Suggestion
Resolution: Unresolved
None
944
Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.
Atlassian plans to offer our Enterprise plan at lower user tiers in the future. Currently some aspects of the Enterprise plan require substantial manual effort that we are not yet able to scale in a cost-effective way. We are planning to address this starting later this calendar year. Once we are confident in our delivery timeline and the exact nature of what will be available, our public roadmap will be updated.
As noted previously:
- Data residency is already available in all paid plans in four locations, with additional locations coming later this year
- We recently announced that we will offer HIPAA compliance in all paid plans. This is expected to be available in the second half of 2023.
Currently the cloud Enterprise plans for Jira Software and Confluence require a minimum of 1,000 users. This creates a major obstacle for customers who require data residency (currently available with an EU and US realm in the Enterprise plan) in order to adopt Atlassian's cloud products.
We will use this ticket, in conjunction with our public roadmap, to communicate updates about the availability of Enterprise at smaller user tiers.
- is related to: CLOUD-11410 Offer HIPAA - BAAs signing without Enterprise plan purchase (Closed)
- relates to: CLOUD-11100 Offer Data Residency feature without Enterprise plan purchase (Closed)
[CLOUD-11064] Offer Atlassian cloud Enterprise plan subscriptions for user tiers below 1,000
Some revenue is better than zero revenue. These arbitrary requirements make Enterprise subscriptions unattainable for some companies. It turns potential Atlassian customers to competitors.
Why does the Product Discovery template not have the Share settings with an existing project option?
Hi there,
Indeed helpful, but the plan to remove all Atlassian products is already moving, sorry folks. Your blackmail Cloud offer leaves us no option. Btw, please stop this "data residency" talk; it is all about who is in control, not where the data is! It is just a nice try to hide the problem.
Also, the easy solution was named "Server"; the huge effort to upgrade Server to Data Center was just swapping the licence ...
This would be very helpful; we will be leaving Jira since we can't have a BAA.
Hi folks,
Since this request has seen some activity recently, I wanted to reiterate that Atlassian plans to offer our Enterprise plan at lower user tiers in the future. Currently some aspects of the Enterprise plan require substantial manual effort that we are not yet able to scale in a cost-effective way. We are planning to address this starting later this calendar year. Once we are confident in our delivery timeline and the exact nature of what will be available, our public roadmap will be updated.
As noted previously:
- Data residency is already available in all paid plans in four locations, with additional locations coming later this year
- We recently announced that we will offer HIPAA compliance in all paid plans. This is expected to be available in the second half of 2023.
Regards,
Dave
@Paul Smith - that's interesting! I'm going to reach out for a conversation with Carahsoft.
For those not following the other thread (ticket CLOUD-11410), Atlassian announced the following:
For those following this ticket, we posted an update in our Community today: https://community.atlassian.com/t5/Trust-Security-articles/Expand-what-s-possible-with-HIPAA/ba-p/2250357
tldr: Starting in Q3 2023 (CY), HIPAA will be available on Standard, Premium, AND Enterprise plans. The public roadmap will be updated to reflect this information in the next couple weeks.
I know it took long, but I hope this works well for most of you. We will keep you updated as we progress toward that date.
We were able to get a quote for the 100-user tier for Enterprise Jira/Confluence from Carahsoft (an Atlassian reseller). But we want to migrate to cloud and sign a BAA for HIPAA. We also only have 10 users. So the 100-user tier quote is better but still out of our price range.
No comment from Jira resellers or enterprise sales as of today. They just referred me to this thread and said nothing more.
Has anyone seen/heard any update on this recently? It all seems to have gone quiet in this area.
No. Atlassian can be tight-lipped about roadmaps until a release has been scheduled. I would assume we are more than a year out before this would be a possibility.
Sadly, when it comes to HIPAA and BAAs from technology organizations, you're often forced into Enterprise-level agreements even though you only have a handful of users. We've overbought plenty of software for no other reason.
