When you use Atlassian products through an employer or organization, that organization is typically the data controller and Atlassian acts as a processor, meaning your employer's privacy policies and the terms negotiated between Atlassian and your employer govern how your data is handled, not solely this policy.
This analysis describes what Atlassian's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision establishes that employees and contractors using Atlassian tools through an enterprise account may need to direct data subject rights requests to their employer rather than directly to Atlassian, and their employer's data governance practices apply to content within the account.
For users accessing Atlassian services through an employer or organization, the employer administrator controls data processing decisions including retention, deletion, and access to content. Atlassian's direct data subject rights procedures may be limited in this context, as the employer is designated as the controller under the policy.
How other platforms handle this
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...
Docusign may be a 'data controller' or a 'data processor' (or both) depending on the type of personal information and the context in which it is processed. When Docusign determines the purpose and means of processing personal information, we act as a data controller. When Docusign processes personal...
Monitoring
Atlassian has changed this document before.
"Atlassian is the controller of personal information covered by this Privacy Policy. In some instances, the customer (the 'administrator') decides how and why personal information is processed. In those instances, Atlassian is the processor of that information. The rights and obligations of customers who act as controllers are described in the agreements between Atlassian and those customers, including the Data Processing Addendum." (Excerpt from the Atlassian Privacy Policy)
(1) REGULATORY LANDSCAPE: The GDPR's controller/processor framework under Articles 4, 24, and 28 requires a written Data Processing Agreement between Atlassian and enterprise customers acting as controllers. The UK GDPR imposes equivalent requirements. Regulators in the EU and UK may scrutinize whether DPA terms are adequate, particularly regarding sub-processor obligations and audit rights.
(2) GOVERNANCE EXPOSURE: High for enterprise compliance teams. Organizations must ensure an executed Atlassian DPA is in place and that internal policies address how employee data within Atlassian environments is governed, including retention schedules and access controls.
(3) JURISDICTION FLAGS: EU and UK organizations have mandatory DPA requirements under GDPR Article 28. US organizations in regulated industries (healthcare, financial services) should assess whether additional agreements (BAA, financial data addenda) are required in addition to the standard DPA.
(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm the Atlassian DPA is executed and that the sub-processor list is reviewed and accepted. The DPA should address cross-border transfer mechanisms, incident notification timelines, and audit rights. Responsibility allocation for data subject rights requests (deletion, access) between Atlassian and the enterprise customer should be clearly documented.
(5) COMPLIANCE CONSIDERATIONS: Enterprise legal teams should map all categories of personal data processed within Atlassian tools, document Atlassian as a processor in their Article 30 records, and establish internal procedures for handling data subject requests that originate from employees using Atlassian products.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Atlassian.