Updates coming to Marketplace Agreements, Policies and Procedures



@akassab, does this mean that Cloud apps that store personal data must have the Personal Data Reporting API implemented by 10 December 2018 or end of March 2019?


@kkolina - 10 December 2018 is the hard deadline for setting the field in Atlassian Marketplace (does your app store personal data). If you are storing personal data and intend to continue storing personal data after your data store migrations from username and userkey to accountID then you need to start implementing the Personal Data Reporting API as soon as possible. The API endpoints you’ll need to call are available now although you’ll see a 500 error if you start testing. On 10 December the API will return accurate instructions for processing data deletion for closed accounts.

We will start to de-list apps in the Marketplace that have indicated that they do store personal data and have not implemented the personal data reporting API by end of March 2019.

In the meantime - you may continue to receive data deletion requests directly from customers. You should continue to process those in a reasonable timeframe manually.


Question: If the API is currently broken, currently during SERVER releases Marketplace REQUIRES us to say we have implemented the personal data reporting API, which clearly cannot happen until after 10 DEC. Is Atlassian therefore OK, with us ticking the “yes we implement the privacy api” checkbox NOW regardless of its operational state and our validated implementation of that, assuming that we will be having something operational after 10 DEC.

To reiterate, the changes you have made on Marketplace listings that have a cloud app are blocking SERVER and DC releases. This question has been asked above and through AMKT but we do not yet have a YES / NO answer!


Hi @andy - We’re updating the instruction text as we speak to clarify. Sorry for the confusion. If you intend to implement the personal data reporting API for your cloud apps check the box and save. If you have a server only app and/or DC only app (or Server / DC app) that stores personal data then select yes and check the box but no need to implement the personal data reporting API.

That API will only be required for cloud apps.

The API is available and can be called. The response returns a 500 error currently but will be fixed by 10 December.


@akassab, does this mean that a vendor can now check ‘I intend to implement the Personal Data Reporting API’ on the Marketplace if they intend to implement it (but haven’t done this yet); and implement it by end of March 2019?


Yes. Please don’t wait until end of March!


@akassab One more question: we have a cloud app that requires clients to install additional software component on THEIR infrastructure. Assuming that this component is storing personal data (usernames), should we select “Yes”? It’s a bit unclear if the question is about “storing data outside Jira” or “storing data on our infrastructure”.


Hello Alexandra @akassab ,

Thank your for your explanations. Could you clarify a few more things for us?

  1. We have developed a Bitbucket Server/DC-only add-on. According to your comment in this discussion above, we should check the box, but don’t need to implement the API. Is this the official position of the Atlassian company that we can refer to? So far the checkbox says “I understand that I must implement the API”.

  2. We are not storing any user data within our app. Yet we have a CRM, where all our customers’ data is stored (for analytics and communication). We receive this data via Marketplace API - so we only have the same data as we can see in our vendor account. We are also not storing Atlassian ID’s of our customers.
    Do we still have to select “yes” for “app stores personal data”? This may be misleading to the users - they might think, that the app itself collects some user data (which it of course doesn’t).

  3. In case we actually have to develop the Privacy Data Reporting API, where can we find the specs for Bitbucket Server/Data Center apps? The guide provided seems to have only specs for Jira and Confluence apps.

  4. According to the GDPR, a customer can request us directly to amend or delete all his or her personal data. It is then our responsibility to inform Atlassian about this request. How can we use the new Privacy Data Reporting API for that?

Thank you.


Please consider updating the text description of the new MarketPlace app field (App stores personal data required Yes/No) such that vendors can realistically comply.
I’ve created a tracking issue here: https://ecosystem.atlassian.net/browse/MPJC-38


did you ever receive a reply to your questions?


Not completely :slight_smile: I had the same questions in the support ticket, and this is what Alexandra said there:

_If you are only storing contact information for billing and technical contacts associated with your licenses (distributed via the Marketplace API), then you will not need to set up reporting thru the personal data reporting API. This is because we will require technical and billing contacts to remove themselves as a technical or billing contact before they complete a request to delete their personal data. The change will be reflected in the Marketplace API as an update to the license record. _

You should be checking the updated dates on the license records (currently available thru that API) to make sure you have the right technical and billing contact information. We may introduce something in the future for ensuring proper sync’s with the Marketplace API if you are storing technical and billing contact information in your own systems but this is not part of the current requirement. We will update you if/when things change regarding data collection thru the Marketplace API.

She also specifically confirmed, that we should select “No” in the “App storing data” field, which is an answer to #2, that makes #1 & #3 irrelevant (for us, for now). It may be different for other cases.


Is there a draft of the new agreement available? Specifically, the " * Adding a minimum-security standard and setting forth procedures for reporting incidents" as I assume all vendors will need to be compliant with a new standard?



Our application provides Administration and Security for Atlassian (Confluence, Jira). Our application is installed by an administrator and our application is a ‘Processor’ with respect to GDPR.

We retain the accountID, email address, first name and last name in our database. However, we sync in this data every single day so if there was any change in the user account (addition, update, or delete), then we would reflect this change in our database everyday.

Should we select “No” in the “App storing data” field? If not, then what would the point be in using the ‘Personal Data reporting API’ if we are updating our data daily?


@akassab why can’t Atlassian provide a standard agreement for free apps?



For section 6.3 (End User Support) would it be possible for Atlassian Support to identify a request as critical during the weekend? Our support team does not generally work weekends.