Care about security? We do too. Learn what Atlassian does and what you can do too.
Need to test security settings? Learn how with authentication policies.
Eager to configure? Read on about single sign-on.
Manage password policies for users? Set up two-step verification and idle session duration.
Stay on top of data across your organization with all the reports and tracking options we offer.
Learn about where your cloud product data is hosted and the types of data you can move.
Control how users and apps access your Atlassian cloud products.
Use classification levels to identify and categorize sensitive information in your organization.
Set up and manage BYOK encryption to add protection for your sensitive data.
Set up and manage data security policies to secure your organization’s data.
BYOK encryption for Jira Software is available to all customers with Enterprise plans.
BYOK encryption for Confluence is available through an early access program (EAP) to a number of customers with Enterprise plans. If you're interested in participating in the EAP reach out to your Enterprise account representative.
Atlassian products and plans
Which Atlassian Cloud plans offer BYOK encryption?
Cloud Enterprise and Cloud Enterprise trial plans.
Which Atlassian cloud products can I encrypt with BYOK?
Jira Software for all customers with Enterprise plans
Confluence for customers who’re participating in the Confluence early access program (EAP).
What data is covered by BYOK encryption?
Issue Summary, Description and fields content (including system and custom fields)
Attachments (except for attachments metadata)
Confluence (only for EAP customers):
How does BYOK impact performance for Atlassian products?
There is minimal overhead resulting in an unnoticeable impact.
Org, site, and product instances
Can I enable BYOK encryption on existing product instances?
No, BYOK encryption can be enabled only on new product instances.
What happens if I add another product to my site?
You can add product to your site after you enabled BYOK for another product, but the new product will not be BYOK-enabled.
If you want to add a BYOK product to your site after you've enabled BYOK for another product, you need to reach out to your Atlassian Enterprise account representative to add the product to your site. If you add the product directly, it will not be BYOK enabled. Learn how to set up BYOK encryption
Can I enable BYOK on the Cloud site level, or on individual product instances?
You can only enable BYOK at the product instance level, not on the Cloud site level. This means that if you create a BYOK-enabled Jira Software instance, and you add a Confluence product instance to the same site during the EAP, then that Confluence product instance will not be BYOK-enabled.
It’s different with the Jira software family, the BYOK setting must be consistent for all Jiras products on a site, because all Jira products are linked. For example, If JSM is BYOK-enabled, then JSW must be also BYOK-enabled on the same site.
How many encryption configurations can I set up for my organization?
You can have only one BYOK encryption configuration (combination of AWS account ID and data residency location) per organization.
Can I use admin.atlassian.com to set up BYOK Encryption?
BYOK encryption can only be provisioned by Atlassian support.
Learn how to set up BYOK encryption
Which key management solutions/workflows are supported with Atlassian BYOK?
The encryption keys are provisioned and managed in AWS Key Management Service (KMS).
What happens if I want to re-encrypt my data with new keys?
Re-encryption is not available during EAP.
How frequently can I rotate my encryption keys?
AWS KMS auto-rotation can only be set with once-a-year key rotation. Note that this creates new keys that are used going forward; the old keys still exist.
Revoking access to keys
At what granularity can I revoke access to keys to prevent access to my data?
Revocation granularity is for all data associated with a your BYOK encryption configuration. Revocation disables access to all BYOK-enabled product instances.
After I revoke access to keys, how soon is Atlassian’s access to my data stopped?
Atlassian systems stop having access to your data within 24 hours. This is the expected time, but we don’t guarantee this.
How do I restore access to my encryption keys after I’ve revoked access to them?
You’ll need to update a policy in AWS, and then contact us. Learn how to restore access to your encryption keys.
What information can I see with regards to when/how/why my keys are accessed?
Once a BYOK-enabled product instance is created, can I migrate its data to a different data residency location?
When you set up your BYOK encryption, you are asked to choose a data residency location. You won’t be able to change to a different location after a BYOK instance has been created.
Atlassian’s Service Level Agreement
If I use BYOK, are my products still subject to Atlassian’s Service Level Agreement?
New BYOK-enabled Jira products are subject to Atlassian’s SLA.
Since Confluence is in EAP, new BYOK-enabled Confluence products are excluded from Atlassian’s SLA, per Section 3(x) and trial clause.
Issues caused by third party e.g. AWS are excluded from Atlassian’s SLA, per Section 3(e).
Was this helpful?