We are in the process of evaluating Azure DevOps as an alternative. It is a service covered under HIPAA by Azure and is very affordable. I had assumed previously that it only worked with Azure deployments, but I've since learned it's not the case.
I don't suppose anyone has heard anything that constitutes anything like an update, from Atlassian, on this yet have they?
Do you mind if I ask which competitor product(s) you are in the midst of migrating to?
We've moved to YouTrack for all compliance-critical projects / data - it has many technical advantages too, like stability, speed, built-in script execution engine and usable API. For non-critical projects we are still stuck with Jira- it's a lot of work to do a clean migration. In the past YouTrack used to have an import API which could be used to feed the cleaned up data hacked out of Jira-exports, but now you basically need to write an import server so that it can pull the data in at the rate it can process it.
@Nick Kroeger - I agree with what you're saying, it looks like Atlassian have consciously made this decision as a business.
Do you mind if I ask which competitor product(s) you are in the midst of migrating to? We will need to start looking into discovery of alternatives ASAP, so we can get our migration underway in time.
Guys, I got two government-small-it projects affected as well.
One is 25 users, second is 100 users + 3 agents.
Both do have one key rule - it must run without internet access, in our local network.
I understand that Atlassian is pushing everyone to cloud, but I cannot imagine moving those guys to Cloud anytime soon if the law forbids them to access the internet.
@dplumpton and Sebastien, the unfortunate reality is that Atlassian seems to have actively made the decision to alienate all of its SMB customers that have specific regulatory requirements, or otherwise can't or just don't want to move to their cloud for one reason or another.
We too are in the same position and through multiple discussions with multiple people at Atlassian it's becoming more and more apparent that they are not willing to do anything to support smaller customers staying on the Atlassian platform unless we fork out for 500 users on Data Center at a 10-15x cost increase.
There was talk of offering a 100 or 250 user tier for Data Center in the Chinese market due to some laws there however I have heard no progress on that actually happening there or that being an option outside of China. A 100 or 250 user DC tier would still represent a 3-5x cost increase for us but that might just make it worthwhile for us to stay with the Atlassian stack and abandon our migration away, which we are already well into and are approaching the point of no return.
One more comment on this critical issue: we're running most of the Atlassian tools on premise for 50 users and also have contractual requirements regarding regulatory controls and data residency. Any update or announcement to come on this subject?!
I just want to add my own voice to this issue. I work on a small banking account of a larger IT company but we currently make use of a self-built, secure, air-gapped, 50 user Jira/Confluence/Roadmaps/Bitbucket setup. We are facing into a 1,250% increase in costs if we have to move from Server to a 500 user Datacenter tier. I just can't understand how Atlassian believe that this is going to be acceptable to any small companies/accounts?
As others do on this ticket, we also have contractual requirements regarding regulatory controls and data residency, which are clearly not up to scratch in the Cloud offerings, thus making that a non-starter.
As I see it currently we have only 2x options - suck up a 12-fold increase in price or migrate to one of Atlassian's competitors.
If anyone from Atlassian reads this, I'd love to have a conversation about why you are putting your customers into this position and to hear any other options you feel I am overlooking.
This issue is statused as "In Progress". Does that mean the dev team is currently working on it? If so, do we have an ETA?
We are a 220 person company with a 100 IT user base and started using Jira premium in June 2021 under the impression that it was HIPAA compliant and would provide a BAA. We were appalled to find out that to get a BAA we would need to move to a higher tier.
Because of this, as with the others above we are now faced with a difficult task of finding and migrating to another platform.
This is an absolute show stopper for us in terms of doing anything cloud related with Atlassian. We are on the bigger side of small but still below 1000. We will remain on premise until that's fully unsupported and then transitioning away from any Atlassian products. It's a shame Atlassian is choosing not to fully support the Health sector which requires Business Associate Agreements and data residency.
Our company has about 10 users – please consider making this option available to smaller orgs.
