Today, data protection is no longer a “nice to have”; it’s a strategic requirement.
Whether you manage a fast-scaling startup, a healthcare company bound by HIPAA, or an international enterprise regulated under GDPR, the way your data is handled in the Atlassian Cloud matters.
For many organizations, Jira and Confluence are the central hubs of work. Sensitive project information, product roadmaps, customer data, and compliance documentation all flow through cloud environments. That’s why Atlassian invests heavily in ensuring data security, privacy, and compliance across all its cloud products.
Atlassian Cloud security isn’t just about encryption and passwords. It’s about:
- Meeting strict compliance requirements like GDPR, CCPA, ISO 27001, and SOC 2.
- Providing data residency options in specific AWS regions like Germany, Australia, Singapore, Switzerland, and the US to meet local regulations.
- Offering flexible subscriptions and enterprise plans so companies can choose the right level of control over their data.
- Helping teams manage app data and product data securely while scaling workflows, automations, and integrations.
Data residency has become even more important because governments around the world are tightening their policies, requiring companies to store customer data in specific geographic locations. First it was the EU, then Brazil, Australia, and beyond.
Meanwhile, more enterprises (not just regulated industries like finance, healthcare, or government) demand full visibility and control over their data location and security measures.
This article explores how Atlassian secures your data in the cloud, how cloud migration impacts data protection, and what solutions like Atlassian Guard and Smart Checklist on Forge bring to the table for modern, compliant workflows.
Ready to dive deeper? Let’s start with Atlassian Cloud Data Residency.
Atlassian Cloud Data Residency: What You Need to Know
Data residency means storing your work items, project information, and user account data in a specific geographic location. For many enterprises and regulated industries, it’s about performance and, at the same time, about meeting strict compliance requirements like GDPR, CCPA, and regional data sovereignty laws.
Atlassian offers data residency options across key AWS regions including Germany (Frankfurt), Australia, Switzerland, Singapore, and the United States. Depending on your subscription level (Standard, Premium, or Enterprise plans) you can either pin your data to a specific region or have flexible data residency options across locations.
This ensures that your sensitive Jira, Confluence, and Marketplace apps data remains compliant with your organizational and regulatory needs.
For a full breakdown of data residency options, regional support, and how to move your data between regions, check out our detailed guide:
Data Residency for Atlassian Cloud Explained
Security Practices in Atlassian Cloud
When teams move to the cloud, they hand over control and expect guarantees. Atlassian takes this seriously, with a robust security framework that ensures customer data, app data, and product data stay protected at every layer of the cloud environment.
Encryption at Every Stage
Data security in Atlassian Cloud begins with encryption:
- In transit: All connections are secured with TLS 1.2+ encryption. Whether you’re logging into Jira or submitting API requests, your data is encrypted end-to-end.
- At rest: Data stored in Atlassian Cloud, including on Amazon RDS and EFS, is encrypted using AES-256, the same standard used by banks and government agencies.
- Backups: Daily backups are stored within the same AWS region, replicated across multiple availability zones, and also encrypted with AES-256. Atlassian retains Amazon RDS snapshots for 30 days, with support for point-in-time recovery.
All data handling, from access to storage to disaster recovery, follows best practices from AWS and ISO frameworks. You can read more in the AWS documentation.
Logical Data Isolation & Secure Access
Atlassian uses a Tenant Context Service (TCS) to guarantee logical isolation of customer data. Every Jira or Confluence request is scoped and processed within its own customer “container”, guaranteeing that your team’s data never mixes with someone else’s.
On top of that, access to data is tightly controlled:
- SSO and MFA support for secure logins using Google Workspace or Microsoft accounts.
- Granular permissions managed through admin.atlassian.com, letting you define who can access which data and workflows.
- Secure APIs: All developer connections to Forge or REST APIs are SSL-secured and authenticated; there’s no way to connect without encryption in place.
Certifications & Compliance
Atlassian meets or exceeds global data security benchmarks:
- ISO 27001: Information Security Management
- SOC 2 Type II: Security, availability, and confidentiality controls
- GDPR & CCPA compliance: Especially critical for European and U.S.-based enterprise teams
- PCI DSS (for teams processing payments or using billing integrations)
Atlassian also enforces device-level protection across its workforce, requiring antivirus, patch management, closed ports, and endpoint monitoring for any internal tools that access customer data.
Learn more at the Atlassian Trust Center
Backup, Recovery, and Deletion Policies
Worried about data loss? Atlassian’s disaster recovery policy ensures your Jira or Confluence instance remains available, even in the event of a server failure.
- Data is mirrored across redundant servers in four AWS regions (US, EU, APAC).
- When a customer uninstalls the Marketplace app, the system automatically deletes the data, meaning it can be recovered for up to 30 days.
- To delete an app, customers or Atlassian support must first uninstall all installations. The system then deletes data, following the same uninstallation retention period as described above.
- How data is stored or deleted depends on what happens to the app. Forge follows Atlassian’s internal Standard Data Retention and Disposal policy. You can find more information in the Atlassian SOC 2 report.
Bottom line? Your data is encrypted, isolated, and backed by some of the strongest security practices in the industry.
Cloud Migration & Data Protection: What Changed After Atlassian Server Closure?
With the discontinuation of Atlassian Server products, organizations were compelled to transition to Atlassian Cloud or Data Center solutions. This shift necessitated a reevaluation of data protection strategies to align with cloud environments.
Migrating to the cloud introduced complexities related to data residency and compliance. Organizations had to ensure that their data storage and processing met regional regulatory requirements.
Atlassian addressed these concerns by offering data residency options, allowing customers to specify the geographic location of their data storage. Additionally, Atlassian’s compliance with standards such as ISO 27001 and SOC 2 provided assurance of their commitment to data protection.
Tools and Best Practices for Secure Migration
To facilitate a secure migration, Atlassian provided tools like the Jira and Confluence Cloud Migration Assistants. These tools helped organizations assess their current setups, plan migrations, and execute them with minimal disruption.
Best practices included conducting thorough audits of existing data, implementing strong access controls, and ensuring encryption of data both in transit and at rest.
For a comprehensive guide on migrating to Atlassian Cloud, including detailed steps and considerations, refer to the Atlassian Cloud Migration Guide.
Atlassian Guard: Strengthening Security & Data Protection
When enterprise teams move to the cloud, they need more than just encryption. They need visibility, control, and fast response. That’s where Atlassian Guard steps in.
What Is Atlassian Guard?
Atlassian Guard is a cloud-native security and compliance solution built for regulatory-heavy industries like banking, finance, healthcare, and government. Guard’s role is not to add more locks, but to help you know what’s going on inside the vault.
Guard helps admins:
- Detect suspicious user behavior (like mass content downloads or failed login attempts)
- Identify risky misconfigurations (e.g., anonymous users with edit access)
- Monitor for compliance gaps across Jira, Confluence, and Atlassian products
How Does Guard Work?
Atlassian Guard provides real-time recommendations on how to improve your security posture. It tracks your permissions, user activity, and access settings, then flags potential vulnerabilities.
If something suspicious happens, your security specialist gets an alert and can:
- Suspend user access
- Adjust permissions in admin.atlassian.com
- Initiate a deeper investigation
Think of Guard as a real-time dashboard for cloud security hygiene. You still control your environment, but Guard helps you respond faster and stay compliant.
For regulated teams under GDPR, ISO 27001, or CCPA obligations, Guard offers a scalable way to monitor and enforce internal policies.
Learn more at the official Atlassian Guard page
Smart Checklist on Forge
Security isn’t just about the platform; it’s about every layer, including the apps you use every day.
That’s why we migrated Smart Checklist to Atlassian Forge.
Why Forge?
Forge is Atlassian’s modern app development platform designed to run directly within their cloud infrastructure. When apps are built on Forge:
- All data stays within Atlassian Cloud – no third-party servers involved.
- Access is isolated using Atlassian’s Tenant Context Service, keeping customer data logically segregated.
- Apps automatically benefit from the same encryption at rest and in transit used by Jira and Confluence.
- Permissions and API access are fully scoped and enforced within Atlassian’s secure ecosystem.
For our customers in finance, healthcare, and banking, this was a must. If you’re planning to move your app to Forge or building a new app from scratch, you can check our detailed Forge guide.
Security, Simplified
When we migrated Smart Checklist to Forge, our goal was clear:
Support our customers with better security, compliance, and long-term reliability.
- We now rely on AWS-hosted infrastructure, managed directly by Atlassian.
- User authentication flows through Atlassian’s secure SSO and API layers.
- Sensitive checklist data is encrypted, anonymized, and stored securely, aligned with SOC 2 and ISO 27001 standards.
And because Forge is where Atlassian is headed (Connect is being deprecated), this move also ensures future support and scale.
Want to learn how Smart Checklist can help you achieve compliance, mitigate risks, and reduce anxiety while working on everyday tasks and repeatable processes?
Explore the app on the Marketplace.
Best Practices for Atlassian Cloud Data Security & Residency
Atlassian delivers a secure foundation, but protecting your data is a shared responsibility. Here’s how teams can proactively secure their Jira and Confluence environments.
Enforce Access Controls & Granular Permissions
Use admin.atlassian.com to:
- Set granular user permissions for projects, spaces, and Marketplace apps
- Restrict admin privileges and use group-based access for sensitive data
- Enable SSO and MFA to secure user authentication across your cloud workspace
Atlassian supports OAuth 2.0, Google Workspace, and Microsoft Active Directory, offering flexible but secure login options and ensuring credentials and tokens are encrypted end-to-end.
Keep Everything Encrypted – In Transit and At Rest
Data is encrypted during every stage:
- In transit: TLS 1.2+ is enforced for all interactions with Jira Cloud and Forge apps
- At rest: AWS uses AES-256 encryption, with disks encrypted at the hardware level
- App data: Marketplace apps built on Forge inherit Atlassian’s security layers and logical data separation
Learn more from Atlassian’s Security Practices
Secure Backups & Disaster Recovery
Atlassian maintains regular encrypted backups of all cloud data:
- Amazon RDS snapshots retained for 28 days with point-in-time recovery
- Backups are replicated across multiple availability zones
- All disaster recovery processes are tested quarterly to meet enterprise-grade standards
If a customer uninstalls an app, Atlassian allows recovery within 28 days via support request. For more information on data storage during app lifecycle stages, please check the Forge documentation.
When a customer reinstalls an app that uses Forge hosted storage, data from the previous installation is not automatically restored. Forge hosted storage retains data for 28 days after uninstallation.
To recover this data for a customer, app developers must:
- Get customer consent to restore data.
- Submit a recovery request within 21 days of uninstallation. This is to ensure the request is processed before the 28-day retention ends.
To request recovery, raise a bug ticket on Developer Support. Use Re-linking reinstallation data as the summary, and provide customer details, site ID, and installation IDs.
Stay Compliant with Regional Requirements
Whether you’re storing data in Frankfurt, Singapore, or Sydney, data residency options are available for Enterprise plans.
Ensure your compliance team:
- Reviews your active regions in the Atlassian Admin Console
- Monitors data residency settings during Cloud migration or expansion
- Uses tools like Atlassian Guard to flag potential security misconfigurations
Marketplace Apps: Use Forge When Security Matters
Third-party apps can store data externally unless they run on Forge. Not all Forge apps are built the same. Atlassian’s Forge platform supports two approaches to data handling, and the difference matters, especially if your company prioritizes security and compliance.
Forge Apps Without Data Egress
These apps process and store all data within Atlassian’s infrastructure. That means no information leaves your Jira instance. Apps built this way qualify for the “Runs on Atlassian” badge – a signal that the app meets the highest security and data residency standards set by Atlassian.
This is how Smart Checklist works today.
Benefits include:
- Data stays inside Atlassian Cloud
- Easier path to compliance (SOC 2, GDPR, HIPAA, etc.)
- Lower risk in audits and vendor assessments
Forge Apps With Data Egress
Some Forge apps still process parts of your data on the vendor’s servers. This setup can still be compliant, but it requires additional scrutiny and may not meet strict internal policies (especially in finance, healthcare, or government sectors).
When evaluating Forge apps, check whether they Run on Atlassian or rely on external data handling. This affects how your data is stored, how integrations behave, and how much trust you need to place in the vendor.
When using apps like Smart Checklist for Jira, use Forge-built solutions to keep your app data inside Atlassian Cloud.
Bonus tip: If your industry handles PII, health records, or financial data, Forge offers logical tenant isolation and encryption policies that help meet GDPR, CCPA, and ISO 27001 standards.
Data Residency Checklist: Key Steps for Enterprise Teams
Whether you’re preparing for an internal audit, navigating GDPR, or just want peace of mind – these are the essential steps to align your Atlassian Cloud setup with data protection best practices.
Choose the Right Geographic Location
Your first decision: where should your data live?
Atlassian currently supports data residency in:
- Germany (Frankfurt)
- United States (US East/West)
- Switzerland
- Singapore
- Australia
- European Union (general region)
Check your current region and request changes in admin.atlassian.com under Organization Settings → Data Residency.
Check the full list of supported regions
Implement Backup & Disaster Recovery Plans
Even in the cloud, backups matter.
Enterprise teams should:
- Understand Atlassian’s built-in backup schedule (30-day snapshot retention, encrypted)
- Document a business continuity plan for Jira and Confluence data
- Assign roles and escalation paths in case of outage or data loss
Learn more in Atlassian’s Disaster Recovery Policy
Secure Access and APIs
Admin users should regularly audit:
- API tokens and webhook integrations (especially for Marketplace apps)
- Third-party tools syncing with Jira or Confluence
- User provisioning and de-provisioning settings in SSO systems
If you’re using automation, ensure sensitive data isn’t exposed through webhook payloads or public endpoints.
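One way to run the webhook-payload check described above before an automation rule goes live, as an added example that is not from the original article or from Atlassian: a Python pass that flags and masks sensitive fields in a decoded webhook body. The key list, the regexes, and the sample payload are assumptions constructed for illustration.

```python
import json
import re

# Assumed field names that usually carry personal data or credentials; tune per site.
SENSITIVE_KEYS = {"emailaddress", "email", "password", "token", "authorization", "secret"}

# Value patterns that should not appear in an outbound payload. Order matters for
# redact(): URL credentials are masked before the e-mail pattern can match "pass@host".
PATTERNS = {
    "url_credentials": re.compile(r"https?://[^/\s:@]+:[^/\s@]+@"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def scan(node, path="$"):
    """Return (json_path, reason) findings for a decoded JSON payload."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                findings.append((child, f"key:{key}"))
            else:
                findings.extend(scan(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(scan(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        findings.extend((path, f"value:{n}") for n, rx in PATTERNS.items() if rx.search(node))
    return findings

def redact(node):
    """Return a copy with sensitive keys blanked and matching substrings masked."""
    if isinstance(node, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    if isinstance(node, str):
        for rx in PATTERNS.values():
            node = rx.sub("[REDACTED]", node)
    return node

# Constructed sample loosely modelled on an issue-event webhook body; values are fictitious.
SAMPLE = json.loads(r"""
{
  "webhookEvent": "jira:issue_updated",
  "user": {"accountId": "constructed-id-1", "emailAddress": "alex@example.com"},
  "issue": {"key": "DEMO-1", "fields": {
    "summary": "Rotate deploy key",
    "description": "Ping sam@example.com; repo https://ci:hunter2pass@git.example.com/app.git",
    "comment": [{"body": "curl -H 'Authorization: Bearer abcdefghijklmnop1234' ..."}]
  }}
}
""")

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(f"{path}: {reason}")
    print(json.dumps(redact(SAMPLE), indent=2))
```

Free-text fields such as descriptions and comments are where credentials most often leak, so the value patterns matter as much as the key list.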
Monitor and Maintain Compliance
- Enable Atlassian Guard to monitor risky configurations
- Track new security features in the Atlassian Cloud Roadmap
- Subscribe to updates from the Atlassian Trust Center
Data protection is a business enabler. Whether you’re operating in a regulated industry, managing sensitive customer data, or simply scaling with confidence, Atlassian Cloud gives you the tools to protect what matters most.
From encryption and permissions to backup protocols and geographic residency, Atlassian offers enterprise-grade protection out of the box. But staying secure in the cloud requires regular reviews, intentional configurations, and the right Marketplace apps.
Want to go deeper?
Check out the Atlassian Trust Center for updates on certifications, compliance practices, and roadmap developments.
FAQs: Atlassian Cloud Data Protection
What is Atlassian Data Residency and why does it matter?
Data residency in Atlassian Cloud lets you store product data and app data (e.g., in Jira, Confluence) in a specific geographic location—such as Germany (Frankfurt), Switzerland, Australia, Singapore, or the US. It’s essential for enterprise teams, regulated industries (like healthcare or finance), and any business managing in-scope data under compliance requirements like GDPR or CCPA.
Learn more about Atlassian data residency
How does Atlassian secure data in the cloud?
Atlassian Cloud follows a zero-trust architecture, ensuring all Jira Cloud, Confluence, and Jira Service Management instances are protected through:
- Encryption at rest and in transit (AES-256, TLS 1.2+)
- Access controls and permissions (SSO, MFA, secure API access)
- Logical tenant isolation using Atlassian’s Tenant Context Service
- Hosting across certified AWS regions with multiple availability zones
Security extends to Marketplace apps running on Forge, which inherit these protections.
What certifications does Atlassian Cloud meet?
Atlassian holds certifications and complies with major standards, including:
- ISO/IEC 27001 for information security
- SOC 2 Type II
- PCI DSS for payment data
- GDPR and CCPA for data privacy
You can explore full compliance documentation at the Atlassian Trust Center.
What happens to customer data if a Marketplace app is uninstalled?
For apps built on Forge, data is deleted automatically upon uninstall.
For Connect-based apps, typically app data is retained for 30 days (depends on vendor) and after that cannot be recovered.
Note: Admins managing subscriptions should always verify data retention policies of third-party apps on the Atlassian Marketplace.
How can enterprise teams move data to a new region or geographic location?
Use admin.atlassian.com to:
- Request a data residency move to a supported cloud region (e.g., Frankfurt, Singapore, Australia)
- Manage permissions and access settings across cloud products
- Monitor requests to align with enterprise plans and data residency requirements
Refer to Atlassian’s official Data Residency guide for step-by-step instructions.
What security considerations are important when migrating from Data Center to Atlassian Cloud?
While Atlassian handles data protection during cloud migration, teams should:
- Audit permissions, account information, and API integrations
- Select Marketplace apps built on Forge for added security
