Reduce risks and vulnerabilities, conduct periodic technical, and nontechnical evaluations in response to environmental or operational changes

Annually, we perform a Gap Assessment, update our Security Risk Analysis, and obtain a HIPAA Attestation from an independent certifying authority.

We perform risk assessments which include the identification, assessment, assignment, acceptance, remediation, and other relevant management activities, to ensure we operate within the agreed upon risk appetite and relevant legal and regulatory requirements. We continuously evaluate the design of controls and mitigation strategies, including recommending changes in the control environment. We maintain a risk and controls matrix within our Governance, Risk, and Compliance (GRC) tool.

Background screening and proper termination procedures

New Atlassians, globally, are required to complete a background check upon accepting an offer of employment. A comprehensive set of background checks are automatically triggered and run on all new hires, as well as independent contractors.

Our employees and contractors that have access to confidential information are bound by their employment contracts and confidentiality deeds to ensure that information security responsibilities and duties remain valid after termination, or change of employment, as well as the end of contractual relationships.

Sanctions against workforce members

During onboarding, every new employee must acknowledge our company Code of Business Conduct and Ethics policy, as well as complete Security Awareness training. Formal sanctions exist and are employed for individuals failing to comply with established information security policies and procedures.

Authorization of access for employees who work with ePHI

Active Directory role membership is automatically assigned based on a user’s department and team and is restricted to those that need such access. If a user transfers to another team, an alert is generated that triggers follow-up and removal of legacy access where appropriate. System or service owners have been designated as approvers to grant or modify user access within Active Directory access levels for various systems.

Privileged access to production environments is restricted to authorized and appropriate users only.

Access to our internal network and tools is restricted to authorized users via logical access measures. Each user account must:

• have an active Active Directory account, and
• be a member of the appropriate Active Directory group.

Appropriate granting of access (least privileged basis)

Terminate a session after predetermined time of inactivity

Desktop and mobile applications have a maximum user session timeout based on our standard operating procedures (8 to 24 hours for desktop sessions, 30 to 90 days for mobile sessions).

A screensaver is enforced for both MacOS and Windows endpoints with a requirement to enter a password to unlock it.

Audit logging/detection (including monitoring of login attempts)

We retain and secure event logs against loss or tampering. We review access to logs periodically. We have enabled logging within our AWS environment and direct those logs to Splunk. We have deployed automated alerts for AWS as well as all HIPAA-qualified cloud events based upon known and prior security events and incidents.

We maintain a review process to tune and optimize our alerts, and remove false-positives. We have a dedicated automation engineer to streamline the alert development and triage process.

Identify and respond to suspected or known security incidents. Mitigate and document the incidents and their outcomes

We have implemented an organizational-wide incident management process, with the Security team responsible for the program, which comprises of:

• recording every action, when managing an incident, into the Incident Management System under an incident ticket. Records must include:
  • incident start time
  • incident description
  • severity
  • services affected
  • impact
  • number of affected customers
  • root cause
  • actions taken
  • affected SLOs (capabilities impacted)
• associating problems, where possible, with the underlying cause and/or grouping them together into parent incidents
• completing a Post Incident Review (PIR) after Major and Critical Incidents

Identify an individual responsible for the development and implementation of the HIPAA security compliance program

We have a dedicated HIPAA Security Officer. Our Security Officer understands their responsibilities, the HIPAA Security Rule, and how those requirements apply to our products.

Identify an individual responsible for the development and implementation of the HIPAA privacy compliance program

We have a dedicated HIPAA Privacy Officer. Our Privacy Officer understands their responsibilities, the HIPAA Privacy Rule, and how those requirements apply to our products.

User awareness training

As part of the Atlassian Security Awareness program, all employees are required to complete training annually. Additionally, we distribute security-related awareness exercises and communications ad hoc throughout the year.

Procedures to enable continuation of critical business processes

We have defined, reviewed, and tested procedures for Disaster Recovery execution. The policy describes, at a high level, the purpose, objectives, scope, recovery time objective, recovery point objective, and roles/responsibilities. We test formal business continuity and disaster recovery plans on a quarterly basis. In support of contingency plan components, we assess services and systems for their criticality annually.

We perform and test backups and restores of applications, systems, and configurations associated with the Atlassian assets in line with our standard operating procedures.

Business Associate Agreements contain satisfactory assurances that your data will be appropriately safeguarded by Atlassian and third party suppliers

We provide assurances that we will appropriately safeguard your information, and will only use or disclose your information as permitted or required wherever we create, receive, maintain, or transmit PHI on your behalf. These assurances are captured in Business Associate Agreements with you. We have also created an Implementation Guide that provides instructions to customers on how they should use and configure our services to ensure they are also appropriately safeguarding information.

Additionally, we ensure relevant third party suppliers will protect your PHI by requiring them to sign Business Associate Agreements with us.

Safeguard physical facilities and equipment from tampering or theft

All of our staff and contractors are issued a security badge when onboarding to gain physical access to a facility. Upon termination and close of a profile in our Human Resources Information System, our system automatically revokes physical access.

We issue temporary badges to visitors at local sites. Visitors must return guest passes on exit of the building. If cards are not returned, we automatically terminate those badges.

Implement physical safeguards for all workstations that access ePHI

We have implemented a ZeroTrust network to only allow access from known devices that are enrolled into a management platform. We have placed our applications into security tiers depending on the data they store and the systems they connect to. This tiered network is as follows: High Tier, Low Tier, and Open Tier. The type of device and its security posture are assessed to determine what applications it can access.

We manage disk encryption, password lock, and security patching on all MacOS and Windows laptops.

We have configured USB mass storage devices as read-only on all Atlassian issued MacOS and Windows machines.

Procedures to address the final disposition of ePHI and the hardware on which it is stored

We wipe any laptop returned before it is redeployed or disposed. A lost/stolen laptop procedure is also in place to ensure data is not stolen.

Retain documentation for 6 years from the date of its creation, or the date when it was last in effect

All of our policies are reviewed at least annually by the designated policy owner and are retained indefinitely. To view a snapshot of our policies, visit Our Atlassian Security & Technology Policies.

Our Privacy Policy can be found here.

Security measures to ensure that ePHI is not improperly modified

We encrypt all HIPAA-qualified cloud product's data at rest. Additionally, we encrypt data transmitted over public networks and ensure the data reaches its intended destination.

External users connect to HIPAA-qualified cloud products using encrypted traffic via the SSL protocol.

Mechanisms to encrypt ePHI whenever it is deemed appropriate