New Privacy & Security tab questionnaire available

I totally agree with you @ademoss . I will say, though, that IP address is personal data according to the GDPR so it makes sense that it would be included with other examples of personal data.

The ambiguity of GDPR is the fault of European lawmakers and not Atlassian. However, I feel like the privacy & security tab conflates two different concepts:

• Information security
• Personal data protection

I would rather not have the GDPR question in there, because effectively, every app is a data controller, no matter how you design it.

Actually, there are really two types of data we need to pay attention to:

• personally identifiable information (PII), which can identify a user, such as names, phone numbers, IP addresses, etc.
• user-generated content (UGC), which can include… well, in the case of Jira issues or Confluence content, just about anything, including PII (since the app doesn’t control and cannot know what’s contained in Jira or Confluence data

This means that as soon as your app starts to access Jira issues or Confluence pages (which is UGC), it is potentially processing PII.

Hi @ademoss and @JuliaWester - We want to provide a bit more context for you to explain where we’re coming from re: helping you define data types. Hopefully this clarifies things a bit.

We designed the new tab to provide answers to the questions our customers most commonly want to understand about their apps.

One almost universal concern we hear from our customers is about what apps are doing with their data - for example, is it being sent outside of the Atlassian apps and infrastructure they’ve already evaluated for further processing and/or storage?

This concern is broader than just what you might think of as “personal data” - for instance, a company might use Confluence to store financial data, roadmap plans, legal advice or other information that may be extremely sensitive, even if it doesn’t include any personally identifiable information.

That’s why we use a broad definition for “End-User Data” that encompasses any data, content or information of an end user that is accessed, collected or otherwise processed by you or your app rather than a narrower or more limited definition that would still leave our customers with questions about what might be happening with their data.

@ademoss - we’d love to be able to give you and other partners specific and personalized guidance. The problem is not that Atlassian can’t be bothered to do so, it’s that as a matter of legal ethics our lawyers can’t offer legal advice about how you should interpret the defined terms that come from the contracts you’ve signed with Atlassian.

Fortunately, from the example in your post it sounds like you have already arrived at an understanding of “End-User Data,” but we’d be happy to hear any feedback if there’s something specific in the definition that still seems ambiguous.

Understanding that this definition is quite broad, we also give you the opportunity in the questionnaire to specifically list the End-User Data types that your app processes and/or stores, so you can give customers the full visibility that they often request, and share in detail your interpretation of “End-User Data.”

@MaggieNorbyAdams any chance we can get guidance on the user entity properties?

Hi @danielwester - Yes, apologies for the delay. We’ve seen your question and we’re working on it We’ll have a response for you by the end of this week.

cc - @SeanBourke @SushantBista

Hi @danielwester, apologies for the delay. We were discussing some of the nuances here to determine what would be the most appropriate option. As a general rule, the first option (“Yes. App stores End-User Data exclusively within Atlassian products and services which support data residency options, as outlined here.” ) is the most appropriate response if your app stores data exclusively in Atlassian products, including entity properties.

That said, it’s important to note that user/profile info is not pinned as part of “in scope data” for Atlassian data residency. In the customer facing UI where we provide your response, we do link out to Atlassian’s definition of “in-scope data” for Atlassian data residency, so we do explain this publicly in our documentation which will be linked from your response.

Please be aware of the definition of “in scope data” so that you are prepared to respond should a customer ask for more details.

Thank you @SeanBourke. this is very helpful. In discussions with our TPM yesterday we talked about how what “the app” does and what we as a company do with information surrounding their subscription are not the same. (ie, we get marketplace data from the company, we have support case data, etc. - none of which come from the app). So, I think the tab should be explicitly clear to the reader, as well as us, what the scope of the questions really is. That we may handle more of their company data outside of the app but that information isn’t in scope and they should refer to our provided links for more information about those aspects.

When we look at the definitions of a “Data Controller” and a “Data Processor” in the link provided as a helpful resource on the new privacy & security tab (https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controllerprocessor/what-data-controller-or-data-processor_en) they make it clear that both of those terms relate to Personal Data.

