• Documentation

Security and data handling

This document outlines the security measures and data handling practices for portfolio insights. Portfolio insights adheres to Atlassian's security practices and complies with major data protection regulations, including GDPR and CCPA. For more information, see Atlassian Security Practices.

We cover the security aspects for the following parts of Portfolio insights :

Detecting Cloud and Data Center instances

We use three methods to detect your Atlassian products: license data detection, app links detection, and cloud product detection.

License and domain-based detection

  • Scans license data stored in Atlassian's license management system.

  • Matches license information with domains claimed in your organization.

  • Identifies both Data Center and Cloud products associated with your claimed domains.

  • Uses Atlassian's license and billing systems to match products with your organization.

  • No personally identifiable information (PII) is stored as part of the detection process.

  • Contact information, when needed, is fetched in real-time from our license and identity systems and is not stored.

We don't access or use the app links themselves, only their metadata.

For on-prem products:

  • Uses the existing connectivity to retrieve app links metadata from your instance.

  • Collects only non-sensitive metadata such as URL, product family, hashed server ID, and version.

For Cloud products:

  • Retrieves app links metadata from all Cloud instances in your organization.

  • Does not require additional permissions or approvals.

Connecting to Data Center instances

Cloud companion connection process

To add an on-premises Jira Data Center product, install the cloud companion app to establish a secure link between your Data Center instance and Atlassian cloud.

Security key generation and usage

A unique security key is generated upon connection:

  • The security key is valid for 30 days, after which you'll need to regenerate it to maintain the connection.

  • Audit logs are available at the organization level to track connections and actions.

  • Cloud side:

    • The security key is stored as an opaque token.

    • It cannot be encoded or decoded and is only authorized by security services in the cloud after verification.

    • No personally identifiable information is contained in the token.

  • On-prem side:

    • Stored at rest in your database, encrypted by default using AES/CBC/PKCS5Padding.

    • The encryption key is securely stored in your product's shared home directory.

Security key transmission

  • The security key is displayed only once during the linking process.

  • It must be manually copied from Admin Hub and pasted into the Linked Cloud Organization section on your Data Center instance.

  • This process ensures the key is not exposed in logs or system interfaces.

Connection encryption

All data transmitted between your self-managed instance and Atlassian cloud is encrypted in transit using TLS 1.2+ with Perfect Forward Secrecy (PFS).

Cloud readiness insights for Data Center

This section describes what data is collected to create the cloud readiness assessment of Jira instances.

What data is collected

When assessing your instances, we collect the following data:

  • Jira entities: Count and IDs of Jira entities, such as projects, issues, and custom fields, retrieved from your database.

  • Usage data: Metadata on the number of users and their activity around Jira.

  • Instance metadata: Metadata about your Jira instance, such as hardware specification, network speed, and identifiers, like Server ID.

  • Browser metrics: User interaction data, focused on performance metrics.

  • App data: Count and IDs of entities coming from the most critical Marketplace apps.

For more detailed information on data points that we collect, see Assessing the scale of your Jira instance.

Identifiable data

We don’t collect any identifiable data, such as usernames or issue keys. Everything is based on IDs.

Issue content or other user-generated content

We don’t scan or collect data on the content created by users.

Cloud readiness scope

Not all of the collected data is used in Portfolio insights. The data collection is based on a different feature (Automated assessments) where you can assess your instance and manually send additional data to Atlassian. We still collect this additional data, but don’t use it.

How data is collected

When you connect to your instance, we run an assessment that takes 24 hours. Once it’s done, we’ll display the results in Portfolio insights:

  • Most of the assessment, which collects data about your entities, takes a few minutes.

  • We need a 24-hour timeframe to analyze user traffic. We use it to know the number of your active user, peak-hour users, and so on. Right now, this data is not used in Portfolio insights.

How long the data is stored in cloud?

Your data is stored in cloud for 2 years. Afterwards, it’s automatically deleted.

