Last updated Apr 9, 2023

Privacy and Security tab in your Marketplace listing

Trust and security are incredibly important to Atlassian and maintaining a secure Marketplace is a collective effort shared by Atlassian and Marketplace partners. To increase visibility on security indicators for customers, cloud apps have the Privacy and Security tab in the Marketplace listing UI.

Video introduction to the Privacy and Security tab

Before you begin

Complete the pre-launch trust checklist.
Learn how customers evaluate trust in cloud.
Subscribe to updates from our Trust team in the Partner Portal.

What will change on the listing page?

The information collected would primarily be part of the new Privacy & Security tab. The new tab will be discoverable in two sections in the Marketplace listing as shown below. Based on Atlassian’s customer research, we expect that the new tab would make it easier for customers to do the first-level assessment to determine if an app requires a more in-depth privacy and security review or not. This may also help in reducing the overall number of requests sent to the Marketplace partners to provide this information. It will also give Marketplace partners who are making significant trust investments an opportunity to showcase those investments, ideally growing their potential cloud customer base.

App Overview

P&S Default view	P&S Expanded view

How will you provide the information for your apps?

We have been accepting responses from February 2023. There are two options to submit your responses to the questionnaire - either using a PUT API or using a UI web form.

If you are opting to fill out via API, here’s the loom video that explains the process and steps involved. You can also get more information through our API documentation.

If you wish to fill out the questionnaire via UI web form, please find the steps below. We have also created a loom video that showcases the discoverability and steps involved in filling out the UI web form.

Log in to Atlassian Marketplace with your partner account.
Select Manage partner account from the profile menu in the upper right.
Select your app's name from the list.
Select Privacy and Security tab. You will be introduced to the new feature.
If you have pre-filled the answers via API, they would be populated on the UI. If not, you can directly enter your answers on the UI.
When you complete all the sections, you can select Save and preview to view the page as it would appear on the app listing page for the customers.
To delete the changes while you fill out the form, you can select Discard changes.
When you confirm all the responses, you can select Save and preview to preview the page and select Submit and publish for the responses to be active.
You can also select Edit draft to make any changes to the pre-filled responses from the page preview.

Below are the questions that would be surfaced as part of the new Privacy and Security tab in the Marketplace listing. The list of questions have been prepared based on customer research findings that would enable customers to have a smooth and hassle-free assessment of apps. As we aim to provide the most vital and updated app privacy and security information through this tab, the questionnaire will evolve with time based on the feedback received from the partners and customers.

