データ転送影響評価

Third Countries

Direct transfers: Atlassian has offices in Australia where our employees may access personal data for the purposes of the provision of Services and Forge Platform.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page. Atlassian also offers data residency in accordance with this page.

The frequency of the transfer

Direct transfers: Continuous.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: As detailed in Atlassian DPA and Forge DPA respectively.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Determined at the sole discretion of the data exporter.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page.

Applicable transfer mechanism

Direct transfers: Standard Contractual Clauses between Atlassian and its customers, or Forge developers, respectively.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

Australia has various laws, legislation and executive powers that could be used to compel companies to disclose personal data, or that provides for investigation and enforcement agencies to obtain data where there is a suspected contravention. A high-level summary of several of the key laws is provided below:

• Crimes Act 1914 (Cth) and the Criminal Code Act 1995 (Cth), which permits government agencies to collect both electronic and physical data where there are reasonable grounds to believe there is a criminal offense.

• Surveillance Devices Act 2004 (Cth) and equivalent state and territory laws that grant authorities covert access to electronic and physical data.

• Telecommunications (Interception and Access) Act 1979 (Cth) and Part 15 of the Telecommunications Act 1997 (Cth) grants government bodies powers to oblige telecommunications carriers, carriage service providers, and other communications providers to assist law enforcement and intelligence agencies.

For aspects of each of the above laws, there are potential extra-territorial powers that could theoretically compel those outside of Australia to assist in the investigative process. However, in practice, it is highly unlikely that law enforcement and surveillance authorities will be able to do so without operating through existing bilateral processes, such as mutual legal assistance treaties. In practice, it can be difficult to determine how governmental authorities use all of their powers to conduct surveillance and collect data (and therefore whether it involves unnecessary or disproportionate data access in any circumstances) because in several cases, government authorities are not required to publicly report on when and how they use these powers (although independent oversight and review, including reporting to independent statutory authorities, is embedded throughout the surveillance legislation framework). In addition, not all requests for access to data and surveillance are currently subject to prior independent judicial authorization, although a process for review and reform of Australia’s surveillance laws has commenced and this may change in the future.

Atlassian publishes and follows Atlassian Guidelines for Law Enforcement Requests in responding to any government requests for data. Atlassian also publishes an annual Transparency Report with information about government requests to access data.

Direct transfers: Not applicable.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Not applicable.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: Not applicable.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

The Brazilian government can only access/intercept personal data for certain specified purposes including, but not limited to, criminal law enforcement and surveillance, as further described below, and after authorization of a court.

A high-level summary of the key laws is provided below:

• Wiretapping and Information Systems Surveillance Law - allows interception of Brazilian telephone lines and information systems. All interception must be approved through court order and not be longer than 15 days.

• Brazilian Intelligence Agency (Agência Brasileira de Inteligência - ABIN) - establishes that ABIN can only request data from other government agencies/authorities which are part of the Brazilian System of Intelligence.

• The Brazilian Internet Civil Rights Framework (Law No 12,965) – establishes a) where a non-Brazilian company has a data center in Brazil, the Brazilian law applies, b) requires internet connection and application providers to keep connection and access logs (IP, date and time of use) for 12 months (internet connection) and 6 months (application access) and c) if a company violates the Brazilian Internet Civil Rights Framework sanctions may apply such as warnings, fines, suspension and prohibition.

• Encryption - The Federal Supreme Court has on hold two trials that may decide if a court can apply sanctions for noncompliance with a court order to reverse/access encrypted data.

The Brazilian General Data Protection Law ("LGPD") is mostly aligned with the GDPR, therefore it provides a similar level of protection, but it does not apply to national security or criminal matters. However, the country has not yet been evaluated in order to obtain an adequacy decision from the European Data Protection Board.

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

Direct transfers: Not applicable.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Not applicable.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: Not applicable.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

India has various surveillance, criminal, and security laws which allow government agencies to intercept and access "personal information" and "sensitive personal data or information" without obtaining their prior consent if relevant factors apply.

A high-level summary of the key laws is provided below. Note that these laws are often applied together, so criminal laws cannot be distinguished from surveillance specific laws.

• Information Technology Act, 2000 - empowers government agencies to intercept any information generated, transmitted, received, or stored in any computer resource. This can be in the interest of the sovereignty, integrity of India, security, and defense of India, etc. A subsection of the act grants the central government power to authorize any government agency to monitor and collect traffic data to enhance cybersecurity, identification, analysis, and prevention of intrusion or spread of a computer containment.

• Indian Telegraph Act, 1885 - confers upon the Indian government the right to conduct surveillance over telegraph lines but only upon the occurrence of a public emergency or the interest of public safety.

• Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules) - sensitive personal data or information may be shared without obtaining the prior consent of the data subject with a government agency if such activity is mandated under law for verification of identity, prevention, detection and investigation purposes, including cyber incidents, prosecution and punishment of offenses.