Instance optimization for Data Center

Data collection

We collect the following data:

  1. Instance and node metadata: Product version, base URL, anonymized node identifiers, and Support Entitlement Number (SEN).

  2. Performance metrics: JMX metrics on system performance (CPU load, database connection latency, garbage collection time, etc.).

  3. Guardrails: Counts of performance-impacting entities (projects, users, groups, custom fields).

Collection process

  • The ATST (Atlassian Troubleshooting and Support Tools) plugin collects metrics every 2 minutes.

  • Data is aggregated hourly and sent to Atlassian Cloud.

  • Guardrails data is collected hourly.

Data storage

  • Performance data is securely stored in Atlassian Cloud for 2 years, then automatically deleted.

  • Storage allows for historical trend analysis and performance comparisons.

Data transmission and security

  • All data is encrypted in transit using TLS 1.2+ with Perfect Forward Secrecy (PFS).

  • A secure token authenticates data sent to Atlassian Cloud.

  • No PII or user-generated content is collected or transmitted.

Data usage

Collected data is used to:

  • Calculate your Optimization Score.

  • Provide detailed performance insights.

  • Generate actionable recommendations.

  • Identify performance trends over time.

Privacy and compliance

  • Adheres to Atlassian's security practices.

  • Complies with GDPR, CCPA, and other major data protection regulations.

Data residency

You can control the location of the data that we collect and use in Portfolio insights.

Data residency in Portfolio insights is controlled separately from the data residency from admin.atlassian.com (Security > Data residency), which applies to Atlassian cloud apps and their in-scope data. If you’d like to change the location of Portfolio insights data, you need to request it separately.

Change the location

To change the location of your data:

  1. Go to admin.atlassian.com, and select your organization.

  2. Go to Settings > Portfolio insights.

  3. In the top right, select > Manage data residency.

  4. Select Change location via request. You’ll be moved to a portal where you can fill out the request details, including your information and a new location.

  5. Select Submit to send the request.

When submitted, the Portfolio insights team will review your request and prepare to move the data. Once we start moving the data, Portfolio insights won’t be available – this might take up to a few hours.

Data stored and the default location

By default, the Portfolio insights data is stored in the Global location.

The data we store is specific to your usage of Portfolio insights, and includes data or metadata related to the following capabilities:

  • Detecting Cloud apps and Data Center instances

  • Connecting to Data Center instances

  • Data collected and used for Instance optimization for Data Center

  • Data collected and used for Cloud readiness for Data Center

The details of what we collect are described on the page you’re viewing, please review it for more information.

Portfolio insights doesn’t include any in-scope data from any of your instances, such as content of issues or pages, or details of users.

Available locations

The following locations are available for Open Beta of Portfolio insights.

Each location corresponds with one or more AWS regions, which are physical locations around the world where AWS clusters its data centers. Learn more about AWS infrastructure and its role in our cloud hosting infrastructure.

 Location

AWS regions

Not set (Global)

All Atlassian cloud across AWS regions

EU

Consists of Europe (Frankfurt) and Europe (Dublin) regions

USA

Consists of US East (North Virginia) and US West (North California) regions

By default, your data is hosted in the Global location, which includes all of our AWS regions. This means that we might move data between AWS regions if needed for performance or other reasons.

Still need help?

The Atlassian Community is here for you.
Ask the Community
On this pageDetecting Cloud and Data Center instancesLicense and domain-based detectionApp links detectionConnecting to Data Center instancesCloud companion connection processSecurity key generation and usageSecurity key transmissionConnection encryptionCloud readiness insights for Data CenterWhat data is collectedIdentifiable dataIssue content or other user-generated contentCloud readiness scopeHow data is collectedHow long the data is stored in cloud?Instance optimization for Data CenterData collectionCollection processData storageData transmission and securityData usagePrivacy and complianceData residencyChange the locationData stored and the default locationAvailable locations
CommunityQuestions, discussions, and articles