If your organization processes personal data using Atlassian products, a separate Data Processing Addendum governs how that data is handled, and it is legally part of your agreement with Atlassian.
This analysis describes what Atlassian's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The DPA is the operative document for GDPR and CCPA compliance purposes, and its terms govern data controller and processor obligations, sub-processor authorization, and cross-border transfer mechanisms for personal data processed through Atlassian products.
Interpretive note: The full scope of obligations depends on the terms of the separately published DPA, which is incorporated by reference but not reproduced in the base agreement text analyzed here.
Organizations processing personal data in Atlassian products are subject to the terms of the Data Processing Addendum, which governs how Atlassian handles that data and what sub-processors may have access to it.
How other platforms handle this
Miro's processing of personal data on behalf of customers is governed by the Customer Data Processing Addendum, which is incorporated into these Terms by reference. A current list of subprocessors used by Miro is available at miro.com/legal/subprocessors-list/ and is updated from time to time.
We may access, preserve, and share information with regulators, law enforcement, or others if we believe it is reasonably necessary to: detect, prevent, and address fraud and other illegal activity; protect ourselves, you, and others, including as part of investigations; and prevent death or imminen...
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Monitoring
Atlassian has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"To the extent Customer's use of the products involves the processing of personal data subject to applicable data protection laws (including the GDPR and CCPA), the parties' respective rights and obligations with respect to such processing are set forth in the Data Processing Addendum, which is incorporated into this Agreement by reference.— Excerpt from Atlassian's Atlassian Cloud Terms
REGULATORY LANDSCAPE: The DPA incorporation directly engages GDPR (for EU/EEA and UK customers), CCPA and CPRA (for California-based customers), and applicable national data protection laws globally. The relevant enforcement authorities are EU data protection authorities through the European Data Protection Board, the UK Information Commissioner's Office, and the California Privacy Protection Agency. The DPA governs the legal basis for processing, sub-processor authorization, data subject rights mechanisms, and cross-border transfer safeguards. GOVERNANCE EXPOSURE: High for organizations in regulated industries or those processing sensitive personal data categories. The DPA must be reviewed and executed separately from the main agreement; failure to do so may create gaps in GDPR controller-processor documentation requirements. JURISDICTION FLAGS: EU and UK customers must confirm that the DPA includes appropriate Standard Contractual Clauses (SCCs) and, where applicable, transfer impact assessments for cross-border data transfers to Atlassian entities outside the EEA. Australian customers should assess alignment with the Privacy Act and Australian Privacy Principles. Canadian customers should assess alignment with PIPEDA and provincial privacy laws. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm the DPA is executed, that the sub-processor list has been reviewed and accepted, and that notification mechanisms for sub-processor changes are operational. The DPA should be reviewed for audit rights, data breach notification timelines, and data retention and deletion obligations. COMPLIANCE CONSIDERATIONS: Privacy and legal teams should maintain a current copy of the executed DPA, update data processing records of activities to reflect Atlassian as a sub-processor, and review the sub-processor list against their own vendor risk management program. Any changes to Atlassian's sub-processor list should trigger a review of the organization's data flow documentation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The DPA is the operative document for GDPR and CCPA compliance purposes, and its terms govern data controller and processor obligations, sub-processor authorization, and cross-border transfer mechanisms for personal data processed through Atlassian products.
Organizations processing personal data in Atlassian products are subject to the terms of the Data Processing Addendum, which governs how Atlassian handles that data and what sub-processors may have access to it.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Atlassian.