We just announced the upcoming release of a new Privacy & Security tab for cloud app listings on the Atlassian Marketplace. Questions are now available to help you prepare responses for the tab, which will become visible to customers toward the end of this quarter.
Please have a look at the New Privacy & Security tab questionnaire available changelog entry or new documentation for details. Feel free to add questions here.
@LakshmiBehl Thanks for making this available. I think this is a move in the right direction.
However, after reading the documentation it seems to me that the timeline is really short. If you want to fill in the questionnaire seriously, a vendor needs to sort out quite some things.
Another thing is, I believe, the questions are unclear. As examples:
There are multiple questions related to end user data: "Does your app store End-User Data outside of Atlassian products and services?" What if the storage of end user data is a setting a customer actively must enable? I.e. by default, the app does not store end user data. Only if an admin enables this, the app will store data. How can a vendor answer this, given only a yes/no answer is possible? Can you add an option like: "The customer must explicitly enable data storage."
The question "Does your app support migration of in-scope End User Data between your data residency supported locations?" seems to reference a feature not yet released for vendors? Can we expect that Atlassian will release an implementation of data migration for ACE?
The question "Have you completed a CAIQ Lite Questionnaire that covers this app?" I understood that Atlassian discontinued the use of the CAIQ Lite questionnaire. Has that changed?
Hi,
Our app stores a "Slack Authentication Code" if the administrator enables Slack integration, which is optional. Explaining this kind of situation with just "yes"/"no" questions may be misleading.
As a followup question: Is the Connect install payload / shared secret considered "End-User data"? If so, all Connect apps store data outside of Atlassian, and Atlassian could just state it for all Connect apps.
And is there a distinction between "in-scope" and "out-of-scope" data like Atlassian makes?
Does your app process End-User Data outside of Atlassian products and services? (excluding process/storage of End-User Data in logs)
Is this question intended for server side or also for client side processing of data? It may be a big difference for customers to know whether data is only processed on the computers of their users or is processed on a server outside the Atlassian services, on a server of the plugin provider.
If an app is available for server/DC and Connect in a single MP listing, does the "Privacy and Security" tab only show if the "Cloud" version is selected in the app listing hosting dropdown?
If that is not the case, we should be able to provide 2 sets of answers, one for cloud and one for DC.
Hi @UlrichKuhnhardtIzym1 - The actual tab option (where it says "Privacy & Security" in the row of tabs next to Pricing) will be visible on DC and server app listings, but if a customer clicks the tab they will see a default message that the tab is visible for cloud apps only.
The full tab with all fields will only be visible on cloud app listings.
Thanks for the feedback - this is a good point that we'll take into consideration for future changes to the questionnaire.
Realm migration is currently available as an early access program for partners to start testing and integration of apps built on Connect (details here). ACE implementation is currently not planned for the initial releases of app data residency migration, however is in our longer term roadmap. We can provide an update once we have more details around timelines. cc : @SushantBista who is the Product Manager driving this initiative.
Atlassian has paused our own CAIQ Lite program for apps, but some partners have completed a CAIQ Lite questionnaire for prospective customers separate from Atlassianâs program. This question will give those partners an opportunity to showcase their investment in CAIQ Lite, and it will give visibility to customers who require completion of the CAIQ Lite questionnaire as part of their app assessment process (similar to the compliance / certification questions).
Hi @m.herrmann - sorry for the delayed response. To answer your question, no - "processing of End-User Data outside of Atlassian products and services" is not intended to include client side processing that the app performs entirely in the end-user's browser. We appreciate your feedback and will explore ways to clarify the wording of this question.
Can you clearly state exactly what end-user data is. I know what personal data is and I know what company data is (the stuff they enter into Jira) but what is end-user data?
Related question to @JuliaWester - if we store user entity properties - does that go under:
Yes. App stores End-User Data exclusively within Atlassian products and services which support data residency options, as outlined here.
or
No. App stores End-User Data exclusively within Atlassian products and services, which don't support data residency options yet due to Atlassian's current roadmap. (e.g. Atlassian's Forge platform).
Hi @JuliaWester - Good question! The definition of "End-User Data" is as follows:
"Any data, content or information of an end user that is accessed, collected or otherwise processed by you or your app in connection with use of the Atlassian Marketplace"
Unfortunately, we can't advise on whether individual data elements that are processed by partners are covered under the definition of "End-User Data." Please review the definition to determine whether data elements that you process fall under this definition.
I guess because it says content it is not just their personal data but any data they generate in the host app that is considered end-user data? I don't feel like this is a vendor-specific question. This should be an Atlassian level question.
I actually found a tooltip that helps more than the definition (Or rather, alongside the definition)
For example: Email address, Device ID, IP address, Content posted, received or shared in the app by end-users.
@JuliaWester Perfect - hopefully those examples help!
Just to clarify for any other folks on the thread: You are correct that End-User Data is not defined in a way that includes only "personal data" of the end user (or similar privacy law concepts). That said, because this term comes from the Marketplace Partner Agreement that each partner enters with Atlassian, we can't advise partners on how it should be interpreted. We recommend contacting your own legal counsel if you have questions about whether specific types of data would constitute End-User Data.
@MaggieNorbyAdams - while it is understandable that Atlassian cannot account for specific jurisdictions that partners are in, or account for the various crazy things a partner might do, saying that Atlassian "can't advise partners on how it should be interpreted" doesn't seem like the right path here.
Atlassian can certainly do better, and provide proper explanations of what is being asked, reduce ambiguity, and come up with better examples, especially for common use cases and common scenarios.
For example:
"End-User Data" is any data, content or information of an end user that is accessed, collected or otherwise processed by you or your app in connection with use of the Atlassian Marketplace.
This could easily mean that any API call that an app makes that returns an accountId, an avatar, or a display name counts as end-user data. As such, pretty much every single app in the marketplace would have to say yes.
If we're going with the definition that @JuliaWester used as an example, and include IP address, then wouldn't that inherently mean that every app with a modern infrastructure running a web server would have to say yes? Given that most web servers have access logs that log IPs (Apache, CloudFront, AWS load balancers, etc).
These are common enough questions/scenarios that would be trivial for Atlassian to provide guidance on. Making vendors spend a few thousand dollars on a lawyer, simply because Atlassian can't be bothered, seems incredibly hostile towards smaller vendors that cannot easily afford such things.