How you handle customer and end-user data privacy is critical to the success of your app. As a developer, you may have access to important customer information, including personal data, that is sensitive to certain use or exposure and, in many cases, regulated by applicable laws. Below are some best practices you should follow when developing and offering your Marketplace app for download and installation.
Collect data only where you need it (and have explained that need to the user - see item #1 above). If you don’t need it, leave it. If you do need it, collect the minimum amount required to accomplish the task - do not collect it because you think it may be useful later. Where personal data is involved, consider de-identifying it.
Respect Atlassian Developer Terms and any instructions to delete user data upon request and/or uninstall. In addition, get rid of data when it is no longer needed for the original task by developing and enforcing reasonable data retention schedules.
Note, regardless of whether you obtain consent, some data use cases may be prohibited by the Atlassian Developer Terms or the Marketplace Vendor Agreement. You are responsible for reviewing and complying with those terms.
Applicable laws and data management best practices require that you make it easy for users to get a copy of, correct and delete their personal data. This means, if you are storing personal data, you need to know where that personal data is at all times and be able to update it or remove it upon request. If you are storing personal data, Atlassian may require that you action certain events, including requests to change or delete personal data, as sent through our APIs. Failure to respect these requests may result in de-listing of your app.
If you are accessing or storing personal data outside of the European Economic Area (“EEA”), you must support an adequate transfer mechanism where data is collected from EEA residents via Atlassian APIs. You are responsible for selecting and complying with the transfer mechanism appropriate for your data transfer practices. For more information on adequacy mechanisms, please see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en.
If you are accessing, storing or otherwise processing personal data of EEA residents, users may request that you sign and comply with additional data protection terms, consistent with Article 28 of the General Data Protection Regulation (“GDPR”). You are responsible for understanding and complying with the terms required under Article 28 of the GDPR as it relates to the user data you access, store or otherwise process in connection with the user’s consent to install and share data with your app.
You must take reasonable steps to protect user data shared with you and collected by your app, including user device information. In addition to developing your app with security in mind (i.e., encrypt data in transit and at rest, use a dependency scanner such as OWASP Dependency-Check, etc.) you can significantly increase the security posture of your app and your company by following lightweight, best practices for securing physical workstations, user accounts, and infrastructure. For a more comprehensive list of recommended steps for improving the security of your app, please see our Vendor Security Guidelines.
In the event your app or suppliers experience a data security breach, you are responsible for communicating with users and regulators, as required by applicable law. For guidance on how to properly handle a security incident involving your app, please see our App Security Incident Management Guidelines.