Privacy & Security tab updates: questionnaire improvements and 100% customer rollout

Hi developer community,

Thank you to everyone who has submitted responses so far for the new Privacy & Security tab. We’re pleased to see over 700 apps with complete Privacy & Security tab information available to help prospective cloud customers and migrating customers more easily evaluate apps.

We have two important updates to share this week, as our 100% rollout milestone is rapidly approaching.

Privacy & Security tab improvements

As the Privacy & Security tab is a space to reflect the most important app privacy and security information for customers, it will be periodically updated and improved. Of course, as a new feature in particular, we’re keen to respond to feedback quickly.

As such, this week we’re rolling out a few improvements to the questionnaire and tab. None of these changes require immediate action, and your live Privacy & Security tab responses will not be impacted.

Updates to the questionnaire are detailed below:

Some questions have been re-worded for clarity.

We received feedback that some questions were worded in a way that was unclear or inaccurate. We also got some questions about where information was sourced from. To address some of this feedback, we’re making the following adjustments:

Some questions have new response options.

We also learned from you that our options for some of the questions were too restrictive or didn’t give you enough flexibility to explain your app’s trust posture.

Here are two adjustments to provide you with more / better options and a better experience:

Again, none of these changes require immediate action, and your live Privacy & Security tab responses will not be impacted. However, be aware that if and when you return to update your app’s Privacy & Security tab or to the web form, you may notice some clarified wording. Also, if you’d like to adjust your responses based on any of these changes, you are welcome and encouraged to do so at your earliest convenience.

100% customer rollout

Next week, 100% of visitors to the Atlassian web Marketplace will be able to see the Privacy & Security tab on cloud app listings. We will announce the new experience to customers in the Atlassian Community in the coming weeks.

If you haven’t yet, please use the following resources to fill out your Privacy & Security tab information:

See the full timeline below:

What can partners expect going forward when there are other changes to the tab?

As we mentioned in a previous update on the Privacy & Security tab, we will not make any changes to previously submitted responses without your permission, so please continue submitting your responses and providing feedback. With the 100% rollout coming soon, having information filled out will help prospective customers better understand how your app fits their needs.

In the event of future changes, we will provide an announcement similar to this one (outlining the change and action items) here in the Developer Community, and in the Marketplace change log.

After the initial release period, where we expect to see the most changes, we plan to move toward more regular updates with longer lead times so you can prepare for changes. However, during this initial launch period we may be moving a bit faster to ensure you have what you need to put your best foot forward.

And of course, feel free to add questions here on this post.


Can you give us a date when changes to this questionnaire will be less frequent?

For vendors (particularly those with large app portfolios) it’s a tremendous waste of time to be updating responses when you release yet another new version.

This security tab feature should be a one-and-done thing. I do hope there isn’t a dedicated team on this with an incentive to constantly release new questionnaire changes to justify the existence of the team.


Can you also consider adding a new url field to the Privacy section? Currently the Security and Compliance policy url is used for the privacy policy link as well, which in my case, and I think for most other vendors as well, is not correct. Each policy has its own url for further reading.


@HarshDhaka Have you clarified the changes of the GDPR texts with a lawyer, or did you just copy that from the CCPA?

IANAL, but:
I cannot think of any company that is not a data controller. Everyone collects their own PII data on their website, or at the very least on their own employees.
So what is the purpose of the question? No customer would care.
In my opinion it must be scoped on the app level, and the new wording makes no sense.
Additionally it changes the meaning and is not a “you do not need to change anything” kind of change.

Questions should be something like: (but I am not a native speaker nor a legal person)
Are there data collected in the app that you are the data controller for?
Are there data collected in the app that you are the data processor for?


@HarshDhaka Agree with @andreas.schmidt here on the wording regarding data controller and data processor. These terms apply to the company AND are scoped to the app.


@HarshDhaka thanks for the great work you and your team are doing for the Privacy & Security tab.

When filling out the new “minimum and maximum data storage period” fields, we noticed that both minimum and maximum are mandatory and have to be different values. However, in our case, we delete our logs after exactly 30 days, which isn’t currently possible:

Can you please change it so we can either:

  • Only specify the “maximum storage period” days, or
  • Specify the same amount of days in both minimum and maximum

Is the minimum even relevant for customers? Or am I misunderstanding how these fields should be filled out?

Thanks!


It would be great to have a free-form text there as well, since not all app vendors trigger on the uninstallation of an app. We’re wanting to respect the business agreement (i.e. once we get a signal from the Atlassian Marketplace license report that the license is up, then our 30 day counter will start).


None of these changes require immediate action, and your live Privacy & Security tab responses will not be impacted.

I have to disagree here. You have reworded some of the questions, but left the previous answers intact. For example, before the update you asked “Is your app a ‘data controller’ under GDPR?” which now reads “Company/Organization is a ‘data controller’ under the GDPR” – changing the subject of the question. IANAL, but to me that seems like quite a difference, and w/o having asked legal counsel I would not feel comfortable answering both questions with the same answer.

