Last updated Oct 6, 2023

Privacy and Security tab in your Marketplace listing

Trust and security are incredibly important to Atlassian and maintaining a secure Marketplace is a collective effort shared by Atlassian and Marketplace partners.

After careful consideration of the best practices to build secure apps and to increase visibility on security indicators for customers, Atlassian introduced the Privacy and Security tab in the Marketplace listing UI for cloud apps.

Learn more about:

What will change on the listing page?

The information collected would primarily be part of the new Privacy & Security tab. The new tab will be discoverable in two sections in the Marketplace listing as shown below. Based on Atlassian’s customer research, we expect that the new tab would make it easier for customers to do the first-level assessment to determine if an app requires a more in-depth privacy and security review or not. This may also help in reducing the overall number of requests sent to the Marketplace partners to provide this information. It will also give Marketplace partners who are making significant trust investments an opportunity to showcase those investments, ideally growing their potential cloud customer base.


App Overview

P&S Default viewP&S Expanded view

How will you provide the information for your apps?

We have been accepting responses from February 2023. There are two options to submit your responses to the questionnaire - either using a PUT API or using a UI web form.

If you are opting to fill out via API, here’s the loom video that explains the process and steps involved. You can also get more information through our API documentation.

If you wish to fill out the questionnaire via UI web form, please find the steps below. We have also created a loom video that showcases the discoverability and steps involved in filling out the UI web form.

  1. Log in to Atlassian Marketplace with your partner account.

    Login  

  2. Select Manage partner account from the profile menu in the upper right.

    Manage Partner Account  

  3. Select your app's name from the list.

    Select app name  

  4. Select Privacy and Security tab. You will be introduced to the new feature.

    Privacy and Security tab  

  5. If you have pre-filled the answers via API, they would be populated on the UI. If not, you can directly enter your answers on the UI.

    Privacy and Security details  

  6. When you complete all the sections, you can select Save and preview to view the page as it would appear on the app listing page for the customers.

    Preview  

  7. To delete the changes while you fill out the form, you can select Discard changes.

    Delete Privacy and Security info  

  8. When you confirm all the responses, you can select Save and preview to preview the page and select Submit and publish for the responses to be active.

    Publish security info  

  9. You can also select Edit draft to make any changes to the pre-filled responses from the page preview.

     

Below are the questions that would be surfaced as part of the new Privacy and Security tab in the Marketplace listing. The list of questions have been prepared based on customer research findings that would enable customers to have a smooth and hassle-free assessment of apps. As we aim to provide the most vital and updated app privacy and security information through this tab, the questionnaire will evolve with time based on the feedback received from the partners and customers.
 

QuestionsPotential responsesVisible on app listing page
Does your app store End-User Data outside of Atlassian products and services(excluding process/storage of End-User Data in logs)?
  • Yes
  • No

If partner responses ‘yes’, then the below question would be surfaced, please list the End-User Data types your app stores. For example:
  • Email address
  • Device ID
  • IP address
  • Content posted, received or shared in the app by end-users
In default view
Does your app process End-User Data outside of Atlassian products and services or outside of the end-user’s browser (excluding process/storage of End-User Data in logs)?
  • Yes
  • No

