Confluence
Enterprise-Ready
This vendor is rated Enterprise-Ready with a score of 84 out of 100. Strong evidence includes confirmed SOC 2, ISO 27001, ISO 27018, and PCI DSS certifications via their trust portal, and a published Data Processing Agreement. However, a critical, actively-exploited vulnerability (CVE-2022-26138) is present with no fix listed. This means requesting the patch status and remediation timeline is crucial before continued use.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, ISO 27018, PCI DSS, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure Actively-exploited vulnerability (CISA KEV) present — patch urgency.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 11 legal/policy documents publicly tracked.
Ask This in Your Security Review 1 open items
- Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://www.atlassian.com/trust/compliance/resources/hipaa |
| GDPR | Stated by vendor | https://www.atlassian.com/trust/privacy/gdpr |
| ISO 27001 | Stated by vendor | https://www.atlassian.com/trust/compliance |
| SOC 2 | Stated by vendor | https://www.atlassian.com/trust/compliance |
| HIPAA | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Sub-processors |
Amazon Web Services, Inc., Clumio, Inc., Databricks, Inc., Google LLC, Microsoft Corporation, MongoDB, Inc., NetApp, Inc., Salesforce, Inc. (Heroku), Snowflake, Inc., Cantab Research Ltd (trading as Speechmatics), Work OS, Inc., Mailgun Technologies, Inc., Mailchimp, MessageBird USA, Inc, (d/b/a Bird), Vonage APIs (formerly Nexmo, Inc.), OneSignal, Plivo, Inc., Twilio Inc., Cloudflare, Ltd., e-Core Soluções em Tecnologia da Informaçiupão Ltda., Partner Hero, SoftServe, Inc., Telus, Inc., Zendesk, Amazon Web Services, Inc. (AWS Bedrock), Google Vertex AI, OpenAI, L.L.C., Twilio, Inc (Twilio-Segment)
“Atlassian uses the third-party entities listed below (each, a “Sub-processor” ) to process Customer Personal Data on behalf of Atlassian customers and developers in accordance with agreements between Atlassian and the Sub-processor to uphold Atlassian’s commitments in Atlassian's Data Processin…”vendor's exact wording |
https://www.atlassian.com/legal/sub-processors |
| Sub-processors (published list) | View document → | https://www.atlassian.com/legal/sub-processors |
| Trains on Customer Data key clause |
Free / Pro:
does not train
Atlassian Intelligence / Rovo (all Confluence tiers): customer data submitted or generated is never used to train, fine-tune or improve Atlassian's or third-party (OpenAI) models; OpenAI does not store the data.
cited →
Enterprise:
does not train
Each request is sent individually over SSL; not retained or used for training by Atlassian or the provider. Covered by SOC 2 and ISO 27001. Disable via admin console.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2024-08-21 CVE CVE-2024-21690 disclosed (HIGH · no fix listed)
- 2022-07-20 CVE CVE-2022-26138 disclosed (CRITICAL · CISA KEV · EPSS 98% · no fix listed)
- 2017-04-27 CVE CVE-2017-7415 disclosed (HIGH · no fix listed)
- 2017-04-10 CVE CVE-2016-4317 disclosed (MEDIUM · no fix listed)
- 2017-01-23 CVE CVE-2016-6668 disclosed (HIGH · no fix listed)
- 2017-01-18 CVE CVE-2016-6283 disclosed (MEDIUM · no fix listed)
- 2016-04-11 CVE CVE-2015-8399 disclosed (MEDIUM · EPSS 61% · no fix listed)
- 2016-04-11 CVE CVE-2015-8398 disclosed (MEDIUM · no fix listed)
- 2014-05-13 CVE CVE-2012-6342 disclosed (MEDIUM · no fix listed)
- 2012-05-22 CVE CVE-2012-2928 disclosed (MEDIUM · no fix listed)
- 2005-12-03 CVE CVE-2005-3967 disclosed (MEDIUM · no fix listed)
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://www.atlassian.com/trust/compliance |
| ISO 27018 | Available via Trust Center | https://www.atlassian.com/trust/compliance |
| PCI DSS | Available via Trust Center | https://www.atlassian.com/trust/compliance |
| SOC2 TYPE2 | Available via Trust Center | https://www.atlassian.com/trust/compliance |
Common compliance questions
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
Continuous Monitoring change-tracking active
7 legal & policy documents under change-monitoring since 2026-06-11. 7 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-28 | CVE / Security Incident |
1 actively-exploited (CISA KEV) vulnerability: CVE-2022-26138; 11 new CVEs (published from 2005-12-03): CVE-2005-3967, CVE-2012-2928, CVE-2012-6342, CVE-2015-83
What this means: An actively-exploited vulnerability now affects this vendor — request the patch status and remediation timeline before continued use.
|
| 2026-06-23 | CVE / Security Incident |
19 new CVEs (published from 2005-12-03): CVE-2005-3967, CVE-2012-2926, CVE-2015-8398, CVE-2015-8399, CVE-2016-4317, CVE-2016-6283 (+13 more). Exploitation likel
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-19 | CVE / Security Incident |
7 actively-exploited (CISA KEV) vulnerabilities: CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138, CVE-2023-22515, CVE-2023-22518 (+1 more); 25 ne
What this means: An actively-exploited vulnerability now affects this vendor — request the patch status and remediation timeline before continued use.
|
| 2026-06-17 | CVE / Security Incident |
9 actively-exploited (CISA KEV) vulnerabilities: CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+3 more); 25 new
What this means: An actively-exploited vulnerability now affects this vendor — request the patch status and remediation timeline before continued use.
|
| 2026-06-16 | CVE / Security Incident |
9 actively-exploited (CISA KEV) vulnerabilities: CVE-2019-3396, CVE-2019-3398, CVE-2021-26084, CVE-2021-26085, CVE-2022-26134, CVE-2022-26138 (+3 more); 25 new
What this means: An actively-exploited vulnerability now affects this vendor — request the patch status and remediation timeline before continued use.
|
Fourth-Party Supply Chain deterministic · cited
Your data reaches these fourth parties through Confluence. Source: vendor's published sub-processor list.
If one of these fourth parties has a critical security event, you may be indirectly exposed even without a direct contract. Swanum flags this in your alerts.
Search the Legal Documents verbatim · cited
Search Confluence's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Confluence — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Confluence changes something that affects your risk. Built for procurement & security teams.