Rate this page:
Trust and security are incredibly important to Atlassian and maintaining a secure Marketplace is a collective effort shared by Atlassian and Marketplace partners.
After careful consideration of the best practices to build secure apps and to increase visibility on security indicators for customers, Atlassian introduced the Privacy and Security tab in the Marketplace listing UI for cloud apps.
Learn more about:
The information collected would primarily be part of the new Privacy & Security tab. The new tab will be discoverable in two sections in the Marketplace listing as shown below. Based on Atlassian’s customer research, we expect that the new tab would make it easier for customers to do the first-level assessment to determine if an app requires a more in-depth privacy and security review or not. This may also help in reducing the overall number of requests sent to the Marketplace partners to provide this information. It will also give Marketplace partners who are making significant trust investments an opportunity to showcase those investments, ideally growing their potential cloud customer base.
|P&S Default view||P&S Expanded view|
We have been accepting responses from February 2023. There are two options to submit your responses to the questionnaire - either using a PUT API or using a UI web form.
If you wish to fill out the questionnaire via UI web form, please find the steps below. We have also created a loom video that showcases the discoverability and steps involved in filling out the UI web form.
Log in to Atlassian Marketplace with your partner account.
Select Manage partner account from the profile menu in the upper right.
Select your app's name from the list.
Select Privacy and Security tab. You will be introduced to the new feature.
If you have pre-filled the answers via API, they would be populated on the UI. If not, you can directly enter your answers on the UI.
When you complete all the sections, you can select Save and preview to view the page as it would appear on the app listing page for the customers.
To delete the changes while you fill out the form, you can select Discard changes.
When you confirm all the responses, you can select Save and preview to preview the page and select Submit and publish for the responses to be active.
You can also select Edit draft to make any changes to the pre-filled responses from the page preview.
Below are the questions that would be surfaced as part of the new Privacy and Security tab in the Marketplace listing. The list of questions have been prepared based on customer research findings that would enable customers to have a smooth and hassle-free assessment of apps. As we aim to provide the most vital and updated app privacy and security information through this tab, the questionnaire will evolve with time based on the feedback received from the partners and customers.
|Questions||Potential responses||Visible on app listing page|
|Does your app store End-User Data outside of Atlassian products and services(excluding process/storage of End-User Data in logs)?||
If partner responses ‘yes’, then the below question would be surfaced, please list the End-User Data types your app stores. For example:
|In default view|
|Does your app process End-User Data outside of Atlassian products and services or outside of the end-user’s browser (excluding process/storage of End-User Data in logs)?||
If partner responses ‘yes’, then the below question would be surfaced, please list the End-User Data types your app processes. For example:
|In default view|
|If the data types processed and stored are the same, checkbox needs to be ticked to confirm the response|
|If partner responses ‘no’ to the above questions, no further data-related questions would be surfaced.|
|Does your app log End-User Data?||In expanded view|
|Does your app process and/or store End-User Data in logs outside of Atlassian products and services?||In expanded view|
|Does your app share End-User Data with any third party entities (e.g. sub-processors)?||In expanded view|
|If partner responds 'yes', then the below question would be surfaced. |
Please provide the following information for each third-party, or provide a link to your sub-processor list. For reference, learn more about Atlassian's sub-processor list.
