Last updated Jan 4, 2023


New privacy & security tab in the Marketplace listing

Trust and security are incredibly important to Atlassian and maintaining a secure Marketplace is a collective effort shared by Atlassian and Marketplace partners. After careful consideration of the best practices to build secure apps and to increase visibility on security indicators for customers, Atlassian is introducing a new Privacy and Security tab in the Marketplace listing UI for cloud apps. This new tab will provide detailed information collected from respective app partners on the privacy, security, data handling, and compliance practices followed by their apps. It will benefit both customers and partners to streamline the often lengthy and manual app security evaluation process and thereby elevate the trust posture of Marketplace.

What will change on the listing page?

The information collected would primarily be part of the new Privacy & Security tab. The new tab will be discoverable in two sections in the Marketplace listing as shown below. Based on Atlassian’s customer research, we expect that the new tab would make it easier for customers to do the first-level assessment to determine if an app requires a more in-depth privacy and security review or not. This may also help in reducing the overall number of requests sent to the Marketplace partners to provide this information. It will also give Marketplace partners who are making significant trust investments an opportunity to showcase those investments, ideally growing their potential cloud customer base.


[Screenshots: App Overview; P&S Expanded]

How will you provide the information for your apps?

We will be accepting responses from February 2023. There will be two options to submit your responses to the questionnaire: either using a PUT API or using a UI web form. Steps to take for the UI web form:

  1. Log in to Atlassian Marketplace with your partner account.

    Login  

  2. Select Manage partner account from the profile menu in the upper right.

    Manage Partner Account  

  3. Select your app's name from the list.

    Select app name  

  4. Select the Privacy and Security tab. You will be introduced to the new feature.

    Privacy and Security tab  

  5. If you have pre-filled the answers via the API, they will be populated on the UI. If not, you can enter your answers directly on the UI.

    Privacy and Security details  

  6. When you complete all the sections, you can select Save and preview to view the page as it would appear on the app listing page for the customers.

    Preview  

  7. To discard your changes while filling out the form, select Discard changes.

    Delete Privacy and Security info  

  8. When you confirm all the responses, you can select Save and preview to preview the page and select Submit and publish for the responses to be active.

    Publish security info  

  9. You can also select Edit draft to make any changes to the pre-filled responses from the page preview.


For the PUT API, here’s a sneak peek at the API documentation. The APIs are not live yet and will be available in early February 2023.

Below are the questions that will be surfaced as part of the new Privacy and Security tab in the Marketplace listing. The list of questions has been prepared based on customer research findings, with the aim of enabling customers to assess apps smoothly and without friction.

Questions and potential responses
Does your app store End-User Data outside of Atlassian products and services? (excluding process/storage of End-User Data in logs)
  • Yes
  • No

If the partner responds ‘yes’, the following question is surfaced: please list the End-User Data types your app stores. For example:
  • Email address
  • Device ID
  • IP address
  • Content posted, received or shared in the app by end-users
Does your app process End-User Data outside of Atlassian products and services? (excluding process/storage of End-User Data in logs)
  • Yes
  • No