Our company is small (<50) but we do business with healthcare organizations and therefore PHI makes it into our Jira mainly from our customers. For that reason, we must use a product that is HIPAA compliant. We can't sustain the cost of hosting Server and are not big enough to move to Data Center. If we can't get into Enterprise at a reasonable price level, we'll be forced to switch products.
We have the same issue. We are a small company < 100 users but need HIPAA compliance. We need a license that supports smaller user bases and provides HIPAA compliance.
FYI to the group following this ticket. I spent time asking this to Atlassian employees at the Team'22 Conference and was told "It's on the roadmap" and the ETA for this is anywhere between 6 months to 2 years. This obviously provides some concern in knowing that the support for server ends in early 2024.
Considering the actual Cloud outage ... happy to be on premise ... our backup takes just 15 minutes to restore. Sorry to say that, but the way Atlassian treated us is also not fair.
Our company has 30 people. We have enjoyed Atlassian products for years now. It's a shame that we have to start considering other options now.
Thanks for contributing Robert, Brian and Nick. We have clients in the same boat, which is why we'd contributed to some of the options assessment exercise done which you'll see evident in https://bye-bye-server.com - interested to know if your pathway options are in line with what we've spotted, or if you see something different.
Robert and Brian, we are in the same position. Atlassian seems to have made the business decision that smaller organizations with compliance requirements are unimportant to them. We are unfortunately in the situation where we are unable to migrate to the cloud but yet as an organization of 50 users are completely priced out of Data Center. In fairness to Atlassian, we are operating within a very unique set of requirements which I would not expect Atlassian though, but Data Center is not an option for us either due to cost. While I have heard rumors (from someone knowledgeable inside Atlassian) that they will be offering Data Center starting at 250 users (maybe less) in China, the rest of us are SOL.
We've already started reviewing alternate platforms and, short of a significant change in Atlassian's (current lack of) willingness to work with smaller companies in a way that allows us to manage our regulatory requirements, will start the migration at the end of this year.
For those with residency requirements, unless something has changed in the last few months it is also important to understand that the data within add-ins may or may not respect the residency settings of the Confluence/Jira/etc instance as add-ins are handled differently.
Additionally, Server support dies at the very beginning of 2024, and we're less than 20 total people.
Unless a plan is less than a month away, we have to start considering alternative products.
Is there a place to see the BAA?
What legal entity is the BAA signed with at Atlassian?
I don't understand why you need to have at least 800 seats in order to purchase a HIPAA compliant plan. This inhibits the ability for startups to use Jira and Confluence Cloud without putting their own checks in place to protect PHI.
Hi everyone,
While it's not the direct focus of this feature request, we are aware that many of you are following this ticket because you have a requirement for data residency, which is currently only available in the Enterprise plan. I'm excited to announce that our Standard and Premium plans for Jira and Confluence cloud will include data residency later this year. We've shared more details on CLOUD-11100. You can read the update there, or check out our landing page to learn more and sign up to receive an email update when it's available here. For your convenience I've copied the answers to a few of the top questions below.
We do plan to offer the Enterprise plan to customers with fewer than 1000 users in the future; however we are not ready to share an availability date at this time.
Regards,
Dave Meyer
Senior Group Product Manager
FAQ
Will the price of cloud plans increase with the addition of data residency?
No, we will not be increasing the price of our Standard or Premium cloud plans as a result of including data residency as a native feature.
Which products is data residency available for?
Data residency is offered for Jira Software, Jira Service Management, and Confluence at this time.
When will data residency be available?
Data residency is currently available for customers on the Enterprise plan. We’re working hard to make data residency available in our Standard and Premium cloud plans by the second half of 2021. To stay up to date on availability, please sign up for updates at the bottom of this page or view our cloud roadmap.
Which locations can I store my data in?
You can choose to pin your data to our US or EU data realms. To stay up to date on additional geographies we are working on, please see our cloud roadmap.
Will enabling data residency make my Jira or Confluence performance faster?
