As organizations increasingly rely on AI-powered tools to enhance productivity and streamline operations, data security remains a top priority—especially for tools that manage sensitive corporate data, like Atlassian Rovo. If you’re a Jira admin or a security officer considering purchasing Rovo, understanding its data security and protection mechanisms is crucial.
In this detailed article, we’ll explore everything we know about Atlassian Rovo’s security features, including how it handles sensitive information, its AI-driven operations, and its alignment with your organization’s security needs.
Does Rovo respect existing permissions? How will Rovo handle customer Data? Does Rovo comply with GDPR? We’ll answer all of these burning questions and more.
What is Atlassian Rovo?
First off, what is Atlassian Rovo? Atlassian Rovo is an AI-powered teammate that integrates directly into Jira, Confluence, and connects to third-party products (check out Rovo connectors). It uses large language models (LLMs) to boost efficiency, enabling teams to automate routine tasks, organize project data, and offer real-time recommendations across different platforms. While AI offers many advantages, it also raises questions about data privacy and security—particularly for organizations handling confidential information.
How Rovo Ensures Data Security
Atlassian Rovo was designed with data security at its core, making it compatible with strict security protocols.
Rovo inherits many of Atlassian’s privacy and security policies and practices, including encryption, data isolation, and permissions. This is reflected in the customer agreements when using Atlassian software, including:
We recommend that users review all their existing permissions in Atlassian and their third-party environment before enabling Rovo to ensure that any confidential data within your organization remains restricted to the appropriate users. Here’s how Rovo safeguards your sensitive data:
Honoring Permissions and User Access
Does Rovo respect existing permissions?
Rovo respects and adheres to the existing permissions model in your Atlassian tools. This means that Rovo will only have access to the information users can see based on their roles within Jira or Confluence. For example, if a user doesn’t have access to specific projects or sensitive data, Rovo won’t either.
This means that different users will get different responses from Rovo based on the information they can access.
Example 1: If you do a natural language search on JQL, you will only see issues/projects that you have access to, or you will get Confluence pages sourced for an answer to a question if you have access to those pages.
Example 2: If a Confluence user executes an intelligent search, the results will consider the pages and spaces the user has permission to view and ignore restricted pages and spaces.
This respect ensures that Rovo operates within your organization’s established security boundaries, preventing unauthorized access to sensitive data. This is crucial for security officers managing data protection compliance.
Interoperation with Third-party products
Rovo is designed to interoperate with third-party products, through Rovo connectors. Integrating Rovo with third-party products may allow third parties to access information you choose to share while using their products. The use of these products and the information you provide will be subject to their terms and policies, including their privacy policies. For more information, make sure to check out Atlassian’s Privacy Policy, specifically “Third Party Services.”
Does Rovo respect third-party permissions?
Rovo respects existing permissions not only with Atlassian products but also permission settings from connected third-party products. Because Rovo relies on set permissions, remember to check your third-party product permissions before setting up Rovo.
Example 3: If you connect Rovo to Google Drive, users need to login and connect their Atlassian account to Google drive to see any Google Drive results when using Rovo.
What does Rovo do with deleted third-party data?
Content that is deleted in a third-party product will not appear in Rovo. In Figma’s case, links to deleted content may still appear in search results. However, when a user clicks on a link to content that has been removed, the link will no longer work. For additional details, refer to how Rovo displays Figma results.
When an organization admin disconnects a third-party tool from Rovo, the content indexed from that tool is removed within 30 days. GitHub content, however, follows a different process. Since GitHub data is integrated through the GitHub for Jira app, the data is only deleted if you disconnect GitHub from Rovo and uninstall the GitHub for Jira app. For more information on this, see how to disconnect GitHub from Rovo.
What is the scope of Rovo’s access to third-party data?
When you connect Rovo to third-party products, you connect the entire product to Rovo. At this moment, you cannot narrow the scope further.