The data controller determines the purposes for which and the means by which personal data is processed
The data processor processes personal data only on behalf of the controller

Personal Data is not any user-generated content or end-user data as explained here - What is personal data?

However, when we fill out the new form, we are asked about the “End-User Data with respect to which your app is a data processor/data controller”

Isn’t this question fundamentally wrong? If data controllers and data processors are by definition limited to personal data, what end-user data are we supposed to provide here?

Looking for some guidance as we are stuck on those questions. If the app doesn’t process personal data should we just check “Not applicable - App is not subject to the GDPR.”?

Best,
Sebastian

Hi Julia - thanks for the feedback. It sounds like what you’re looking for is more specific clarity at the question or section-level on whether the information refers to an app or to a company (ie: the Marketplace Partner who runs the app).

We’ve taken note of this as something to consider for future updates to the questionnaire.

Please note that the tab will also have a feedback button at the bottom so we can track whether customers are similarly confused about the information they’re seeing.

Hi @sbrudzinski - thanks for your question.

The definition of “End-User Data” is “any data, content or information of an end user that is accessed, collected or otherwise processed by you or your app in connection with use of the Atlassian Marketplace.”

This definition is broad enough to include data types that would constitute “personal data” under the GDPR. So if the GDPR applies to your processing activities (for example, if you process personal data relating to European Economic Area (EEA) residents), you should specify the personal data (which is a type of data covered by the umbrella definition of “End-User Data”) over which you are a controller. If you’ve determined that the GDPR does not apply to you, you can answer "Not applicable - App is not subject to the GDPR.”

Hope this helps clarify.

Hi @sbrudzinski ,
you are right about the GDPR definition of Data Controller and Data Processor. It only applies to Personal Data.
However, as soon as your app manipulates user-generated content that is readable (any text really), it can actually unknowingly be manipulating Personal Data. For example, the issue summary or description could contain Personal Data because the user put it there. But it can be more tricky: a project name or key, a Component name, a Version name, etc., could also contain Personal Data, and you have no way of determining that and avoiding access to this potentially Personal Data.
So the only case where you are not manipulating potentially Personal Data is if you only access numerical or otherwise opaque entity IDs (not an issue key but an issue ID for example). Which is probably very rare amongst apps.

Just my two cents,
David

Hi all! Dropping in to flag this latest update: Privacy & Security tab improvements: new PATCH API and adjustments to Data Residency and Disk Encryption response options

I have just submitted responses to one of the apps. However, I have noticed a bug in showing DPA question answer:

The answer is

Yet it shows

image938×102 7.82 KB

Hi @RaimisJ Many thanks for reporting this issue. I confirm that this is indeed a bug, I was able to validate this on my test app. We will update this thread, once the issue is fixed.

“Does your app process and/or store logs outside of Atlassian products and services?”

What’s the appropriate answer, if we ‘keep’ logs for 1 month in Cloudwatch and then AWS Cloudwatch deletes them for good via log retention settings?

1. Does this relate to End-user-data?
2. Is temporary retention for debugging classed as storing?

How do we input values when there is no period (unlimited)? It looks the form allows only numbers.

min-max-period2314×476 37.6 KB

Hi Ulrich - The goal of the question is to let customers know if your app stores logs in general. There is a separate question for End User Data access via logs where you can clarify how your logs relate to EUD. For this question, if your app stores logs, the answer is yes.

We’ve added a note to look into providing more opportunities for you to clarify a temporary retention period for log storage in the event that this is the only data your app stores. This is something we’ll explore for the next iteration of the questionnaire.

1. Does this question:

Does your app log End-User Data?

Include Google Analytics connected to our apps, or is this strictly about application logs?

2. According to Atlassian, is this “end-user data”?

• email address
• saved app configurations (app settings)
• translations/proper names
• JQL saved by app provided by end-user
• any data entered into text fields of forms provided by our apps
• user accountId

Hi @RadoslawCichockiDevi - Please see our response above on this subject. You should see a space to specify the data your app stores so you can clarify this for prospective customers.