Guidance on Atlassian’s approach to DORA
Introduction
The Digital Operational Resilience Act (DORA) establishes key requirements for financial institutions within the European Union (EU) that use Information and Communication Technologies (ICT). Atlassian is committed to supporting its financial services customers in meeting these requirements through our implemented security practices, contractual framework, and customer support processes. Below, we outline how Atlassian addresses each area of the requirements.
1. Form, Documentation, and Service Description
Summary: DORA requires ICT service providers to deliver written, permanently accessible documentation detailing service descriptions, updates, and clear allocations of rights and responsibilities (Art. 30(1) DORA).
How Atlassian Addresses It:
- Atlassian publishes its legal agreements online, ensuring they are accessible to and applicable for all customers. These agreements include the Atlassian Customer Agreement (ACA), the Data Processing Addendum (DPA), the Security Measures (Atlassian’s Technical and Organisational Security Measures), and the Service Level Agreement (SLA). Together, they address many of the DORA requirements.
- Customers can download these agreements as PDFs for their records. Our suite of agreements forms a unified contractual framework in which the supplemental agreements, such as the DPA and SLA, build on the ACA.
- Each document includes a date indicating when it became effective. Updates to these agreements are communicated at least 30 days in advance, as specified in the ACA. Customers are encouraged to subscribe to notifications for changes.
- The DORA requirements apply only to the relevant Atlassian Cloud products. Article 3(21) of the DORA Regulation defines ICT services as digital and data services provided on an ongoing basis.
- Atlassian’s Data Center (DC) products do not qualify as ICT services because they are not provided on an ongoing basis. DC products run entirely on customer infrastructure, with Atlassian acting as a software vendor rather than an ICT service provider as defined in Article 3 DORA. Customers purchase an annual licence to activate the software; the licence expires and must be actively renewed, so it does not constitute an ongoing service. Because Atlassian does not process or manage customer data for DC products, these products cannot be classified as ICT services supporting critical or important functions under DORA.
2. Location, Data Processing, and Security
Summary: DORA mandates transparency on data processing and storage locations, including notification of location changes, and requires security measures to ensure availability, integrity, and confidentiality of data (Art. 30(2)(b) and Art. 30(2)(c) DORA).
How Atlassian Addresses It:
- Customers can identify the sub-processors relevant to the products they use by consulting the detailed table on the Sub-Processor Page, which lists the data processing and storage location and the nature of processing for each sub-processor.
- Through the subscription portal, customers can subscribe to receive notifications 30 days in advance of any changes to the legal agreements (e.g., ACA, DPA, Security Measures) or to the sub-processor list.
- Atlassian offers a Data Residency feature, enabling customers to pin certain in-scope product data to chosen geo-regions (e.g., AWS regions for Atlassian products where AWS acts as the Cloud Hosting Provider) for data at rest. Customers can learn more about Data Residency and manage settings via the support page. Admins can configure Data Residency options through the Admin Hub.
3. Incident Management and Business Continuity
Summary: DORA requires ICT service providers to assist with incident management, including major ICT incident reporting, and to implement tested business continuity (BC) and disaster recovery (DR) plans (Art. 30(2)(f), Art. 30(3)(c), Art. 11 DORA).
How Atlassian Addresses It:
- Section 3.2 of the DPA sets out Atlassian’s obligation to inform customers without undue delay in the event of a security incident, and to make reasonable efforts to respond to customer requests for further information about the event. Although the DPA is structured around privacy and personal data, Atlassian treats any incident affecting customer data as a security incident and applies these notification obligations consistently to every such event.
- Atlassian’s BC and DR plans are periodically reviewed and updated to ensure their effectiveness. These plans and procedures are regularly audited by external auditors as part of our SOC 2 attestation and ISO 27001 certification.
- Atlassian performs regular security testing of the platform and infrastructure services relevant to service delivery. A continuous disaster recovery (DR) testing approach is applied, so that every in-scope service is tested for failover at least once per quarter. Atlassian also runs on highly available AWS infrastructure using a multi-AZ (availability zone) approach.
- Atlassian enables customers to perform their own BC and DR testing using the Backup and Restore functionality.
4. Supervision, Audit, and Monitoring
Summary: DORA requires ICT service providers to grant audit rights, enable ongoing monitoring of service performance, and cooperate with competent authorities (Art. 30(2)(g), Art. 30(3)(e) DORA).
How Atlassian Addresses It:
- Atlassian’s DPA outlines customers’ rights to conduct audits, including reviews of Atlassian’s compliance with security and data protection obligations. These rights provide customers with the assurance that their data is handled in accordance with our contractual framework.
- Atlassian supports extended audits (such as pooled audits) where appropriate for qualified customers in regulated industries (e.g., the financial industry) who have purchased Enterprise versions of the covered Cloud Products. Customers can contact their account team or support for more information.
- Customers can access third-party audit reports and certifications, such as ISO 27001 and SOC 2, via Atlassian’s Trust Center, which demonstrate compliance with internationally recognised standards.
- While Atlassian provides self-attestations in the Trust Center, we place greater emphasis on third-party certifications and audit reports, such as ISO 27001 and SOC 2, which validate our security and operational measures through independent verification.
- Service performance is continuously monitored and transparently reported on status.atlassian.com.
