Quo Vadis Atlassian: Jira and Confluence Cloud and the GDPR

Disclaimer: The following information is not provided in the context of a specific contractual relationship. The author assumes no liability for the topicality, correctness, completeness or quality of the information provided. Liability claims against the author relating to material or immaterial damage caused by the use of the information provided or by the use of incorrect and incomplete information are generally excluded to the greatest possible extent.

As a long-standing Atlassian Platinum Solution Partner based in Germany, we mainly provide European customers with our services for everything to do with Atlassian solutions - regardless of the respective operating model (cloud, server, data center or managed hosting).

Due to the steadily increasing spread of applications and their importance in companies - not least due to the massive increase in teleworking and working from home during the pandemic - we have noticed a strong influx of requests for secure, data protection-compliant and highly available operation in recent years.

With the introduction of the General Data Protection Regulation (GDPR) in May 2018 at the latest, the use and operation of all applications in which personal data (e.g. from employees, customers, suppliers) are processed require a detailed analysis or data protection impact assessment.

Depending on the operating model, different aspects have to be taken into account. For the variants still predominant in Germany and other European countries - server and data center in the customer's own data center or in the form of managed hosting / managed services, as kreuzwerker also offers at hosting.kreuzwerker.de - it is important to examine the applications with regard to their functionality, for example with regard to data protection-friendly default settings. In the case of managed hosting / managed operation, this is supported by a service provider (= commissioned data processing). A data processing agreement (AVV) concluded with the service provider ensures GDPR-compliant operation. The technical and organizational measures (TOMs) set out the specific measures taken by the service provider to ensure monitoring of, and compliance with, GDPR-compliant operation.

Especially in highly regulated areas (medical technology, finance, insurance) or very heterogeneous environments with a large number of integrations, it can be advantageous to choose a flexible, local partner.

But what about Atlassian's native cloud offerings? Atlassian offers its cloud products in different license models (cloud plans). Atlassian has had its own operating offer since 2008. Started as Jira Studio (which corresponded more to classic managed hosting) and later renamed Atlassian OnDemand, a native cloud offering from Atlassian has been available since 2014 with “Atlassian Cloud”. In addition to the two established license models “Cloud Standard” and “Cloud Premium”, Atlassian has recently started offering a “Cloud Enterprise” package. The following table shows the various services well.

The Atlassian Cloud offers essentially include the following products: Jira Software, Jira Core, Jira Service Desk, Portfolio, Confluence and Bitbucket. The range of functions differs slightly from the server and data center variants depending on the product. Atlassian provides a general overview of the differences between the cloud and server operating models here.

Product-specific overviews exist for the Jira, Confluence and Bitbucket applications.

With Atlassian Access, there is also a cloud product that allows users and products to be managed centrally and compliance requirements to be monitored centrally. Atlassian has expanded its product range to include Trello, StatusPage and OpsGenie through acquisitions in recent years.

Atlassian relies on transparency for further development and has published the roadmap for the Atlassian cloud platform and accompanying services at https://www.atlassian.com/trust/roadmap.

Atlassian's efforts to provide a GDPR-compliant offering that meets the high requirements of European customers are clearly presented in this roadmap. Atlassian's standard DPA (AVV) already covers a large number of the requirements of the GDPR. Where there are gaps, for example with regard to the requirements for data protection management, incident response management or internal controls / audits, it is helpful to consult other documents, such as:

Cloud Terms of Service
Privacy Policy
Certifications / Compliance
Atlassian Common Controls Framework

Most of Atlassian's cloud offerings are already ISO27001 and SOC2 or SOC3 certified, with more being planned.

In the current state, GDPR-compliant use will therefore be possible for most of them. The test will depend on the individual case, particularly in heavily regulated areas or those that require highly flexible operation.

Atlassian has invested a lot in the platform over the past few months and has resolved a large number of previous blockers. Atlassian is still actively working on two main points: data locality and the GDPR-compliant use of extensions (apps from the Atlassian Marketplace, also known as add-ons or plugins).

As of today, explicit control over the storage location of the data exists only in initial form: an EAP (Early Access Program) in the Cloud Enterprise plan already allows it in first steps. In all other plans, the data is automatically stored where most users access the platform (in Europe for European customers), but there is no control over this. Atlassian already has this on the roadmap for primary data. For secondary data (for example the search index) it will be implemented at a later point in time.

Jira Cloud and Confluence Cloud share a largely identical (in places improved) functional basis with the server products, but have been largely re-implemented technically. This also applies to the interfaces and the app framework. With server and data center products, add-ons are usually operated locally as part of the application (on the same server). This is not the case with the cloud: here, the apps from Marketplace vendors are provided and operated externally by those vendors and interact with the Atlassian applications via interfaces. Apps are offered by the vendor in the Marketplace itself, so the vendor is also the direct contractual partner and contact for the respective app.

Vendors of apps in the Atlassian Marketplace are required not to store personal data locally unless this is absolutely necessary for the functionality of the app. In addition, Atlassian has implemented a number of new interfaces for app vendors in order to meet the requirements of the GDPR, for example with regard to the right to erasure and rectification or the notification obligations (https://developer.atlassian.com/cloud/jira/platform/user-privacy-developer-guide/).

Atlassian Forge could provide a considerable simplification that would make a separate assessment of each app obsolete. Forge is a development and operating environment for Atlassian Cloud apps that allows the apps to be operated on Atlassian's own infrastructure, and thus under identical technical and organizational conditions with regard to security, conformity and compliance.

If you have any questions about the products, operating models and the GDPR-compliant use of Atlassian applications, please register for our webinar on the topic of Atlassian Cloud and the GDPR, or contact us.

Email: [email protected]
Phone: +49 30 609 83 880