• Criminal Laws and Code of Criminal Procedure, 1973 (CrPC) - grants courts and investigating officers, by way of a written order, to require any person in whose possession or power a document or thing lies to produce the same where necessary or desirable for the purposes of an investigation, inquiry, trial or other proceedings.

Since the scope of the surveillance and interception powers of Indian authorities extends to investigations carried out in respect of any persons, companies, and entities operating within India (including those doing business in India from offshore), any data recipient is potentially within the scope of such criminal law enforcement and shall be obligated to share data available with it if called upon by a government authority. The CrPC applies to the territory of India and accordingly, an offshore entity is not under an obligation to comply with the request, however, if the offshore entity has a presence in India, the CrPC would extend to such operations within India.

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

Direct transfers: Not applicable.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Not applicable.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: Not applicable.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

There are laws and regulations in Malaysia that grant surveillance powers and various laws confer public authorities the right to access and intercept data, which are not limited to instances concerning matters of national security. The power to intercept communications, and to exercise powers to search and seize data, can be exercised for the purpose of any investigation into an offence under the relevant law.

A high-level summary of the key laws is provided below:

• Criminal Procedure Code (CPC): search and interception - public authorities can generally access data in order to prevent, detect and prosecute crimes. The term "access" is broadly understood as the login and password data (if any), the encryption or decryption key (if any), and more generally any information that will enable police officers to have access to the raw data and access to any software or hardware. Law enforcement and intelligence authorities enjoy very wide powers to intercept communications, if such communication may serve as a piece of evidence for a criminal offense.

• Security Offences (Special Measures) Act 2012 (SOSMA) – grants any police officer or any other person, with authorization of the Public Prosecutor, the power to intercept any communications (which includes any message transmitted or received by any communication).

• Communications and Multimedia Act 1998 (CMA) - grants a police officer the power to carry out a search operation and access computerized data, with or without a warrant, if a relevant offense is suspected. The CMA has extraterritorial effects, and it applies both within and outside Malaysia.

• Computer Crimes Act 1997 (CCA) – grants a police officer the power to search an organization's premises, if it first obtains a warrant issued by a Magistrate and when there is reasonable cause to believe that a piece of evidence relates to the commission of an offense under the CCA. The CCA has extraterritorial effects given that it applies both within and outside Malaysia.

• Income Tax Act 1967 (ITA) - provides for the power of the Director General of Inland Revenue (Director General), to require any person to provide all such information or particulars as may be demanded by him for the purposes of the ITA.

• Malaysian Anti-Corruption Commission Act 2009 (MACC Act) – grants, in certain circumstances, the power for an officer to enter any premises and search, seize, and take possession of any book, document, record, account data, or other article. It also grants officers of the MACC powers to intercept communications, where they consider that such communication is likely to contain any information which is relevant for the purpose of any investigation into an offense under the MACC Act.

• Sales Tax Act 2018 and Service Tax Act 2018 (SST Act) - grant wide powers to authorities to request access to relevant sales tax information.

• Personal Data Protection Act 2010 (PDPA) – permits personal data to be disclosed if it is necessary to prevent or detect a crime, or if such disclosure is required by law.

Public officers can exercise the enforcement powers set out in the PDPA and carry out search and seizure operations and access computerised data and information.

No extraterritorial effect: It is important to note that Malaysian public authorities would not be able to enforce most of the abovementioned laws against foreign entities not present in Malaysia. The rights granted to public authorities under the laws above to access data, and to exercise powers of search and seizure, are granted vis-à-vis entities who are based in Malaysia. As such, Malaysian public authorities would need to seek the collaboration of their foreign counterparts in order to access personal data stored in the EU by entities outside Malaysia.

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

Direct transfers: Not applicable.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Not applicable.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: Not applicable.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

Private entities that are obligated to comply with the Protection of Personal Data held by Private Parties ('LFPDPPP') legislation must process data in some manner in connection with Mexico and therefore have to respond to demands by Mexican authorities to disclose those personal data (assuming the demand is otherwise lawful).

Atlassian is potentially within the scope of the importing territory's governmental security and surveillance powers if the data importer obtains personal data that falls under the definition of “data processing” in the LFPDPPP. Under Mexican Data Protection Laws, the transfer of data turns the receiver into a data controller. The scope of application of LFPDPPP and its Regulations is when the processing:

1. is carried out in an establishment of the data controller located in Mexico;
2. is carried out by a data processor, regardless of its location, on behalf of a data controller established in Mexico;
3. the data controller is not established in Mexico but is subject to Mexican laws as a consequence of entering into a contract that is governed by Mexican law or to which Mexican jurisdiction extends under international law; or
4. the data controller is not established in Mexico but uses equipment/media located in Mexico, unless such media are used only for transit purposes that do not involve processing. For this case, the data controller shall provide the media necessary to comply with the obligations imposed by the referred laws.