And frankly, collecting answers from vendors and then changing the question – however slightly – in a form that is all about trust and security does not sit well with me.

In the event of future changes, we will provide an announcement similar to this one (outlining the change and action items) here in the Developer Community, and in the Marketplace change log.

I think it would be good practice to announce such changes before making them, so that vendors can react and prepare appropriate changes. Trust and security is not the area to “move fast and break things.”


Hi @osiebenmarck ,

We appreciate your perspective on this and will keep working to find a balance between evolving with customer and partner needs, and honoring your existing responses. We had hoped to make changes that only increase clarity but do not change the meaning of any responses.

In the case of the GDPR and CCPA questions, we worked with privacy lawyers and felt that the disclaimer at the top of the page (which states that responses are related to the current app version) and the context of the listing warrant an app-level response.

However, we recognize that without a clarification about the app-level nature of the fields on the questions themselves, several of you feel we have made the GDPR and CCPA questions less clear than they were before.

We’ll work on fixing this by clarifying that the responses are “with reference to this app” (ex: “Company/Organization is a ‘data processor’ under the General Data Protection Regulation (GDPR) with reference to this app”). We plan to make this adjustment by the end of this week for the customer UI, and by the end of next week for the web form.

In the meantime, please leave your responses at the app level.

As mentioned in the post above, one thing we plan to do going forward (after the rollout phase this quarter) is provide you with more warning about changes that we’re considering, either during the quarterly Marketplace roadmap webinar and/or here in the community. That way you’ll know of any upcoming adjustments, and be able to provide feedback in advance.

Thanks again for your commitment to transparency and security, and for providing your feedback on this process.


Hi @andreas.schmidt and @marc,

We appreciate your concern, and assure you that we did work with lawyers on this change. We believe that the context of being on the tab signifies that the tab information is at the app-level. Especially given that the disclaimer at the top of the tab states that the information in the tab is related to the app (specifically the current app version).

That said, we agree with you that it could still be more clear. Based on the feedback here in this thread, we are planning to add a clarification in the questions that were updated (GDPR and CCPA) to clarify that this is all “with reference to this app” (ex: “Company/Organization is a ‘data processor’ under the General Data Protection Regulation (GDPR) with reference to this app” ). We will prioritize making this change on the customer UI this week, and the partner web form next week.

For now, please leave your responses at the app-level. We apologize for any confusion and appreciate your timely feedback.


Hi @nathanwaters,

We plan to make updates and tweaks as needed based on customer and partner feedback, and as industry standards evolve. After the 100% customer rollout this week, we plan to make changes less frequently, so we can prepare you for any changes in the quarterly Marketplace Roadmap webinar and give you advance notice here in the developer community.

As a general principle, whenever possible we will try to make changes that don’t require immediate action or substantively change the meaning of your responses, so you can update your responses at your own convenience.

We do not have a team that is measured on or exists just to update the Privacy & Security tab. The Privacy & Security tab was brought to you by the same team that makes all changes to the Marketplace’s customer-facing surfaces. Their only goal is to make a feature that is understandable, usable, and meets the needs of customers.

While we understand that a one-and-done update would be easiest, since privacy and security expectations are constantly evolving (for example, regulations and security standards are being updated all the time), we will need to align with these changes for the information to remain useful to customers.

For what it’s worth, we also recommend that you regularly update the Privacy & Security tab for your apps the same way you regularly update any of your public-facing materials and surfaces, as your offering evolves and improves. On our side, we’ll work to find ways to remove some of the manual effort.


Thanks for the feedback @danielwester @BenRomberg and @markrekveld!

We’ve noted that you’d like the option to have minimum = maximum for data storage period, more space to further explain your data retention policy, and a space to put in a unique Privacy url.

We’ll take each piece of feedback into consideration when thinking about future improvements to the tab.


Hi all,

As we mentioned in this post, as of this week, 100% of visitors to the Atlassian web Marketplace are now able to see the Privacy & Security tab on cloud app listings. We will announce the new experience to customers in the Atlassian Community in the coming week.

If you haven’t yet, please use the following resources to fill out your Privacy & Security tab information:

Remember - filling out all the fields in the new tab will replace the Security Self Assessment as a requirement for the Cloud Fortified program starting in August, 2023.

See the full timeline below:

Thank you for working with us throughout this rollout period as we’ve made changes to respond to your feedback and customer feedback.

We do plan to release one additional change to the customer UI before the end of June. We plan to add a new tooltip to the customer UI for Forge apps only to clarify default logging practices for customers.

The new tooltip will look like this and link to support documentation:

[Image: Sancus Forge tooltip]

and will display on these questions for Forge apps only:

The end of June represents the end of the rollout period, after which time we expect changes to be less frequent and communicated farther in advance. Thank you all again for your patience and feedback during this time.

