This document provides guidance on GDPR and BaFin compliance for organizations considering moving work management tools to Atlassian Cloud. It outlines key GDPR goals and requirements, such as data protection and user consent. It also discusses BaFin guidance for outsourcing to cloud services. The document reviews Atlassian Cloud's compliance measures, including data processing agreements and data residency controls. It notes some additional assessment areas and documents organizations should reference. Overall, the document indicates GDPR and BaFin compliance is achievable for most use cases when utilizing Atlassian Cloud's default security and privacy controls.
7. TIME TO VALUE
Move fast, accelerate time to value and speed to market
ROI
Refocus resources and investments to maximize your business ROI
INNOVATION
Future-proof your strategy & tools with continuous innovation
REVENUE PROFIT GROWTH
Why Atlassian Cloud?
15. Security features for everyone
SAML Single Sign-on (SSO)
User lifecycle management with SCIM
Organization Audit Logs
Shadow IT insights
Nested groups flattening
Selective user claim
External User Security
COMING SOON
COMING SOON
Encryption at rest & in transit
Data Residency
Mobile Device Management (MDM)
Secure Application Tunneling 🆕
Improved backup and restore
Data Residency for apps COMING SOON
COMING SOON
💡Included with Enterprise
16. Atlassian Enterprise Plan adds
Governance
Multiple Identity Providers in Atlassian Access
User activity audit log 🆕
18. Atlassian Enterprise Plan adds
Security
Bring your own Key
Data Leakage Protection
COMING SOON
FUTURE
19. Atlassian Enterprise Plan adds
Analytics & Data Lake
Atlassian Data Lake
Atlassian Analytics
Data Warehouse
BI tools (e.g. Tableau and Power BI)
COMING SOON
COMING SOON
24. Scale globally with unlimited sites
Cloud Enterprise
Centralized user licensing - pay for user once and grant access to multiple instances
Acquisitions Business Units Security
Corporate Regions
Centralized Admin Console - Manage users, products, security policies, insights and billing
Customize instances with marketplace apps based on team needs
25. MINIMUM REQUIREMENTS FOR ENTERPRISE
801+ users OR 201+ agents
👀 Financial Services Special: 501+ users OR 51+ agents
28. Migration Assistant App: Helps assess apps and migrate core content from Server to Cloud
Migration Manager: Dedicated team to help you assess and plan your migration
Solution Partners: Help you with the hands-on-keyboard work before, during and after the migration
Migration Center: Resources, best practices & migration tools for every stage of the migration journey.
Migration Helpers
34. Non-operation (Business cannot work): Maintenance windows, Outages/Disruptions
Holistic view on Cost Advantages
Risk: Attacks, Data breaches, Security vulnerabilities
Operation: Hardware, Software, Support, Licenses, Maintenance
Covered, maintenance-free and included in Atlassian Cloud
37. Audit rights: On-site audits and flow-down audit rights over material sub-outsourcers (i.e., AWS)
Cooperation: Commitment to cooperate with regulators
Oversight rights: Enhanced record-keeping and notifications in case of a breach
Continuity of service: In the event of bankruptcy and after termination
Included with the Financial Services Addendum
38. Eligibility requirements
Cloud Enterprise Plan: > 500 users minimum. No other editions qualify for this addendum or compliance
Operate in the EU: From regional to multinational banks with presence within EEA
Product Scope: Only the above products apply
40. Shareholder & Co-CEO
Atlassian Expert by Heart
Atlassian Certified Instructor
Atlassian Certified Professional
User since Jira 2.0 EAP & Confluence 1.0
Daniel Meisen
41. Moving to a cloud future, together…
- Guidance on GDPR
- Guidance on BaFin
- Atlassian Cloud compliance
- Guidance on your compliance
Journey to Cloud
47. Protection: Protect personal data & strengthen privacy rights of EU individuals
Control: Give users control over their data
Goals of EU’s General Data Protection Regulation
GOALS
https://time.com/6146178/meta-facebook-eu-withdraw-data/
https://about.fb.com/news/2022/02/meta-is-absolutely-not-threatening-to-leave-europe/
52. GDPR Non-Compliance - Penalties & Fines
If your data is breached:
GDPR FINES
You must report it within 72 hours
OR
Face a fine up to 20M € or 4% of global turnover
https://www.enforcementtracker.com/
54. Primer on GDPR SaaS assessments
- Assess data flows - is any data exported outside the EU? Check lawfulness and purpose limitation, and ensure data minimization.
- Adequacy decisions exist for certain countries (e.g. Switzerland, Canada, United Kingdom, …) but not for all (USA: Schrems II)
- Decide if a data protection impact assessment (DPIA) is required - this depends on your specific use case (Art. 35 para. 4 DS-GVO)
- Perform a Transfer Impact Assessment (TIA) – Guidance provided by Atlassian [1]
- Ensure an up-to-date DPA including the “new” SCCs – grace period expires on Dec 27th, 2022 [2]
[1] https://www.atlassian.com/legal/data-transfer-impact-assessment
[2] https://www.atlassian.com/legal/data-processing-addendum
56. BaFin – Guidance on Outsourcing to Cloud Services
- Additional requirements for all non-differentiated outsourcing according to the KAGB (scope, audit rights of the supervised company / supervisory authorities, right to issue instructions, data security / protection, … - Chapter V)
- Quick Tip: Guidance [1] of the BaFin (together with Deutsche Bundesbank) in cooperation with EIOPA, EBA, SSM and other national supervisory authorities
- Covers outsourcing of materials and items to the Public Cloud (and private/community/hybrid) as IaaS, PaaS or SaaS.
- Supervised companies (you?!) are requested to have a documented process covering all relevant steps to outsource to a cloud provider.
[1] https://www.bafin.de/SharedDocs/Downloads/EN/Merkblatt/BA/dl_181108_orientierungshilfe_zu_auslagerungen_an_cloud_anbieter_ba_en.html?nn=9866146
57. BaFin – Guidance on Outsourcing to Cloud Services
- Review your use case with regard to supervisory law: does a case of outsourcing exist, and is it to be qualified as material? When in doubt, assume outsourcing.
- Perform a risk analysis covering all relevant aspects of the outsourcing (type, scope, complexity, risk)
- Review and map all Chapter V (Contractual terms in the case of (material) outsourcing) requirements to the Atlassian contractual vehicles [1]
[1] https://www.atlassian.com/trust/compliance/resources/bafin/bafin-guidance