Questions	Potential responses	Visible on app listing page
Does your app store End-User Data outside of Atlassian products and services (excluding process/storage of End-User Data in logs)?	Yes You'll be asked to list the End-User Data types for your app stores. For example: Email address Device ID IP address Content posted, received or shared in the app by end-users No	In default view
	Does your app process End-User Data outside of Atlassian products and services or outside of the end-user’s browser (excluding process/storage of End-User Data in logs)?	Yes You'll be asked to list the End-User Data types for your app processes. For example: Email address Device ID IP address Content posted, received or shared in the app by end-users If this is identical to the data stored by your app, you'll need to confirm this via checkbox. No	In default view
		If the data types processed and stored are the same, checkbox needs to be ticked to confirm the response
		If partner responses ‘no’ to the above questions, no further data-related questions would be surfaced.
Does your app log End-User Data?		Yes No		In expanded view
	Does your app process and/or store End-User Data in logs outside of Atlassian products and services?	Yes No	In expanded view
		Does your app share End-User Data with any third party entities (e.g. sub-processors)?			Yes You'll be asked to provide additional information for each third party, or provide a link to your sub-processor link. For reference, learn more about Atlassian's sub-processor list. You may need to list multiple third parties here or provide a link to their public-facing sub-processor list. If they don’t provide a link to their sub-processor list, they will need to submit additional information. For each third party, provide: Name of third party [free text] Domain [link] Countries where third party stores End-User Data [free text] Purpose of sharing End-User Data with third party (e.g. cloud hosting) [free text] No	In expanded view
					Does your app share logs that include End-User Data with any third-party entities?		Yes No	In expanded view
Is sharing of logs that include End-User Data with any third party entities integral for app functionality?				Yes No			In expanded view
	Does your app support data residency options? If yes, please list the locations where in-scope End-User Data is stored. For example: EU US		Yes. App supports data residency and stores End-User Data independently outside of Atlassian products and services. [partner lists locations where data residency is supported] You’ll be asked to list locations that your app supports for data residency. You’ll also be asked to list the End-User Data that is in-scope for data residency. For example, here's Atlassian’s list of in-scope product data that is supported by data residency. Yes. App stores End-User Data exclusively within Atlassian products and services which support data residency options, as outlined here (including storing all in-scope End-User Data exclusively within [Atlassian Forge platform](/platform/forge/data-residency/). No. App does not support data residency options. No. App stores End-User Data exclusively within Atlassian products and services, which don't support data residency options yet due to Atlassian’s current roadmap. Not applicable. App does not store End-User Data.	In default view
		Does your app support migration of in-scope End User Data between your data residency supported locations?	Yes No			In expanded view
			Does your app store End-User Data after a customer uninstalls your app?		Yes You'll be asked what your app's minimum and maximum data storage period is for End-User Data after a customer uninstalls your app?[Minimum/maximum storage period must be entered in days] No			In expanded view
Does your app allow customers to request a custom End-User Data retention period?					Yes No		In expanded view
	Does your app use any privacy enhancing technologies (PETs) to protect End-User Data? If yes, please list any PETs used. For example: Data masking techniques like pseudonymization and anonymization			Yes [+ list of PETs used] No	In expanded view
		Is your company/organization a ‘data controller’ under the General Data Protection Regulation (GDPR) with reference to this app?		Yes You'll be asked to specify the End-User Data with respect to which your app is a “data controller“. [free text] No Not applicable - Company/Organization is not subject to the GDPR.		In default view
			Is your company/organization a ‘data processor’ under the General Data Protection Regulation (GDPR) with reference to this app?	Yes You'll be asked to specify the End-User Data with respect to which your app is a “data processor“. [free text] No Not applicable - Company/Organization is not subject to the GDPR.				In default view
Is your company/organization a ‘business’ under the California Consumer Privacy Act of 2018 (CCPA) with reference to this app?				Yes You'll be asked to specify the End-User Data with respect to which your app is a “business“. [free text] No Not applicable - Company/Organization is not subject to the CCPA.			In expanded view
	Is your company/organization a ‘service provider’ under the California Consumer Privacy Act of 2018 (CCPA) with reference to this app?			Yes You'll be asked to specify the End-User Data with respect to which your app is a “service provider“. [free text] No Not applicable - Company/Organization is not subject to the CCPA.	In expanded view
		Does your app have a Data Processing Agreement (DPA) for customers?		Yes You'll be asked to link it here. [free text] No		In expanded view
			Does your app transfer European Economic Area (EEA) residents’s End-User Data outside of the EEA?	Yes No				In expanded view
If partner responds 'yes' to above question then the below question would be surfaced. Does your app have a General Data Protection Regulation (GDPR) approved transfer mechanism in place to govern those transfers? Please provide the transfer mechanism you use here. For example: Standard Contractual Clauses (SCCs)
	Yes[Partner specifies transfer mechanism] No
	Marketplace Security Bug Bounty Program participant	Information already available with Atlassian		In default view
		Which email address can be used to contact for app security issues?	name@partneremail.com		In expanded view
Please provide your security policy			Security policy link provided by the partner			In expanded view
			Have you completed a CAIQ Lite Questionnaire that covers this app?				Yes You'll be asked to link or upload your CAIQ Lite Questionnaire responses: [link or PDF] No	In expanded view
	Does your app use full disk encryption at-rest for End-User Data stored outside of Atlassian or the users’s browser? Atlassian’s second requirement in Security requirements for cloud applications states, “Any Atlassian End User Data stored by an application outside of the Atlassian product or users' browser must ensure full disk encryption at-rest.” Does your app meet this requirement?			Yes No			In expanded view
		Integration permissions with Atlassian products		Information already available with Atlassian	In default view
Does your app have any compliance certifications? For example: SOC2 ISO27K HIPAA FedRamp Other				Yes [partner picks from drop-down list or inserts free text in “other”] No		In default view
			Please provide your privacy policy which governs how you collect, access or otherwise process End-User Data. This is a requirement for all partners, as set out in Atlassian’s Marketplace Partner Agreement.	Link to partner privacy policy				In default view

Frequently asked questions

When can I start submitting the responses?

You can start submitting responses now via API or through the UI form. The responses will be shown to customers only after the tab on Marketplace listings goes live as part of the slow roll out beginning late March 2023.

Who can submit information for the Privacy & Security tab?

Any partner who has Manage App permissions can submit responses via the API or UI web form.

Can I re-use my Security Self Assessment answers for the Privacy & Security tab?

While there are some similar questions in Security Self Assessment and Privacy & Security tab, they don’t map one-to-one. Also, Security Self Assessment collects information at partner level while Privacy & Security tab information is at app level.

How did Atlassian choose these questions, what was the selection criteria?

The list of questions is prepared based on customer research where customers indicated that the high-level information provided by partners to these questions would help them determine whether a more in-depth privacy and security review is required.

In addition to customer research, members of Atlassian’s security and privacy teams were closely involved in determining the questions and wording for the first iteration of the Privacy & Security tab.

How will the Privacy & Security tab look for my apps if I don’t answer the questions?

If you don’t complete or partially complete the Privacy & Security tab information, the following default value will be displayed on the fields with no response “Response not provided by the partner”.

How do I make sure I entered the correct or expected information?

There will be tooltips that will explain and guide you where additional info is needed. In addition, there will be a preview option to check the information you entered before submitting the responses.

