March 26, 2025

Making Sense of Data Residency in Atlassian

Gert-Jan van de Streek

Founder / Developer

Preface: Remember When Data Residency Was a Headache?

This blog was written in the pre-Forge era, a time when supporting data residency as an app vendor involved quite a bit of mental gymnastics. We almost didn’t publish it, because… well, we’ve since migrated to Atlassian Forge, which handles data residency out of the box. No extra effort required. No fiddling with regions. No sleepless nights.

But we decided to share it anyway.

Why? Because it paints a clear picture of what life looked like before Forge—and that contrast is actually worth celebrating. If you’re still running a Connect app or using your own infrastructure, these challenges might hit close to home. And even if you’re building on Forge: if your app has egress (meaning it talks to an external backend you control), some of these concerns are still relevant.

So here it is: a look back at the old world, a reminder of why Forge is such a win for app vendors—and a useful guide for anyone still wrangling data across borders.

Data residency determines the geographic location where data is stored and processed. With global privacy laws like GDPR (European Union) and CCPA (California) tightening, companies must prioritize compliance to establish customer trust and meet stringent regulatory requirements. In this blog post, Avisi Apps, an Atlassian marketplace partner, explores how data residency affects the Atlassian ecosystem and apps, providing valuable insights and best practices.

Understanding Data Residency

Data residency refers to the requirement that certain data, especially personal data, must stay within specific geographic boundaries. This requirement is closely tied to regulations like GDPR and CCPA. As businesses expand globally and increasingly rely on cloud services, understanding these rules is critical for fostering customer trust and ensuring compliance.

Atlassian's Data Residency Policies

Atlassian recognizes the importance of data residency compliance and provides the following measures:

  • Product Support: Atlassian's flagship products, Jira and Confluence, offer flexible data residency options. Customers can choose designated geographic regions for storing their data, helping them comply with local regulations.
  • Data Management: Atlassian provides comprehensive guides to help users smoothly implement data residency practices. Check out the data management and administration guide for detailed best practices.
  • Cloud-First Architecture: Atlassian’s multi-region strategy prioritizes data residency by keeping user-generated content within data centers in specific geographic regions. This ensures robust security, compliance, and governance.
  • App development platforms: Atlassian’s app development platforms, Connect and Forge, each address data residency in their own way. Connect leaves more responsibility to the app vendor, while Forge essentially handles data residency for the app vendor. Forge comes with a trade-off: app vendors give up some flexibility in app development in exchange for the convenience of having data residency managed by Forge.

Challenges of Data Residency for Atlassian Apps

Maintaining data residency compliance can present challenges like:

  • Extra Effort: Managing an app and deploying releases across multiple regions demands a more intricate deployment setup. This is particularly true for Connect. While Forge simplifies some aspects, it doesn’t fully eliminate the challenges, especially in scenarios where the app requires egress traffic to modules outside the Atlassian sandbox.
  • Extra Cost: Region-specific storage can be expensive and require substantial effort.
  • Data Transfer & Retrieval: Both data at rest and in transit can raise compliance issues. Under GDPR, personal data transferred or stored in non-EU regions requires appropriate safeguards to prevent violations.
  • Migration Support: Moving existing data to compliant regions requires specialized support. Both Connect and Forge support data migration, with extra effort required on the app side for Connect. While Forge addresses part of the challenge, apps may still need to manage data residency for modules accessed via egress traffic.

Best Practices for Data Residency Compliance

Third-party apps and integrations play an essential part in maintaining data residency by ensuring consistent data management across the Atlassian ecosystem. They handle sensitive information according to regional regulations, keeping data within designated geographic areas. By aligning with Atlassian's data residency framework, these apps securely process, store, and transfer data while offering compliance flexibility.

Developers can address data residency by:

  • Understanding Market Requirements: Familiarize yourself with regional data laws to ensure compliance.
  • Architectural Solutions: Design systems that support data segregation and secure management.
  • Leveraging Atlassian Tools: Use Atlassian's built-in features and Forge’s platform capabilities to simplify and streamline compliance efforts.

Case Study by Avisi Apps: Manage Custom Fields (MCF)

One of our apps that effectively addresses data residency needs while improving workflow management is Manage Custom Fields (MCF).

First let’s talk about what MCF does:

Alter Jira fields in company-managed projects: Don't want to keep your users waiting for a Jira administrator to add a new value to a custom field? That task can now be deferred to a project administrator. Project admins can also set default values and disable them.

Works with Jira's company-managed projects: The app is especially created for projects where rights are defined by role, editing values in different contexts.

Data Residency Compliance: MCF supports all Atlassian regions, giving customers flexibility to store data where it aligns with their needs: Australia (Sydney), Brazil (São Paulo), Canada (Central), EU (Frankfurt, Dublin), Germany (Frankfurt), India (Mumbai), Japan (Tokyo), Singapore (Singapore), South Korea (Seoul), Switzerland (Zurich), United Kingdom (London), USA (North Virginia, North California).

Now let’s talk about how we achieved being data resident in all 12 possible regions.

Deployments per region

Here’s a high-level overview of our app. It illustrates that the app is deployed across all the regions supported by Atlassian. The Atlassian Administrator can configure the app's preferred region, and the app stores its data in the corresponding region. In our case, both the data and its processing are region-specific, ensuring that the data never leaves the region, even when it is in transit:

(System level overview showing data resident app deployment - generated by Visualizer for Confluence)

Data migration support

The following sequence diagram shows how the Jira Administrator can request a region migration for an app. The region migration gets scheduled and executed under the supervision of the migration service:

(Sequence diagram depicting the connect data migration lifecycle - generated by Visualizer for Confluence)
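The per-region pinning and migration lifecycle described above can be sketched as a small fail-closed model. This is an added example, not Avisi's or Atlassian's code; the class names, the state names ("scheduled", "copied") and the in-memory stores are hypothetical and do not represent the Connect API.

```python
from dataclasses import dataclass, field
class WrongRegion(Exception):
    """A deployment was asked to touch data pinned to another region."""

@dataclass
class Deployment:
    region: str
    store: dict = field(default_factory=dict)   # tenant_id -> app data

    def write(self, pins, tenant_id, value):
        # Fail closed: unknown tenants and tenants pinned elsewhere are refused.
        if pins.get(tenant_id) != self.region:
            raise WrongRegion(f"{tenant_id} is not pinned to {self.region}")
        self.store[tenant_id] = value

@dataclass
class MigrationService:
    deployments: dict                          # region -> Deployment
    pins: dict                                 # tenant_id -> authoritative region
    jobs: dict = field(default_factory=dict)   # tenant_id -> [state, target]

    def schedule(self, tenant_id, target):
        if target not in self.deployments or self.pins.get(tenant_id) in (None, target):
            raise ValueError("unknown tenant or invalid target region")
        self.jobs[tenant_id] = ["scheduled", target]

    def start(self, tenant_id):
        job = self._job(tenant_id, "scheduled")
        source = self.deployments[self.pins[tenant_id]]
        # Copy only; the pin is unchanged, so the source stays authoritative.
        self.deployments[job[1]].store[tenant_id] = source.store.get(tenant_id)
        job[0] = "copied"

    def commit(self, tenant_id):
        job = self._job(tenant_id, "copied")
        old, self.pins[tenant_id] = self.pins[tenant_id], job[1]  # flip the pin
        self.deployments[old].store.pop(tenant_id, None)  # leave no copy behind
        del self.jobs[tenant_id]

    def rollback(self, tenant_id):
        job = self._job(tenant_id, "scheduled", "copied")
        self.deployments[job[1]].store.pop(tenant_id, None)  # discard any copy
        del self.jobs[tenant_id]

    def _job(self, tenant_id, *expected):
        job = self.jobs.get(tenant_id)
        if job is None or job[0] not in expected:
            raise RuntimeError(f"migration for {tenant_id} not in {expected}")
        return job
```

The property worth testing in a real deployment is the same one the model enforces: at every point in the lifecycle exactly one region accepts writes for a tenant, and after commit or rollback the other region holds no copy.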

Outcomes: With comprehensive regional support and Jira integration, MCF enables secure field management across various regions while simplifying data residency compliance.

Trends in Data Residency

  • Changing Regulations: Global data protection laws are tightening, requiring stricter compliance measures.
  • Customer trust: We see increased attention to data residency, especially among upmarket and enterprise customers. App vendors are not always seen as just another supplier; rather, customers expect that a vendor and its app are part of, and comply with, the ecosystem in terms of security and privacy.
  • Atlassian Evolution: Atlassian continues to refine data residency features, especially with Forge. Forge-hosted storage provides built-in data residency support, reducing reliance on external databases. Hosting, pinning, and data migration across regions are managed consistently with Atlassian's broader framework, so partners can focus on building quality apps. Don’t be quick to judge apps still built on Connect. Forge is evolving and adapting based on feedback but isn’t yet capable of supporting all use cases. Additionally, rewriting an app is a significant investment, often requiring a trade-off between delivering new features and achieving full Forge compatibility.

Conclusion

In summary, data residency is an evolving challenge for companies using Atlassian tools. As regulations change, it's crucial for developers to review compliance strategies regularly. Leveraging Atlassian's platform and best practices will help teams stay compliant.

Let us know your thoughts, or contact us for any questions!