Mexican Authorities will argue that the data importer has the data and they may exercise their powers.

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

Direct transfers: Not applicable.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Not applicable.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: Not applicable.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

The Philippines has enacted specific laws that enable law enforcement authorities and military personnel to obtain access to data, including personal data being processed in the Philippines and held by private organizations. In addition, the powers of government authorities enable them to request / access data stored in Europe but which are accessed by individuals located in the Philippines, as long as the person or entity sought to be enjoined is subject to the jurisdiction of the Philippine government.

A high-level summary of the key laws is provided below:

• The Philippine Constitution of 1987 – this allows exceptions to the right to privacy, which means that data (including personal data) can be accessed however law enforcers must first obtain a warrant with the proper court.
• Republic Act (R.A.) No. 11479 or the “The Anti-Terrorism Act of 2020” (ATA) – this allows law enforcers or military personnel to have access to, read, collect, or record, any private communication, conversation, discussion, data, information, or messages in whatever form, kind or nature, when it takes place between terrorists / terrorist organizations.
• Anti-Wiretapping Act (R.A. 4200) - while it is generally prohibited for any person to secretly tap, intercept, or record private communications between individuals, the law provides for an exception when any police officer has obtained a court order.
• Cybercrime Prevention Act (R.A. No. 10175) - authorizes law enforcement authorities, upon securing a court warrant, may require any person or telecommunications service providers to preserve, disclose, or submit subscriber information, traffic data, or relevant data in its possession or control in relation to the prosecution of a crime committed through a computer network or the use of electronic communications devices. Service providers are required to preserve the integrity of traffic data and subscriber information for a minimum period of six months from the date of the transaction.

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

Direct transfers: Not applicable.

Onward transfers: Atlassian transfers Customer Personal Data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Not applicable.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: Not applicable.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not applicable.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Not applicable.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

A high-level summary of the key laws relevant in Turkey is provided below:

• Constitution of the Republic of Turkey - establishes that any interference with fundamental rights and freedoms must be proportionate and in compliance with the essence of the Constitution and the requirements of the democratic and secular system. However, under extreme circumstances (e.g., war, mobilization, or state of emergency), the exercise of fundamental rights and freedoms may be partially or entirely suspended to the extent required by the requirements of the situation, as long as this does not violate any obligations under international law
• Criminal Procedural Code No. 5271 (CPC) – permits communications that are at a post office to be seized, if there is probable cause that they constitute evidence of a crime. Evidence can also be obtained by interception of correspondence through telecommunications, provided certain conditions are met (such as lack of alternative methods, relation to specific crimes, etc.).
• Electronic Communications Law No. 5809 (ECL) – grants, in the context of its duties, the relevant authority the power to request any type of document or information from individuals, private and public entities.
• Protection of Competition Law No. 4054 (only available in Turkish) – establishes the Competition Authority's right to supervise and inspect all information, documents, and ledger of any organization.
• State Intelligence Services and National Intelligence Organisation Law No. 2937 (only available in Turkish) ("State Intelligence Services Law") – Turkish intelligence services are entitled to request any type of document or information from individuals, private or public entities. They may also intercept communications provided a judge authorizes it, or a written order issued by the relevant authority's senior official in cases of disclosure of state secrets or the activities of terrorism.

Extraterritorial effect: the governmental or state authorities’ powers to request documents from organizations are not limited to information located in Turkey (if servers are located in Europe). The same principle applies to tapping into the communication of individuals by judicial decision. In a two-ended conversation, if one of the persons is located in Europe or is a European citizen, the National Intelligence Organisation will still be able to collect the necessary information.

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

Direct transfers: Atlassian has offices in the United States where our employees may access personal data for the purposes of the provision of Services and Forge.

Onward transfers: Atlassian transfers personal data to its sub-processors for the purposes of assisting in the provision of Services as well as Forge as further outlined in our sub-processor page.

The frequency of the transfer

Direct transfers: Continuous.

Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: As detailed in Atlassian DPA and Forge DPA respectively.

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: None.

Onward transfers: Determined at the sole discretion of the data exporter.

Length of processing chain

Onward transfers: Please refer to Atlassian's sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Atlassian’s DPF Certification for the contractual relationship between Atlassian and its customers, or Forge developers, respectively.

Onward transfers: Standard Contractual Clauses between Atlassian and its sub-processors. Atlassian imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

Schrems II では欧州連合 (EU) 司法裁判所により、以下の米国の法律が米国において個人データの実質的に同等な保護を確保する上での潜在的な障害として特定されました。

• FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering.
• Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire, and other electromagnetic means.

Further information about these U.S. surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II whitepaper from September 2020. As for the CLOUD Act, please refer to What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.

