Q: Is Jira Secure?


Jira is a powerful work management tool by Atlassian, used by more than 180,000 customers worldwide to manage issue tracking for their businesses. Jira is full of business-critical information that is essential to your day-to-day operations.

With so much data packed into your Jira issues, boards, projects and more, now is the time to think about taking a proactive approach to ensuring the security of your Jira data.

So, is Jira secure?

Jira provides a secure experience for customers by keeping its security systems up to date with best practices.

Atlassian regularly undergoes independent verification of its security, privacy, and compliance controls and has 6 different certifications, as listed below:

  • ISO/IEC 27001: ISO 27001 is a specification for an information security management system (ISMS), which is a framework for an organization’s information risk management processes.
  • SOC 2: SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.
  • SOC 3: SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, and confidentiality of a cloud service.
  • FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  • PCI DSS: The Payment Card Industry Data Security Standard is an information security standard for the handling of credit card information.
  • VPAT: The Voluntary Product Accessibility Template is a document used by providers to self-disclose the accessibility of a particular product.

Jira Account Security

The best way to approach data security for a cloud-based tool like Jira is the Shared Responsibility Model:

The Shared Responsibility Model explains that keeping your Jira account’s data secure is a shared responsibility between you, the account owner, and Jira. Jira takes care of the software, infrastructure and disaster recovery of the entire platform. You, as the user, are responsible for password security, permissions given to users and third-party apps, and backups of the data you put into your account.

Web app providers take extensive precautions to ensure their infrastructure won’t fail and to maintain ~99.98% service availability. They all have a security team that is dedicated to the platform’s availability. This is one of the many benefits of using a managed service like Jira.

For instance, in the unlikely event that one of Jira’s data centres is crushed by a meteorite, the Atlassian team will recover the entire platform to the last backup. You might experience a few minutes of downtime, or even none at all depending on how fast they can react to the situation.

But their backups cannot be used to recover a single account back to a previous point in time or to recover just a selection of your data, like a project, epic, or issue.

While Jira recommends using native database backup tools for Jira Cloud instances as a workaround, this approach is not automated or user-friendly. It also has a 48-hour back-off period, which isn’t ideal for those looking for faster backups.

We explain why here:

What Jira offers is a macro-backup of their entire system. Jira runs an encrypted full backup every 24 hours. This covers you for incidents on their end that impact their entire user base, such as data breaches. What Rewind offers you is a micro-backup of just your account. It’s an accessible backup of your Jira data. One you can use to swiftly recover important information.

Human error, malicious attacks, and software glitches caused by 3rd-party software are just some of the reasons why people lose important information in Jira. Using an automated backup service like Rewind for your web apps makes backups and recovery simple and gives you peace of mind about the security of your business-critical data. It’s like having an insurance policy on your digital data. You don’t need to be an expert in backups, spend an afternoon each week managing your backups, or have your own IT team. It’s a set-it-and-forget-it type of process which helps you recover from all types of possible data disasters. That’s a pretty good deal if you ask us.