A Guide to Regulatory Compliance in Atlassian Cloud (EBA, BaFin, HIPAA, and more)

It’s good practice to observe the regulations a software solution conforms to before choosing one for your business. In this blog post, we will be exploring the updates Atlassian Cloud has added to its regulatory compliance guidelines in recent years.

Here are some of the key ways Atlassian Cloud complies with EBA:

• All documentation is clear, including pricing and sub-outsourcing information.
• Service availability updates are published here so customers can monitor performance.
• Atlassian’s insurance covers many identifiable risks.
• Customers are allowed to access or export their data anytime.
• Atlassian always complies with the standards listed in their trust center.
• The same level of security is provided to every customer.
• Atlassian permits customers to carry out penetration testing without prior approval.
• Atlassian customers will never put other customers at risk when it comes to service level, data, or confidentiality.
• Customers are allowed to terminate service for any reason listed in Section 13.4 of the EBA Guidelines
• Organizations needing a transition period in between service providers may extend their subscription term for a short time.

BaFin Regulatory Compliance

Similar to EBA guidelines, BaFin guidelines are also focused on the financial system. BaFin stands for Bundesanstalt für Finanzdienstleistungsaufsicht, (The Federal Financial Supervisory Authority). Essentially, it is an independent public-law organization established to guarantee the appropriate operation of the German financial system. All German banks and financial institutions are under the jurisdiction of BaFin. Atlassian Cloud adheres to its guidelines. 

Although Germany is part of the EU, making it subject to EBA standards, there are some regulations specific to BaFin. Below are the main ways Atlassian Cloud follows BaFin regulatory compliance guidelines:

• All documentation contains clear descriptions of the covered cloud products.
• Qualifying customers have access to the Atlassian support offering for support services.
• Service levels and service availability updates can be viewed anytime here.
• Atlassian’s audit program allows qualifying customers to effectively audit qualifying cloud products.
• Atlassian always complies with their trust center standards.
• Customers may issue instructions regarding qualifying cloud products through their support channels.
• Customers may export data or terminate their service at any time.
• Security is equal among all clientele.
• Atlassian has a disaster recovery plan in case of a system failure.
• An organization may extend its subscription if needed for a transition period.
• Atlassian lists its policy on sub-outsourcing and will provide notice of any changes to it.
• Any material changes will be updated on the cloud product roadmap.

Here are the main ways Atlassian Cloud abides with APRA:

• All Atlassian security practices are assessed by APRA.
• Atlassian classifies information and labels assets in terms of criticality, value, and legal requirements.
• Atlassian has a detailed security incident response policy in case of a security breach.
• Customers are quickly informed if a data breach occurs.
• Atlassian conducts several external audits and verifications to evaluate the efficacy of its security safeguards.
• Atlassian continuously refines the efficiency of its Information Security Management System (ISMS)
• Through its partner, Bugcrowd, Atlassian runs a public bug bounty program for its products to keep customers aware of any vulnerabilities that may affect its products.

Atlassian Cloud HIPAA Regulatory Compliance

In addition to financial compliance, Atlassian Cloud has also aligned its guidelines with HIPAA.

HIPAA, The Health Insurance Portability and Accountability Act, is a set of federal guidelines created to ensure Personal Health Information (PHI) stays private and secure – the U.S. Department of Health and Human Services developed HIPAA with this reason in mind. Covered entities or business partners who interact in any way with an individual’s PHI are subject to HIPAA guidelines. Atlassian Cloud complies with these health guidelines as well as financial regulations within the U.S. Furthermore, it is important to note that unlike the EU and Australia, it does not abide by one specific U.S. financial organization. 

Another unique factor regarding HIPAA is that a Business Associate Agreement (BAA) must be signed by all businesses partnering with Atlassian who adhere to HIPAA guidelines. This contract describes the guidelines guaranteeing PHI is properly protected. These are the main ways Atlassian adheres to HIPAA regulations:

• Atlassian manages risks by annually performing a gap assessment, updating its security risk analysis, and obtaining a HIPAA attestation. 
• All Atlassian employees are subject to background screening and must sign contracts detailing the security requirements they must adhere to, even after the contractual relationship with Atlassian ends.
• New employees must receive security awareness training.
• Electronic Protected Health Information (ePHI) is restricted to employees who have active directory role membership.
• Event logs are secured against tampering.
• Atlassian has an organizational-wide incident management process.
• Atlassian has a dedicated HIPAA Security Officer who is responsible for security and privacy compliance.
• Disaster recovery procedures are continuously tested and reviewed.
• All HIPAA-qualified cloud product data is encrypted.

Here are the main ways Atlassian adheres to GDPR regulations:

• Data processing is fair and transparent.
• Collected data is only used for the subject’s intended purpose with exceptions being for the “common good.”
• Only necessary data is collected.
• Data is continuously updated or deleted if it is no longer correct or useful.
• Data is securely stored.
• Data is encrypted and easily imported or exported.
• Atlassian customers can view a list their data subprocessors here.
• Atlassian’s addendum guarantees clients may move personal information to Atlassian Cloud products from outside of Europe.

Other Atlassian Cloud Compliance Updates

Additional noteworthy updates Atlassian Cloud has added to its compliance roadmap are:

• TISAX level 2 compliance and the ISO 27001: TISAX level 2 is a set of regulations for the automotive industry created by the German Association of the Automotive Industry (VDA). Level 2 is advised for organizations who handle confidential information such as personal data
• ISO 27018 certification for Jira Service Management and Automation for Jira: ISO 27001 is regarded as the global benchmark for data security. ISO 27018 is more specific as it is the international standard explicitly for data privacy in cloud computing. Receiving certifications for both of these ISO standards is highly regarded. 

FedRAMP

Atlassian has stated it will be implementing FedRAMP by the end of 2024. The Federal Risk and Authorization Management Program (FedRAMP) was established by the U.S. Federal Government. It is a program offering:

• A uniform method for monitoring cloud-based products and services.
• Evaluating security risks.
• Assessing authorization procedures. 

Want to Get Started with Atlassian Cloud?

If you have more questions about Atlassian Cloud’s compliance regulations, you can view the roadmap here. You can also chat with our team at SPK if you have general inquiries or need help getting started with Atlassian Cloud. Contact our SPK experts today.