If partner responses ‘yes’, then the below question would be surfaced, please list the End-User Data types your app processes. For example:
  • Email address
  • Device ID
  • IP address
  • Content posted, received or shared in the app by end-users
In default view
If the data types processed and stored are the same, checkbox needs to be ticked to confirm the response
If partner responses ‘no’ to the above questions, no further data-related questions would be surfaced.
Does your app log End-User Data?
  • Yes
  • No
In expanded view
Does your app process and/or store End-User Data in logs outside of Atlassian products and services?
  • Yes
  • No
In expanded view
Does your app share End-User Data with any third party entities (e.g. sub-processors)?
  • Yes
  • No
In expanded view
If partner responds 'yes', then the below question would be surfaced.
Please provide the following information for each third-party, or provide a link to your sub-processor list. For reference, learn more about Atlassian's sub-processor list.
Apps may need to list multiple third parties here or provide a link to their public-facing sub-processor list. If they don’t provide a link to their sub-processor list, they will need to fill out the following information:
For each third party, please provide:
  • Name of third party [free text]
  • Domain [link]
  • Countries where third party stores End-User Data [free text]
  • Purpose of sharing End-User Data with third party (e.g. cloud hosting) [free text]
Does your app share logs that include End-User Data with any third-party entities?
  • Yes
  • No
In expanded view
Is sharing of logs that include End-User Data with any third party entities integral for app functionality?
  • Yes
  • No
In expanded view
Does your app support data residency options? If yes, please list the locations where in-scope End-User Data is stored.
For example:
  • EU
  • US
In default view
If the previous response is "Yes. App stores End-User Data exclusively within Atlassian products and service which support data residency options." No further questions would be asked and the following link would be surfaced on the UI.
If the previous response is "Yes. App supports data residency options." Please list the End-User Data that is in-scope for data residency. For example, here's Atlassian’s list of in-scope product data that is supported by data residency.
Does your app support migration of in-scope End User Data between your data residency supported locations?
  • Yes
  • No
In expanded view
Does your app store End-User Data after a customer uninstalls your app?
  • Yes
  • No
In expanded view
If partner answers 'yes', What is the minimum and maximum data storage period for End-User Data after a customer uninstalls your app?[Minimum/maximum storage period must be entered in days]
Does your app allow customers to request a custom End-User Data retention period?
  • Yes
  • No
In expanded view
Does your app use any privacy enhancing technologies (PETs) to protect End-User Data? If yes, please list any PETs used.
For example:
  • Data masking techniques like pseudonymization and anonymization
  • Yes [+ list of PETs used]
  • No
In expanded view
Is your company/organization a ‘data controller’ under the General Data Protection Regulation (GDPR) with reference to this app?
  • Yes
  • No
  • Not applicable - Company/Organization is not subject to the GDPR.
In default view
If partner responds 'yes', please specify the End-User Data with respect to which your app is a “data controller.” [free text]
Is your company/organization a ‘data processor’ under the General Data Protection Regulation (GDPR) with reference to this app?
  • Yes
  • No
  • Not applicable - Company/Organization is not subject to the GDPR.
In default view
If partner responds 'yes', please specify the End-User Data with respect to which your app is a “data processor.” [free text]
Is your company/organization a ‘business’ under the California Consumer Privacy Act of 2018 (CCPA) with reference to this app?
  • Yes
  • No
  • Not applicable - Company/Organization is not subject to the CCPA.
In expanded view
If partner responds “yes”, please specify the End-User Data with respect to which your app is a “business.” [free text]
Is your company/organization a ‘service provider’ under the California Consumer Privacy Act of 2018 (CCPA) with reference to this app?
  • Yes
  • No
  • Not applicable - Company/Organization is not subject to the CCPA.
In expanded view
If partner responds 'yes', please specify the End-User Data with respect to which your app is a “service provider.” [free text]
Does your app have a Data Processing Agreement (DPA) for customers?
  • Yes
  • No
In expanded view
If partner responds 'yes', please link it here.
Does your app transfer European Economic Area (EEA) residents’s End-User Data outside of the EEA?
  • Yes
  • No
In expanded view
If partner responds 'yes' to above question then the below question would be surfaced.
Does your app have a General Data Protection Regulation (GDPR) approved transfer mechanism in place to govern those transfers? Please provide the transfer mechanism you use here.
For example:
  • Standard Contractual Clauses (SCCs)
  • Yes[Partner specifies transfer mechanism]
  • No
Marketplace Security Bug Bounty Program participant
  • Information already available with Atlassian
In default view
Which email address can be used to contact for app security issues?
  • name@partneremail.com
In expanded view
Please provide your security policy
  • Security policy link provided by the partner
In expanded view
Have you completed a CAIQ Lite Questionnaire that covers this app?
  • Yes
  • No
In expanded view
If partner responds “yes”, Please link or upload your CAIQ Lite Questionnaire responses: [link or PDF]
Does your app use full disk encryption at-rest for End-User Data stored outside of Atlassian or the users’s browser?
Atlassian’s second requirement in Security requirements for cloud applications states, “Any Atlassian End User Data stored by an application outside of the Atlassian product or users' browser must ensure full disk encryption at-rest.” Does your app meet this requirement?
  • Yes
  • No
In expanded view
Integration permissions with Atlassian products
  • Information already available with Atlassian
In default view
Does your app have any compliance certifications?
For example:
  • SOC2
  • ISO27K
  • HIPAA
  • FedRamp
  • Other
  • Yes [partner picks from drop-down list or inserts free text in “other”]
  • No
In default view
Please provide your privacy policy which governs how you collect, access or otherwise process End-User Data. This is a requirement for all partners, as set out in Atlassian’s Marketplace Partner Agreement.Link to partner privacy policyIn default view

Frequently asked questions


  • When can I start submitting the responses?

You can start submitting responses now via API or through the UI form. The responses will be shown to customers only after the tab on Marketplace listings goes live as part of the slow roll out beginning late March 2023.

  • Who can submit information for the Privacy & Security tab?

Any partner who has Manage App permissions can submit responses via the API or UI web form.

  • Can I re-use my Security Self Assessment answers for the Privacy & Security tab?

While there are some similar questions in Security Self Assessment and Privacy & Security tab, they don’t map one-to-one. Also, Security Self Assessment collects information at partner level while Privacy & Security tab information is at app level.

  • How did Atlassian choose these questions, what was the selection criteria?

The list of questions is prepared based on customer research where customers indicated that the high-level information provided by partners to these questions would help them determine whether a more in-depth privacy and security review is required.

