Data protection and information security in the Atlassian cloud

Atlassian has had a clear cloud-first strategy for its products, such as Jira and Confluence, for some time. As a customer, you benefit from significantly shorter innovation cycles with significantly reduced maintenance costs. In concrete terms, this means:

  • Highest requirements for availability, security and performance
  • New features are available immediately
  • Continuous scaling as demand for the number of users increases
  • No investments in your own infrastructure

Regardless of whether you already use Atlassian cloud products or are planning to switch, our cloud updates summarize the most important new features of the Atlassian Cloud.

In this article, we focus on data protection and information security from a Swiss perspective.

How do we get to the cloud?

Atlassian has developed a structured cloud migration process with its solution partners. We're with you all the way with our technical expertise and migration experience.

Our free Cloud Readiness Assessment is the perfect start. It provides you with answers to questions such as:

  • Are your apps fully available in the cloud?
  • What does the rough migration path look like?
  • How is the licensing model changing?
  • Are your cloud infrastructure requirements met?


Data protection and information security

As a Swiss Atlassian Platinum Solution Partner, it is important to us to address the needs and requirements of our Swiss and European customers. For this reason, this blog post deliberately concentrates on information security in SaaS solutions and the Atlassian Cloud.

When it comes to information security, dividing it into the following subject areas helps:

  • Data protection law: What legal bases apply to the data and to you as an organization?
  • Data storage & data processing: Where is the data stored and where is it processed?
  • Data integrity: How is the integrity of the data ensured?

Data protection law

The relevance and application of legal principles depend first of all on three questions:

  • What data is stored in the cloud?
  • What are the legal requirements for you as an organization?
  • Are there requirements from supervisory authorities? If yes, which?

Not all data is the same

It is important to know which data you will be keeping in your Atlassian Cloud. Once you have an overview of the data stored there, you can categorize it according to the following aspects:

  • Personal data or non-personal data
  • For personal data:
      • Special personal data, or particularly sensitive personal data
      • Data of natural persons or data of legal persons
      • The location of the people from whom you process data

The basic question: Is it exclusively non-personal data, or do you also process personal data? If you also process personal data, certain legal and regulatory requirements apply.

Statutory and regulatory requirements for your organization

Private companies

Private companies in Switzerland are subject to the Swiss Federal Act on Data Protection. If you offer products or services on the European market, you must also consider the market location principle. In this case, the European GDPR also applies (Article 3 of the Regulation).

The following aspects are relevant to the storage of personal data:

  • Where is the data stored and who processes it? If data is transferred abroad, it must be ensured that your data is also adequately protected there. To this end, the Federal Data Protection and Information Commissioner has published a list of states whose legislation ensures adequate data protection.
  • If the data is to be transferred to a country without an adequate level of data protection, accepted standard contractual clauses can be agreed between you and the cloud partner, provided that the adjustments and additions necessary for use under Swiss data protection law have been made.

Financial institutions

Atlassian is constantly investing in legal and regulatory compliance in Europe. The requirements of the following authorities are currently being met (among others):

Swiss financial institutions are primarily subject to the Financial Market Supervisory Authority (FINMA). Customer-identifying data (CID) requires particular protection. This protection is governed by bank client secrecy. For a long time, CID was not allowed to leave Switzerland in accordance with the “over-the-border out-of-control principle.”

However, since the FINMA guidelines were amended, this principle generally no longer applies. As soon as the following elements are in place, bank customer data can be stored in the cloud:

  • Anonymization
  • Pseudonymization
  • Encryption
  • Organizational measures (monitoring, etc.)
  • Contractual measures

Administration & authorities

As a cantonal or municipal administration or authority, you are subject to the data protection legislation of your canton. Key aspects for possible storage of personal data in the cloud are:

  • Location of data storage and application of the CLOUD Act
  • Encryption of data by the client or the contractor
  • Existence of recognized standard contractual clauses

Data storage (data residency) & data processing

Given the legal principles described above, where data is stored is often relevant.

Atlassian therefore offers the option of explicitly defining the location of data storage for all cloud plans (Standard, Premium, Enterprise). This option is available free of charge.

Our recommendations

Additional information on the topic

What the Atlassian Roadmap promises

  • Data residency for apps, planned for Q1/Q2 2022: Apps support the storage and migration of data in the same region as the host product.

Data integrity

Atlassian has already taken various measures to secure your data:

ECM140 Zero Trust white paper

Take further steps to ensure the integrity of your data.

Our recommendations

  • Activate two-factor authentication
  • Integrate an existing identity provider with SSO

Atlassian Access is required to use these options. Access also gives you other security features (e.g. IP whitelisting).

What the Atlassian Roadmap promises

  • Password rules for employees who do not belong to the organization (external employees), planned for Q3 2022
  • Support for multiple identity providers for the same company, planned for Q2 2022
  • Bring your own key — BYOK encryption for Jira and Confluence, planned for 2023: Encrypt Jira and Confluence product data with a key that you manage in your own instance of AWS KMS.
  • Custom domains, planned for Q4 2023: Use your own company domain for your Atlassian Jira Cloud instance.
  • Data residency in Switzerland, planned for Q1 2024
  • Data classification, planned for Q1 2024: The ability to classify data in Jira and Confluence.

What does that mean in concrete terms?

The information is extensive and sometimes complex. We are happy to help you use the possibilities of the cloud to your advantage.

  • We support your cloud migration
  • In cooperation with our partners in legal advice, we clarify outstanding data protection concerns.

We're ready to take your next step!

Would you like to use our expertise and implement technological innovations?