With the Data Privacy Framework, Europe introduced the adequacy framework for US companies that self-certify under the DPF. An essential element of the adequacy decision was the updated US legal framework, e.g. Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which was signed by President Biden on 7 October and is accompanied by regulations adopted by the Attorney General. These instruments were adopted to address the issues raised by the Court of Justice in its Schrems II judgment.

For Europeans whose personal data is transferred to the US, the Executive Order provides for:

• Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
• Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
• The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.

Atlassian US, Inc. and its US affiliates participate in and certify compliance with the Data Privacy Framework Principles. Our US entities are now able to rely on the adequacy decision to receive EU personal data. You can find more information in our Privacy Notice under the Section “Data Privacy Framework Notice.”

アトラシアンは、政府からのデータ提供要請に応じるにあたり、アトラシアンの法執行機関からの要請に関するガイドラインを公表し、これに従っています。また、データ アクセスに関する政府からの要請に関する情報を掲載した、年次透明性報告書も公表しています。

アトラシアンは、個人データのセキュリティを強化するために、以下の技術的措置を講じています。

• データ レジデンシー: アトラシアンは、お客様が対象となる製品コンテンツを特定の場所にピン留めすることを許可しています。データ レジデンシー プログラム (アプリや追加場所のデータ レジデンシーを含む) に追加される予定の拡張機能は、アトラシアンのクラウド ロードマップでハイライトされています。
• 暗号化: アトラシアンは、BYOK 暗号化だけでなく、保管時と移転時のデータ暗号化も提供しています。
• セキュリティと認定: アトラシアンは正式なセキュリティ管理プログラムを実施しており、ISMP (情報セキュリティ管理プログラム) を毎年見直しています。アトラシアンのセキュリティ プラクティスと認定に関する追加情報は、アトラシアンの DPA と Forge DPA、および当社の Trust Center をご覧ください。

契約的措置

アトラシアンの契約的措置は、SCC を組み込んだデータ処理補遺と、SCC に関する英国補遺とスイスによる修正条項に定められています。特に、当社は以下の要件の対象となっています。

• 技術的措置: アトラシアンは、個人データを保護するための適切な技術的および組織的な措置を講じることを、契約上 (お客様および Forge の DPA、ならびにアトラシアンがお客様、サービス プロバイダー、およびアトラシアン グループの事業体間で締結する SCC の両方において) 義務付けられています。
• 透明性: アトラシアンは、政府機関から政府によるお客様の個人データへのアクセス要求を受けた場合、SCC に基づきお客様と Forge 開発者に通知する義務があります。アトラシアンがそのような開示を行うことが法的に禁止されている場合、アトラシアンは、当該禁止に異議を申し立てて権利放棄を求めるよう契約上義務付けられています。
• アクセスに異議を申し立てる措置: SCC に基づき、アトラシアンは政府機関によるアクセス要求の合法性を検討し、違法と見なされる要求に異議を申し立てる義務があります。

組織的措置

データを保護するためのアトラシアンの組織的措置には以下が含まれます。

• 政府によるアクセスに対するポリシー: 政府からのデータ提供要求に応じるにあたり、アトラシアンは、法執行機関からの要請に関するアトラシアン ガイドラインを公表し、これに従っています。アトラシアンからデータを取得するために、法執行機関は、召喚状、裁判所命令または令状など、求められる情報の種類に対して適切な法的手続きを踏む必要があります。
• アトラシアンでは、政府からのデータ アクセス要求に関する情報を掲載した、年次透明性報告書も公表しています。
• データの転送: アトラシアンは、お客様のデータをアトラシアンのサービス プロバイダーと共有する場合は、常にデータの使用方法についてお客様に対する説明責任を負います。当社のお客様および Forge 開発者の個人データを適切に保護することを保証するために、すべてのサービス プロバイダーに対して、当社のセキュリティ、プライバシー、リスク & コンプライアンスの各チームにおける対象分野のエキスパートによる徹底した部門横断型なデュー デリジェンスのプロセスを実施することを義務付けています。このプロセスには、アトラシアンがサービス プロバイダーとの共有を計画しているデータや関連するリスク レベル、サプライヤーのセキュリティ ポリシー、措置、サードパーティの監査、ならびにサプライヤーがデータ主体の権利を尊重する成熟したプライバシー プログラムを保有しているかどうかの確認が含まれます。当社の復処理者のページに掲載されている復処理者のリストをご覧ください。
• プライバシー バイ デザイン: アトラシアンのプライバシー原則では、アトラシアンのプライバシーに対するアプローチを概説しています。機械学習のインテリジェントなエクスペリエンスにおけるプライバシーに関するより詳細な情報は、こちらをご覧ください。
• 従業員トレーニング: アトラシアンは、世界中のすべてのアトラシアン スタッフにデータ保護研修を提供しています。