Hi everyone,
Thanks for sharing your valuable feedback and suggestions with us.
Based on your inputs:
- We are looking into providing an audit trail or logs that can be accessed by developers to know what, when, and who certain requests regarding migrations have been made by the customer. This can include information that a customer has requested a realm migration for their Forge app/host product. We will reach out to developers if we need further feedback on this.
- Customers will be able to proactively review apps that are moving with the product in admin.atlassian.com before submitting their move request.
- To provide more clarity during manifest declarations, we will be updating `in-scope EUD` to `inScopeEUD`, as well as adding a new `operation` value to be used for external permissions.
With regard to the feedback around GDPR:
- We have described our position on this topic in this comment. Atlassian will continue to act as your processor (or sub-processor) the same way we do currently, and we will only take the actions described for data residency if you instruct us to do so by using Forge Hosted Storage. After considering this information and consulting with your own legal counsel, if you would like to leverage this feature, by enabling Forge Hosted Storage in your app you will be providing Atlassian with your instructions to provide data residency as described in this RFC. On the other hand, if you decide that you would not like for Atlassian to provide data residency in this way, you can elect not to use Forge Hosted Storage. This feature is purely optional, and as shown in the examples in our original post (and detailed further in RFC-8), your app can leverage remote storage instead. We will be providing notice to developers in advance to understand our implementation and its limitations. We’re also working on detailed developer documentation to be published when we start to roll out this feature for use.
- After data residency is released, Compute will continue to function the way it does today, globally. As a provider of global services, Atlassian may process personal data globally in order to maximize reliability and performance, as well as to facilitate security and fraud prevention. This is allowed by the GDPR provided certain conditions are met, which Atlassian meets and describes in more detail in the Forge DPA and Data Transfer Impact Assessment.
Thanks again!