• Products
  • Documentation
  • Resources

What is a data security policy?

Data security policies are currently only available through our early access program (EAP). If you’re not part of the program, this feature will be available from June 2023.

A data security policy helps you keep your organization’s data secure by letting you govern how users, apps, and people outside of your organization can interact with content such as Confluence pages and Jira issues.

Data security policies take a content-based approach to governing how your data in Atlassian products can be used. This is different to a user-based approach that relies on giving or revoking specific permissions that allow users or apps to perform certain actions.

Data security policies are only available with Atlassian Access. Learn more about Atlassian Access

What’s in a policy?

Detail view of a data security policy.
  1. Policy name: Name of the policy.

  2. Policy description: An optional description to help give context for the policy.

  3. Policy author: Person who created the policy. Information about the person who updated the policy most recently is also shown (if different to the policy author).

  4. Policy status: An indication of whether the policy is active or not.

  5. Policy coverage: The scope of products that the policy applies to.

  6. Policy rule: A security control that can be configured as part of a policy and thereby enforced on all products specified in the policy coverage.

There are two main elements of a data security policy: the policy coverage and policy rules.

The policy coverage is the scope of products that a policy applies to. If you have more than one product, you can choose to include as many or as few of your products as you like in a single policy. A product can be part of more than one policy.

Policy rules are security controls that are available to be configured as part of a policy. When a policy rule is added to a policy and the policy is activated, the security control is enforced on all products covered by the policy. Learn more about data security policy rules


This is an example of two different policies set up by Acme Inc.

One combination of overlapping data security policies, where two products are simultaneously covered by two policies.

In this example, Policy 1 covers Acme’s products that contain personally identifiable information (PII) and has the security requirements to not allow users to download content, not allow apps access to data, and not allow anyone the ability to enable anonymous access to these products.

Policy 2 covers Acme’s products that contain information not approved for public distribution and has the security requirements to not allow users to download content and not allow anyone the ability to enable anonymous access to these products.

Two of Acme’s products are covered by both Policy 1 and Policy 2. Data security policies are additive, which means any product that is included in more than one policy is subject to all the policy rules specified by all the policies that cover that product.

Additional Help