In addition to customer research, members of Atlassian’s security and privacy teams were closely involved in determining the questions and wording for the first iteration of the Privacy & Security tab.

  • How will the Privacy & Security tab look for my apps if I don’t answer the questions?

If you don’t complete or partially complete the Privacy & Security tab information, the following default value will be displayed on the fields with no response “Response not provided by the partner”.

  • How do I make sure I entered the correct or expected information?

There will be tooltips that will explain and guide you where additional info is needed. In addition, there will be a preview option to check the information you entered before submitting the responses.

  • I gave my consent to Atlassian for sharing the answers of Security Self Assessment with customers who request it. Will that process continue after Security Self Assessment deprecation?

No, after the deprecation of Security Self Assessment program, we will no longer continue to share your responses with customers.

  • Is answering the Privacy & Security tab questions mandatory?

It is not mandatory to answer the Privacy & Security questionnaire. However, Cloud Fortified apps will be required to complete all fields by a to-be-announced date 6 months after the API is released. After that date their Cloud Fortified badge will be removed if all fields of Privacy & Security tab are not filled out.

However, as this information is highly sought by customers, we encourage partners to submit their answers for all cloud apps.

  • My Cloud Fortified Security Self Assessment review is coming up. Should I update that, or the Privacy & Security tab?

During the 6 month Security Self Assessment deprecation period, we recommend updating the Privacy & Security tab instead of the Security Self Assessment to avoid duplicating efforts.

  • What happens if I enter wrong information or want to update my answers?

If you would like to update the information you entered, you can simply resubmit your answers via API or UI web form. These submission options will be available in early February 2023.

  • What will happen to the Security Self Assessment program?

As the Privacy & Security tab will be displaying more comprehensive information related to app behavior, we will be deprecating the Security Self Assessment program on August 13, 2023 (6 months after the API release). This will prevent you from having to fill out the same type of information in two places.

Until the official deprecation date, the Security Self Assessment program will remain active. However, we strongly encourage Marketplace Partners to fill out the Privacy & Security Tab instead of the Security Self Assessment during this deprecation period to avoid duplicating efforts.

  • Where can I get support if I have questions related to Privacy & Security tab?

Partners can submit their questions related to Privacy & Security tab via this service desk.

  • Why is it important to answer Privacy & Security tab questions?

When purchasing Marketplace apps in cloud or assessing cloud apps during a migration to cloud, many customers have a rigorous security and privacy assessment that each app must go through. This process usually starts with some desk research (checking the Marketplace listing, partner website, and app documentation) to assess the app’s basic privacy and security practices, and ends with a long, thorough questionnaire sent directly from a customer to a Marketplace Partner. This process is time consuming for customers and Marketplace Partners alike, and can deter some customers from bringing their apps with them to cloud or adopting apps for their cloud instances.

While the new UI will not replace security assessments, we expect it to streamline the assessment process by answering the most commonly asked questions and helping customers determine if an app requires a more in-depth assessment.

  • Will Privacy & Security tab be available for all Atlassian deployment options: Cloud, Data Center, and Server?

Atlassian is introducing Privacy & Security tab for cloud apps only.

Yes, the tab will be visible on cloud app listings on marketplace.atlassian.com as well as the in product marketplaces for Jira Cloud and Confluence Cloud.

  • Will my answers go through a review process?

Your answers will go live on the Privacy & Security tab of your app listing page immediately after you submit the information.

Atlassian will not conduct a review of the content of partners' responses, but we will do a lagging review (review of information on live Privacy & Security tabs) to ensure partner responses do not contain malicious links, obscenity, or other items that violate our Acceptable Use Policy. We will provide a disclaimer on the tab stating that Marketplace Partners are responsible for the responses on the tab.

  • Will the new tab go live on all cloud app listings at once?

The tab will go live on all cloud app listings at once in late March 2023, but not all customers will see it. We will roll out the tab slowly over 6-8 weeks to ensure a smooth transition for customers.

Ultimately, we plan to roll out the tab to 100% of customers across Atlassian Marketplace and the Embedded Marketplace starting in June 2023.

  • When can I start sending customers to my Privacy & Security tab?

We plan to roll out the tab to 100% of customers starting in June 2023. We will share an update when the full rollout is complete.

Between late March 2023 and May 2023, expect some customers to be aware of your Privacy & Security tab, and some customers to be unaware of the tab.

We recommend refraining from sending customers to the tab between March and May, as some may not yet have access.

  • When will Atlassian announce the Privacy & Security tab to customers?

We plan to do an official announcement to customers on the Work/Life blog and via email after it is visible to 100% of customers who visit the Marketplace.

We also plan to let customers know that the Privacy & Security tab is “coming soon” starting at our annual conference, Team 23.

When will these UI changes go into effect?

Here is a timeline for the coming months:

Rate this page: