Marketplace App Trust
Trust is a key component of the relationship between Atlassian customers and our third-party Marketplace Partners.
Cloud apps are a shared responsibility
Atlassian provides information, controls and capabilities, while facilitating communication between you and Marketplace Partners.
Marketplace Partners
Marketplace Partners design apps and operational processes according to their legal obligations, Atlassian’s requirements, and general industry best practices for reliable, compliant, and secure apps. They also provide support and information to help you make informed decisions.
Atlassian
Atlassian provides information and capabilities to help Marketplace Partners build trustworthy apps and to help customers vet and manage apps.
You
You leverage the information provided by Atlassian and Marketplace Partners to vet apps against your requirements. It’s important to acknowledge that app installation requires a new relationship with a Marketplace Partner that is separate from your relationship with Atlassian.
Data protection support for Marketplace Partners
Atlassian has programs, tools, educational resources, and requirements in place to help third parties protect your data when you extend your workflows with Marketplace apps.
In the event that partners aren't meeting our requirements, we may take actions like removing badges, hiding apps from the Marketplace, pausing them, or adding them to a public transparency page.
Setting a privacy & security baseline
Our Marketplace programs help Marketplace Partners achieve the highest consistent standards for application security and privacy.
Setting a security baseline with requirements
Atlassian has defined a minimum set of Cloud App Security requirements that all Marketplace apps must meet. These requirements are mandatory and are aimed at enforcing security best practices across all apps.
Maintaining security through continuous scanning
Atlassian’s Ecoscanner platform performs security checks across all Marketplace cloud apps on an ongoing basis to help ensure the security of our ecosystem.
If an app is found to be missing a security requirement, Atlassian will take action to protect customers.
Timely resolution of security issues
To ensure the security of all Marketplace cloud apps, Marketplace Partners are required to adhere to security bug fix SLAs. If a vulnerability or missing security requirement is detected in any app listed on the Marketplace, partners are required to respond in a timely manner.
Enhanced vulnerability discovery via opt-in Bug Bounty program
Atlassian has a best-in-class marketplace bug bounty program to increase security and trust. Participating Marketplace Partners are able to proactively combat security risks before they arise by incentivizing security researchers to find vulnerabilities. While the program is generally optional, apps must participate to get a Cloud Fortified or Cloud Security Participant badge.
Ensuring transparency through privacy requirements
Apps are required to provide a privacy policy that outlines data access, collection and processing, and with whom and where End User Data might be shared or stored.
In addition to a privacy policy, Atlassian requires partners to obtain all necessary rights, permissions, and consents from end users for any processing of any End User Data.
Administrative visibility & control for customers
Get the information you need to choose apps that fit your requirements thanks to centralized app information on Atlassian Marketplace.
Plus, leverage controls to ensure only apps you trust have access to the data they need.
We support this through:
Centralized app administration in admin.atlassian.com
Controls for end user app installs
Controls to limit app access to selected content
Privacy & Security tab on Atlassian Marketplace
Required privacy policies on each Marketplace app listing
Helping you safely power-up your workspace with apps
In addition to trust badges, we’re constantly working with partners to bring you more app information on admin.atlassian.com and the Marketplace. To learn more about an app before installing, you can:
Start with the Privacy & Security tab on the app’s listing.
This should include partner-provided information about how an app handles data, its permissions, compliance certifications, security details, privacy information and more.
Visit the app’s privacy policy.
Partners are required to provide a privacy policy that details their app’s data access and use on their Marketplace app listing. If you can’t find what you need on the Privacy & Security tab, try the privacy policy or documentation.
Check the partner’s website.
Some partners have their own comprehensive trust centers, which can provide detailed information about the company and app.
Reach out to the partner directly.
You can find support contacts on the app listing, but this may not always be the right contact for security questions. Check the security contact listed directly on the Privacy & Security tab to save time.
Sign up for new version updates.
Or check the Connected Apps tab on admin.atlassian.com for apps with an update available so you can stay up to date on app changes.
Find apps that are going the extra mile to protect your data and workflows
On the Atlassian Marketplace, you may notice that some apps have a Cloud Security Participant or Cloud Fortified badge. These badges help you easily identify apps that have gone above and beyond Atlassian’s general standards to deliver a secure and reliable cloud experience.
The requirements for each badge are as follows:
| | All Cloud apps | Cloud Security Participant apps | Cloud Fortified apps |
|---|---|---|---|
| Base cloud app security requirements | | | |
| Monitored by Atlassian’s app vulnerability scanning platform, Ecoscanner | | | |
| Additional app security requirements and fix timeframes defined by Atlassian | | | |
| Participates in Marketplace Bug Bounty Program | | | |
| Has a complete Privacy & Security tab | (optional) | (optional) | |
| Additional checks for service reliability and performance at scale | | | |
| Incident and review processes integrated with Atlassian’s for faster recovery and continuous improvement | | | |
| Commercially reasonable efforts to provide support | | | |
| 24 hour response time, 5 days a week SLA for all T1 tickets | | | |
Trust & Security Community
Join the Trust & Security group on the Atlassian Community to receive information, tips, and best practices for using Atlassian products in a secure and reliable way.