Below is a list of frequently asked questions that we’ve fielded from a number of our marketplace vendors and partners. We encourage all vendors to evaluate the impact of GDPR with their own legal counsel, and hope that the questions and answers provided here will help in that process. Note that we may make changes/updates to this top-level post based on the questions we continue to receive.
Important: Atlassian does not provide legal advice. This FAQ has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for legal advice. You should consult your own legal counsel on how GDPR applies to your business.
Q1: What is the GDPR and what is Atlassian doing to prepare?
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide regulation that governs the use, sharing, transfer and processing of personal data that originates from the EU.
Our policy is to respect all laws that apply to our business and this includes GDPR. We also appreciate that our customers have requirements under GDPR that are directly impacted by their use of Atlassian products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements. To find out more what Atlassian is doing to prepare, please visit our external GDPR FAQs.
Q2: What are Atlassian’s expectations with respect to my approach to GDPR as a Marketplace Vendor?
You have a direct relationship with the customer who installs your app and are responsible for complying with applicable laws when processing customer data, including GDPR where applicable. We encourage you to look into how you are using, storing, transferring and otherwise processing EU personal data via your app to determine how the GDPR may impact your data processing operations and related compliance requirements.
Q3: As a Marketplace Vendor am I an Atlassian “sub processor” for purposes of GDPR?
No. You provide a service directly to your customers; not on behalf of Atlassian. When a customer integrates your app with an Atlassian product, they establish a direct relationship with you and the customer’s use of your app is subject to the terms you provide.
Marketplace Vendors are likely to be seen as data processors by customers using their apps for most data processing activities. We encourage Marketplace Vendors to review their data processing activities to evaluate the impact of GDPR with their own legal counsel.
Q4: Will Atlassian be updating the Marketplace Vendor Agreement?
Yes. Atlassian is currently undertaking a review and update of our Marketplace Vendor Agreement. We expect to provide a formal announcement with the terms of the updated agreement soon. Once finalized, we will provide all Marketplace Vendors with 30 days notice of the updated Marketplace Vendor Agreement prior to the updated terms becoming effective.
What to start preparing for now:
- Your own EULA / Terms of Service is a requirement to list on the Marketplace
This is not an exhaustive list, but we are sharing this information with you ahead of time to help you prepare.
Yes. As noted above, the upcoming revisions to the Marketplace Vendor Agreement will elaborate on this by requiring all Marketplace Vendors to have legally adequate privacy notices that provide clear and complete information on how you use and process customer data. In most jurisdictions, providing notice to end users on how your app processes personal data is a legal requirement.
If you have not provided a link to your privacy notice in your Marketplace listing, customers will be notified as such prior to the installation of your app and also on your app’s Marketplace listing.
You can update your app’s Marketplace Listing to provide a link to your privacy notice as follows:
- Go to marketplace.atlassian.com, and log in.
- Click on your avatar and select “manage account”.
- Select the Apps tab, click the app and go to the “details” tab.
- Find the field “Data security and privacy statement” and enter the link to your privacy notice.
Q7: Am I required to have an End User License Agreement (EULA) or other Terms of Service in order to list an app in the Marketplace?
You can update your app’s Marketplace Listing to provide a link to your EULA / Terms of Service as follows:
- Go to marketplace.atlassian.com, and log in.
- Click on your avatar and select “manage account”.
- Select the Apps tab, click the latest live version of your app, and go to the “links” tab.
- Find the field “End user license agreement” and enter the link to your EULA / Terms of Service.
Q8: What is a Data Processing Agreement?
The GDPR places obligations on companies related to the selection and use of third parties who process EU personal data on their behalf (i.e., data processors). This includes a requirement to enter into specific contractual terms with those third parties to ensure that EU personal data is adequately protected. Data Processing Agreements typically include (but are not limited to) the following provisions:
- Only processing personal data at the written instruction of the controller
- Implementing appropriate technical and organizational measures to safeguard personal data in a manner that meets Article 32 Security requirements of the GDPR
- Controller Audit Rights
- Use and approval of “sub processors”
- Data Breach Notifications
- Assisting the controller with the fulfillment of the controller’s obligation to respond to requests from data subjects exercising their rights under GDPR (such as data subject access requests, data deletion requests, etc.)
Q9: As a Marketplace Vendor am I covered by Atlassian’s Data Processing Agreement?
No. Atlassian’s standard Data Processing Agreement does not cover your processing of personal data. Atlassian’s DPA is an extension of our Customer Agreement and is specific to where Atlassian is a processor of our customers’ personal data.
Q10: As a Marketplace Vendor do I need to have a Data Processing Agreement in place with customers?
Customers who have integrated your app with their use of Atlassian products may approach you to enter into a separate Data Processing Agreement that would be applicable to your specific contractual relationship with that customer and the data processing operations you are conducting on their behalf.
Q11: How can I certify that my app is GDPR compliant?
Currently, there is no “GDPR certification” that companies can earn. The EU Commission is currently exploring allowing certain third parties to audit and certify companies as “GDPR compliant.” Until there is more guidance on GDPR certifications, we encourage you to implement other measures that help to approximate a company’s investment in GDPR compliance including the adoption of specific security practices, technical certifications (including ISO27001, ISO27002 and ISO27018), and participation in EU-US Privacy Shield framework.
In the short-term, we have no plans to “certify” apps as GDPR compliant or non-compliant. However, we are exploring ways to surface the above-mentioned metrics in Marketplace Listings so that enterprise customers who are interested in integrating third party apps into their Atlassian cloud platform are able to make an informed choice around which Marketplace Vendors meet their own data privacy and security requirements.
Q12: Will Atlassian be making any immediate changes to the Atlassian Cloud Security Program or Verified Program?
No. We will not be making any changes to the Atlassian Verified and Cloud security programs at this time. However, we will be reviewing and evaluating these programs and may make changes in the future. If we do, we will provide sufficient notice and time for program members and the broader ecosystem to adapt. If you are a member of the Cloud security program, now is a great time to review the program requirements to ensure that your checklist and corresponding documentation is up to date.
Q13: Will Atlassian require me to obtain technical certifications such as: ISO27001, ISO27002, ISO27018 in order to participate in the Atlassian Ecosystem as a vendor listed on Atlassian Marketplace?
No. We will not be requiring technical certifications at this time. However, as noted above we will be reviewing our current programs and may require certain certifications for participation in those programs in the future.
However, we do encourage you to pursue technical certifications due to the fact that:
- Some customers may not be able to use your app without these types of certifications due to their own internal security and privacy requirements; and
- Certain technical certifications can help demonstrate your compliance with related GDPR requirements. For example, an organization that has obtained an ISO27001 certification will be in a good position to demonstrate compliance with the Security related obligations outlined in Article 32 of the GDPR:
- Take measures to pseudonymise and encrypt personal data;
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing; and or
- Identify and mitigate risks “from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” to be identified and mitigated.
Q14: Will Atlassian require me to participate in the EU-US Privacy Shield Framework in order to participate in the Atlassian Ecosystem as a vendor listed on Atlassian Marketplace?
No. We do not require participation in EU-US Privacy Shield Framework in order to list in the Marketplace, but certain customers might see this as a requirement in order to use your app. The GDPR imposes certain restrictions on the transfer personal data from the EU to other countries. If you are currently processing / storing EU customer data in the US or any other country outside of the EU that has not been deemed to provide an adequate level of data protection under the GDPR, you may be approached by customers to address EU data transfer legal requirements (such as certification to the EU-US Privacy Shield or by entering into EU approved Standard Contractual Clauses).