No, Atlassian uses our global infrastructure presence to host data as close to customers as possible in order to achieve maximum performance. While data residency provides an additional level of certainty that data will not be stored outside a specific geographic area, our architecture is designed to provide global customers the best possible experience. Enabling data residency may lead to more latency for users outside the designated geographic area. Learn more about our global cloud infrastructure.
I totally agree with Dirk regarding who can handle the data, or moreover who can access the data? In the case of a customer-supplied encryption key which actually encrypts the databases wouldn't only a ciphertext be available to the company providing the service? Of course depending on how the keys are handled when used in the service. For example, if they are purged after each operation is complete.
Hi Everyone! First big thanks to those of you who have reached out already to have a phone call with me, so I can better understand. The reason I'm asking for this feedback is we currently have customers in the EU on the cloud and large customers who will be moving to the cloud in the EU. We've worked with customers, partners, and our tech peers to make sure that we were doing our part and meeting our obligations. What I need to get a better understanding of is, which parts of the regulations in place, say with GDPR, are causing some customers and their legal teams to be happy with our data management and protection practices and others to say it's no good.
So feel free to come on over to the discussion board, or email me directly so we can set up some time to talk. Thanks to everyone for your feedback and openness, and willingness to work with me. rgazarek@atlassian.com
The unfortunate thing is, data storage within the EU is not the key; it is who is handling the data. Also, Atlassian's ISO 27001 cert is only limited to non-EU countries,
I totally agree with 513b59bdeb2e in his comment of yesterday: "there is at the moment NO legal way to use the Atlassian cloud for sensitive data."
It is actually worse than that!
Even customers who use the service desk to store personal data (i.e. not GDPR sensitive data, but all other data also), might have a big problem, because most EU companies have used the "Data processor agreements" based on the EU recommended template for this. And this template clearly states that the company should process customer data within the EU.
So potentially most of EU customers will be forced to use another system than Jira Service Desk to store their customer data in - unless Atlassian finds a way to ensure that data is indeed stored within EU.
If I understand the EDPB guidelines correctly wouldn't it be possible with an external key manager to encrypt the databases? (Of course with a company that resides in the EU or another country which is approved by the EU with an adequate level of data protection https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
Also as I understand it the data processor should take all possible actions to secure the data as possible within the EU.
Data regions would be one part but maybe not enough, especially not for sensitive personal data. Another feature which also would be really interesting which we are using in Google Workspace, as well as in Google Cloud, is Access Transparency as well as Access Approval even though it wouldn't actually hinder a request in regards of FISA but it would give us another level of security in some aspects.
@RJ Gazarek: these aren't needs of Dirk's company, these are needs of all EU companies and all companies dealing with personal data of EU residents.
I know, the scope of the EU GDPR effects only 550+ million people, but companies outside the EU should begin to respect and understand that once their products met legal requirements in the US, Australia or wherever the company resides, they should investigate legal requirements that apply in other countries.
Nevertheless, thing is - like Dirk already told - Cloud needs a different approach to access the data. In many cases the app manufacturers are forced to implement computing or storage resources outside of Atlassian Cloud on their own servers. And "own servers" today means in many cases Google, AWS, IBM, etc..
Point is that customers are unaware of the fact that their data is transferred from Atlassian Cloud to somewhere else. And they are unaware of the data residency of the copied data. EU based companies mostly try to use servers hosted by EU companies in EU countries. But with AWS or Google, the data is still under some kind of control of a US company. Which is - with Patriot Act, Cloud Act, FISA, etc... - a no-go if you want to take data protection and protection of intellectual property seriously.
From my point of view, there is nothing which can be "discussed". The (legal) rules have been set and are clear. Even the "last exit", called "GDPR standard contractual clauses", cannot be used if hosting is done by AWS or Google. The one and only rule to stay safe is: use on-premises or use EU companies with hosting in the EU only. Or ignore it but don't cry if it goes south.
