All our software connects Jira & Confluence with Microsoft 365. We use nearly the same data flows independent of the hosting option. So Jira Cloud, Jira Server and Jira Data Center roughly works the same, sharing the same data storage and processing guidelines.
We only store content that has been explicitly created by our apps. Most common data we store are:
User / instance settings
Metadata mappings between Atlassian & Microsoft objects
User login tokens retrieved by OAuth login
We do not store Jira content (like Jira issues, comments, etc.) or Microsoft content (like chat content) on our servers. The exact data varies by the used features and can be looked up in the docs of the feature. In some cases, we do store PII and / or OII data, in conformance with the GDPR. We also will be able to provide a DPA (AVV), please reach out via our support channels for a signed copy.
We process data from your Jira, Microsoft 365 as well as our own data in our infrastructure in Frankfurt. Data residency with world-wide locations is coming soon. The following diagram details the data-flow.
Data flow for user interactions
Whenever a user is interacting with one of our features (in Outlook, Teams, Jira or Confluence) we might process data to fulfill the request. Most often this just includes the current context (e.g. issue, page, email, Teams chat) but also includes users email addresses. When possible (technically and security wise), we access Microsoft services from the users browser, instead our servers (Graph API direct access). Examples for these kind of scenarios are:
Sending an email from Jira
Starting a Microsoft Teams chat from Jira
Creating a new Jira issue from Microsoft Teams
Data flow for application triggered changes
Some features are triggered without user interaction like Teams notifications but instead use webhooks to be processed. We limit the amount of data processed to the minimum, by filtering them on Microsoft & Atlassian-side as much as possible. If a feature is disabled, we do not receive corresponding webhooks at all. Examples for this include:
A Jira issue is updated and a Teams notification should be sent
A task in Microsoft To Do is completed and a Jira issue should change it’s status
Limits on data flow
Whenever we implement a new feature which requires data flowing through our system, we strive to limit this as much as possible. We balance the usability of a feature with the amount of involved data, but we will never crawl all your Microsoft 365 or Atlassian data and / or store private content in our database.
There is an legacy exception for customers using only the Outlook add-in for Jira Server/Data Center that runs locally only. Going forward, with our core focus on integrating with Microsoft 365, new features will require connectivity with our own service.