Common use of Vulnerability Testing Clause in Contracts

Vulnerability Testing. a) Atlassian conducts internal vulnerability testing, as described here. This includes our bug bounty program. We make the results of these internal tests publicly available and commit to making bug fixes in line with our Security Bug Fix Policy. b) Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with Atlassian), perform its own vulnerability testing of its Cloud Products in accordance with the Security Test Rules. Customer may report any vulnerabilities impacting the Cloud Products to Atlassian in accordance with the procedures set forth in the Security Test Rules. c) Atlassian will use commercially reasonable efforts to address identified security vulnerabilities in our Cloud Products and our infrastructure in accordance with the Security Bug Fix Policy. The parties acknowledge that Atlassian may update the Security Bug Fix Policy from time to time in its discretion, provided such updates do not result in a material derogation of the Security Bug Fix Policy. Measures for user identification and authorisation Atlassian cloud users can authenticate using username and password, or external IdPs (incl. via XXXX, Google, Microsoft and Apple). All credentials are hosted in the application database, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm. Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access: xxxxx://xxxxxxx.xxxxxxxxx.xxx/security-and-access-policies/docs/manage-your-password-policy/. Administrators are also able to enforce SSO via Atlassian Access. 
Measures for the protection of data during transmission See the item above titled “Measures of pseudonymisation and encryption of data” Measures for the protection of data during storage Data Hosting Facilities Atlassian will, no less frequently than annually, request assurances (e.g., in the form of an independent third party audit report and vendor security evaluations) from its data hosting providers that store or process Customer Data that: a) such data hosting provider’s facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference; b) such data hosting provider’s facilities employ physical security appropriate to the classification of the assets and information being managed; and c) such data hosting provider’s facilities limit and screen all entrants employing measures such as on-site security guard(s), badge reader(s), electronic lock(s), or a monitored closed caption television (CCTV). Tenant Separation Atlassian will use established measures to ensure that Customer Data is kept logically segregated from other customers' data when at-rest. Data Encryption See the item above titled “Measures of pseudonymisation and encryption of data” Measures for ensuring physical security of locations at which data are processed See the item above titled “Measures for the protection of data during storage”. Measures for ensuring events logging Audit logging is available via API. See: xxxxx://xxxxxxx.xxxxxxxxx.xxx/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/ Measures for ensuring system configuration, including default configuration See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”.
Measures for internal IT and IT security governance and management See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Measures for certification/assurance of processes and products See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing”. Measures for ensuring data minimisation See “What information we collect about you” section of the Atlassian Privacy Policy. Measures for ensuring data quality See the items above titled “Measures of pseudonymisation and encryption of data”, “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”, and “Measures for the protection of data during storage”. In addition, Customer and its Users have the ability to update any Customer Data provided to Atlassian using in-built product functionality, as further described in the Documentation. Measures for ensuring limited data retention Data Retention and Destruction Standard Atlassian maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. The Data Retention and Destruction Standard is guided by the following principles: • Records should be maintained as long as they serve a business purpose. • Records that serve a business purpose, or which Atlassian has a legal, regulatory, contractual or other duty to retain, will be retained. • Records that no longer serve a business purpose, and for which Atlassian has no duty to retain, should be disposed. Copies or duplicates of such data should also be disposed. To the extent Atlassian has a duty to retain a specified number of copies of a Record, such number of copies should be retained.
• Atlassian’s practices implementing this Standard may vary across departments, systems and media, and will of necessity evolve over time. These practices will be reviewed under our company-wide policy review practices.

Appears in 3 contracts

Samples: wac-cdn.atlassian.com, wac-cdn.atlassian.com, wac-cdn.atlassian.com


Vulnerability Testing. a) Atlassian conducts internal vulnerability testing, as described here. This includes our bug bounty program. We make the results of these internal tests publicly available and commit to making bug fixes in line with our Security Bug Fix Policy. b) Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with Atlassian), perform its own vulnerability testing of its Cloud Products in accordance with the Security Test Rules. Customer may report any vulnerabilities impacting the Cloud Products to Atlassian in accordance with the procedures set forth in the Security Test Rules. c) Atlassian will use commercially reasonable efforts to address identified security vulnerabilities in our Cloud Products and our infrastructure in accordance with the Security Bug Fix Policy. The parties acknowledge that Atlassian may update the Security Bug Fix Policy from time to time in its discretion, provided such updates do not result in a material derogation of the Security Bug Fix Policy. Measures for user identification and authorisation Atlassian cloud users can authenticate using username and password, or external IdPs (incl. via XXXX, Google, Microsoft and Apple). All credentials are hosted in the application database, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm. Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access: xxxxx://xxxxxxx.xxxxxxxxx.xxx/security-and-access-policies/docs/manage-your-password-policy/. Administrators are also able to enforce SSO via Atlassian Access. 
Measures for the protection of data during transmission See the item above titled “Measures of pseudonymisation and encryption of data” Measures for the protection of data during storage Data Hosting Facilities Atlassian will, no less frequently than annually, request assurances (e.g., in the form of an independent third party audit report and vendor security evaluations) from its data hosting providers that store or process Customer Data that: a) such data hosting provider’s facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference; b) such data hosting provider’s facilities employ physical security appropriate to the classification of the assets and information being managed; and c) such data hosting provider’s facilities limit and screen all entrants employing measures such as on-site security guard(s), badge reader(s), electronic lock(s), or a monitored closed caption television (CCTV). Tenant Separation Atlassian will use established measures to ensure that Customer Data is kept logically segregated from other customers' data when at-rest. Data Encryption See the item above titled “Measures of pseudonymisation and encryption of data” Measures for ensuring physical security of locations at which data are processed See the item above titled “Measures for the protection of data during storage”. Measures for ensuring events logging Audit logging is available via API.
See: xxxxx://xxxxxxx.xxxxxxxxx.xxx/security-and-access-policies/docs/track-organization-activities-from-the-audit-log/ Measures for ensuring system configuration, including default configuration See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Measures for internal IT and IT security governance and management See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Measures for certification/assurance of processes and products See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing”. Measures for ensuring data minimisation See “What information we collect about you” section of the Atlassian Privacy Policy. Measures for ensuring data quality See the items above titled “Measures of pseudonymisation and encryption of data”, “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”, and “Measures for the protection of data during storage”. In addition, Customer and its Users have the ability to update any Customer Data provided to Atlassian using in-built product functionality, as further described in the Documentation. Measures for ensuring limited data retention Data Retention and Destruction Standard Atlassian maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types.
The Data Retention and Destruction Standard is guided by the following principles: • Records should be maintained as long as they serve a business purpose. • Records that serve a business purpose, or which Atlassian has a legal, regulatory, contractual or other duty to retain, will be retained. • Records that no longer serve a business purpose, and for which Atlassian has no duty to retain, should be disposed. Copies or duplicates of such data should also be disposed. To the extent Atlassian has a duty to retain a specified number of copies of a Record, such number of copies should be retained. • Atlassian’s practices implementing this Standard may vary across departments, systems and media, and will of necessity evolve over time. These practices will be reviewed under our company-wide policy review practices.

Appears in 1 contract

Samples: wac-cdn.atlassian.com