Example 4: If you connect Rovo to Google Drive or Microsoft SharePoint, you give access to the whole Drive or workspace. You cannot give access to just one folder or a set of folders.
Narrowing the scope is something that Atlassian is considering in the future.
How is data from Browser Extensions used?
Source: Atlassian Support
If users are able to install the Rovo browser extension on their device, they can interact with Rovo Chat and Agents on any public webpage (e.g. wikipedia) or on websites connected to Rovo via a connector (e.g. Google Drive). It is important to note that the extension reads and does not store contents.
Source: Atlassian Support
Example 5: If you use a Rovo connector and connect to Google Drive, you can ask Rovo Chat to summarize a Google doc. The Google doc’s content is sent to Atlassian to identify words – it is not stored or shared with third-party models like OpenAI.
Trust and Data
How will Rovo handle customer Data?
Many assurances in the Atlassian Intelligence Trust Center apply to Rovo. Rovo is built to process user inputs securely while delivering the outputs your team needs. When users interact with Rovo, the tool processes their inputs to provide the requested responses while incorporating organizational data from within your site. This data is only used when the user can view it, ensuring that the outputs are more accurate, relevant, and contextual to your organization’s needs.
To maintain strict privacy standards, the LLM providers that power Rovo, including OpenAI, do not use your inputs and outputs to improve their services. Neither OpenAI nor any other LLM provider retains your data after processing.
Beyond the policies for LLM providers, Atlassian limits customer data use and access within its platform. Here is how the data is protected:
- Inputs and outputs are only used to enhance your organization’s experience. They are never used for model training across different customers.
- Atlassian may temporarily store your inputs and outputs to reduce latency for certain features, such as displaying a page summary or search history. This data is retained only to improve user experience and is not stored longer than necessary.
- For total transparency, Atlassian’s transparency page offers detailed information on how each feature utilizes customer data. You can also subscribeto get updates on Atlaissna’s legal terms and list of sub-processors.
Does Rovo support Data Residency?
Currently, Rovo does not support data residency. However, Atlassian plans to support this in the future.
Encryption and Data Privacy Compliance
Does Rovo comply with GDPR?
Atlassian Rovo complies with industry-leading encryption standards to protect data in transit and at rest. You can ensure that data exchanged between users and Rovo remains secure, reducing the risk of data breaches or interception. Atlassian is committed to meeting stringent data privacy regulations, including GDPR.
Is Rovo SOC2 and ISO compliant?
While many of Rovo’s systems and services hold SOC2 and ISO certifications and follow the same internal policies and standards, Rovo itself has not yet undergone external assessments for these certifications. However, Atlassian plans to include Rovo in its standard audit certification process by the end of 2024.
Is Rovo HIPAA compliant?
Currently, Rovo is not HIPAA compliant, and its Business Associate Agreement (BAA) does not cover Rovo’s features. If your organization requires HIPAA compliance, we recommend holding off on using these features until Atlassian extends its coverage to include them.
How to Evaluate Rovo for Your Security Needs
When considering Rovo for your organization, evaluating its security features against your existing data protection framework is essential. Here are a few tips:
- Review your organization’s data classification policies to ensure Rovo’s permissions model aligns with your internal access controls.
- Assess encryption protocols to verify that Rovo meets your organization’s standards for data in transit and at rest.
- Consult with your security team to ensure that Rovo’s use of LLMs complies with your privacy guidelines, especially in sectors where handling confidential data is a concern.
Is Atlassian Rovo Right for You?
Atlassian Rovo offers a secure AI solution for teams looking to streamline collaboration while protecting sensitive data. Its ability to honor existing permissions, leverage secure LLM processing, and maintain compliance with data privacy regulations makes it a strong contender for organizations prioritizing security.
Understanding these security measures is critical if you’re a Jira admin or security officer evaluating Rovo for your organization.
Ready to learn more about Rovo? Contact us today to discuss whether Atlassian Rovo complies with your organization’s security requirements and see how this AI-powered teammate can enhance your productivity without compromising data protection.