
Evaluating Rovo? Three things you need to know about security and data governance

Tom Pieterse
Atlassian Team
August 7, 2025

Hi Atlassian community,

I’m Tom Pieterse, Principal Trust Analyst on Atlassian’s Trust Engagement Team, and I've been in the cybersecurity space for over 15 years. In my day-to-day job, I help customers like you navigate risk, security, and compliance across our Cloud and Data Center products.

In these conversations, I’ve noticed some common security themes emerging. So I figured I'd take to the community to provide more clarity on how Rovo’s AI-powered capabilities have been designed.

First things first: We’ve used the same secure foundation and trusted approach you’re already familiar with from our other AI capabilities. Just like our approach to Atlassian Apps like Jira and Confluence, we continue to build Rovo capabilities in alignment with our Responsible Technology Principles, offering robust safeguards to protect your data and help you address your compliance requirements.

Today, I’m going to address the three top security and governance topics that my team and I tackle with customers evaluating Rovo:

  1. Rovo’s access to third-party data via app connectors

  2. Guardrails for agent permission controls

  3. Security, compliance, and privacy processes that protect your data

 

Rovo’s access to third-party data via app connectors

Rovo allows organization admins to connect enterprise third-party SaaS apps—such as Google Drive, SharePoint, and more—using Rovo connectors. Connectors are disabled by default! When you do choose to enable a connector for a third-party app, Rovo strictly enforces your users’ existing permissions. This means users will only be able to access the data they’re already authorized to see within each connected app, ensuring your organization’s security and compliance standards are maintained.

Admins can navigate to Atlassian Administration -> Settings -> Rovo to connect approved third-party SaaS apps using Rovo connectors

If you want to remove a connection with a third-party app linked to Rovo, you can disconnect the app by following the same steps in Atlassian Administration. The data will be deleted in accordance with our data, privacy and usage guidelines.

 

Guardrails for agent permission controls

Rovo agents are like AI teammates: you can create an agent to help with tasks, uncover insights, brainstorm, and move work forward.

Rovo agents are designed with permissions and governance at their core. Rovo agents can only operate within the permissions of the user interacting with them. These guardrails ensure that an agent does not have any additional access or ability to change things outside of the user’s available permissions.

In addition, admins and users remain in control of configuring what actions agents can take, and agent actions are logged for transparency. For example, when a user creates a new Rovo agent, updates an agent’s configuration, or deletes an agent, each of these actions is recorded in the audit log. This approach keeps humans in the loop.

To supercharge your efficiency, admins can use agents in automation rules to reduce time spent on more complicated repetitive tasks. Once again, all actions taken by agents through automation rules are logged and auditable for additional transparency.

Navigate to Atlassian Administration -> Security -> Audit log to filter on Rovo related activities

 

Security, compliance, and privacy processes that protect your data

Rovo is built on the trusted Atlassian Cloud Platform, keeping your data secure and private. Your inputs and outputs are not used to train, fine-tune, or improve any third-party LLM models or services. All features are built with security, privacy, and compliance in mind on Atlassian’s enterprise-grade infrastructure.

When it comes to data protection with Rovo, remember:

  • Data sent to third-party LLM providers is encrypted, not retained, and only used to serve your experience.

  • Your existing user permissions and access controls are always respected.

  • Rovo and Atlassian Intelligence are SOC 2 and ISO 27001 certified. We are also committed to helping our customers stay compliant with GDPR and other local requirements.

  • While Rovo Search, Studio, and Bookmarks are now part of the Atlassian Cloud Platform and are always on, you can activate or deactivate AI-powered Rovo features for your available apps at any time according to the steps in our support documentation.

Navigate to Atlassian Administration -> AI-enabled Apps

As a reminder, Atlassian’s Trust Center and AI transparency page always have the latest Rovo security, privacy, and compliance information available to you. For more guidance on which Rovo features use AI, refer to our support guide.

I hope covering these topics helps you answer questions before you have to ask them! This is a weighty and important topic and my team and I are available to help you and guide you through addressing them within your own organization.

I’ll be popping into Community more often to share insights like these. I know this was a lot to take in but I'd love to answer any questions you have. Ask me in the comments and I'll check this post to make sure I'm getting back to you. 

Oh! And if you happen to be in Melbourne or Sydney next week, come say hi in person! 

Tx. Tom

1 comment

Kc
Contributor
August 11, 2025

@Tom Pieterse, thank you for the helpful and informative writeup. Ref to Agent Permissions. When agents are granted autonomy to create Confluence pages for example, how can we trace whether an action was performed by the user or the agent in the event of a security incident? More specifically, how can we differentiate between actions performed by the user versus those performed by the agent when they share the same permissions tied to a particular Atlassian account?