Apps may need to list multiple third parties here or provide a link to their public-facing sub-processor list. If they don’t provide a link to their sub-processor list, they will need to fill out the following information:
For each third party, please provide:
|Does your app share logs that include End-User Data with any third-party entities?||In expanded view|
|Is sharing of logs that include End-User Data with any third party entities integral for app functionality?||In expanded view|
|Does your app support data residency options? If yes, please list the locations where in-scope End-User Data is stored. |
|In default view|
|If the previous response is "Yes. App stores End-User Data exclusively within Atlassian products and service which support data residency options." No further questions would be asked and the following link would be surfaced on the UI.|
|If the previous response is "Yes. App supports data residency options." Please list the End-User Data that is in-scope for data residency. For example, here's Atlassian’s list of in-scope product data that is supported by data residency.|
|Does your app support migration of in-scope End User Data between your data residency supported locations?||In expanded view|
|Does your app store End-User Data after a customer uninstalls your app?||In expanded view|
|If partner answers 'yes', What is the minimum and maximum data storage period for End-User Data after a customer uninstalls your app?[Minimum/maximum storage period must be entered in days]|
|Does your app allow customers to request a custom End-User Data retention period?||In expanded view|
|Does your app use any privacy enhancing technologies (PETs) to protect End-User Data? If yes, please list any PETs used.|
|In expanded view|
|Is your company/organization a ‘data controller’ under the General Data Protection Regulation (GDPR) with reference to this app?||In default view|
|If partner responds 'yes', please specify the End-User Data with respect to which your app is a “data controller.” [free text]|
|Is your company/organization a ‘data processor’ under the General Data Protection Regulation (GDPR) with reference to this app?||In default view|
|If partner responds 'yes', please specify the End-User Data with respect to which your app is a “data processor.” [free text]|
|Is your company/organization a ‘business’ under the California Consumer Privacy Act of 2018 (CCPA) with reference to this app?||In expanded view|
|If partner responds “yes”, please specify the End-User Data with respect to which your app is a “business.” [free text]|
|Is your company/organization a ‘service provider’ under the California Consumer Privacy Act of 2018 (CCPA) with reference to this app?||In expanded view|
|If partner responds 'yes', please specify the End-User Data with respect to which your app is a “service provider.” [free text]|
|Does your app have a Data Processing Agreement (DPA) for customers?||In expanded view|
|If partner responds 'yes', please link it here.|
|Does your app transfer European Economic Area (EEA) residents’s End-User Data outside of the EEA?||In expanded view|
|If partner responds 'yes' to above question then the below question would be surfaced. |
Does your app have a General Data Protection Regulation (GDPR) approved transfer mechanism in place to govern those transfers? Please provide the transfer mechanism you use here.
|Marketplace Security Bug Bounty Program participant||In default view|
|Which email address can be used to contact for app security issues?||In expanded view|
|Please provide your security policy||In expanded view|
|Have you completed a CAIQ Lite Questionnaire that covers this app?||In expanded view|
|If partner responds “yes”, Please link or upload your CAIQ Lite Questionnaire responses: [link or PDF]|
|Does your app use full disk encryption at-rest for End-User Data stored outside of Atlassian or the users’s browser? |
Atlassian’s second requirement in Security requirements for cloud applications states, “Any Atlassian End User Data stored by an application outside of the Atlassian product or users' browser must ensure full disk encryption at-rest.” Does your app meet this requirement?
|In expanded view|
|Integration permissions with Atlassian products||In default view|
|Does your app have any compliance certifications? |
|In default view|
You can start submitting responses now via API or through the UI form. The responses will be shown to customers only after the tab on Marketplace listings goes live as part of the slow roll out beginning late March 2023.
Any partner who has Manage App permissions can submit responses via the API or UI web form.
While there are some similar questions in Security Self Assessment and Privacy & Security tab, they don’t map one-to-one. Also, Security Self Assessment collects information at partner level while Privacy & Security tab information is at app level.
The list of questions is prepared based on customer research where customers indicated that the high-level information provided by partners to these questions would help them determine whether a more in-depth privacy and security review is required.
In addition to customer research, members of Atlassian’s security and privacy teams were closely involved in determining the questions and wording for the first iteration of the Privacy & Security tab.
If you don’t complete or partially complete the Privacy & Security tab information, the following default value will be displayed on the fields with no response “Response not provided by the partner”.
There will be tooltips that will explain and guide you where additional info is needed. In addition, there will be a preview option to check the information you entered before submitting the responses.
No, after the deprecation of Security Self Assessment program, we will no longer continue to share your responses with customers.