5. Termination Rights and Exit Strategies
Summary: DORA requires clear termination rights with adequate notice and exit strategies that prevent disruptions to critical functions (Art. 30(2)(h), Art. 30(3)(f) DORA).
How Atlassian Addresses It:
- Atlassian’s DPA and ACA include provisions on data retention and export, enabling customers to retain access to their data during the termination process. For example, Section 6 of the DPA specifies customer rights to retrieve their data before contract termination. Section 12 of the ACA further emphasises that Atlassian provides the tools and documentation necessary for customers to retrieve and manage their data prior to termination.
- After termination, Atlassian deletes customer data in accordance with its policies and applicable laws, unless retention is required by law, ensuring transparency and alignment with exit strategy requirements.
- Transition support is facilitated through Atlassian features that allow customers to independently export their data, ensuring an orderly process when the business relationship ends.
- Atlassian emphasises a shared responsibility model, under which customers are responsible for regularly backing up their data to mitigate the risks of unplanned events. Atlassian provides the self-service tools and documentation customers need to manage their data export and retention effectively.
6. Sub-contracting
Summary: DORA mandates clear conditions for sub-contracting, requiring written agreements for critical ICT functions and notice of material changes (Art. 30(2)(a), RTS SUB Art. 6).
How Atlassian Addresses It:
- To address the DORA requirements on sub-contracting, we direct customers to our list of sub-processors acting as Cloud Hosting Providers, as these are the relevant Atlassian sub-contractors under DORA.
- Atlassian has determined that only the sub-processors serving as Cloud Hosting Providers are critical to delivering the functionality and features specified in the SLA. Sub-contracting chains for Atlassian Cloud Products are documented and monitored to ensure compliance.
- Customers who register through the subscription portal are notified of changes to the list of sub-processors, ensuring transparency and alignment with DORA requirements.
7. Testing and Risk Management
Summary: DORA requires ICT service providers to conduct regular operational resilience testing, including threat-led penetration testing (TLPT), and assess risks related to sub-contractors and ICT systems (Art. 30(3)(d), Art. 1(1)(a)(iv) DORA).
How Atlassian Addresses It:
- Atlassian’s risk management practices are validated through independent audits, including ISO 27001 certification and SOC 2 compliance audits. These audits assess the effectiveness of our risk management program and operational resilience measures.
- Atlassian provides customers with security testing reports, including redacted penetration testing reports, on request. These reports allow customers to rely on Atlassian’s implemented security practices in support of their own security testing and threat-led penetration testing (TLPT) obligations.
- In addition, customers may perform their own security testing of Atlassian Cloud Products in accordance with Atlassian’s Security Testing Guidance, so that they can independently verify security measures where necessary and address specific organisational requirements.
8. Training, Awareness, and Information Sharing
Summary: DORA emphasises mandatory ICT security awareness programs, role-specific training, and responsible information sharing to enhance resilience (Art. 30(2)(i), Art. 13(6) DORA).
How Atlassian Addresses It:
- As a global SaaS provider, Atlassian addresses the requirements around security awareness and training through its comprehensive internal programs and its industry participation, including but not limited to:
- Conducting mandatory privacy and security training for all employees and contractors annually, providing foundational awareness of key principles while tailoring role-specific curricula for critical roles such as software engineers and incident responders.
- Atlassian’s Security Measures, part of the contractual framework and independently validated through ISO 27001 and SOC 2 audits, assure customers of Atlassian’s commitment to comprehensive security awareness.
- Participation in selected security working groups and forums, enabling proactive information sharing and alignment with industry best practices for addressing emerging threats.
9. Regulatory Compliance and Responsibility
Summary: DORA mandates that ICT service providers maintain compliance with relevant laws and ensure accountability for services, including subcontractor adherence to security and compliance standards (Art. 5(2), RTS TPPol Art. 8(3)(h)).
How Atlassian Addresses It:
- Atlassian requires all sub-processors, including sub-contractors, to meet the same level of security and compliance as Atlassian itself. These requirements are set out in the DPA and include provisions for audits to validate adherence.
- The DPA sets out Atlassian’s sub-processing terms, ensuring that data protection obligations are flowed down into all sub-processing agreements. For example, the DPA requires every sub-processor to implement appropriate technical and organisational measures to safeguard customer data.
- Atlassian continuously improves its services and processes to meet regulatory requirements and customer expectations, particularly for customers in regulated industries (e.g., the financial services industry).
10. Service Continuity and Change Management
Summary: DORA requires measures to ensure ICT service continuity, including notification of material changes and measures to mitigate service disruptions. Sub-contractors must meet business continuity management (BCM) objectives (Art. 30(3)(b), RTS SUB Art. 4(f)).
How Atlassian Addresses It:
- Sub-contractors supporting critical or important functions are required to meet BCM objectives, as specified in Atlassian’s agreements and referenced in the Security Measures and DPA.
- Atlassian conducts due diligence assessments to validate sub-contractor compliance with these objectives. Atlassian reserves the right to audit sub-contractors; the frequency and necessity of such audits are determined by risk assessment.
- Changes to sub-contractors or to service delivery that affect critical functions are communicated to customers who register through the subscription portal, ensuring transparency and alignment with DORA requirements.