If the partner responds ‘yes’, the following question is surfaced: please list the End-User Data types your app processes. For example:
  • Email address
  • Device ID
  • IP address
  • Content posted, received or shared in the app by end-users
If the data types processed and stored are the same, a checkbox needs to be ticked to confirm the response.
If the partner responds ‘no’, no further questions are surfaced.
Does your app log End-User Data?
  • Yes
  • No
Does your app process and/or store End-User Data in logs outside of Atlassian products and services?
  • Yes
  • No
Does your app share End-User Data with any third party entities (e.g. sub-processors)?
  • Yes
  • No
  • Not applicable - App does not process or store End-User Data outside of Atlassian products and services.
If the partner responds 'yes', the following question is surfaced.
Please provide the following information for each third-party, or provide a link to your sub-processor list. For reference, learn more about Atlassian's sub-processor list.
Apps may need to list multiple third parties here or provide a link to their public-facing sub-processor list. If they don’t provide a link to their sub-processor list, they will need to fill out the following information:
For each third party, please provide:
  • Name of third party [free text]
  • Domain [link]
  • Countries where third party stores End-User Data [free text]
  • Purpose of sharing End-User Data with third party (e.g. cloud hosting) [free text]
Does your app share logs that include End-User Data with any third-party entities?
  • Yes
  • No
Is sharing of logs that include End-User Data with any third party entities integral for app functionality?
  • Yes
  • No
Does your app support data residency options? If yes, please list the locations where in-scope End-User Data is processed and/or stored.
For example:
  • EU
  • US
If the previous response is "Yes. App stores End-User Data exclusively within Atlassian products and services which support data residency options.", no further questions are asked and the following link is surfaced on the UI.
If the previous response is "Yes. App supports data residency options." List the End-User Data that is in-scope for data residency. For example, here's Atlassian’s list of in-scope product data that is supported by data residency.
Does your app support migration of in-scope End User Data between your data residency supported locations?
  • Yes
  • No
Does your app store End-User Data after a customer uninstalls your app?
  • Yes
  • No
  • Not applicable - App does not store End-User Data outside of Atlassian products and services.
If the partner answers 'yes': What is the minimum and maximum data storage period for End-User Data after a customer uninstalls your app? [Free text response]
Does your app allow customers to request a custom End-User Data retention period?
  • Yes
  • No
  • Not applicable - App does not store End-User Data outside of Atlassian products and services.
Does your app use any privacy enhancing technologies (PETs) to protect End-User Data? If yes, please list any PETs used.
For example:
  • Data masking techniques like pseudonymization and anonymization
  • Yes [+ list of PETs used]
  • No
  • Not applicable - App does not process or store End-User Data outside of Atlassian products and services.
Is your app a “data controller” under the General Data Protection Regulation (GDPR)?
  • Yes
  • No
  • Not applicable - App is not subject to the GDPR.
If partner responds 'yes', please specify the End-User Data with respect to which your app is a “data controller.” [free text]
Is your app a “data processor” under the General Data Protection Regulation (GDPR)?
  • Yes
  • No
  • Not applicable - App is not subject to the GDPR.
If partner responds 'yes', please specify the End-User Data with respect to which your app is a “data processor.” [free text]
Is your app a “business” under the California Consumer Privacy Act of 2018 (CCPA)?
  • Yes
  • No
  • Not applicable - App is not subject to the CCPA.
If partner responds “yes”, please specify the End-User Data with respect to which your app is a “business.” [free text]
Is your app a “service provider” under the California Consumer Privacy Act of 2018 (CCPA)?
  • Yes
  • No
  • Not applicable - App is not subject to the CCPA.
If partner responds 'yes', please specify the End-User Data with respect to which your app is a “service provider.” [free text]
Does your app have a Data Processing Agreement (DPA) for customers?
  • Yes
  • No
If partner responds 'yes', please link it here.
Does your app transfer European Economic Area (EEA) residents’ End-User Data outside of the EEA?
  • Yes
  • No
  • Not applicable - App does not process and/or store End-User Data outside of Atlassian products and services.
If the partner responds 'yes' to the above question, the following question is surfaced.
Does your app have a General Data Protection Regulation (GDPR) approved transfer mechanism in place to govern those transfers? Please provide the transfer mechanism you use here.
For example:
  • Standard Contractual Clauses (SCCs)
  • Yes [Partner specifies transfer mechanism]
  • No
Marketplace Security Bug Bounty Program participant
  • Information already available with Atlassian
Which email address can be used to contact for app security issues?
  • name@partneremail.com
Please provide your security policy
  • Security policy link provided by the partner
Have you completed a CAIQ Lite Questionnaire that covers this app?
  • Yes
  • No
If the partner responds “yes”, please link or upload your CAIQ Lite Questionnaire responses: [link or PDF]
Does your app use full disk encryption at-rest for End-User Data stored outside of Atlassian or the users’ browser?
Atlassian’s second requirement in Security requirements for cloud applications states, “Any Atlassian End User Data stored by an application outside of the Atlassian product or users' browser must ensure full disk encryption at-rest.” Does your app meet this requirement?
  • Yes
  • No
  • App does not store data outside of Atlassian
Integration permissions with Atlassian products
  • Information already available with Atlassian
Does your app have any compliance certifications?
For example:
  • SOC2
  • ISO27K
  • HIPAA
  • FedRamp
  • Other
  • Yes [partner picks from drop-down list or inserts free text in “other”]
  • No
Please provide your privacy policy which governs how you collect, access or otherwise process End-User Data. This is a requirement for all partners, as set out in Atlassian’s Marketplace Partner Agreement.
  • Link to partner privacy policy

Frequently asked questions


  • When can I start submitting the responses?

You can start submitting responses from when the API and UI form are available (early Feb 2023). If you choose to publish them, the responses will be shown to customers only after the tab on Marketplace listings goes live (mid-March 2023).

  • Can I re-use my Security Self Assessment answers for the Privacy & Security tab?