It is not mandatory to answer the Privacy & Security questionnaire. However, Cloud Fortified apps will be required to complete all fields by a to-be-announced date 6 months after the API is released. After that date their Cloud Fortified badge will be removed if all fields of Privacy & Security tab are not filled out.
However, as this information is highly sought by customers, we encourage partners to submit their answers for all cloud apps.
During the 6 month Security Self Assessment deprecation period, we recommend updating the Privacy & Security tab instead of the Security Self Assessment to avoid duplicating efforts.
If you would like to update the information you entered, you can simply resubmit your answers via API or UI web form. These submission options will be available in early February 2023.
As the Privacy & Security tab will be displaying more comprehensive information related to app behavior, we will be deprecating the Security Self Assessment program on August 13, 2023 (6 months after the API release). This will prevent you from having to fill out the same type of information in two places.
Until the official deprecation date, the Security Self Assessment program will remain active. However, we strongly encourage Marketplace Partners to fill out the Privacy & Security Tab instead of the Security Self Assessment during this deprecation period to avoid duplicating efforts.
Partners can submit their questions related to Privacy & Security tab via this service desk.
When purchasing Marketplace apps in cloud or assessing cloud apps during a migration to cloud, many customers have a rigorous security and privacy assessment that each app must go through. This process usually starts with some desk research (checking the Marketplace listing, partner website, and app documentation) to assess the app’s basic privacy and security practices, and ends with a long, thorough questionnaire sent directly from a customer to a Marketplace Partner. This process is time consuming for customers and Marketplace Partners alike, and can deter some customers from bringing their apps with them to cloud or adopting apps for their cloud instances.
While the new UI will not replace security assessments, we expect it to streamline the assessment process by answering the most commonly asked questions and helping customers determine if an app requires a more in-depth assessment.
Atlassian is introducing Privacy & Security tab for cloud apps only.
Yes, the tab will be visible on cloud app listings on marketplace.atlassian.com as well as the in product marketplaces for Jira Cloud and Confluence Cloud.
Your answers will go live on the Privacy & Security tab of your app listing page immediately after you submit the information.
Atlassian will not conduct a review of the content of partners' responses, but we will do a lagging review (review of information on live Privacy & Security tabs) to ensure partner responses do not contain malicious links, obscenity, or other items that violate our Acceptable Use Policy. We will provide a disclaimer on the tab stating that Marketplace Partners are responsible for the responses on the tab.
The tab will go live on all cloud app listings at once in late March 2023, but not all customers will see it. We will roll out the tab slowly over 6-8 weeks to ensure a smooth transition for customers.
Ultimately, we plan to roll out the tab to 100% of customers across Atlassian Marketplace and the Embedded Marketplace starting in June 2023.
We plan to roll out the tab to 100% of customers starting in June 2023. We will share an update when the full rollout is complete.
Between late March 2023 and May 2023, expect some customers to be aware of your Privacy & Security tab, and some customers to be unaware of the tab.
We recommend refraining from sending customers to the tab between March and May, as some may not yet have access.
We plan to do an official announcement to customers on the Work/Life blog and via email after it is visible to 100% of customers who visit the Marketplace.
We also plan to let customers know that the Privacy & Security tab is “coming soon” starting at our annual conference, Team 23.
Here is a timeline for the coming months:
January 2023: Marketplace partners can start preparing responses.
February 2023: API documentation and UI web form will be available and Marketplace partners can start submitting responses.
March 2023 (planned for March 29): Beginning of slow roll out to customers - tab will be live on all cloud listings on marketplace.atlassian.com
For the gradual rollout phase (March-May 2023), the Privacy & Security tab will only be available on Atlassian Marketplace, not on Embedded Marketplace.
June 2023: Tab will go live for 100% of customers on marketplace.atlassian.com and on Embedded Marketplace.
August 13, 2023: All fields must be filled out for all Cloud Fortified apps.
Rate this page: