All right let’s start off the top…
To help partners more easily meet customer data residency needs, we are enabling data residency support for apps that choose to exclusively use Forge Hosted Storage. These apps will be able support data residency for in-scope data with less separate investment (compared to supporting data residency for external databases).
That’s a false premise. In order to support data residency - each vendor has to identify their legal risk/concerns. So while technically you can “resolve” items - each partner will need to consult their legal council about the liabilities (Forge doesn’t dissolve this).
Forge will take care of the hosting, pinning, and migration of hosted data between supported locations, so partners can focus on building a high quality app for their customers.
As sub-processor of the partner - right?
- Any data that is stored in Forge Hosted Storage will be automatically migrated to the same location as the host product (starting at the time of Beta release).
With the partner as the processor of the data? We’ll give you the “yepp - go ahead and do this?” Otherwise - you’re violating GDPR and not working as our subprocessor.
- All new installations of an app using Forge Hosted Storage will have data stored (for relevant tenant) in the same location as the parent product.
Again - the partner will give the “ok” of doing this?
- When a customer requests the parent product to be moved to a new location, the relevant Forge Hosted Storage partition will move along with the host product data.
Who is the customer here? I’m assuming from the Forge platform the partner is the customer and requestor?
- Forge apps that exclusively store in-scope End User Data within Forge Hosted Storage will automatically be shown under “pinned” in the customer data residency UI (meaning they have pinned stored data to the same location as the parent product).
I’ll repeat the same concern as above. What if I don’t want to support the pinning to Russia or China?
- If the parent product is not pinned, Forge apps will remain in the Global location along with the parent product data.
? * Pinning location: App partition (for relevant tenant) will be pinned/migrated to same location as the host product
- Who determines the location: Customer admin determine the pinning location of the host product (and hence the location of the relevant Forge app partition). If the parent product is not pinned, Forge apps will remain in the Global location along with the parent product data.
Explain how the customer is telling me (preferably in a flow chart) as partner where things are being “pinned” and then me telling Atlassian Forge is processing this…
- Pinning location: Forge Hosted Compute will be provisioned and operational in all Atlassian supported locations to ensure acceptable performance (when Forge Hosted Storage is multi-location enabled). As with Jira and Confluence data residency, data-in-transit will not be pinned to any particular location.
Uhm. What?!?!?! You’re going to ship my customer’s information to a region without my involvement? How that does that work? Can I get Atlassian to decree that any liabilities will be handled by them by this statement?
- Who determines the location: Atlassian will determine the location of the hosted compute to ensure acceptable level of performance.
emphasized text
No. Just no. Unless Atlassian is saying that they’re controllers of the data - no.
Note: Like Jira or Confluence data residency, only at-rest data will be pinned. Data-in-transit (up to 30 days), app logs, cached content and user account information will not be pinned. If the data residency scope changes for the parent product data residency, we will evaluate similar changes for Forge.
That doesn’t matter. That’s telling the partner that we’ll absorb Atlassian’s legal risks. Will you indemify the partners of the risks?
Multi-location hosted compute will be automatically enabled for all Forge apps by the time Forge Hosted Storage data residency is rolled out to production. This will ensure there is acceptable level of performance when Forge Hosted Storage is multi-location enabled.
Again no.
However, in order for it to take effect, a redeployment of your app will be required. This will be a minor version update. We will make an announcement and give you advanced notice before you need to take this action.
Atlassian deploys to a new area and things break because partners aren’t notified. What is the advanced notice?
What should partners do if they don’t want to support a location?
If your app uses Forge Hosted Storage but you don’t wish to support one of the Atlassian supported locations for your app data residency, you can stipulate this in your terms with customers.
While there is no technical limitation to a customer moving their data to an Atlassian supported location, you can include stipulations about locations where customers can store data in your end user terms or any other customer contracts at your own discretion. That said, it’s important to note that Atlassian is not a party to your contracts with customers and cannot enforce the terms by prohibiting the customer from storing data in certain locations.
You realize that is probably not legally possible? If somebody shouts in a forest about new terms - it doesn’t mean that folks know about it.
While we would appreciate any reactions you have to this RFC (even if it’s simply giving it a supportive “Agree, no serious flaws”), we’re especially interested in learning more about:
I’ve got several concerns. One being - anyone one using forge should seek legal council and not rely on this RFC. If Atlassian cared about the Vendor requirements - they would take a step back and look at what partners need in order to have a proper business - not what the customer wants (while we should work to get to - let’s build one that is legal);
- What level of visibility do you anticipate needing around migration requests and hosting location of hosted storage/compute, and why?
I need to know who transfered data out and when ( with the pii details for audit rails).
- What do you think about having to redeploy your app every time Atlassian supports new locations? Are there other ways this may impact that we haven’t anticipated?
Nope. See above
We are currently targeting Q1 CY24 for release of Forge Hosted Storage data residency Preview (Customer Beta). You can track this project in Atlassian public cloud roadmap, Forge public roadmap and [FRGE feedback board]([FRGE-1203] - Ecosystem Jira> lOrigin=eyJpIjoiY2Q2YzM4NDhmN2IyNGU5OGFlZTVlZTBhYTc5MjlhZTgiLCJwIjoiaiJ9).
Thanks for your feedback!
I’m really excited that ya’ll are working on making Forge becoming a Data Resident platform - let’s just make it without risks for vendors.
/Daniel