While there are some similar questions in the Security Self Assessment and the Privacy & Security tab, they don’t map one-to-one. Also, the Security Self Assessment collects information at the partner level, while Privacy & Security tab information is at the app level.

  • How did Atlassian choose these questions, what was the selection criteria?

The list of questions is prepared based on customer research where customers indicated that the high-level information provided by partners to these questions would help them determine whether a more in-depth privacy and security review is required.

In addition to customer research, members of Atlassian’s security and privacy teams were closely involved in determining the questions and wording for the first iteration of the Privacy & Security tab.

  • How will the Privacy & Security tab look for my apps if I don’t answer the questions?

If you don’t complete the Privacy & Security tab information, or complete it only partially, fields with no response will display the default value “Response not provided by the partner”.

  • How do I make sure I entered the correct or expected information?

There will be tooltips that will explain and guide you where additional info is needed. In addition, there will be a preview option to check the information you entered before submitting the responses.

  • I gave my consent to Atlassian for sharing the answers of Security Self Assessment with customers who request it. Will that process continue after Security Self Assessment deprecation?

No. After the deprecation of the Security Self Assessment program, we will no longer share your responses with customers.

  • Is answering the Privacy & Security tab questions mandatory?

It is not mandatory to answer the Privacy & Security questionnaire. However, Cloud Fortified apps will be required to complete all fields by a to-be-announced date 6 months after the API is released. After that date, their Cloud Fortified badge will be removed if all fields of the Privacy & Security tab are not filled out.

However, as this information is highly sought by customers, we encourage partners to submit their answers for all cloud apps.

  • My Cloud Fortified Security Self Assessment review is coming up. Should I update that, or the Privacy & Security tab?

During the 6 month Security Self Assessment deprecation period, we recommend updating the Privacy & Security tab instead of the Security Self Assessment to avoid duplicating efforts.

  • What happens if I enter wrong information or want to update my answers?

If you would like to update the information you entered, you can simply resubmit your answers via API or UI web form. These submission options will be available in early February 2023.

  • What will happen to the Security Self Assessment program?

As the Privacy & Security tab will display more comprehensive information related to app behavior, we will be deprecating the Security Self Assessment program 6 months after the API release. This will save you from having to fill out the same type of information in two places.

Until the official deprecation date, the Security Self Assessment program will remain active. However, we strongly encourage Marketplace Partners to fill out the Privacy & Security Tab instead of the Security Self Assessment during this deprecation period to avoid duplicating efforts.

  • Where can I get support if I have questions related to Privacy & Security tab?

Partners can submit their questions related to Privacy & Security tab via this service desk.

  • Why is it important to answer Privacy & Security tab questions?

When purchasing Marketplace apps in cloud or assessing cloud apps during a migration to cloud, many customers have a rigorous security and privacy assessment that each app must go through. This process usually starts with some desk research (checking the Marketplace listing, partner website, and app documentation) to assess the app’s basic privacy and security practices, and ends with a long, thorough questionnaire sent directly from a customer to a Marketplace Partner. This process is time consuming for customers and Marketplace Partners alike, and can deter some customers from bringing their apps with them to cloud or adopting apps for their cloud instances.

While the new UI will not replace security assessments, we expect it to streamline the assessment process by answering the most commonly asked questions and helping customers determine if an app requires a more in-depth assessment.

  • Will Privacy & Security tab be available for all Atlassian deployment options: Cloud, Data Center, and Server?

Atlassian is introducing Privacy & Security tab for cloud apps only.

The tab will be visible on cloud app listings on marketplace.atlassian.com as well as the in-product marketplaces for Jira Cloud and Confluence Cloud.

  • Will my answers go through a review process?

Your answers will go live on the Privacy & Security tab of your app listing page immediately after you submit the information. However, that will trigger a review process and our internal teams will look into the responses provided to make sure they do not have any broken links or obvious errors. If an issue is detected with the answers provided, our Support team will get in touch with you.

  • Will the new tab go live on all cloud app listings at once?

We are exploring an A/B test during the initial rollout of the Privacy & Security tab. This is because it is a lot of new information for customers, and we want to ensure we are closely monitoring customer response and impact.

We will provide more details on the A/B test timeline closer to the customer release.

When will these UI changes go into effect?

Here is a timeline for the coming months:

  • January 2023: Marketplace partners can start preparing responses.

  • February 2023: API documentation and UI web form will be available and Marketplace partners can start submitting responses.

  • March 2023: Tab will be live and launched to customers.
