Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Cloud: Atlassian internal logging and customer data

Dom Bush
Dom Bush
Contributor
March 22, 2022

A customer who is migrating to Cloud is asking for confirmation that Personal Identifiable Information (PII) and user data (e.g. issue titles, summary, attachment filenames, project names, etc.) are not stored in Atlassian's internal log files. 

After searching the documentation, I have been unable to find anything that states this explicitly.

Comment
Watch
Like # people like this
1592 views

2 comments

Comment

Log in or Sign up to comment
Andreas Springer _Actonic_
Andreas Springer _Actonic_
Community Champion
March 22, 2022

Hi Dom,

we closely monitor data privacy topics in the Atlassian ecosystem so we can keep developing our app GDPR and Security in a meaningful way and adjust it to the newest changes.

However, for Atlassian's Cloud products, it is not clear how exactly their application architecture works.

We assume that data like this is indeed stored for support and investigation purposes, but without access for users or even admins.

Furthermore it stands to reason that they only store it for a limited time – maybe 30 days – and discard it when they don't need it anymore.

Unfortunately there are no official details available on this, however.

Like Andrei Pisklenov _Actonic_ likes this
Dom Bush
Dom Bush
Contributor
March 22, 2022

Hi Andreas, 

Thanks for your answer. 

Regards,
Dom.

Like
Reply
Bill Marriott
Bill Marriott
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 23, 2022

Hi @Dom Bush - 

Due to the ability for customer admins to define their own fields in Jira or content in Confluence, we cannot absolutely rule-out logging of PII. However, if we realize that some fields do contain PII, we strip them from logging. We also : 

  1. Restrict access to logs generally;
  2. Check if the (schema-defined) automatically tainted fields are correct for your service;
  3. Determine a list of fields in your logs that can be tainted (contain UGC/PII) or are always clean (don't contain UGC/PII);
  4. Determine if individual fields need exceptions from the above generic lists at the event level (`ugc_dirty` and `ugc_clean` tags on the fields), and remove from logs;
  5. Treat any PII in logs as a Security Incident.

As Andreas mentioned above, we retain logs for 30 days in hot storage, and 365 in cold storage, after which logs are automatically deleted. For more information, see: https://www.atlassian.com/trust/security/security-practices#making-use-of-logs 

Hope that helps.

-Bill Marriott

Atlassian Trust & Security

Like # people like this
Dom Bush
Dom Bush
Contributor
March 25, 2022

Hi Bill, 

Thanks for your very detailed answer.

Just a quick follow up: Is it possible for the end customer to mark fields as "ugc_dirty" or sensitive to avoid the need for 2, 3 or 4? 

Regards,
Dom.

Like
Reply
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security