with these third-party manufacturers. Accordingly, especially in the case of the Atlassian Cloud, we recommend that you inventory and review contracts with app manufacturers where this has not yet been done. Where necessary and possible, GDPR-compliant contracts should then also be concluded with these third-party manufacturers.

--

linkyard is a Gold Atlassian Solution Partner based in Switzerland and offers full service for its products. In addition to product knowledge, linkyard also offers proven know-how in the areas of management, project management (Lean/Agile and classic), security, compliance, risk management, requirements engineer or software architecture. linkyard also specializes in technically sophisticated integrations and customers with particularly high standards of information security and data protection. The linkyard information security management system is certified in accordance with ISO/IEC 27001:2013.