Last updated May 12, 2019

Data privacy guidelines for developers

How you handle customer and end-user data privacy is critical to the success of your app. As a developer, you may have access to important customer information, including personal data, that is sensitive to certain use or exposure and, in many cases, regulated by applicable laws. Below are some best practices you should follow when developing and offering your Marketplace app for download and installation.

Note, these guidelines are in addition to and in no way limit the Atlassian Developer Terms or the Marketplace Vendor Agreement.

1. Clearly explain your data privacy practices

Tell the user how you plan to use the data they share with you - they have a right to know. This explanation should live in a privacy policy, which is displayed to the user at the time of app install and is easily accessible through the app’s Marketplace listing and any web properties you host. The privacy policy should clearly explain to the user what data the app will collect, how that data will be used, who will have access to the data, and what choices the user has.

If you are listing your app on the Marketplace, you are required to include a URL for your privacy policy.

2. Minimize the data you collect

Collect data only where you need it (and have explained that need to the user - see item #1 above). If you don’t need it, leave it. If you do need it, collect the minimum amount required to accomplish the task - do not collect it because you think it may be useful later. Where personal data is involved, consider de-identifying it.

Respect Atlassian Developer Terms and any instructions to delete user data upon request and/or uninstall. In addition, get rid of data when it is no longer needed for the original task by developing and enforcing reasonable data retention schedules.

Consent is different from a privacy policy - a privacy policy gives notice and explains to the user how their data will be used, whereas consent gets permission for a specific use. In some cases telling the user how you will use their data is not enough - applicable laws may require that you get consent before collecting and using data for certain purposes. Using data for marketing, sharing data with third parties and other data use cases not strictly required to support the operation of your app may require a separate consent from the user before collecting or using the data. As a general rule of thumb, you should always get consent if the user would not expect their data to be used or shared in a particular way given the purpose of your app.

Consent may not be embedded in a privacy policy. Instead, it must be collected from the user directly. You are responsible for collecting and maintaining all such consents, either through the app itself or through direct communication with the app user.

Note, regardless of whether you obtain consent, some data use cases may be prohibited by the Atlassian Developer Terms or the Marketplace Vendor Agreement. You are responsible for reviewing and complying with those terms.

4. Provide access, modification and erasure of personal data

Applicable laws and data management best practices require that you make it easy for users to get a copy of, correct and delete their personal data. This means that, if you are storing personal data, you need to know where that personal data is at all times and be able to update it or remove it upon request. If you are storing personal data, Atlassian may require that you act on certain events, including requests to change or delete personal data, as sent through our APIs. Failure to respect these requests may result in de-listing of your app.

5. Have a data transfer mechanism

If you are accessing or storing personal data outside of the European Economic Area (“EEA”), you must support an adequate transfer mechanism where data is collected from EEA residents via Atlassian APIs. You are responsible for selecting and complying with the transfer mechanism appropriate for your data transfer practices. For more information on adequacy mechanisms, please see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.

6. Offer additional data processing terms

If you are accessing, storing or otherwise processing personal data of EEA residents, users may request that you sign and comply with additional data protection terms, consistent with Article 28 of the General Data Protection Regulation (“GDPR”). You are responsible for understanding and complying with the terms required under Article 28 of the GDPR as it relates to the user data you access, store or otherwise process in connection with the user’s consent to install and share data with your app.

7. Invest in data security

You must take reasonable steps to protect user data shared with you and collected by your app, including user device information. In addition to developing your app with security in mind (e.g., encrypting data in transit and at rest, using a dependency scanner such as OWASP Dependency-Check, etc.), you can significantly increase the security posture of your app and your company by following lightweight best practices for securing physical workstations, user accounts, and infrastructure. For a more comprehensive list of recommended steps for improving the security of your app, please see our Vendor Security Guidelines.

In the event your app or suppliers experience a data security breach, you are responsible for communicating with users and regulators, as required by applicable law. For guidance on how to properly handle a security incident involving your app, please see our App Security Incident Management Guidelines.