Last updated Sep 15, 2023

Forge privacy and security FAQs

This information is provided for informational purposes only. It is not intended to be a substitute for legal advice. As such, always consult legal counsel before acting on any matter discussed within this document.

This page provides a high level summary of key privacy and security information about Forge. Whether you’re looking to build a new app or integration on Forge, or are just curious about your existing apps and integrations, read on to see how Forge can help protect you and your customers.

This information applies when Atlassian is providing Forge hosted storage and/or Forge compute.

Forge support for GDPR

The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. GDPR imposes legal obligations on companies that are located in the European Economic Area (EEA) or that process personal data relating to EEA residents. Forge developers with access to the Atlassian Partner Portal can view an overview of GDPR and implications for app developers here.

Atlassian has established contractual, technical, and organizational measures in order to help ensure that the Forge platform service provided by Atlassian complies with GDPR. For more information on Atlassian’s GDPR compliance, please see Atlassian’s GDPR Commitment.

Below are answers to some commonly asked questions regarding Forge and GDPR.

General questions

Question: Is there a Data Processing Agreement (DPA) for Forge?
Answer: Yes, the Forge DPA can be found here.

Question: What are Atlassian’s and the Forge developers' respective roles under the DPA?
Answer: The roles are set forth in Section 1.2 of the Forge DPA, and are as follows:
  • Where Atlassian processes end user personal data on behalf of Forge developers in connection with Forge, Atlassian will act as a processor or sub-processor, and Forge developers will act as a controller or processor respectively, of personal data.
  • Where Atlassian processes Forge developers' personal data (e.g. user account information of Forge developers and their employees/collaborators) in connection with Forge, Atlassian will act as an independent controller.

Question: Does Atlassian provide Forge developers with assistance regarding data subject requests?
Answer: Yes, Atlassian has built a Personal Data Reporting API to help Forge developers comply with data subject requests. For more information on the Personal Data Reporting API, please see the User Privacy Guide for App Developers.

Question: How does Atlassian handle requests from law enforcement?
Answer: Atlassian has strictly defined policies and processes for any law enforcement requests and additionally publishes an annual transparency report.

Question: What are the categories of personal data that Atlassian processes as a processor on behalf of Forge developers?
Answer: The relevant personal data categories are set forth in Annex 1(B), Part A of the Forge DPA.

Sub-processor questions

Question: Does Atlassian use sub-processors to provide Forge?
Answer: Yes, Atlassian utilizes the services of sub-processors as set forth in the Forge DPA.

Question: Where can I find the list of Atlassian’s sub-processors?
Answer: The link can be found here, and is also referenced in Section 1.9 of the Forge DPA.

Question: Under what conditions may Atlassian engage new sub-processors?
Answer: As set forth in Section 1.9 of the Forge DPA, Atlassian may engage new sub-processors, provided that:
  • Atlassian maintains an up-to-date list of its sub-processors, which contains a mechanism for Forge developers to sign up for notifications of new sub-processors,
  • Atlassian enters into written agreements with each sub-processor which impose data protection terms on the sub-processor, and
  • Atlassian remains liable to Forge developers if the sub-processor fails to fulfill its data protection obligations under applicable data protection laws.

Data transfer questions

Question: Does Atlassian have an approved transfer mechanism in place?
Answer: Yes. Atlassian participates in and certifies compliance with the EU-U.S. DPF. You can find more information in our Privacy Policy under the section “Data Privacy Framework Notice”. Where adequacy does not apply, we continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism as set forth in Section 1.6 of the Forge DPA.

Question: Where does Atlassian store and process personal data on Forge?
Answer: The information on processing locations for personal data can be found in the Atlassian Data Transfer Impact Assessment.

Security questions

Question: What are Atlassian’s obligations in the event of a security incident relating to Atlassian’s provision of the Forge platform?
Answer: As set forth in Section 1.11 of the Forge DPA, upon becoming aware of a security incident, Atlassian will:
  • Notify Forge developers without undue delay,
  • Provide timely information relating to the security incident, and
  • Take reasonable steps to contain, investigate, and mitigate the effects of the security incident.

Question: What are the technical and organizational measures (TOMs) employed by Atlassian to protect personal data?
Answer: The TOMs are set forth in Exhibit B of the Forge DPA and include, but are not limited to, the following:
  • Data encryption
  • Security management program
  • Business continuity and disaster recovery plans
  • Vulnerability scanning and remediation
  • Access controls
  • Employee screening and training

Forge support for CCPA

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. The CCPA is a California data privacy regulation that governs how certain organizations use, collect, and process personal information of California residents. The CCPA was later amended by the California Privacy Rights Act of 2020 (CPRA), which went into effect on January 1, 2023. Forge developers with access to the Partner Portal can learn more about CCPA and implications for app developers here.

Atlassian is committed to complying with CCPA and any future modifications to the law. Accordingly, Atlassian has updated i) the Forge DPA to comply with the CCPA, and ii) the Atlassian Privacy Policy to include information specific to the CCPA. For more information on our organization’s compliance, please see Atlassian’s CCPA Commitment.

Below are answers to some commonly asked questions regarding Forge and CCPA.

Question: Is CCPA included in the scope of the Forge DPA?
Answer: Yes. Please refer to the definition of “U.S. Data Protection Laws” under Section 1.1 of the Forge DPA.

Question: What is Atlassian’s role under the CCPA with regard to end user personal data on Forge, which Atlassian processes on behalf of Forge developers?
Answer: As set forth in Section 1.5(b) of the Forge DPA, Atlassian may act as a Service Provider on behalf of Forge developers, to the extent Atlassian processes end user personal data which includes personal information protected under the CCPA.

Question: Does Atlassian ‘sell’ or ‘share’ (as defined under CCPA) end user personal data, which Atlassian processes on behalf of Forge developers, under the Forge DPA?
Answer: No, Atlassian does not “sell” or “share” end user personal data, as defined under CCPA, in its . For more information please see Section 1.5(b) of the Forge DPA.

Forge Security Standards

In addition to the technical and organizational measures mentioned in the Forge DPA, Forge complies with major security standards. Forge, as part of the Atlassian Platform, has successfully completed the ISO 27001 and SOC 2 evaluation process. Compliance reports and certificates for the Atlassian Platform, which includes Forge, may be downloaded from the Atlassian Compliance Resource Center.

Below are answers to some commonly asked questions regarding Forge and its security practices.

Question: Does Atlassian have a data retention policy for Forge?
Answer: Yes, the Forge platform follows Atlassian’s internal Standard Data Retention and Disposal policy. More information can be found in the Atlassian SOC 2 report, which you can download here.

Question: How often is Forge disaster recovery testing performed?
Answer: Atlassian performs disaster recovery testing for the Forge platform at least annually.

Question: Where can I find the status/uptime of Forge?
Answer: You can find the status/uptime information at https://developer.status.atlassian.com/

Question: Who from Atlassian has access to the Forge data?
Answer: Please refer to the “Atlassian Access Controls” section of the Atlassian SOC 2 report.

Still have questions? Contact us

For any privacy or security-related questions relating to Atlassian’s provision of the Forge platform that are not covered here, please see the resources linked below:

For legal advice on your obligations as a Forge developer, please reach out to your own legal counsel.