Please help us shape the "Runs on Atlassian" roadmap for 2026 and beyond

Thanks for the input, Scott!

and Atlassian deems any external fetch request (even a GET request) as “egress”.

Just to provide some context here - this is because get requests can trivially egress data via query parameters and headers.

After all, isn’t that the whole point of CME? To give customer admins the ability to decide which external connections are trusted?

Yes, you’re right.

There’s inherent friction here because the RoA badge is a black and white trust signal overlaid on a problem space that has shades of grey. Just because an app doesn’t have the RoA badge, doesn’t necessarily mean that an app hasn’t made significant investments in minimising data egress in the name of customer trust. There’s still value in presenting a slim list of egress domains on the installation screen & privacy/security tab, even without the badge.

I do understand the frustration. The criteria for the badge and where we draw the line on what is/isn’t eligible is subjective and there are a number of competing constraints across legal/privacy, technical feasibility and customer perception that we are trying to balance.

The feedback is still welcome and can inform future decision, so please don’t stop continuing to share your thoughts on this.