GDPR was "founded" in 2016 and has been "armed" since May 2018. And in 2021 GDPR still needs discussion or is ignored at all. There should be no discussion as the GDPR is an EU-wide regulation, which means: law in every single EU country (and more, as the Brexiteers have learned).
Hi 513b59bdeb2e if you could join our closed group for these discussions, that would be awesome to capture this feedback there, but also I'd love to jump on a call with you and/or your legal team to get a better understanding on the needs of your company with respect to EU law. rgazarek@atlassian.com is my email address if you'd be willing to help me better understand.
Yes, right, but you have seen what happened to Telekom cloud... it was canceled by Microsoft, Telekom got this from newspapers ...
I see one solution: to implement a EU based subsidiary of Atlassian. Like Microsoft did with Telekom.
OR: revive the server tier
Basically the only way out would be appropriate Data Center user tiers. Also, data residency is, according to our lawyers, useless; the main point is that the EU Court has stopped Privacy Shield (Schrems II), and the issue is around the cloud provider and in no way related to the country in which it is stored.
The next big thing is, even if you have standard clauses or rules, the EU Court pointed out you have to prove the effectiveness of those clauses. This is simply not possible for any US American company due to the Patriot Act. So whether Atlassian likes it or not, there is at the moment NO legal way to use the Atlassian cloud for sensitive data.
Considering the cost of Data Center licenses for the small user tiers, there is at the moment no way for us to continue investing in those products, nor recommending them to our customers.
d503b996312f leaving this comment on this thread, similar to my reply to this same comment on another ticket you left. And thank you for doing so!
I would really love to get some time with you either asynchronously on our data residency discussion thread here to directly in a call if you're willing. I'm definitely interested in understanding more about your internal data protection requirements, as well as which laws/regulations you have to adhere to specifically, so we can take all of that as part of our intake/feedback process. If you're willing, please join our group and the data residency feedback thread!
https://community.atlassian.com/t5/Cloud-Security-Compliance/gh-p/cloud-security-compliance
Tomáš Vrabec: I can't really comment on your situation but would instead suggest that you review the requirements and regulations for your company/industry to determine:
- What, if any, types of the data you handle must reside within a specific region keeping in mind that not all data will have the same requirements
- What the implications of the data being processed outside that region or leaving that region temporarily (ie while in transit) are and if there is a difference if that is encrypted or not
Nick Kroeger:
Do you have law-analysis about this? This could be deal-breaker for many many many organizations and customers from government etc.
For anyone else reading this thread, even with data residency within your region on the enterprise cloud tier, Atlassian does not keep data in transit, add-ins, user account info, and more within that particular region per their Manage data residency page. As such, even if your instance is pinned to EU/US/Canadian servers, your data may leave your region and therefore may put you in violation of PIPEDA, GDPR, export controls, etc.
We are an organization of approximately 50 users and Atlassian has left us in the position where we must either see our annual licensing costs almost quadruple (from 50 server users to 500 data center users) or to move entirely away from ALL Atlassian products.
What we really need is data center tiers lower than 500 users!
I am in the stage of building PoC for Czech government, same situation.
No Atlassian product is suitable to local laws. And no one will pay for DC when there is need for 50 users ...
Due to French jurisdiction, we are only allowed to host our data on French servers. Otherwise we can't run Jira/Confluence for our processes anymore.
Hey guys, think about the smaller companies (25-100 users) that have dependencies to government clients! Due to German jurisdiction, we are only allowed to host our data on German servers. Otherwise we can't run Jira/Confluence for our processes anymore.
I still can't believe Atlassian has no plan to deploy the BYOK (Bring Your Own Key) solution on Standard or Premium licenses. Currently, it's only available on the Enterprise one for 141k annually instead of 20-30k for the Premium with 100-200 users.
You're closing the door on so many potential clients: businesses with fewer than 1,000 employees with strong security requirements (ex. private banks, family office or asset managers in Switzerland) who are interested in a suite of Atlassian solutions, not just JIRA software but also Confluence, JIRA Service Management, etc. It's baffling.