To improve trust amongst customers using apps, comply with global privacy law (including GDPR), and clarify vendor roles and responsibilities, we will be making several changes to our policies and procedures.
Personal Data storage requirements
To signal to Atlassian whether or not you store personal data outside Atlassian systems, we are adding a new required field in Atlassian Marketplace for all public cloud apps that must be updated by 10 December 2018.
The field will ask you to select whether or not your app stores data via a single select (Yes / No) dropdown.
We expect you to select “Yes” on this field if you are copying user records that you’ve obtained through our APIs associated with an accountID (or formerly username or user key).
For example, this includes keeping any of the following personal data associated with a user reference (either accountID or username or user key): Display Name (Full name), Avatar URLs, Email Address, Job Title, Department, Organization, Location (“based in”), Phone Number, Timezone, Language, or Recent Devices.
Storing data may also mean copying a user reference (e.g. accountID or username or user key) and associating that ID with personal data separately collected by your app but not necessarily passed as part of the user object through our product APIs.
It does not necessarily mean caching. However, if you are caching for an extended period of time (e.g. > 24 hours), we suggest either refreshing more frequently or selecting “Yes” on this field.
We do not recommend storing user personal data in your own systems, especially if you intend to use your own data store to render personal data in-product. In doing so, you may unintentionally expose user personal data to other users when profile visibility control settings change.
Instead, we recommend that you request user personal data from Atlassian Account via product APIs and display that data in real-time.
In the event that you are storing personal data in your own systems, you will have to call new endpoints in our product APIs to ensure that the record of your data store’s known Atlassian Accounts (accountIDs) is accurate. This is to satisfy applicable laws and customer expectations around handling user personal data, including:
- permanent data deletion of user personal data upon request from the end user;
- strict adherence to privacy control settings where the user’s preferences are stored in Atlassian Account (e.g. only display user profile details that are public) and
- immediate updates to user profile details should they change, where the details are stored in Atlassian Account.
This guide describes in more detail how to call these new endpoints and what to do with the instructions to delete user data should we receive a permanent data deletion request from an end user.
You will be required to maintain a sync with the user record details in Atlassian Account (accountID), which means that you should be refreshing your data regularly. We recommend refreshing your records no less than every 30 days.
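As an added illustration of the three obligations above (permanent deletion on request, honouring the user’s current visibility settings, and refreshing stored records at least every 30 days), the following Python sketch is not Atlassian’s code and does not use the product API endpoints the page refers to, which it does not name. It assumes a stand-in `fetch_profile(account_id)` callable that returns a profile as a dict of `field -> {"value", "public"}` or `None` when the account is no longer known, and it assumes deletion requests arrive as a list of accountIDs; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# The page recommends refreshing stored records no less than every 30 days.
REFRESH_INTERVAL = timedelta(days=30)

# Assumed (constructed) shape of a fetched profile: field -> {"value": ..., "public": bool}.
# The real API response shape is not on the page; this is a stand-in.
Profile = Dict[str, Dict[str, object]]


@dataclass
class StoredUser:
    account_id: str
    fields: Dict[str, str]      # only fields the user currently makes public
    last_refreshed: datetime


def public_fields(profile: Profile) -> Dict[str, str]:
    """Keep only fields whose current visibility setting is public, so a field
    the user has since made private is dropped on the next refresh."""
    return {name: str(f["value"]) for name, f in profile.items() if f.get("public") is True}


class UserStore:
    """In-memory stand-in for the app's own data store keyed by accountID."""

    def __init__(self) -> None:
        self.users: Dict[str, StoredUser] = {}

    def upsert(self, account_id: str, profile: Profile, now: datetime) -> None:
        self.users[account_id] = StoredUser(account_id, public_fields(profile), now)

    def delete(self, account_id: str) -> bool:
        """Permanently remove every stored detail for this accountID."""
        return self.users.pop(account_id, None) is not None


def refresh_stale(store: UserStore,
                  fetch_profile: Callable[[str], Optional[Profile]],
                  now: datetime) -> Dict[str, int]:
    """Re-fetch every record older than REFRESH_INTERVAL.

    A fetch returning None means the account is no longer known upstream, so the
    local copy is deleted rather than kept indefinitely.
    """
    counts = {"refreshed": 0, "deleted": 0, "skipped": 0}
    for account_id in list(store.users):
        user = store.users[account_id]
        if now - user.last_refreshed < REFRESH_INTERVAL:
            counts["skipped"] += 1
            continue
        profile = fetch_profile(account_id)
        if profile is None:
            store.delete(account_id)
            counts["deleted"] += 1
        else:
            store.upsert(account_id, profile, now)
            counts["refreshed"] += 1
    return counts


def apply_deletion_requests(store: UserStore, account_ids) -> int:
    """Honour permanent-deletion requests; unknown or repeated IDs are ignored."""
    return sum(1 for aid in account_ids if store.delete(aid))


def demo():
    now = datetime(2018, 12, 1, tzinfo=timezone.utc)
    store = UserStore()
    # Constructed sample records: two stale (45 and 60 days old), one fresh (1 day old).
    store.upsert("acc-1", {"displayName": {"value": "Alice", "public": True},
                           "emailAddress": {"value": "alice@example.com", "public": True}},
                 now - timedelta(days=45))
    store.upsert("acc-2", {"displayName": {"value": "Bob", "public": True}},
                 now - timedelta(days=1))
    store.upsert("acc-3", {"displayName": {"value": "Carol", "public": True}},
                 now - timedelta(days=60))

    # Constructed upstream state at refresh time: Alice has since made her email
    # private, acc-2 changed display name, and acc-3 is no longer a known account.
    upstream = {
        "acc-1": {"displayName": {"value": "Alice", "public": True},
                  "emailAddress": {"value": "alice@example.com", "public": False}},
        "acc-2": {"displayName": {"value": "Robert", "public": True}},
    }
    counts = refresh_stale(store, upstream.get, now)          # acc-2 is fresh, so untouched
    removed = apply_deletion_requests(store, ["acc-2", "acc-2"])  # second request is a no-op
    return store, counts, removed


if __name__ == "__main__":
    print(demo())
```

The design point is that a refresh overwrites the stored copy from the current upstream profile rather than merging into it: that is what makes a field the user has since made private disappear from your store instead of lingering and being rendered to other users.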
All requirements for data storage must be in place by 10 December 2018.
Falsely reporting your practices around data storage puts both you and Atlassian at risk of not adhering to global privacy laws. Atlassian will be monitoring self-registration and randomly and periodically auditing apps that have indicated that they do not store user profile details externally for accuracy in representation. Should false representation be discovered, Atlassian will consider this a breach of terms and schedule the app for de-listing.
De-listing means immediate removal of your app from Atlassian Marketplace search results and disablement of customer installation (and Try / Buy where applicable). It may also lead to permanent deletion of your app listing from the Atlassian Marketplace, at Atlassian’s discretion.
Marketplace Agreement update
The terms of the Atlassian Marketplace Vendor Agreement will be updated soon, and we are targeting them to take effect at the end of March 2019. Some of the changes we are making to the Atlassian Marketplace Vendor Agreement include:
- Requiring all vendors to provide a legally sufficient set of (a) user terms and (b) privacy policy to users, and removing the “Standard EULA Terms”. This change reflects the multiple deployment options for apps (server and cloud) and gives vendors the flexibility to set their own terms with users.
- Adding a minimum security standard and setting forth procedures for reporting incidents.
- Clarifying our policy on privacy and data usage by vendors.
- Clarifying that vendors cannot review their own apps or apps made by competitors.
- Adding the ability for vendor apps to be listed in currencies other than USD for certain countries (such as Euros and Yen).
- Explaining in more detail how our App Programs work.
- Updating our terminology (replacing “Add-on” with “App”, “Publisher” with “Vendor”, etc.).
Please review or add a URL linking to your EULA (for server apps) or Terms of Use (for cloud apps), as appropriate, in the “End user license agreement” field (which we will be renaming to “End User Terms of Use”), located in the latest version of your app in the Manage App Version screen in Atlassian Marketplace. This link will be shown to customers in the app installation consent flow. Apps that do not have customer terms in place by 1 April 2019 will also be scheduled for de-listing.
To improve customer trust, and to help you manage all of these new requirements together, we recommend ensuring that each of these policies is adhered to by 10 December 2018.