New Privacy & Security tab questionnaire available

Hi developer community,

We just announced the upcoming release of a new Privacy & Security tab for cloud app listings on the Atlassian Marketplace. Questions are now available to help you prepare responses for the tab, which will become visible to customers toward the end of this quarter.

Please have a look at the New Privacy & Security tab questionnaire available changelog entry or new documentation for details. Feel free to add questions here.

5 Likes

@LakshmiBehl Thanks for making this available. I think this is a move in the right direction.

However, after reading the documentation it seems to me that the timeline is really short. If you want to fill in the questionnaire seriously, a vendor needs to sort out quite some things.

Another thing is, I believe, the questions are unclear. As examples:

  1. There are multiple questions related to end user data: “Does your app store End-User Data outside of Atlassian products and services?” What if the storage of end user data is a setting a customer actively must enable? I.e. by default, the app does not store end user data. Only if an admin enables this, the app will store data. How can a vendor answer this, given only a yes/no answer is possible? Can you add an option like: “The customer must explicitly enable data storage.”
  2. The question “Does your app support migration of in-scope End User Data between your data residency supported locations?” seems to reference a feature not yet released for vendors? Can we expect that Atlassian will release an implementation of data migration for ACE?
  3. The question “Have you completed a CAIQ Lite Questionnaire that covers this app?” I understood that Atlassian discontinued the use of the CAIQ Lite questionnaire. Has that changed?
6 Likes

Hi,
Our app stores “Slack Authentication Code” if the administrator enables Slack integration, which is optional. Explaining this kind of situation with just “yes”/“no” questions may be misleading.

2 Likes

Hi @LakshmiBehl ,

As a follow-up question: Is the Connect install payload / shared secret considered “End-User data”? If so, all Connect apps store data outside of Atlassian, and Atlassian could just state it for all Connect apps.

And is there a distinction between “in-scope” and “out-of-scope” data like Atlassian makes?

3 Likes

Hi,

Does your app process End-User Data outside of Atlassian products and services? (excluding process/storage of End-User Data in logs)

Is this question intended for server side or also for client side processing of data? It may be a big difference for customers to know that data is only processed on the computers of their users or is processed on a server outside the Atlassian services, on a server of the plugin provider.

3 Likes

If an app is available for server/dc and connect in a single MP listing, does the ‘Privacy and Security’ tab only show if the ‘Cloud’ version is selected in the app listing hosting dropdown?

If that is not the case, we should be able to provide 2 sets of answers, one for cloud and one for DC.

1 Like

Hi @UlrichKuhnhardtIzym1 - The actual tab option (where it says “Privacy & Security” in the row of tabs next to Pricing) will be visible on DC and server app listings, but if a customer clicks the tab they will see a default message that the tab is visible for cloud apps only.

The full tab with all fields will only be visible on cloud app listings.

2 Likes

Hi @marc , @denizoguz

  1. Thanks for the feedback - this is a good point that we’ll take into consideration for future changes to the questionnaire.
  2. Realm migration is currently available as an early access program for partners to start testing and integration of apps built on Connect (details here). ACE implementation is currently not planned for the initial releases of app data residency migration; however, it is in our longer-term roadmap. We can provide an update once we have more details around timelines. cc: @SushantBista, who is the Product Manager driving this initiative.
  3. Atlassian has paused our own CAIQ Lite program for apps, but some partners have completed a CAIQ Lite questionnaire for prospective customers separate from Atlassian’s program. This question will give those partners an opportunity to showcase their investment in CAIQ Lite, and it will give visibility to customers who require completion of the CAIQ Lite questionnaire as part of their app assessment process (similar to the compliance / certification questions).

Hi @denizoguz - Thanks for the feedback - this is a good point that we’ll take into consideration for future changes to the questionnaire.