
Atlassian PTY Ltd.
Service Organization Controls (SOC) 2 Report Type 1
Bitbucket Cloud Description of System Relevant to Security, Availability and Confidentiality

As of March 31, 2017

With the Independent Service Auditor’s Report Including Description of Criteria and Control

TABLE OF CONTENTS

Section I: Atlassian’s Management Assertion .............................................................1

Section II: Independent Service Auditor’s Report .......................................................4

Section III: Bitbucket Cloud Description of System .....................................................8

Scope and Purpose of the Report ........................................ 9
Company Overview and Background ........................................ 9
Control Environment .................................................... 15
Description of Control Activities and Relevant Aspects of Operations ... 23
Subservice Organizations ............................................... 34
Complementary User Entity Controls ..................................... 36

Section IV: Description of Criteria and Controls .......................................................37

SECTION I: ATLASSIAN’S MANAGEMENT ASSERTION

Atlassian Corporation Plc
Registered office: c/o Herbert Smith Freehills LLP,
Exchange House, Primrose Street, London, United Kingdom, EC2A 2EG
Registered in England and Wales www.atlassian.com

Atlassian’s Management Assertion

We have prepared the accompanying Bitbucket Cloud Description of System (Description) of Atlassian Corporation Plc (“Atlassian” or “Service Organization”) based on the criteria in items i-ii below, which are the criteria for a description of a service organization’s system set forth in paragraph 1.26 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy updated as of July 1, 2015 (the description criteria). The description is intended to provide users with information about the Bitbucket Cloud system (System), particularly system controls, intended to meet the criteria for the security, availability, and confidentiality principles set forth in the AICPA’s TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable trust services criteria).

We confirm to the best of our knowledge and belief, that:

a. the Description fairly presents the System as of March 31, 2017, based on the following description criteria:

i. the Description contains the following information:

· The types of services provided.
· The components of the system used to provide the services, which are the following:
  Infrastructure. The physical structures, IT, and other hardware components of a system (for example, facilities, computers, equipment, mobile devices, and other telecommunications networks).
  Software. The application programs and IT systems that supports application programs (operating systems, middleware, and utilities).
  People. The personnel involved in the governance, operation and use of a system (developers, operators, entity users, vendor personnel, and managers).
  Procedures. The automated and manual procedures.
  Data. Transaction streams, files, databases, tables, and output used or processed by the system.
· The boundaries or aspects of the system covered by the description.
· For information provided to, or received from, subservice organizations or other parties: how such information is provided or received; the role of the subservice organization or other parties; the procedures the service organization performs to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
· The applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, the following: complementary user-entity controls contemplated in the design of the Atlassian Bitbucket Cloud; when the inclusive method is used to present a subservice organization, controls at the subservice organization.
· If the service organization presents the subservice organization using the carve-out method: the nature of the services provided by the subservice organization; each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria.
· Any applicable trust services criteria that are not addressed by a control at the service organization or subservice organization and the reasons therefore.

ii. the Description does not omit or distort information relevant to the service organization’s system while acknowledging that the Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs.

b. the controls stated in the Description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls were implemented as described and if user entities applied the complementary user entity controls contemplated in the design of Atlassian’s controls and if subservice organizations applied the controls contemplated in the design of Atlassian’s controls as of March 31, 2017.

c. The Atlassian controls stated in the description were designed effectively and implemented to meet the applicable trust services criteria.

Signature

George Totev
Head of Risk & Compliance
Atlassian

SECTION II: INDEPENDENT SERVICE AUDITOR’S REPORT


Ernst & Young LLP
303 Almaden Boulevard
San Jose, CA 95110

Tel: +1 408 947 5500
Fax: +1 408 947 5717
ey.com

Independent Service Auditor’s Report

To the Management of Atlassian PTY Ltd.,

Scope

We have examined Atlassian’s accompanying Bitbucket Cloud Description of System (Description) as of March 31, 2017 based on the criteria set forth in paragraph 1.26 of the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy updated as of July 1, 2015 (the description criteria) and the suitability of the design and implementation of controls described therein to meet the criteria for the security, availability, confidentiality principles set forth in the AICPA’s TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable trust services criteria) as of March 31, 2017. The Description indicates that certain applicable trust services criteria specified in the Description can be met only if complementary user entity controls contemplated in the design of Atlassian’s controls are suitably designed and implemented, along with related controls at the service organization. We have not evaluated the suitability of the design or implementation of such complementary user entity controls.

Atlassian uses NTT Communications (subservice organization) to provide hosting services and Amazon Web Services (subservice organization) to provide storage backup services. The description indicates that certain applicable trust services criteria can be met only if certain types of controls that management expects to be implemented at the subservice organizations are suitably designed and implemented. The description presents Atlassian’s system; its controls relevant to the applicable trust services criteria; and the types of controls that the service organization expects to be implemented and suitably designed at the subservice organization to meet certain applicable trust services criteria. Our examination did not extend to the services provided by the subservice organization and we have not evaluated whether the controls management expects to be implemented at the subservice organization have been implemented or whether such controls were suitably designed as of March 31, 2017.

Atlassian’s responsibilities

Atlassian has provided the accompanying assertion titled, Atlassian PTY Ltd Management Assertion (Assertion) about the fairness of the presentation of the Description based on the description criteria and suitability of the design and implementation of the controls described therein to meet the applicable trust services criteria. Atlassian is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) specifying the controls that meet the applicable trust services criteria and stating them in the Description; and (5) designing, implementing, and documenting the controls to meet the applicable trust services criteria.


Service auditor’s responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the Description based on the description criteria and on the suitability of the design of the controls described therein to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the Description is fairly presented based on the description criteria, and (2) the controls described therein are suitably designed and implemented to meet the applicable trust services criteria as of March 31, 2017.

An examination of a description of a service organization’s system and the suitability of the design and implementation of the service organization’s controls, involves performing procedures to obtain evidence about the fairness of the presentation of the Description based on the description criteria and the suitability of the design and implementation of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or implemented. Our examination also included evaluating the overall presentation of the Description. We believe that the evidence we have obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent limitations

The Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to its own particular needs. Because of their nature and inherent limitations, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or conclusions about the suitability of the design and implementation of the controls to meet the applicable trust services criteria is subject to the risk that the system may change or that controls at a service organization may become ineffective or fail.

Opinion

In our opinion, in all material respects, based on the description criteria and the applicable trust services criteria:

a. the Description fairly presents the Bitbucket Cloud system that was designed and implemented as of March 31, 2017.

b. the controls stated in the Description were suitably designed and implemented to provide reasonable assurance that the applicable trust services criteria would be met if user entities applied the complementary user entity controls contemplated in the design of Atlassian’s controls and if subservice organizations applied the controls contemplated in the design of NTT and AWS controls as of March 31, 2017.


Restricted use

This report, including the description of controls in the Description of Criteria and Results, is intended solely for the information and use of Atlassian, user entities of Atlassian’s Bitbucket Cloud system and prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

· The nature of the service provided by the service organization
· How the service organization’s system interacts with user entities, subservice organizations, or other parties
· Internal control and its limitations
· Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria
· The applicable trust services criteria
· The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

April 28, 2017
San Jose, California

SECTION III: BITBUCKET CLOUD DESCRIPTION OF SYSTEM

Section III – ATLASSIAN’S BITBUCKET CLOUD DESCRIPTION OF SYSTEM

Bitbucket Cloud Description of System Relevant to Security, Availability and Confidentiality

Scope and Purpose of the Report

This report describes the control structure of Atlassian PTY Ltd. (hereinafter “Atlassian”) as it relates to Atlassian’s Bitbucket Cloud (hereinafter “the System” or “Bitbucket Cloud”) as of March 31, 2017 for the Security, Availability and Confidentiality Trust Services Principles.

The description is intended to provide Bitbucket’s customers, prospective customers and auditors with information about the system controls related to the criteria for the Security, Availability and Confidentiality Trust Services Principles set forth by the American Institute of Certified Public Accountants (hereinafter the “AICPA”) in the 2015 version of TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (hereinafter the “Applicable Trust Services Criteria”). This description may not provide information about Atlassian’s Bitbucket system controls that do not relate to the Applicable Trust Services Criteria.

Company Overview and Background

Atlassian was founded in 2002 by Scott Farquhar and Mike Cannon-Brookes and had its Initial Public Offering (IPO) in 2015. It is headquartered in San Francisco, California and has offices in Mountain View, California; Manila, Philippines; Sydney, Australia; Yokohama, Japan; Amsterdam, Netherlands; and Austin, Texas.

Atlassian’s mission is to unleash the potential in every team. Its collaboration software helps teams organize, discuss and complete shared work. Teams at more than 65,000 large and small organizations use Atlassian's project tracking, content creation and sharing, real-time communication and service management products to work better together and deliver quality results on time. Its products include JIRA Software, Confluence, HipChat, Bitbucket and JIRA Service Desk.

The system in scope for this report is primarily the Bitbucket Cloud system and the supporting IT infrastructure and business processes.


Overview of Products and Service

Bitbucket Cloud is a web application that allows individuals and organizations to store and collaborate on source code using the Git or Mercurial distributed version control systems. Bitbucket is one of several products offered by Atlassian and offers seamless integration with other Atlassian products such as JIRA and Confluence. Bitbucket also offers issue tracking, asset downloads, static site hosting, a wiki, Git Large File Support and automated build functionality. While these features and functions are available to customers, they are out of scope for the purpose of this report.

Infrastructure

Bitbucket Cloud's services and features are provided by a set of services running in the NTT datacenter in Ashburn, Virginia, with backup services on standby in the NTT datacenter in Santa Clara, California.

Separate application nodes handle web, SSH, HTTPS Git, and HTTP Mercurial requests. NetApp database appliances provide persistent storage. Redis is a data store primarily used for customers to gain insight on the recent activities on a given repository. The load balancers, clusters and Redis are out of scope in this report.

Bitbucket Cloud's additional functionalities are hosted in Amazon Web Services (AWS), including web hooks, Atlassian account and media services. These functionalities are out of scope in this report.

The processes and controls managed by the NTT datacenter and AWS are excluded from the scope of this report.

Figure 1: Architecture Diagram


Network

Bitbucket Cloud's public network connectivity is maintained by Atlassian's Network Engineering team. Inbound packets route through Akamai, where engineers can mitigate denial-of-service attacks; outbound packets are routed through either NTT or Level 3, as appropriate for the destination.

User-initiated connections are available using IPv4 or IPv6 addresses and are available on TCP ports 22 (SSH), 80 (HTTP) or 443 (HTTPS). A special hostname, altssh.bitbucket.org, provides SSH connectivity over port 443 for users whose networks restrict outbound connections to port 22.

All unencrypted HTTP connections are redirected to an equivalent HTTPS endpoint. Bitbucket Cloud also publishes a Strict-Transport-Security header so that user agents redirect internally to HTTPS. All inbound connections are then load-balanced, based on factors such as traffic type, host header, request path and user agent.

User requests may also be redirected to Amazon S3 for user downloads, Amazon CloudFront for static assets in the user interface, or to a service managed by Atlassian's Media Services team for Git LFS objects or Mercurial clonebundles. These are out of scope for this report.

Bitbucket Cloud-initiated connections are currently limited to notification mail and user-configured webhooks. Mail is encrypted in transit to third-party providers. Webhooks may be unencrypted at user request, or they may be sent to HTTPS servers with unverifiable certificates at user request, though both of these cases are discouraged. Both mail and webhooks originate from consistent IP addresses within Atlassian-managed space.

Within the datacenter, Bitbucket Cloud systems use logical binding on multiple network interfaces to provide redundancy against hardware failures. A dedicated VLAN connects application nodes to repository storage; other VLANs connect application nodes, load balancers, database servers and other resources to each other. All internal resources are isolated from the Internet by firewall.
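As an added example (not code from the report or from Atlassian), the following Python checks captured HTTP responses against the two transport controls described above (a plain-HTTP request answered with a redirect to the equivalent HTTPS endpoint, and a Strict-Transport-Security header on the HTTPS response) and audits a user-configured webhook URL for the unencrypted and unverified-certificate cases the description discourages. The response dictionaries, the example.test host and the function names are constructed for this example.

```python
"""Offline checks for the transport controls described above: a plain-HTTP
request must be answered with a redirect to the equivalent HTTPS URL, the
HTTPS response must publish a Strict-Transport-Security (HSTS) header, and a
user-configured webhook endpoint should use HTTPS with certificate
verification left on.  Added example; not code from the report or Atlassian."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months, a common minimum for HSTS

# Constructed sample responses; example.test is not a real service.
PLAIN_HTTP_RESPONSE = {
    "url": "http://example.test/team/repo/src?at=main",
    "status": 301,
    "headers": {"Location": "https://example.test/team/repo/src?at=main"},
}
HTTPS_RESPONSE = {
    "url": "https://example.test/team/repo/src?at=main",
    "status": 200,
    "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
}


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def check_http_redirect(response: dict) -> List[str]:
    """Return problems with a plain-HTTP response; an empty list means it
    redirects to the HTTPS URL with the same host, path and query (the
    'equivalent endpoint' the control calls for)."""
    if response["status"] not in REDIRECT_STATUSES:
        return [f"expected a redirect, got status {response['status']}"]
    location = header(response["headers"], "Location")
    if location is None:
        return ["redirect without a Location header"]
    src, dst = urlsplit(response["url"]), urlsplit(location)
    problems = []
    if dst.scheme != "https":
        problems.append(f"redirect target scheme is {dst.scheme!r}, not https")
    if dst.hostname != src.hostname:
        problems.append(f"redirect leaves the host ({src.hostname} -> {dst.hostname})")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("redirect target is not the equivalent path/query")
    return problems


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse HSTS directives (RFC 6797) into {name: value}; flags map to None.
    Directive names are case-insensitive, so they are lower-cased."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(response: dict, min_max_age: int = MIN_HSTS_MAX_AGE) -> List[str]:
    """Return problems with the HSTS header on an HTTPS response."""
    value = header(response["headers"], "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    max_age = parse_hsts(value).get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["HSTS max-age missing or not a number"]
    if int(max_age) < min_max_age:
        return [f"HSTS max-age {max_age} is below the {min_max_age}s minimum"]
    return []


def audit_webhook_url(url: str, verify_certificate: bool = True) -> List[str]:
    """Flag the two webhook configurations the description discourages:
    plain-HTTP delivery and HTTPS delivery without certificate verification."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        return [f"webhook {url} is delivered over {scheme or 'an unknown scheme'}, not https"]
    if not verify_certificate:
        return [f"webhook {url} accepts unverifiable certificates"]
    return []


if __name__ == "__main__":
    for name, problems in [
        ("http->https redirect", check_http_redirect(PLAIN_HTTP_RESPONSE)),
        ("hsts", check_hsts(HTTPS_RESPONSE)),
        ("webhook", audit_webhook_url("http://hooks.example.test/ci")),
    ]:
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

In practice the two response dictionaries would be filled from a real client (status code, request URL and header map) before being passed to the checks.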

Servers

Application nodes are stateless and clustered based on their primary service. Cluster types include, but are not limited to, the user interface; API; Git or Mercurial repository operations over SSH; Git or Mercurial repository operations over HTTP; asynchronous tasks.

Physical server configurations are managed using various tools including Puppet.

Database

Bitbucket Cloud’s customer data is stored in PostgreSQL and NetApp filers. PostgreSQL contains account attributes, permissions, issues, pull requests and wiki data while NetApp contains customer repository data. All primary database servers reside in the physical datacenters with replication nodes and backups being stored in both physical datacenters as well as AWS.


Software

In-scope production servers run on CentOS. The following software and tools support the Bitbucket Cloud control environment and are in scope as part of the controls and processes being executed:

· OneLogin – identity and access management software
· JIRA – ticketing system used for incident management, user access provisioning, and the change management process
· Bamboo – continuous integration tool used to perform automated testing and deployment activities
· Bitbucket Server – source code and development projects tool
· Puppet – open-source software configuration management tool
· LastPass – password and certificate repository
· AWS Glacier – data archiving and long-term backup storage service
· Workday – HR system
· Impraise – performance feedback tool
· SmartRecruiters – hiring tool
· Datadog – monitoring tool
· Pollinator – monitoring tool

NTT and AWS Glacier are managed by a third-party vendor; Atlassian performs a review of the SOC 2 reports as discussed below. Datadog, LastPass, Workday, OneLogin, Impraise and SmartRecruiters are also managed by a third-party vendor; however, customer data is not stored in these applications. These are supporting and monitoring tools not in scope for the SOC 2 report and are only applicable to support certain controls and criteria.

People

Atlassian’s organizational structure is managed by a committee consisting of Human Resources, Financial Planning and Analysis, as well as Senior Management and Leadership (including the Co-Founders).

Atlassian conducts an annual planning process that culminates in a fiscal year budget for revenue, expenses and headcount. The co-CEOs sign off on the annual P&L and incremental headcount for the next fiscal year. A summary of quarterly hires by location and functional group is provided which, once approved, becomes the basis for hiring for the coming fiscal year. The planning framework consists of the following components:

· Strategic Plan
· Operating Plan
· Financial Plan


The following organizational chart identifies the teams responsible for human resources, strategic planning, education/training, legal matters, business growth/modeling and technology operations:

Figure 2: Atlassian’s Organizational Chart

The Co-Founders are responsible for directing all designated areas including Product Management, People Operations, Foundation, Legal, Growth and Modeling and the Technology teams. All teams have full responsibility over key operations within Atlassian:

· Product Management - focuses on validating the demands of customers and provides insight and guidance around minimum viable product and user experience.

· People Operations (in partnership with the people leaders) - focuses on determining the right talent strategy to deliver against the needs of Atlassian. The People team is responsible for talent acquisition and learning, total rewards and technology, and workplace experiences.

· Foundation - exists to harness the resources of Atlassian to champion organizations who believe that education is the key to eliminating disadvantage. This is accomplished by improving educational outcomes in developing countries, increasing skill-based volunteering and leveraging Atlassian’s products.

· Legal - responsible for matters related to corporate development, privacy, general counsel operations, public relations, risk and compliance.

· Growth and Model - responsible for monitoring business trends, analytics, data engineering and data science.

· Chief Technology Officer (Technology Operations) - oversees Engineering, Security, Mobile, Ecosystem and Platform.

o Head of Engineering, Software Teams - oversees all operations for the products.


o Development Manager:

§ Drives and improves product quality and innovation, team productivity, customer satisfaction and product supportability, and manages simultaneous projects in an agile fashion.

§ Coordinates multiple streams of software development, involving multiple teams, geographic distribution and indirect reports.

§ Collaborates with Product Management by contributing to roadmaps, setting priorities, and providing estimates.

§ Collaborates with Customer Support to ensure customer success and drive quality improvements.

§ Promotes, defines, refines and enforces best practices and process improvements that fit Atlassian's agile methodology.

§ Provides visibility through metrics and project status reporting.

§ Sets objectives for people and teams and holds them accountable.

§ Works with Recruitment to attract and hire outstanding individuals to create high-performing, balanced teams.

§ Leads by example and practices an inclusive management style.

Data

Customers sign up to Bitbucket Cloud using the website and, upon accepting the terms and conditions, the customer account is created in PostgreSQL. Once a repository is created in Bitbucket Cloud, a specific folder is created on the NetApp file server. The path is automatically assigned by Bitbucket Cloud: it creates the volume where the repository is stored, and the volume contains a number of directories. The directory contains the specific repository number to which the customer is routed. The path can be seen by the customer on their Bitbucket website.

Production customer data is encrypted in transit but not at rest.

Policies and Procedures

Atlassian maintains a Policy Management Program to help ensure policies and procedures:

1. Are properly communicated throughout the organization
2. Are properly owned, managed and supported
3. Clearly outline business objectives
4. Show commitment to meet regulatory obligations
5. Are focused on continual iteration and improvement
6. Provide for an exception process

Policy Framework and Structure

Atlassian defines their policy, standard, guideline and procedures to refer to documents that fall within the policy infrastructure.

Policy
  Defines: General rules and requirements ("state")
  Explanation: Outlines specific requirements or rules that must be met.

Standard
  Defines: Specific details ("what")
  Explanation: Collection of system-specific or procedural-specific requirements that must be met by everyone.

Guideline
  Defines: Common practice, recommendations and suggestions
  Explanation: Collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective policies make frequent references to standards and guidelines that exist within an organization.

Standard operating procedures
  Defines: Steps to achieve Standard/Guideline requirements, in accordance with the rules ("actions")
  Explanation: Positioned underneath a standard or guidelines, it is a set of instructions on how to accomplish a task. From a compliance perspective, a procedure is also referred to as a control activity. The goal of a process/procedure is to ensure the consistent outcome defined by the standard or guideline.

Policy Requirements

Every policy has a policy owner who is responsible for managing the risk outlined in the policy objective. All policies are reviewed, at least annually, to ensure they are relevant and appropriately manage risk in accordance with Atlassian’s risk appetite. Changes are reviewed by the Atlassian Policy Committee (APC) and approved by the corresponding policy owner.

Policy exceptions and violations are reviewed by the APC and actions are recommended to the policy owners and executive team. Policy owners can approve exceptions for a period no longer than one year.

Policy Review Process

Generally, in order to advance a policy, standard, guideline or procedure to being publicly available internally, each document should go through a review process. The review process should follow the generally accepted internet Request for Comment process, where feedback is sought from a small group of knowledgeable peers on the topic. After feedback is incorporated, the group is expanded to the Policy Committee, either via email or via the internal corporate chat system. Further feedback can be sought from the internal corporate chat system as well. Any announcements of changes or updates to policies, standards or guidelines can be shared via the Blog on Policy Central.

Relevant Aspects of the Control Environment, Risk Assessment, Control Activity, Monitoring, and Information and Communication

Control Environment

The objectives of Atlassian’s control environment are to set the tone for the organization’s internal control. Below are the components of the control environment:


Management Controls and Operating Style

The control environment at Atlassian entails the involvement of Executive and Senior Management, who are engaged on an ongoing basis. The Risk and Compliance team engages the Executive and Senior Management in various ways:

1. Standards - Atlassian follows specific standards that enable the organization to exercise practices around security, availability, quality, reliability and confidentiality.

2. Tools - Atlassian leverages tools designed specifically to assist in identifying, analyzing, tracking, deciding, implementing and monitoring risks and findings. In addition, the tools allow us to effectively communicate and collaborate with workflow to ensure activities are properly tracked. The use of customized tools allows them to be more closely integrated with the standard way of how Atlassian operates: specific, scalable, systematic and robust.

3. Enterprise Risk Management Process - Atlassian uses an Enterprise Risk Management process that is modeled after ISO 31000:2009 "Risk Management - Principles and Guidelines."

4. Unified approach - As Atlassian becomes involved across various best practice, legal and regulatory requirements, it becomes more essential to create control activities that are universal and not unique to specific standards and guidelines. Instead of tracking control activities specific to a standard, Atlassian tracks activities that are universal and meet multiple standards. This approach has enabled Atlassian to speak a common language across the organization. Along with a unified approach comes operational efficiency and a way to more effectively establish a controlled environment.

Integrity, Ethical Values and Competence

Integrity, ethical values and competence are key elements of Atlassian’s control environment. Atlassian employees are required to acknowledge the Code of Conduct, Insider Trading Policy, and FCPA and Anti-Corruption Policy. The HR Operations team is involved in helping ensure these policies and agreements are acknowledged and background screening is followed through. Employees and contractors with access to Atlassian systems are asked to re-acknowledge on an annual basis.

The Atlassian Code of Conduct covers the following:
· Standards of Conduct
· Compliance Procedures

All Atlassian employees are assigned a task in Workday to acknowledge the Code of Conduct, Insider Trading Policy, and FCPA and Anti-Corruption Policy. The Human Resources Operations team reviews Workday for completion of the task and follows up with employees in the cases where the task is not completed.

Atlassian has a documented Code of Conduct policy and process to help ensure that all employees complete the acknowledgement. An operational control is provided by the Workday system-generated task assignment, which allows a report to capture any employees that have not completed acknowledgement of Atlassian's Code of Conduct. A process for follow-up in these cases is documented.


TrainingAtlassian requires anti-harassment training and also offers opportunities for technical trainingand professional development. In regards to technical training and professional development,every Atlassian employees has the ability to reach their fullest potential and do the best workof their lives when given the right support. Autonomy, mastery and purpose are cornerstonesof this philosophy so to the extent possible. Atlassian wants to lower the barriers to getting thelearning the staff needs, making it possible to take charge of employee learning needs and ownmore of one’s growth and development. Atlassian offers professional development foremployees via training/tuition reimbursements and online learning management systems.

Accelerate U is an Atlassian Learning and Development program to help employees pursue new ways to learn and grow. Everything from senior leadership to product training courses is available through Accelerate U. Accelerate U provides tracks for all employees as well as training specific to leaders at Atlassian.

· Career Navigator is a specific Accelerate U program geared to help employees understand expected attitudes, behavior and skills that contribute to success in a role and connect them to resources aimed at improving those skills. The Learning & Development team has done extensive research to create formalized competencies for a majority of roles at Atlassian, particularly those that are customer and product facing. Managers and employees use these competencies to see what is required for success in a position and what areas an employee needs further development/training around. Based on these gaps, managers and the Learning & Development team can recommend training, self-study, or coaching as needed.

· Showd.me, Atlassian's Learning Management System, is used to track formal and informal learning for Atlassian employees. For formal Atlassian training offerings, employees may register for Atlassian-offered trainings within Showd.me and managers may provide suggested courses that an employee should look into. The instructor of the class marks the course as complete in Showd.me when the employee attends.

Organizational Structure

The organizational charts are reviewed and updated on a quarterly basis. Organizational charts are perpetually updated based on employee action notices and available to all Atlassian employees via Workday.

Annual Headcount Budgeting and Review

Atlassian conducts an annual planning process that culminates in a fiscal year budget for revenue, expenses and headcount. The co-CEOs sign off on the annual P&L and incremental headcount for the next fiscal year. A summary of quarterly hires by location and functional group is provided which, once approved, becomes the basis for hiring for the coming fiscal year.

Human Resource Policies and Procedures

Atlassian has a job posting process and job advertisement template for all recruiters and team members to determine what needs to be included in each job advertisement. The text of all job ads is reviewed. All Atlassian job ads are required to pass an approval process before they are posted on the careers page. The job ad is created by the recruiter and hiring manager. Additionally, a team reviews posted job ads for consistency, spelling/grammar, diversity-friendly verbiage, etc.

The recruiting process is based on prior relevant experience, educational background and a clear understanding of integrity and ethical behavior. As part of the hiring process, interview feedback is collected in the applicant tracking system, SmartRecruiters, for all candidates that participate in an onsite interview. Each interviewer has access to SmartRecruiters and is able to view the candidates' profiles. A recruiter will not initiate an offer for hire without receiving a minimum of 2 reviews in SmartRecruiters prior to the candidate's start date. The exception to this process is contractors. For contractors, who are hired outside of the standard hiring process and outside of SmartRecruiters, there is a confirmation-of-screening step in the onboarding process within Service Desk.

Roles and responsibilities are properly documented in job ads as well as within the online applicant tracking system. Background checks are also performed and results are reviewed against a results matrix and escalated to Legal and the Head of HR Operations, if needed.

Upon hiring, a 90-day onboarding plan is provided to all new employees as part of the onboarding process with Atlassian to get them up to speed on their role and responsibilities and to become acclimated to the culture. In addition, confidentiality and protection of company assets are clearly communicated and acknowledged by new hires. The HR Operations team delivers the plan to the employee during the onboarding communications process. Atlassian also requires that all employees and independent contractors sign a Confidential Information and Invention Assignment Agreement (CIAA).

A weekly review is performed to determine that new employees are assigned a 90-day plan, and that the CIAA (Confidential Information and Invention Assignment Agreement) and background checks are completed prior to their start date.

Once a year, Atlassian people leaders host performance check-ins with their team members to have a two-way conversation about how each team member contributed to Atlassian's success for the previous 12 months and to identify opportunities for improvement. After the check-in feedback process closes, the managers then provide performance and relative contribution ratings for all those on their team. The final stage of performance appraisals is Atlassian's salary planning process for providing potential merit increases.

Manual presentations, reminders, and trainings are used to communicate the process to Atlassian employees. In addition, system controls provided by Impraise (for check-ins) and Workday (for relative contribution and salary planning) track that all eligible Atlassian employees participate in performance reviews.

Risk Assessment

An Enterprise Risk Management (ERM) process is in place to manage risks associated with the company strategy and business objectives.

Atlassian utilizes a process which:

• Establishes the context, both internal and external, as it relates to the company business objectives
• Assesses the risks
• Facilitates development of strategies for risk treatment
• Communicates the outcome
• Monitors the execution of the risk strategies, as well as changes to the environment

The Enterprise Risk Management process is modeled after ISO 31000:2009 "Risk Management - Principles and Guidelines."

The context of the Enterprise Risk Assessment is the organization as a whole. While there may be specifics for a particular function, product or service, they are always considered in terms of affecting the entire company. This principle is followed not only in the analysis but also in evaluation of the risks (e.g. a risk that is critical for product A and low for Atlassian is evaluated as low). Nevertheless, if in the course of the analysis a significant concern is discovered for a particular function, product or service, this is flagged for subsequent follow-up.

To perform activities supporting the ERM, various sources of information are crucial to encompass all areas of the organization. Information sources include but are not limited to:

• Business goals and objectives - High level business goals and objectives and the strategies in place to achieve these goals and objectives.

• Major initiatives - Large projects and initiatives that could have significant impact on the company's risk profile. Additionally, Risk & Compliance managers are engaged by various teams and they bring their knowledge of the environment into consideration.

• Risk and Compliance assessments - Throughout the period Atlassian performs a number of periodic and ad-hoc assessments. Results of the assessments are captured in the Atlassian Governance, Risk and Compliance (GRC) tool.

• Incidents - Atlassian utilizes a common Incident Management Process (IM), including Post Incident Review (PIR). The goal of PIR is not only to establish the root cause but also to create actions aimed at reducing the risk of a repeated incident.

• Organizational policies - Organizational policies that have been put in place to achieve the organization’s strategic goals and objectives.

• Interviews with major stakeholders and subject matter experts (SME) - As part of the structured Enterprise Risk Assessment we interview all members of the Management team and engage with SMEs as needed.

• Other sources - we may consult industry publications, analyses, incidents, etc., as necessary.

• Internal and external context of the ERM process includes but is not limited to understanding:

  o Competitive environment - who are the major competitors; what threat level they present; what are the trends in the industry

  o Legal/Regulatory environment - what are the obligations in the jurisdictions in which we operate; what are the industry standards we need to abide by

  o Financial environment - current status as well as trends in the financial and currency markets that could affect us; perceptions and values of external stakeholders

  o Technological environment - what are the trends in technology and software development

  o Business environment - markets that we are currently in or plan to enter; what is the perception of Atlassian and its products/services; what are the current developments and trends in Atlassian's ecosystem; major vendors and customers

  o Human environment - what are the social and cultural trends that could affect us; what are the current status and trends of the talent pools where we currently have or plan to establish presence

  o Natural environment - considerations related to natural disasters and office locations and facilities

The goal of establishing the external context is to identify potential key drivers and trends that could impact the organization.

• Organizational structure, governance, roles and accountabilities
• Short and long-term strategies, objectives, initiatives, programs and projects
• Resources and capabilities (capital, people, skillsets, technologies, facilities)
• Operations (processes, services, systems)
• Organizational culture and values
• Information, information flow and decision making
• Policies and standards
• Vendor agreements and dependencies

The goal of establishing the internal context is to identify potential key internal misalignments between strategy, objectives, capabilities and execution.

A Risk and Compliance function plays a crucial role in Atlassian's ability to integrate ERM throughout the organization. The risk assessment process entails the following:

• Identification of risks
• Analysis of risks identified
• Evaluation of the risks
• Treatment of the risks

Throughout all stages of the Enterprise Risk Management process, the Risk & Compliance team communicates with the relevant stakeholders and consults with appropriate SMEs.

All risks and associated treatment plans (e.g. remediation) are recorded in the GRC. Links to detailed treatment plans, along with individual tasks, are also established. The Risk & Compliance team monitors the progress and provides oversight of the plans' execution. Progress review is part of the operational business function meetings, as are periodic updates to the risk owners and Executive Operations.

The Atlassian Risk & Compliance team monitors the environment of internal control and identifies significant changes that have occurred. The Risk and Compliance team meets on a weekly basis, with bi-annual strategic planning, to discuss:

· Risk and Compliance strategic direction
· Changes happening within the organization that affect Risk and Compliance efforts and initiatives
· Changes happening outside of Atlassian that affect Risk and Compliance efforts and initiatives
· The Risk and Compliance pipeline of how we approach risk and compliance with internal customers
· Changes to existing compliance standards and ingestion of new ones

In addition, the Risk & Compliance team conducts internal audits. Internal audits are performed, results are communicated and corrective actions monitored. The Risk and Compliance team engages third-party qualified auditors to perform compliance audits against standards on an annual basis. The results of the audits are captured as findings in the GRC tool and remediation is tracked in the tool with regular reports to management.

Information and Communication

Atlassian constantly updates customers on their responsibilities as well as those of Atlassian. Communication includes but is not limited to policies, guidelines, customer privacy, security, product changes as well as product alerts.

Customer responsibilities are described on the Atlassian customer-facing website. The responsibilities include, but are not limited to, the following:

· Acceptable use policy
· Reporting copyright and trademark violations
· Customer Agreement
· Designating customers as authorized users
· Guidelines for law enforcement
· Privacy policy
· Reseller agreement
· Professional services agreement
· Service-specific terms
· Third party code in Atlassian products
· Training terms and policies
· Trademark

Atlassian communicates its commitment that security is a top priority for its customers and Atlassian internal users through https://www.atlassian.com/trust/security.

A vulnerability and incident portal is available for customers and Atlassian internal users to report any improvements, issues and/or defects related to security. A Cloud Security Statement, Cloud Security Alliance and adherence to ISO 27001 are also communicated to customers through https://www.atlassian.com/trust/faq.

In addition, customers and Atlassian internal users are offered multiple methods for contacting Atlassian. Customers can contact Atlassian via various methods to report issues on bugs, defects, availability, security and confidentiality:

· https://support.atlassian.com
· Social media
· General web site forms
· Email
· https://answers.atlassian.com
· https://trust.atlassian.com
· Public bug site

Atlassian also communicates security, availability and confidentiality principles to the internal users through the onboarding process and policies and procedures available in the internal Confluence pages.

Significant changes made to the system (new feature releases, integrations with other systems, interface updates) are communicated to customers via the Atlassian customer-facing website https://blog.bitbucket.org/. Blog posts generally include links to Bitbucket documentation and support resources that customers can use to troubleshoot issues and contact Atlassian.

Formal communication is in place to state Atlassian's obligations to both internal and external customers. Internal communications are directed to Atlassian staff to inform them of architectural, operational and support obligations for all relevant products and services. The scope of services includes but is not limited to:

· Load balancers
· Services
· Application node software components
· Persistent and ephemeral storage
· Internal provisioning, configuration, monitoring and platform maintenance

External obligations and product information to customers are communicated via www.atlassian.com and are covered specifically in the following areas:

· Atlassian documentation
  1. Getting started
  2. Tutorials
  3. Integrations with other systems, add-ons
  4. Administrative capabilities
  5. Product collaboration
  6. Knowledge base

· Frequently asked questions
· Customer agreement
· Privacy policy
· Professional services agreement

Information Security

Information and information systems are critical to the operations of Atlassian globally. Atlassian takes all appropriate steps to help ensure that all company information, customer information, and information systems are properly protected from threats such as error, fraud, industrial espionage, privacy violation, legal liability and natural disaster.

Information Security Controls

Information security controls are defined as appropriate and compliance with the controls is reviewed by the Risk and Compliance team.

Periodic Review of Risks and Controls

The Atlassian security program seeks to balance risk against the cost of implementing controls. A periodic review of risks and security controls will be carried out to address changing business requirements and priorities. All security policies are assessed and reviewed at least on an annual basis. Evaluation of risks and controls is accomplished in line with a Risk Management Program and Compliance Program.

Information Security Training

Appropriate training enables employees to comply with their responsibilities as they relate to the Information Security Policy. The Security team periodically launches company-wide phishing exercises. Exposure rates are tracked and reported to all Atlassian employees to raise awareness. The report also includes educational material and best practices to avoid future attacks.

Disciplinary Notice

In the event of a violation of the Information Security Policy, employees are required to notify management upon learning of the violation. Employees who violate the Information Security Policy are subject to disciplinary action, up to and including termination of employment.

Description of Control Activities and Relevant Aspects of Operations

A. Change Management

Change initiation

Changes to Bitbucket Cloud are planned in Confluence and JIRA by the Bitbucket product development team, including product management, design, engineering, and quality assurance.

Change Development

A developer creates a local branch in Bitbucket Cloud, downloads the branch to a local drive and begins coding. After the code is updated, code changes are submitted as pull requests against the Bitbucket staging branch; each pull request must be approved by at least two reviewers and pass all automated tests performed by Bamboo. Merging code to the staging branch is restricted to pull requests.

Peer review green build process (PRGB)

Code repositories enforce peer review and green build settings using built-in compliance settings. When pushing to Deployment Bamboo, an API validates that the following Bitbucket Server and Bitbucket Cloud SOX settings are enforced on the repositories:

· Requires >1 approver
· Unapprove automatically on new changes
· Changes without a pull request

If these settings are not enforced, the code is rejected.

In addition, changes cannot be made to Bitbucket Cloud code that do not pass over 2500 automated tests that help ensure the functionality and integrity of the application is not compromised by the change.

The Bitbucket Cloud development team uses the "merge checks" feature built into Bitbucket Cloud to enforce review requirements. This prevents any changes to the production branch (the version of application code that is served to all customers) except through a peer-reviewed and tested pull request; direct commits (changes) to the production branch are not allowed. Before a pull request to production can be merged, it must be approved by at least two authorized developers. The author of the pull request cannot provide one of these approvals. If there is any change to the code contained in the pull request, any previous approvals are not counted, and the pull request must be re-approved before it can be merged.

The changes in the pull request must also pass all automated tests that run in Atlassian's Deployment Bamboo instance. Administrative access to Deployment Bamboo is limited to the members of the Build Engineering team.

Change Deployment

After a pull request is merged into the production branch, when the Bitbucket Cloud team is ready to deploy the new version, the deployment is executed via Deployment Bamboo, which stores the code in Artifactory. Before a build can be created, Deployment Bamboo performs a check to confirm that the PRGB controls were in effect on the source repository. Administrative access to Artifactory is limited to the members of the Build Engineering team.

An Atlassian-only "Compliance" setting in Bitbucket Cloud prevents any of the above controls from being changed or turned off, either via the web UI or the API. If the "Compliance" control itself is turned off for a repository, Bitbucket Cloud logs an event to the Atlassian data warehouse, where it triggers an automated alert in the REPCOM system. Any such alerts are routed to the relevant development manager to verify no unauthorized changes were made and to restore the setting.

When a developer pushes the deploy button in Deployment Bamboo, the developer can only select, from a drop-down menu, code in Artifactory that was stored by Deployment Bamboo.
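The merge gate and the Compliance-setting alert described above, modelled as an added example (not Atlassian's own implementation): the repository settings check that Deployment Bamboo performs before a build, the approval rules for a pull request (two non-author approvals, voided by any new commit, plus a green build), and a scan of audit events for the Compliance setting being turned off. The setting names, the event shapes, the actor names and the key=value log format are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Number of approvers the PRGB check expects ("Requires >1 approver").
REQUIRED_MIN_APPROVERS = 2


@dataclass
class RepoSettings:
    min_approvers: int               # "Requires >1 approver"
    unapprove_on_new_changes: bool   # "Unapprove automatically on new changes"
    block_changes_without_pr: bool   # no direct commits outside a pull request


def prgb_violations(s: RepoSettings) -> List[str]:
    """Return the PRGB settings a repository fails to enforce (empty list = check passes)."""
    problems: List[str] = []
    if s.min_approvers < REQUIRED_MIN_APPROVERS:
        problems.append(f"only {s.min_approvers} approver(s) required; need >1")
    if not s.unapprove_on_new_changes:
        problems.append("approvals are not reset when new changes are pushed")
    if not s.block_changes_without_pr:
        problems.append("changes without a pull request are allowed")
    return problems


@dataclass
class PullRequest:
    author: str
    # Ordered history of ("commit", actor) and ("approve", actor) events (constructed shape).
    events: List[Tuple[str, str]]
    build_green: bool                # outcome of the automated test run


def effective_approvals(pr: PullRequest) -> List[str]:
    """Approvals that still count after replaying the pull request history."""
    approvals: List[str] = []
    for kind, actor in pr.events:
        if kind == "commit":
            approvals = []           # any change to the code voids earlier approvals
        elif kind == "approve":
            if actor == pr.author:
                continue             # the author's own approval does not count
            if actor not in approvals:
                approvals.append(actor)
    return approvals


def merge_allowed(pr: PullRequest, settings: RepoSettings) -> Tuple[bool, List[str]]:
    """Apply the merge checks: compliant repo settings, two valid approvals, green build."""
    reasons = prgb_violations(settings)
    approvals = effective_approvals(pr)
    if len(approvals) < REQUIRED_MIN_APPROVERS:
        reasons.append(f"{len(approvals)} valid approval(s); need {REQUIRED_MIN_APPROVERS}")
    if not pr.build_green:
        reasons.append("automated tests did not pass")
    return (not reasons, reasons)


def compliance_alerts(audit_lines: List[str]) -> List[str]:
    """Scan key=value audit events for the 'Compliance' setting being turned off.

    Each alert names the repository and actor so it can be routed to the
    relevant development manager for follow-up.
    """
    alerts: List[str] = []
    for line in audit_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("setting") == "compliance" and fields.get("action") == "disabled":
            alerts.append(f"repo {fields.get('repo')}: compliance disabled by {fields.get('actor')}")
    return alerts


COMPLIANT = RepoSettings(min_approvers=2, unapprove_on_new_changes=True, block_changes_without_pr=True)

# Constructed pull request histories covering the three rules.
PR_AUTHOR_SELF_APPROVED = PullRequest(
    "alice", [("commit", "alice"), ("approve", "alice"), ("approve", "bob")], True)
PR_APPROVED_THEN_CHANGED = PullRequest(
    "alice", [("commit", "alice"), ("approve", "bob"), ("approve", "carol"), ("commit", "alice")], True)
PR_READY = PullRequest(
    "alice", [("commit", "alice"), ("approve", "bob"), ("approve", "carol")], True)

# Constructed audit lines as they might land in the data warehouse.
AUDIT_LINES = [
    "ts=2017-03-01T10:02:11Z repo=team/service setting=compliance action=disabled actor=dave",
    "ts=2017-03-01T10:05:40Z repo=team/service setting=compliance action=enabled actor=dave",
    "ts=2017-03-02T08:00:00Z repo=team/web setting=min_approvers action=changed actor=erin",
]

if __name__ == "__main__":
    for name, pr in [("self-approved", PR_AUTHOR_SELF_APPROVED),
                     ("changed after approval", PR_APPROVED_THEN_CHANGED),
                     ("ready", PR_READY)]:
        ok, why = merge_allowed(pr, COMPLIANT)
        print(f"{name}: {'merge allowed' if ok else 'blocked: ' + '; '.join(why)}")
    for alert in compliance_alerts(AUDIT_LINES):
        print("ALERT", alert)
```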

Scanning of Production Code

Sourceclear is used to scan the Bitbucket Cloud code base to detect vulnerable open source libraries being used. The scanner is integrated into the Bitbucket Cloud build plan and is run automatically when changes are made to the codebase. After each scan, Sourceclear generates a report which includes any vulnerable libraries found along with severity rankings and suggested mitigations.

The Sourceclear scanner is configured to fail a build if any high severity vulnerabilities are found. Developers periodically review the reports and triage the findings based on severity level. Different levels of severity will be addressed and prioritized within the development ticket tracking system.

Deployment Script Changes

Changes to the Deployment Bamboo scripts follow the change management process outlined above. Any changes made to the repositories affecting operating system, system configurations and other critical hardware follow a peer review and green build process. Code is peer reviewed and, once approved, uses Puppet as a method for deployment to a Deployment Bamboo system for green build processing/testing. Bitbucket Cloud operating system and database configurations are deployed using the Puppet configuration management tool. Configurations are stored in Bitbucket repositories.

Emergency Changes

Emergency changes follow the same PRGB process and controls.

B. Logical Access

Provisioning Customer Production Accounts

When creating an account with any of Atlassian’s products, the user is directed to acknowledge the standardized customer agreement. An account cannot be made for any of Atlassian’s products without first being directed to acknowledge the customer agreement. Upon creation, and if updated, the customer agreement is approved by the Legal department. The customer agreement is standardized across all Atlassian products. This includes customers’ responsibilities for security, availability and confidentiality.

After acknowledging the customer agreement, the customer account is created in PostgreSQL, and in the NetApp filer once a repository is created in the account.

Bitbucket isolates each customer's data per volume and directory in NetApp. The path can be seen by the customer in their Bitbucket website.

De-provisioning Customer Production Accounts

Customers’ data are stored in NetApp and PostgreSQL. Upon customer termination of service via their Bitbucket instance or through customer support, customer data is deleted in both NetApp and PostgreSQL automatically.

The Bitbucket Cloud Backup and Retention document is available on the intranet and outlines the type of customer information that is retained. The NetApp backup is automatically deleted after 7 days, which will remove the terminated customer’s data; however, the backup of PostgreSQL data, which is housed in AWS Glacier, is retained indefinitely. Currently, the Bitbucket team is working on identifying how the specific customer data can be removed from the backup once the service is terminated. Reliance is placed on the access controls in AWS Glacier, where only authorized users have access.

Production Environment Access

Customer Access

External customers registering for BB do not need to be authorized by Atlassian. Customer-side team administrators have the responsibility to invite and grant new user access upon their own designated authorized approver's permission.

Users can access Bitbucket via the browser user interface, directly from the command line using SSH or HTTPS, or using Bitbucket's REST API.

User account authentication and management is provided by an Atlassian Account. Users can authorize external services to access data using OAuth 2 and Atlassian's Connect framework (application-specific passwords). Users can also configure Bitbucket to send email and webhook notifications based on changes to the code stored on Bitbucket.

Atlassian Internal Users Access

Access to Bitbucket's infrastructure (the services running in NTT Ashburn, Santa Clara, and in AWS) is tightly restricted. User accounts are managed by integrations with Atlassian's internal Workday employee directory. When a new employee with a need to access Bitbucket infrastructure joins, they submit public SSH keys to dedicated repositories. From there, those keys are associated with the correct roles and provisioned on the appropriate hardware. Using repositories to manage SSH keys also allows the team to enforce periodic rotation of SSH keys as a preventative measure. SSH keys are rotated on an annual basis at a minimum.

Password

Customer Access

The password requirement for Bitbucket Cloud customers includes a minimum length of 8 characters.

Atlassian Internal Users Access

Passwords are an important part of Atlassian's efforts to protect its technology systems and information assets by helping ensure that only approved individuals can access these systems and assets. Atlassian recognizes, however, that passwords have serious weaknesses as an access control. For high-risk systems, other, approved authentication methods that provide higher levels of assurance and accountability than passwords will be used. However, many of Atlassian's systems continue to rely on passwords alone. This standard is designed to address their weaknesses by establishing best practices for the composition, lifetime and general usage of passwords.

Atlassian provides various secured methods to connect to Atlassian resources. Two of the primary methods for connecting to Atlassian resources are two-factor authentication using Duo, and OneLogin single sign-on.

Duo two-factor authentication is required when logging into VPN (Remote Access Service) from any IP address, and OneLogin single sign-on allows users to have a single point of authentication to access multiple applications.

OneLogin enforces the following password settings configured in Active Directory:

1) Minimum Length
2) Password Expiration Intervals
3) Password History
4) Complexity
5) Account Lockout Threshold
6) Passwords are Masked
7) Minimum Lockout Duration

User Provisioning, Review and De-provisioning of Atlassian Internal Users

Atlassian Internal User Provisioning

Active Directory contains a subset of groups which are automatically created and maintained based on demographic and employment information in Workday. In the current release, these groups are based on division, team, location, employment type and management status. As well as initially provisioning membership, staff members’ assigned groups will be updated to reflect a team/department change or termination.

· Users must have an active Active Directory account
· Users must be members of the appropriate LDAP group

Changes to the Workday employee master file (excluding terminations and changes to cost center or product) are entered by the employee's manager and reviewed by the manager's manager or GM/Functional Owner, who verifies that the change is supported by documentation or communication explaining the reason for the change. Review is evidenced through electronic approval in Workday.

Direct access to PostgreSQL and CentOS is approved prior to granting access. Access to CentOS requires SSH+LDAP and access to PostgreSQL requires a username and password. Access to the CentOS system hosting the Bitbucket Cloud application is provisioned via LDAP along with SSH keys. The Bitbucket Cloud Operations team is responsible for helping ensure the access is appropriate and only members of appropriate teams are provisioned access. NetApp, containing all relevant customer repositories, is provisioned by the Bitbucket Cloud Operations team. Access is based on membership of the appropriate security groups. Databases such as PostgreSQL are provisioned by the Bitbucket Cloud Operations team on an individual basis.

Atlassian Internal User De-provisioning

De-provisioning of access via terminations is initiated at the Workday level. Human Resources initiates the termination once notified by management via issue tracking or electronic messaging. OneLogin is set to pull all the upcoming terminations and new hires from the Workday system every 6 hours. OneLogin then schedules the user to be terminated accordingly within all in-scope systems, including Active Directory.

Atlassian Internal User Role Changes

Role changes are a common practice and Atlassian has a process in place to make any internal transition an effortless and seamless event. When a user changes roles and moves from the Engineering, Customers For Life (C4L), or Finance group and moves to one of the other areas (Engineering, C4L or Finance groups), an alert is generated and a notification is sent to the Human Resource Information Systems Manager, who is responsible for helping ensure timely modification of system access, commensurate with the new role.

Atlassian Internal User Access Reviews

Atlassian’s Development Managers or Team Leads perform semi-annual user access reviews over Bitbucket Cloud and in-scope supporting tools. Any discrepancies identified are escalated to the respective managers and are addressed in a timely manner based on the nature of remediation required.

Access of Atlassian Support Team to Customer’s Repository

Bitbucket Cloud has a full-time support team who respond to user issues. Issues may be submitted via an email alias ([email protected]), https://getsupport.atlassian.com or via Bitbucket Cloud's public issue tracker (https://bitbucket.org/site/master/issues). Public documentation on how to use the service and its features is available on https://bitbucket.org/support and https://confluence.atlassian.com/bitbucket.

The Bitbucket Cloud Support team manager controls access to Bitbucket Cloud's administrative support interface. Atlassians may request access via JIRA issues raised in the Bitbucket Cloud Access Request project.

Within the support interface, an administrator can search for and view individual, team, and repository information. Administrators with additional permissions can edit account details, grant staff access to repositories for troubleshooting purposes, and delete repositories and user accounts.

Direct access to the Bitbucket Cloud of the customer is reviewed on a monthly basis to help ensure that strict security standards are followed. This includes reviewing the current list of users with read and administrative access, as well as auditing what repositories and accounts this list currently has access to.

Vulnerability Scanning

Management of technical vulnerabilities for Atlassian systems is performed using the following:

· Technical vulnerability management is implemented using the Nessus vulnerability scanner

· Publicly identified vulnerabilities in Atlassian products are reported to Atlassian via the Security Service Desk

· Internally identified vulnerabilities in Atlassian products and systems are reported to Atlassian via the Security Service Desk

Regular reviews of all identified Atlassian critical vulnerabilities are conducted daily when applicable, and subject matter experts monitor the vendor mailing list for notification of new versions and vulnerabilities.

Atlassian utilizes two versions of Nessus, one to scan the internal network, and one to scan the external-facing network. Results are emailed to the security team and designated subnet owner. The subnet owner is responsible for triaging the results and, if they determine it to be necessary, creating a ticket for resolution.

Penetration Testing

Atlassian products are required to participate in a bug bounty program. There is a rollout plan for each product which includes participating in a private bounty, followed by a public bounty, and then increasing payouts from then on.

Submissions are initially triaged by Bugcrowd for validity and reproducibility. Valid submissionsare then released into Atlassian’s Bug Bounty account and triaged by the Security team andassigned a priority level. JIRA tickets are raised in individual team JIRA instances, tagged withthe security label and tracked to resolution by the security metrics bot.

Antivirus Monitoring

Malware Protection for Windows

Atlassian’s Windows machines utilize Active Directory for authentication. Atlassian uses a standard build as a guide when provisioning or re-provisioning new machines. The standard build requires malware protection, and security patching is enforced on Windows endpoints.

Asset Management Software for Mac

IT asset management software is used to monitor the hard drive encryption and user authentication requirements enforced on MacOS endpoints. Atlassian uses Casper as its IT asset management software for MacOS endpoints.


Email Scanning

Proofpoint is used to provide anti-malware protection for incoming email at the perimeter. In addition, on an annual basis, Atlassian performs a company-wide malware test using email phishing on Atlassian employees to monitor and educate staff on the risks associated with malware.

Encryption

Connections to Bitbucket Cloud services/products are protected using secure connectivity protocols. Users connect to Bitbucket using encrypted traffic via SSH and SSL certificates. Certificates are rotated and reviewed on an annual basis.

C. Physical Access

Physical security controls are in place for Bitbucket hosted systems. Facilities hosting Bitbucket Cloud systems have SOC2 attestations, and Atlassian reviews the SOC2 report on an annual basis for completeness, accuracy and relevance to Atlassian’s business needs. Any question or concern regarding the hosted facility's SOC2 report is followed up as appropriate. Measures are taken to ensure that staff who require physical access to Bitbucket Cloud servers follow a security access process. Access requests are captured within an issue tracking system and reviewed and approved as appropriate. Physical access to the data center is reviewed on a regular basis for completeness and appropriateness.

D. Capacity Management

A capacity planning program helps Atlassian determine the current and future resource (people and technology) needs required to meet customer expectations of the goods and services being delivered. Currently, the Bitbucket Cloud stakeholders work closely with the FP&A team to gather the data needed to forecast compute (processing) and capacity (storage) trends: where the potential resource thresholds are, when the thresholds will be reached, and what resources have been identified as needed to ensure compute and capacity meet customer needs and expectations. The capacity planning process needs to run on a perpetual basis to ensure the projections are accurate and complete. With capacity planning in place, customer needs will be better met, compute and capacity resources will be better optimized for use, and capital expenditure forecasting will be more accurately reported for guidance to investors.

E. Replication

Monitoring of replication

All primary database servers reside in Atlassian’s physical datacenters, with replication nodes and backups being stored in both physical datacenters as well as AWS. The production data is constantly replicated between the read-write instance and multiple read-replicas in both Ashburn, VA and Santa Clara. Replication is kept current within a few seconds during normal operation and at most within four hours.

User data stored on filesystems is managed by Atlassian’s network filers, which only exist in these datacenters. Data is replicated from the primary datacenter to the DR datacenter at all times via vendor-proprietary mirroring technology. The replication lag is on average 10-20 minutes and at most within four hours.


Disaster recovery

A disaster recovery policy is in place and is reviewed on an annual basis by the Disaster Recovery steering committee. Procedures for disaster recovery execution are defined, reviewed, tested and in place. As part of the Atlassian disaster recovery program, the policy describes, at a high level, the purpose, objectives, scope, critical dependencies, RTO/RPO and roles/responsibilities. The company follows ISO22301 as a guideline for the disaster recovery program.

Disaster recovery tests are performed on an annual basis in a simulated environment. Tabletop exercises are also performed to help the disaster response teams walk through various incident scenarios. After disaster recovery tests are performed, the outputs of the tests are captured, analyzed and discussed to determine the scope of the next steps for continuous improvement of the tests. The improvement efforts are captured within JIRA tickets and followed through as appropriate.

F. Monitoring

The Bitbucket Cloud Operations team and Product Engineering teams continuously monitor a wide variety of metrics across the service to help ensure users have an excellent experience. Bitbucket uses several services for monitoring, including Datadog and Pollinator.

· DataDog is a data aggregator, reporting and alerting tool used to monitor the availability and reliability of Bitbucket Cloud.
· Pollinator checks application health and whether endpoints are working.

Availability is calculated for Bitbucket Cloud by tracking the percentage of requests that receive any response from the service. Reliability is calculated by tracking the percentage of non-5xx responses. Application response time is tracked, as is resource consumption across compute, storage, and bandwidth capacity.

Automated alerts are configured to notify members of the Bitbucket Cloud Operations team, based on a rotating pager schedule, when certain thresholds for service metrics are crossed so that immediate action can be taken using the Incident Management process.
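The availability and reliability definitions above, worked through as an added example that is not Atlassian's or Bitbucket Cloud's code: it parses a constructed access log, computes availability (share of requests that got any response) and reliability (share of requests with a non-5xx response) together with a p95 response time, and reports which alert thresholds were crossed. The log format, the "-" marker for a request that received no response, the decision to count such requests against reliability as well, and the threshold values are all assumptions for illustration.

```python
"""Availability and reliability metrics computed from an access log and
compared against alert thresholds.

Added example, not code from Atlassian or the Bitbucket Cloud service.
The log format, the no-response marker, the metric details beyond what
the report states, and the threshold values are assumptions.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample access log (assumed format):
#   <utc-time> <method> <path> <status> <latency_ms>
# A status of "-" marks a request that never received a response
# (e.g. the client timed out); it counts against availability.
SAMPLE_LOG = """\
2017-03-31T10:00:01Z GET /repo/x/commits 200 120
2017-03-31T10:00:02Z GET /repo/x/commits 200 95
2017-03-31T10:00:02Z POST /repo/y/push 503 30
2017-03-31T10:00:03Z GET /repo/z/src 200 210
2017-03-31T10:00:03Z GET /repo/z/src 502 15
2017-03-31T10:00:04Z GET /repo/x/commits - 30000
2017-03-31T10:00:05Z GET /api/2.0/user 200 45
2017-03-31T10:00:05Z GET /api/2.0/user 404 20
2017-03-31T10:00:06Z GET /repo/q/pull-requests 200 310
2017-03-31T10:00:07Z POST /repo/y/push 200 400
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Request:
    status: int | None  # None when no response was delivered
    latency_ms: int


def parse_log(text: str) -> list[Request]:
    """Parse the assumed format; malformed lines are skipped, not fatal."""
    requests: list[Request] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        raw_status = match.group(4)
        status = None if raw_status == "-" else int(raw_status)
        requests.append(Request(status=status, latency_ms=int(match.group(5))))
    return requests


@dataclass(frozen=True)
class Metrics:
    availability_pct: float  # requests that received any response
    reliability_pct: float   # requests that received a non-5xx response
    p95_latency_ms: int      # application response time, 95th percentile


def compute_metrics(requests: list[Request]) -> Metrics:
    """Availability and reliability as percentages of all requests in the window."""
    total = len(requests)
    if total == 0:
        raise ValueError("empty window: no requests to measure")
    answered = sum(1 for r in requests if r.status is not None)
    # Assumption: a request with no response is also a reliability failure,
    # so reliability can never exceed availability.
    healthy = sum(1 for r in requests if r.status is not None and r.status < 500)
    latencies = sorted(r.latency_ms for r in requests)
    p95_index = max(0, math.ceil(0.95 * total) - 1)
    return Metrics(
        availability_pct=round(100.0 * answered / total, 3),
        reliability_pct=round(100.0 * healthy / total, 3),
        p95_latency_ms=latencies[p95_index],
    )


# Assumed thresholds: the report says thresholds exist but gives no values.
THRESHOLDS = {
    "availability_pct": 99.9,  # page the on-call engineer below this
    "reliability_pct": 99.0,
    "p95_latency_ms": 2000,    # alert when p95 latency exceeds this
}


def evaluate_alerts(metrics: Metrics) -> list[str]:
    """Return one alert string per crossed threshold (empty list means healthy)."""
    alerts: list[str] = []
    if metrics.availability_pct < THRESHOLDS["availability_pct"]:
        alerts.append(f"availability {metrics.availability_pct}% below {THRESHOLDS['availability_pct']}%")
    if metrics.reliability_pct < THRESHOLDS["reliability_pct"]:
        alerts.append(f"reliability {metrics.reliability_pct}% below {THRESHOLDS['reliability_pct']}%")
    if metrics.p95_latency_ms > THRESHOLDS["p95_latency_ms"]:
        alerts.append(f"p95 latency {metrics.p95_latency_ms}ms above {THRESHOLDS['p95_latency_ms']}ms")
    return alerts


if __name__ == "__main__":
    m = compute_metrics(parse_log(SAMPLE_LOG))
    print(m)
    for alert in evaluate_alerts(m):
        print("ALERT:", alert)
```

On the constructed sample the window has ten requests, one of which never got a response and two of which returned 5xx, so availability is 90% and reliability 70%; all three thresholds are crossed. A real deployment would evaluate these figures over a sliding time window fed by the monitoring pipeline rather than over a static file, but the metric definitions are the same.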

G. Incident Management

An organization-wide incident management process is in place, with the service operations team responsible for incidents and problems for Atlassian services and platforms. The incident management process must meet the Atlassian Incident Management Standard.

The focus of all incident management is to minimize downtime, service degradation or security risk for customers and internal users. Every action in managing an incident is recorded in an Incident Management System under an incident ticket.

The standard principles of incident management consist of the following:

· Detection and recording - Atlassian has monitoring tools in place to properly detect and record all incidents.
· Incident Classification for Resolution and Communication - Incidents are classified according to the level of severity. Incident Managers are a crucial part of exercising judgement on the incident priority.
· Communication Steps Based on Severity - The severity of the incident determines the communication steps all Incident Managers take.
· Investigation and Diagnosis - Investigations begin with existing runbooks and other relevant documentation. Many incidents have pre-formulated solutions captured in runbooks.
· Resolution and Recovery - The Incident Management team encourages quick and responsive incident resolution and has the ability to resolve incidents immediately.
· Incident Handover - When incidents are escalated and run longer, incident handovers are coordinated.
· Closure and Post Incident Review - Clients/customers have the opportunity to provide feedback on the resolution of the incident. Support or Customer Advocacy confirm the resolution of all customer-reported incidents with the reporting customer. When the incident is completely resolved, the Incident Manager completes and closes all incident records and tickets. After high severity incidents, the Incident Manager completes a Post Incident Review (PIR), which is documented. If the root cause is fully understood from a previous incident, then the PIR can link to that previous incident.
· Incident Reporting and Analysis - Data from IT incidents, including both those received and resolved by Support, are typically analyzed and reported for trends and indications of unidentified problems requiring definition and resolution.
· Relation to Problem Management - Where possible, all related or similar incidents are examined for a common cause. Where incidents temporarily cannot be associated with any particular root cause (Problem), they are reviewed for any other common incidents.

Atlassian uses four severity levels:

Severity 0 - Crisis incident with maximum impact. Examples:
· Major Security Incident
· Data Centre Outage with Data Loss

Severity 1 - Critical incident with very high impact. Examples:
· Outage to Bitbucket affecting all users for over one hour
· Bad release to Cloud affecting critical functionality for all JIRA users

Severity 2 - Major incident with significant impact. Examples:
· Outage to Atlassian internal extranet for over one hour

Severity 3 - Minor incident with low impact. Examples:
· Degraded plugin affecting 10 Cloud customers of a specific product (Bitbucket, JIRA or Confluence)

Factors to Consider when Determining Severity

· Length/Duration of an outage - If we know the rough time it will take to complete an incident, we can use this to help gauge the severity of the incident. Typically, incidents with no known ETA will take higher severity levels.
· Number of customers affected - For Cloud we currently classify 1 instance as 1 customer. Also consider the license size of the instances; some bugs only impact bigger Cloud customers, which should raise severity. For other services we have an estimate of how many customers use the system.
· Customer / Internal service - Customer services such as support.atlassian.com and Bitbucket Cloud should be taken at a higher level than services such as internal extranet pages.
· Is there any data loss - Any potential data loss to customers should increase severity.
· Security risks/breach - Security breaches that have been made public, or where customer confidentiality has been compromised, or where Atlassian is in violation of the terms of a contractual agreement. These are usually sev 0 if active compromise has occurred.
· Down or degraded? If degraded - how degraded? e.g. Bitbucket being slow might be a lot more annoying than a slow response from support.atlassian.com.

Customers have the ability to report vulnerabilities and/or incidents via the Company web site: https://www.atlassian.com/trust/security. Reported incidents are triaged by the Security team. If the vulnerability and/or incident is considered to be relevant for immediate action, the Security team will escalate via the product development team JIRA system for further discussion and prioritization. All other minor requests will be backlogged for future consideration.

H. Data Classification and Confidentiality of Information

All Atlassian employees share in the responsibility for helping ensure that information receives an appropriate level of protection by observing an Information Classification policy:

· Information is classified in terms of legal requirements, value and criticality to Atlassian
· Information is labeled to help ensure appropriate handling
· Manage all removable media with the same handling guidelines as below
· Media being disposed of is securely deleted
· Media containing company information is protected against unauthorized access, misuse or corruption during transport

The following guidelines are used to classify data at Atlassian:

Restricted - Information customers and staff have trusted to Atlassian’s protection, which would be very damaging if released. Trust is the operative word. Examples:
· Customer Personally Identifiable Information (PII)
· Customer credit cards
· US Social Security numbers (customer or staff)
· Staff personal, bank, and salary details
· Sensitive company accounting data
· Decryption keys or passwords protecting information at this level
· Any other data we have a strong legal or moral requirement to protect

Public - Information freely available to the public. Examples:
· Any information available to the public
· Released source code
· Newsletters
· Information up on the web site

Internal - Information internal to Atlassian which would be embarrassing if released, but not otherwise harmful. The default for most Atlassian-generated information. Examples:
· Most extranet pages
· JIRA issues such as invoices or phone records
· Unreleased source code
· Information only accessible from the office IPs
· Product announcements before the release date

Confidential - Information we hold which could cause damage to Atlassian or customers if released. The default for any information customers have provided. Examples:
· Customer support issues logged on the support site
· Business plans and deals (including on extranet)
· Information under an NDA
· Unresolved security issues in the products
· Third party closed-source code
· Most passwords
· Customer source code or other IP stored in hosted products


Subservice Organizations

Atlassian utilizes subservice organizations to perform certain functions as described in the description above. Rather than duplicate the control tests, controls at Amazon Web Services and NTT Data Center are not included in the scope of this report. The affected criteria are listed below along with the expected controls.

NTT America, Inc. - CC5.5 (Physical Access)
· The Ashburn and Santa Clara Data Centers are remotely monitored by personnel from the Sterling and San Jose Data Centers, respectively.
· Data Center access is limited to authorized individuals through the use of access control cards. Additional security mechanisms are implemented, as applicable.
· Access to the Data Center is tracked by the system and will trigger a series of alarms if unauthorized access occurs.
· Customer assets, including hardware and network devices, are properly segregated from other customers using secured cabinets, cages and suites.
· Access to the Data Centers is granted to NTT America associates based on their job responsibilities after the Associate Enrollment Form has been approved by NTT America management.
· Access to the Data Centers is granted to contractors based on their job responsibilities after the appropriate contractor and NTT America approvals are documented on the Contractor Enrollment Form.
· Quarterly user access reviews are performed on users that have access to the Hybrid Cloud, Console Pole Server, Ops Password and NetBackup/GMP systems. Changes are made to users’ access based on the review, and approval of the review is maintained in the quarterly review log.
· NTT America Security performs a review of data center access on at least a quarterly basis. Identified discrepancies between approval forms and access assigned are remediated.

Amazon Web Services (AWS) - CC5.1 (Logical access)
· IT access above least privileged, including administrator accounts, is approved by appropriate personnel prior to access provisioning.
· IT access privileges are reviewed on a quarterly basis by appropriate personnel.
· User access to Amazon systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.

Amazon Web Services (AWS) - A1.1 (Availability)
· Backups of critical AWS system components are monitored for successful replication across multiple Availability Zones.
· When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy.


Complementary User Entity Controls

Atlassian designed its controls with the assumption that certain controls will be the responsibility of its customers (or “user entities”). The following is a representative list of controls that are recommended to be in operation at user entities to complement the controls of Atlassian’s Bitbucket Cloud. This is not a comprehensive list of all controls that should be employed by Atlassian’s user entities.

Change Management:
· Customers are responsible for validating the accuracy and completeness of data contained in their Bitbucket account.

Logical Access:
· Customers are responsible for creating a username and password to access their account.
· Customers are responsible for inviting team members and managing team members’ access rights to Bitbucket.
· Customers are responsible for managing the ‘check-in’ and ‘check-out’ process for their code in Bitbucket.
· Customers are responsible for identifying the individual(s) with Bitbucket administrator access who may have access to the account.
· Customers are responsible for establishing their own usage and access policies for their Bitbucket account.
· Customers are responsible for identifying approved points of contact.
· Customers are responsible for the appropriate set-up of the following logical security settings: IP whitelisting, 2FA, and OAuth setup, if applicable.
· Customers are responsible for configuring their instance of Bitbucket according to the organization's policies and procedures.

Incident Management:
· Customers are responsible for alerting Atlassian of incidents (related to Security, Availability, and Confidentiality) when they become aware of them.
· Customers are responsible for monitoring or resolving the incident alerts as part of the use of the application.

Backup:
· Customers are responsible for performing periodic backup of their account.

SECTION IV: DESCRIPTION OF CRITERIA AND CONTROLS


Description of Criteria and Controls

Criteria and Controls

On the pages that follow, the applicable Trust Services Criteria and the controls to meet the criteria have been specified by, and are the responsibility of, Atlassian; the procedures performed by EY are the responsibility of the service auditor.

Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE)

For the controls requiring the use of IPE, including Electronic Audit Evidence (EAE) (e.g., controls requiring system-generated populations for sample-based testing), we perform a combination of the following procedures where possible, based on the nature of the IPE, to address the completeness, accuracy, and data integrity of the data or reports used: (1) inspect the source of the IPE, (2) inspect the query, script, or parameters used to generate the IPE, (3) tie data between the IPE and the source, and/or (4) inspect the IPE for anomalous gaps in sequence or timing to determine the data is complete, accurate, and maintains its integrity. In addition to the above procedures, for controls requiring management’s use of IPE in the execution of the controls (e.g., periodic reviews of user access listings), we inspect management’s procedures to assess the validity of the IPE source and the completeness, accuracy, and integrity of the data or reports.


Common Criteria (CC) to All Security, Availability and Confidentiality Principles

CC1.0 Common Criteria Related to Organization and Management

CC1.1 Criteria: The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system enabling it to meet its commitments and system requirements as they relate to security, availability and confidentiality.
Controls of Atlassian:
· Organizational charts are perpetually updated based on employee action notices and available to all Atlassian employees via Workday.
· The organizational charts are reviewed and updated on a quarterly basis.
· The hiring manager reviews and approves the job description prior to posting of job ads.

CC1.2 Criteria: Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity’s system controls and other risk mitigation strategies are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and implemented to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.
Controls of Atlassian:
· The organizational charts are reviewed and updated on a quarterly basis.
· Organizational charts are perpetually updated based on employee action notices and available to all Atlassian employees via Workday.
· The hiring manager reviews and approves the job description prior to posting of job ads.
· Candidates are reviewed and approved by at least two interviewers prior to hiring.
· Employees and contractors acknowledge the Code of Conduct annually.

CC1.3 Criteria: The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting security, availability and confidentiality and provides resources necessary for personnel to fulfill their responsibilities.
Controls of Atlassian:
· The hiring manager reviews and approves the job description prior to posting of job ads.
· Candidates are reviewed and approved by at least two interviewers prior to hiring.
· New employees are assigned a 90 day onboarding plan.
· A weekly review is performed to determine that new employees are assigned a 90 day plan, and that the CIIA (Confidential Information and Inventions Assignment) and background checks are completed prior to their start date.
· Background checks are performed prior to their start date. Results are reviewed against a results matrix and escalated to Legal and Head of HR Operations, if needed.
· Performance appraisals are performed at least annually.
· Employee training requirements are established during the annual performance appraisal.
· User awareness training for malware risks is part of the Security Awareness program at Atlassian and performed at least on an annual basis.

CC1.4 Criteria: The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to security, availability and confidentiality.
Controls of Atlassian:
· Employees and contractors acknowledge the Code of Conduct annually.
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· A weekly review is performed to determine that new employees are assigned a 90 day plan, and that the CIIA (Confidential Information and Inventions Assignment) and background checks are completed prior to their start date.
· Background checks are performed prior to their start date. Results are reviewed against a results matrix and escalated to Legal and Head of HR Operations, if needed.


Common Criteria to All Security, Availability and Confidentiality Principles

CC2.0 Common Criteria Related to Communications

CC2.1 Criteria: Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external users of the system to permit users to understand their role in the system and the results of system operation.
Controls of Atlassian:
· A description of the system delineating the boundaries and describing relevant components is documented on the Atlassian intranet and the customer-facing website. This documentation is available to authorized users internally and externally.
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· Organizational charts are perpetually updated based on employee action notices and available to all Atlassian employees via Workday.
· The hiring manager reviews and approves the job description prior to posting of job ads.

CC2.2 Criteria: The entity's security, availability and confidentiality commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities.
Controls of Atlassian:
· Vendor agreements, including any security, availability and confidentiality commitments, are reviewed.
· Customers and internal users contact Atlassian to report issues on bugs, defects, availability, security and confidentiality via support.atlassian.com, social media, general website forms, emails, trust.atlassian.com, the public bug site and Hipchat.
· Customer terms of service are standardized and approved by legal. The terms of service communicate the security, availability and confidentiality commitments to the customer, and any changes are communicated.

CC2.3 Criteria: The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties.
Controls of Atlassian:
· Employees and contractors acknowledge the Code of Conduct annually.
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· Customer responsibilities are described on the Atlassian customer-facing website.
· User awareness training for malware risks is part of the Security Awareness program at Atlassian and performed at least on an annual basis.
· Vendor agreements, including any security, availability and confidentiality commitments, are reviewed.
· Customers and internal users contact Atlassian to report issues on bugs, defects, availability, security and confidentiality via support.atlassian.com, social media, general website forms, emails, trust.atlassian.com, the public bug site and Hipchat.
· Customer terms of service are standardized and approved by legal. The terms of service communicate the security, availability and confidentiality commitments to the customer, and any changes are communicated.
· Bitbucket Cloud uses tools to monitor the availability of customer-facing services. The availability is published so that customers may check the status/uptime of Bitbucket Cloud.

CC2.4 Criteria: Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the security, availability and confidentiality of the system, is provided to personnel to carry out their responsibilities.
Controls of Atlassian:
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· Customer responsibilities are described on the Atlassian customer-facing website.
· Customer terms of service are standardized and approved by legal. The terms of service communicate the security, availability and confidentiality commitments to the customer, and any changes are communicated.
· Atlassian communicates its commitment to security as a top priority for its customers via the Atlassian Trust Security page.
· Vendor agreements, including any security, availability and confidentiality commitments, are reviewed.

CC2.5 Criteria: Internal and external users have been provided with information on how to report security, availability and confidentiality failures, incidents, concerns, and other complaints to appropriate personnel.
Controls of Atlassian:
· Customers and internal users contact Atlassian to report issues on bugs, defects, availability, security and confidentiality via support.atlassian.com, social media, general website forms, emails, trust.atlassian.com, the public bug site and Hipchat.
· An incident management process is in place, with the Site Reliability team responsible for incidents and problems for Atlassian services and platforms. The incident management process must meet the Atlassian Incident Management Standard. For incidents with severity level 0 and 1, root cause analysis is performed.

CC2.6 Criteria: System changes that affect internal and external users’ responsibilities or the entity's commitments and system requirements relevant to security, availability and confidentiality are communicated to those users in a timely manner.
Controls of Atlassian:
· Bitbucket Cloud uses tools to monitor the availability of customer-facing services. The availability is published so that customers may check the status/uptime of Bitbucket Cloud.
· Atlassian communicates its commitment to security as a top priority for its customers via the Atlassian Trust Security page.
· Significant changes made to the system are communicated to customers via the Atlassian customer-facing website.


Common Criteria to All Security, Availability and Confidentiality Principles

CC3.0 Common Criteria Related to Risk Management and Design and Implementation of Controls

CC3.1 Criteria: The entity (1) identifies potential threats that could impair system security, availability and confidentiality commitments and system requirements (including threats arising from the use of vendors and other third parties providing goods and services, as well as threats arising from customer personnel and others with access to the system), (2) analyzes the significance of risks associated with the identified threats, (3) determines mitigation strategies for those risks (including implementation of controls, assessment and monitoring of vendors and other third parties providing goods or services, as well as their activities, and other mitigation strategies), (4) identifies and assesses changes (for example, environmental, regulatory, and technological changes and results of the assessment and monitoring of controls) that could significantly affect the system of internal control, and (5) reassesses, and revises, as necessary, risk assessments and mitigation strategies based on the identified changes.
Controls of Atlassian:
· Atlassian has defined a risk management process and conducts an enterprise risk assessment on an annual basis, which includes key product stakeholders.
· The Atlassian Risk & Compliance team evaluates the design of controls and mitigation strategies in meeting identified risks and recommends changes in the control environment.
· Atlassian maintains a risk and controls matrix within their GRC tool.
· The Atlassian Risk & Compliance team monitors the environment of internal control and identifies significant changes that have occurred.
· Internal audits are performed, results are communicated and corrective actions monitored. The Risk and Compliance team engages with third party qualified auditors to perform compliance audits against standards on an annual basis. The results of the audits are captured as findings in the GRC tool and remediation is tracked in the tool with regular reports to management.

CC3.2 Criteria: The entity designs, develops, implements, and operates controls, including policies and procedures, to implement its risk mitigation strategy; reassesses the suitability of the design and implementation of control activities based on the operation and monitoring of those activities; and updates the controls, as necessary.
Controls of Atlassian:
· Atlassian has defined a risk management process and conducts an enterprise risk assessment on an annual basis, which includes key product stakeholders.
· The Atlassian Risk & Compliance team evaluates the design of controls and mitigation strategies in meeting identified risks and recommends changes in the control environment.
· Atlassian maintains a risk and controls matrix within their GRC tool.
· User awareness training for malware risks is part of the Security Awareness program at Atlassian and performed at least on an annual basis.
· Technical vulnerability management is implemented using the Nessus vulnerability scanner. Critical threats are reviewed and resolved.
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· Internal audits are performed, results are communicated and corrective actions monitored. The Risk and Compliance team engages with third party qualified auditors to perform compliance audits against standards on an annual basis. The results of the audits are captured as findings in the GRC tool and remediation is tracked in the tool with regular reports to management.
· Disaster recovery testing is performed on an annual basis. Key stakeholders are involved in the planning, impact analysis, execution, and remediation (if required).


Common Criteria to All Security, Availability and Confidentiality Principles
CC4.0 Common Criteria Related to Monitoring

CC4.1 The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as they relate to security, availability and confidentiality, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.

Controls of Atlassian:

· BBC stakeholders have implemented and maintain monitoring and logging software to identify and evaluate ongoing system performance, changing resource utilization needs, and unusual system activity.
· Penetration testing is performed by Bug Bounty on a continuous basis. Issues are reviewed and tracked to completion in a JIRA ticket.
· Code scanning is performed by SourceClear on a continuous basis. Issues are reviewed and tracked to completion.
· External users connect to Bitbucket using encrypted traffic via SSH and SSL certificates. Certificates are rotated and reviewed prior to expiration.
· Technical vulnerability management is implemented using the Nessus vulnerability scanner. Critical threats are reviewed and resolved.
· Atlassian reviews the SOC reports of the vendors on an annual basis.
· Internal audits are performed, results are communicated and corrective actions monitored. The Risk and Compliance team engages with third-party qualified auditors to perform compliance audits against standards on an annual basis. The results of the audits are captured as findings in the GRC tool and remediation is tracked in the tool with regular reports to management.
· Atlassian communicates its commitment to security as a top priority for its customers via the Atlassian Trust Security page.
· User awareness training for malware risks is part of the Security Awareness program at Atlassian and is performed at least on an annual basis.


Common Criteria to All Security, Availability and Confidentiality Principles
CC5.0 Common Criteria Related to Logical and Physical Access Controls

CC5.1 Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized internal and external users; (2) restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· CentOS SSH keys are rotated annually.
· An automatic alert is triggered to the Risk and Compliance Manager and HR for any role change between the following groups: Engineering, Customers For Life (C4L), or Finance group. Appropriateness of access is reviewed and approved.
· Access to the in-scope supporting tools is reviewed semi-annually.
· Access to the Atlassian internal network and internal tools is restricted to authorized users via logical access measures:
  · Users must have an active Active Directory account.
  · Users must be members of the appropriate LDAP group.
· Terminated users are removed from the in-scope systems within 3 days.
· Active Bitbucket Cloud customers use authentication and authorization methods that meet password length requirements of 8 characters.
· Direct access to CentOS servers requires a valid SSH key.
· Direct access to PostgreSQL requires a unique username and password.
· Direct access to PostgreSQL and CentOS is approved prior to granting access.
· Active Directory group membership is automatically assigned based on the user's department and team.

CC5.2 New internal and external users, whose access is administered by the entity, are registered and authorized prior to being issued system credentials and granted the ability to access the system to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Controls of Atlassian:

· Access to the in-scope supporting tools is reviewed semi-annually.
· Two-factor authentication is required when logging into the Atlassian VPN (Remote Access Service) from any IP address.
· Access to the Atlassian internal network and internal tools is restricted to authorized users via logical access measures:
  · Users must have an active Active Directory account.
  · Users must be members of the appropriate LDAP group.
· Terminated users are removed from the in-scope systems within 3 days.

CC5.3 Internal and external users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data) to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· External users connect to Bitbucket using encrypted traffic via SSH and SSL certificates. Certificates are rotated and reviewed prior to expiration.
· Active Bitbucket Cloud users use authentication and authorization methods that meet password length requirements of 8 characters.
· CentOS SSH keys are rotated annually.
· Two-factor authentication is required when logging into the VPN (Remote Access Service) from any IP address.
· The following password parameters are in place for the in-scope applications:
  · Eight (8) or more characters
  · At least one uppercase letter
  · At least one lowercase letter
  · At least one digit (0 through 9) or special character ($, @, # and so on)

CC5.4 Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· Access to the source code is limited to the members of the Bitbucket development team.
· Access to the in-scope supporting tools is reviewed semi-annually.
· Access to the Atlassian internal network and internal tools is restricted to authorized users via logical access measures:
  · Users must have an active Active Directory account.
  · Users must be members of the appropriate LDAP group.
· Direct access to CentOS servers requires a valid SSH key.
· Direct access to PostgreSQL requires a unique username and password.
· Direct access to PostgreSQL and CentOS is approved prior to granting access.
· Active Directory group membership is automatically assigned based on the user's department and team.
· Access to customers' repositories by the Bitbucket internal support team is reviewed monthly.
· Changes to the Workday employee master file (excluding terminations and changes to cost center or product) are entered by the employee's manager and reviewed by the manager's manager or GM/Functional Owner, who verifies that the change is supported by documentation or communication explaining the reason for the change. Review is evidenced through electronic approval in Workday.
· On a semi-annual basis, the People Central Systems Support Specialist performs a review over Workday admin users.
· Access to a customer repository by the Bitbucket support team is supported by a customer support request.
· An automatic alert is triggered to the Risk and Compliance Manager and HR for any role change between the following groups: Engineering, Customers For Life (C4L), or Finance group. Appropriateness of access is reviewed and approved.

CC5.5 Physical access to facilities housing the system (for example, data centers, backup media storage, and other sensitive locations, as well as sensitive system components within those locations) is restricted to authorized personnel to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· Vendor agreements, including any security, availability and confidentiality commitments, are reviewed.
· Physical access to the cages housing Bitbucket Cloud hardware is reviewed semi-annually.
· Atlassian reviews the SOC reports of the vendors on an annual basis.

CC5.6 Logical access security measures have been implemented to protect against security, availability and confidentiality threats from sources outside the boundaries of the system to meet the entity’s commitments and system requirements.

Controls of Atlassian:

· External users connect to Bitbucket using encrypted traffic via SSH and SSL certificates. Certificates are rotated and reviewed prior to expiration.
· Access to the source code is limited to the members of the Bitbucket development team.
· Access to the in-scope supporting tools is reviewed semi-annually.
· Access to the Atlassian internal network and internal tools is restricted to authorized users via logical access measures:
  · Users must have an active Active Directory account.
  · Users must be members of the appropriate LDAP group.
· Terminated users are removed from the in-scope systems within 3 days.
· An automatic alert is triggered to the Risk and Compliance Manager and HR for any role change between the following groups: Engineering, Customers For Life (C4L), or Finance group. Appropriateness of access is reviewed and approved.
· Two-factor authentication is required when logging into the VPN (Remote Access Service) from any IP address.
· Firewall rules are in place to restrict access to the production environment.

CC5.7 The transmission, movement, and removal of information is restricted to authorized internal and external users and processes and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· External users connect to Bitbucket using encrypted traffic via SSH and SSL certificates. Certificates are rotated and reviewed prior to expiration.
· Customer terms of service are standardized and approved by legal. The terms of service communicate the security, availability and confidentiality commitments to the customer, and any changes are communicated.
· Removal of a customer's Bitbucket data from NetApp and PostgreSQL occurs within 7 days from the date of the termination of service.
· Equipment is decommissioned and the data residing on the hardware is sanitized or destroyed.
· Physical access to the cages housing Bitbucket Cloud hardware is reviewed semi-annually.

CC5.8 Controls have been implemented to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· Replication is monitored for failures; an alert is created and resolved.
· Technical vulnerability management is implemented using the Nessus vulnerability scanner. Critical threats are reviewed and resolved.
· An incident management process is in place, with the Site Reliability team responsible for incidents and problems for Atlassian services and platforms. The incident management process must meet the Atlassian Incident Management Standard. For incidents with severity level 0 and 1, root cause analysis is performed.


Common Criteria to All Security, Availability and Confidentiality Principles
CC6.0 Common Criteria Related to System Operations

CC6.1 Vulnerabilities of system components to security, availability and confidentiality breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, and evaluated, and countermeasures are designed, implemented, and operated to compensate for known and newly identified vulnerabilities to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· Penetration testing is performed by Bug Bounty on a continuous basis. Issues are reviewed and tracked to completion in a JIRA ticket.
· Code scanning is performed by SourceClear on a continuous basis. Issues are reviewed and tracked to completion.
· External users connect to Bitbucket using encrypted traffic via SSH and SSL certificates. Certificates are rotated and reviewed prior to expiration.
· Technical vulnerability management is implemented using the Nessus vulnerability scanner. Critical threats are reviewed and resolved.
· Atlassian communicates its commitment to security as a top priority for its customers via the Atlassian Trust Security page.
· User awareness training for malware risks is part of the Security Awareness program at Atlassian and is performed at least on an annual basis.
· Replication is monitored for failures; an alert is created and resolved.
· Disaster recovery testing is performed on an annual basis. Key stakeholders are involved in the planning, impact analysis, execution, and remediation (if required).

CC6.2 Security, availability and confidentiality incidents, including logical and physical security breaches, failures, and identified vulnerabilities, are identified and reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s commitments and system requirements.

Controls of Atlassian:

· Bitbucket Cloud uses tools to monitor the availability of customer-facing services. The availability is published so that customers may check the status/uptime of Bitbucket Cloud.
· An incident management process is in place, with the Site Reliability team responsible for incidents and problems for Atlassian services and platforms. The incident management process must meet the Atlassian Incident Management Standard. For incidents with severity level 0 and 1, root cause analysis is performed.
· Atlassian communicates its commitment to security as a top priority for its customers via the Atlassian Trust Security page.
· Customers and internal users contact Atlassian to report issues on bugs, defects, availability, security and confidentiality via support.atlassian.com, social media, general website forms, emails, trust.atlassian.com, the public bug site and Hipchat.


Common Criteria to All Security, Availability and Confidentiality Principles
CC7.0 Common Criteria Related to Change Management

CC7.1 The entity’s commitments and system requirements, as they relate to security, availability and confidentiality, are addressed during the system development lifecycle, including the authorization, design, acquisition, implementation, configuration, testing, modification, approval, and maintenance of system components.

Controls of Atlassian:

· A JIRA ticket is automatically generated if a change to the enforcement of peer review occurs. A review is performed and tracked to closure in a JIRA ticket.
· Peer review and a passed green build test are required prior to merging the code to the production branch.
· Merging code directly to the production branch without going through the staging branch is not allowed.
· Only Deployment Bamboo has access to push the code to the Bitbucket production environment.
· Access to the source code is limited to the members of the Bitbucket development team.
· Privileged access to Deployment Bamboo is restricted to the members of the Build Engineering team.
· Significant changes made to the system are communicated to customers via the Atlassian customer-facing website.
· Operating system, database, Puppet, deployment script, and emergency changes follow the same process as the application changes.
· Puppet is used to manage the configuration of the databases and servers used in production.
· Write access to Artifactory is limited to the Build Engineering team and Deployment Bamboo.
· Code scanning is performed by SourceClear on a continuous basis. Issues are reviewed and tracked to completion.
· Deployment Bamboo performs a check to validate that the SOX settings on Bitbucket comply with the following:
  · Requires >1 approver
  · Unapprove automatically on new changes
  · Changes without a pull request
  If the settings are not enforced, the code is rejected.

CC7.2 Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· Operating system, database, Puppet, deployment script, and emergency changes follow the same process as the application changes.
· Code scanning is performed by SourceClear on a continuous basis. Issues are reviewed and tracked to completion.
· Deployment Bamboo performs a check to validate that the SOX settings on Bitbucket comply with the following:
  · Requires >1 approver
  · Unapprove automatically on new changes
  · Changes without a pull request
  If the settings are not enforced, the code is rejected.

CC7.3 Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to security, availability and confidentiality.

Controls of Atlassian:

· An incident management process is in place, with the Site Reliability team responsible for incidents and problems for Atlassian services and platforms. The incident management process must meet the Atlassian Incident Management Standard. For incidents with severity level 0 and 1, root cause analysis is performed.
· Customers and internal users contact Atlassian to report issues on bugs, defects, availability, security and confidentiality via support.atlassian.com, social media, general website forms, emails, trust.atlassian.com, the public bug site and Hipchat.
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.

CC7.4 Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented to meet the entity’s security, availability and confidentiality commitments and system requirements.

Controls of Atlassian:

· Code scanning is performed by SourceClear on a continuous basis. Issues are reviewed and tracked to completion.
· Policies are posted and available online, assigned a policy owner, and reviewed at least annually.
· A JIRA ticket is automatically generated if a change to the enforcement of peer review occurs. A review is performed and tracked to closure in a JIRA ticket.
· Deployment Bamboo performs a check to validate that the SOX settings on Bitbucket comply with the following:
  · Requires >1 approver
  · Unapprove automatically on new changes
  · Changes without a pull request
  If the settings are not enforced, the code is rejected.
· Peer review and a passed green build test are required prior to merging the code to the production branch.
· Merging code directly to the production branch without going through the staging branch is not allowed.
· Only Deployment Bamboo has access to push the code to the Bitbucket production environment.


Additional Criteria to Availability (A) Principle

A1.1 Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity’s availability commitments and system requirements.

Controls of Atlassian:

· A capacity planning program is in place to determine what the current and future resource needs are to meet customer expectations of the goods and services being delivered.
· Bitbucket Cloud uses tools to monitor the availability of customer-facing services. The availability is published so that customers may check the status/uptime of Bitbucket Cloud.
· Monitoring tools are in place to track and notify on the availability and reliability of Bitbucket Cloud systems and services.
· An incident management process is in place, with the Site Reliability team responsible for incidents and problems for Atlassian services and platforms. The incident management process must meet the Atlassian Incident Management Standard. For incidents with severity level 0 and 1, root cause analysis is performed.

A1.2 Environmental protections, software, data backup processes, and recovery infrastructure are authorized, designed, developed, implemented, operated, approved, maintained, and monitored to meet the entity’s availability commitments and system requirements.

Controls of Atlassian:

· PostgreSQL data is replicated in real time from its primary site to a secondary site.
· Replication is monitored for failures; an alert is created and resolved.
· Access to AWS Glacier is restricted to members of the Bitbucket Cloud operations team and SRE team.
· Bitbucket production data in NetApp is replicated every 2 hours from its primary site to a secondary site.
· Disaster recovery testing is performed on an annual basis. Key stakeholders are involved in the planning, impact analysis, execution, and remediation (if required).
· Atlassian reviews the SOC reports of the vendors on an annual basis.

A1.3 Recovery plan procedures supporting system recovery are tested to help meet the entity’s availability commitments and system requirements.

Controls of Atlassian:

· Disaster recovery testing is performed on an annual basis. Key stakeholders are involved in the planning, impact analysis, execution, and remediation (if required).


Additional Criteria to Confidentiality (C) Principle

C1.1 Confidential information is protected during the system design, development, testing, implementation, and change processes to meet the entity’s confidentiality commitments and system requirements.

Controls of Atlassian:

· Data is classified according to company policy.

C1.2 Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition to meet the entity’s confidentiality commitments and system requirements.

Controls of Atlassian:

· Data is classified according to company policy.
· Access to a customer repository by the Bitbucket support team is supported by a customer support request.
· Access to a customer repository by the Bitbucket internal support team is reviewed monthly by the lead Support Engineer.

C1.3 Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties to meet the entity’s confidentiality commitments and system requirements.

Controls of Atlassian:

· Customer data is logically isolated.
· An automatic alert is triggered to the Risk and Compliance Manager and HR for any role change between the following groups: Engineering, Customers For Life (C4L), or Finance group. Appropriateness of access is reviewed and approved for each alert.
· Access to the in-scope supporting tools is reviewed semi-annually.
· Access to the Atlassian internal network and internal tools is restricted to authorized users via logical access measures:
  · Users must have an active Active Directory account.
  · Users must be members of the appropriate LDAP group.
· Terminated users are removed from the in-scope systems within 3 days.
· Direct access to CentOS servers requires a valid SSH key.
· Direct access to PostgreSQL requires a unique username and password.
· Direct access to PostgreSQL and CentOS is approved prior to granting access.
· Active Directory group membership is automatically assigned based on the user's department and team.

· Employees and contractors are required to sign CIAAs as part of the onboarding process.
· Two-factor authentication is required when logging into the VPN (Remote Access Service) from any IP address.
· The following password parameters are in place for the in-scope applications:
  · Eight (8) or more characters
  · At least one uppercase letter
  · At least one lowercase letter
  · At least one digit (0 through 9) or special character ($, @, # and so on)

C1.4 The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality system requirements from vendors and other third parties whose products and services are part of the system and have access to confidential information.

Controls of Atlassian:

· Vendor agreements, including any security, availability and confidentiality commitments, are reviewed during the procurement process.
· Employees and contractors are required to sign CIAAs as part of the onboarding process.

C1.5 Compliance with the entity’s confidentiality commitments and system requirements by vendors and other third parties whose products and services are part of the system is assessed on a periodic and as-needed basis, and corrective action is taken, if necessary.

Controls of Atlassian:

· Atlassian reviews the SOC reports of the vendors on an annual basis.
· Employees and contractors are required to sign CIAAs as part of the onboarding process.

C1.6 Changes to the entity’s confidentiality commitments and system requirements are communicated to internal and external users, vendors, and other third parties whose products and services are part of the system.

Controls of Atlassian:

· Atlassian communicates changes to confidentiality commitments to its customers, vendors and internal users through the Atlassian website, when applicable.

C1.7 The entity retains confidential information to meet the entity’s confidentiality commitments and system requirements.

Controls of Atlassian:

· Data is classified according to company policy.

C1.8 The entity disposes of confidential information to meet the entity’s confidentiality commitments and system requirements.

Controls of Atlassian:

· Removal of a customer's Bitbucket data from NetApp and PostgreSQL occurs within 7 days from the date of the termination of service.
· Equipment is decommissioned and the data residing on the hardware is sanitized or destroyed.