I gave my consent to Atlassian for sharing the answers of Security Self Assessment with customers who request it. Will that process continue after Security Self Assessment deprecation?

No, after the deprecation of Security Self Assessment program, we will no longer continue to share your responses with customers.

Is answering the Privacy & Security tab questions mandatory?

It is not mandatory to answer the Privacy & Security questionnaire. However, Cloud Fortified apps will be required to complete all fields by a to-be-announced date 6 months after the API is released. After that date their Cloud Fortified badge will be removed if all fields of Privacy & Security tab are not filled out.

However, as this information is highly sought by customers, we encourage partners to submit their answers for all cloud apps.

My Cloud Fortified Security Self Assessment review is coming up. Should I update that, or the Privacy & Security tab?

During the 6 month Security Self Assessment deprecation period, we recommend updating the Privacy & Security tab instead of the Security Self Assessment to avoid duplicating efforts.

What happens if I enter wrong information or want to update my answers?

If you would like to update the information you entered, you can simply resubmit your answers via API or UI web form. These submission options will be available in early February 2023.

What will happen to the Security Self Assessment program?

As the Privacy & Security tab will be displaying more comprehensive information related to app behavior, we will be deprecating the Security Self Assessment program on August 13, 2023 (6 months after the API release). This will prevent you from having to fill out the same type of information in two places.

Until the official deprecation date, the Security Self Assessment program will remain active. However, we strongly encourage Marketplace Partners to fill out the Privacy & Security Tab instead of the Security Self Assessment during this deprecation period to avoid duplicating efforts.

Where can I get support if I have questions related to Privacy & Security tab?

Partners can submit their questions related to Privacy & Security tab via this service desk.

Why is it important to answer Privacy & Security tab questions?

When purchasing Marketplace apps in cloud or assessing cloud apps during a migration to cloud, many customers have a rigorous security and privacy assessment that each app must go through. This process usually starts with some desk research (checking the Marketplace listing, partner website, and app documentation) to assess the app’s basic privacy and security practices, and ends with a long, thorough questionnaire sent directly from a customer to a Marketplace Partner. This process is time consuming for customers and Marketplace Partners alike, and can deter some customers from bringing their apps with them to cloud or adopting apps for their cloud instances.

While the new UI will not replace security assessments, we expect it to streamline the assessment process by answering the most commonly asked questions and helping customers determine if an app requires a more in-depth assessment.

Will Privacy & Security tab be available for all Atlassian deployment options: Cloud, Data Center, and Server?

Atlassian is introducing Privacy & Security tab for cloud apps only.

Will the tab be visible on the web marketplace (marketplace.atlassian.com) as well as the in-product Marketplace?

Yes, the tab will be visible on cloud app listings on marketplace.atlassian.com as well as the in product marketplaces for Jira Cloud and Confluence Cloud.

Will my answers go through a review process?

Your answers will go live on the Privacy & Security tab of your app listing page immediately after you submit the information.

Atlassian will not conduct a review of the content of partners' responses, but we will do a lagging review (review of information on live Privacy & Security tabs) to ensure partner responses do not contain malicious links, obscenity, or other items that violate our Acceptable Use Policy. We will provide a disclaimer on the tab stating that Marketplace Partners are responsible for the responses on the tab.

Will the new tab go live on all cloud app listings at once?

The tab will go live on all cloud app listings at once in late March 2023, but not all customers will see it. We will roll out the tab slowly over 6-8 weeks to ensure a smooth transition for customers.

Ultimately, we plan to roll out the tab to 100% of customers across Atlassian Marketplace and the Embedded Marketplace starting in June 2023.

When can I start sending customers to my Privacy & Security tab?

We plan to roll out the tab to 100% of customers starting in June 2023. We will share an update when the full rollout is complete.

Between late March 2023 and May 2023, expect some customers to be aware of your Privacy & Security tab, and some customers to be unaware of the tab.

We recommend refraining from sending customers to the tab between March and May, as some may not yet have access.

When will Atlassian announce the Privacy & Security tab to customers?

We plan to do an official announcement to customers on the Work/Life blog and via email after it is visible to 100% of customers who visit the Marketplace.

We also plan to let customers know that the Privacy & Security tab is “coming soon” starting at our annual conference, Team 23.

When will these UI changes go into effect?

Here is a timeline for the coming months:

January 2023: Marketplace partners can start preparing responses.
February 2023: API documentation and UI web form will be available and Marketplace partners can start submitting responses.
March 2023 (planned for March 29): Beginning of slow roll out to customers - tab will be live on all cloud listings on marketplace.atlassian.com

For the gradual rollout phase (March-May 2023), the Privacy & Security tab will only be available on Atlassian Marketplace, not on Embedded Marketplace.
June 2023: Tab will go live for 100% of customers on marketplace.atlassian.com and on Embedded Marketplace.
August 13, 2023: All fields must be filled out for all Cloud Fortified apps.