Atlassian Business Associate Agreement

Introduction

This Data Transfer Impact Assessment (“DTIA”) serves the purpose of assisting Atlassian customers as well as Forge developers in conducting a risk assessment for the transfer of personal data in connection with Atlassian’s provision of its Cloud Products, Support, and Services (together, “Services”), and Forge Platform (“Forge”), and subsequent processing of such personal data by Atlassian, its Affiliates and sub-processors in light of the “Schrems II” ruling of the Court of Justice for the European Union and the subsequent recommendations from the European Data Protection Board. The DTIA supplements the information necessary for compliance with data transfer provisions under the European Data Protection Law as defined in our Atlassian Data Processing Addendum (Atlassian DPA) and Forge Data Processing Addendum (Forge DPA).

As a provider of global services, Atlassian runs its services with common operational practices and features across multiple jurisdictions. Therefore, we store personal data in data centers located in the United States, EMEA, and APAC, further outlined in our data residency documentation, and process it in other locations worldwide for the provision of products, features, as well as customer and technical support purposes.

Under the European Data Protection Laws, personal data may not be transferred outside of Europe unless (i) the importing country has been deemed adequate by the relevant governmental body; or (ii) the data exporter has appropriate safeguards in place to ensure that personal data transferred is subject to an adequate level of protection. Those safeguards are referred to as “transfer mechanisms.”

The Atlassian DPA incorporates the Standard Contractual Clauses (as defined in the DPA) as such transfer mechanism as follows:

• Where personal data protected by the GDPR is transferred to Atlassian outside of Europe, Atlassian relies upon the EU Standard Contractual Clauses (SCCs) to provide an appropriate safeguard for the transfer. Under the SCCs, our Customers are acting as the "Data Exporter" and Atlassian is the "Data Importer".
• Where personal data protected by the UK Data Protection Law, Atlassian relies on the UK Addendum in our DPA in accordance with the ICO guidance from 2022.

• Where personal data is protected by the Swiss Federal Act on Data Protection is transferred to Atlassian outside of Europe, Atlassian relies upon the EU SCCs plus certain interpretative provisions to make the SCCs work for Switzerland's legal regime.

Furthermore, Atlassian participates in and certifies compliance with the Data Privacy Framework. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.” Where adequacy does not apply, we continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism.