Bitbucket Cloud Security
We take security seriously here at Bitbucket, building it into every layer of our infrastructure and processes. Rest easy knowing that your code and data are safe in the Cloud.
Data encryption in transit
All data is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.
Simplify and strengthen login through SAML-based SSO. Bitbucket supports SAML-based SSO with all major portals through Atlassian Access.
Security key support
Bolster your 2FA with an extra layer of hardware security. Bitbucket supports security key devices that use the FIDO U2F standard.
IP Whitelisting & Enforced 2FA
Fend off data breaches by enforcing security settings on individual accounts. Assign safe, pre-defined IP addresses and require two-factor authentication with Bitbucket Premium.
Our compliance certifications
Ernst & Young LLP (“EY”) has prepared the attached report (the “Report”) for the sole benefit and use of Atlassian Pty Ltd (“Company”), and, for limited purposes in accordance with the relevant standards of the American Institute of Certified Public Accountants (the “AICPA”), Company’s existing user entities and their auditors. In addition, certain prospective user entities, identified by the Company (collectively with existing user entities, each a “Recipient”), may have access to the Report subject to the terms of this agreement. Your access to the Report is subject to your agreement to the terms and conditions set forth below. Please read them carefully. If you are agreeing to this agreement not as an individual but on behalf of your company, then “Recipient” or “you” means your company, and you are binding your company to this agreement.
By clicking on the “I ACCEPT” button below, you signify that you and the Recipient agree to be bound by these terms and conditions. Such acceptance and agreement shall be deemed to be as effective as a written signature by you, on behalf of yourself and the Recipient, and this agreement shall be deemed to satisfy any writings requirements of any applicable law, notwithstanding that the agreement is written and accepted electronically. Distribution or disclosure of any portion of the Report or any information or advice contained therein to persons other than Company is prohibited, except as provided below.
Company agrees to allow Recipient to access to the Report on the condition that Recipient reads, understands, and agrees to all of the following:
- The Report consists of a service auditor’s examination (the “Services”) conducted for the Company in accordance with the AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. Recipient has requested that Company provide Recipient a copy of the Report.
- The Services were undertaken, and the Report was prepared, solely for the benefit and use of Company, its existing user entities, and their auditors, and was not intended for any other purpose, including the use by prospective user entities of Company. EY has made no representation or warranty to the Recipient as to the sufficiency of the Services or otherwise with respect to the Report. Had EY been engaged to perform additional services or procedures, other matters might have come to EY’s attention that would have been addressed in the Report.
- The Services did not (a) constitute an audit, review or examination of financial statements in accordance with generally accepted auditing standards of the AICPA or the standards of the Public Company Accounting Oversight Board, (b) constitute an examination of prospective financial statements in accordance with applicable professional standards or (c) include procedures to detect fraud or illegal acts to test compliance with the laws or regulations of any jurisdiction.
- The Recipient (a) does not acquire any rights against EY, any other member firm of the global Ernst & Young network, or any of their respective affiliates, partners, agents, representatives or employees (collectively, the “EY Parties”), the Company or any of their respective affiliates, partners, agents, representatives or employees (together with EY Parties, the “Report Parties”), and the Report Parties assume no duty or liability to the Recipient, in connection with the Services or its access to the Report hereunder; (b) may not rely on the Report; and (c) will not contend that any provisions of United States or state securities laws could invalidate or avoid any provision of this agreement.
- Except where compelled by legal process (of which the Recipient shall promptly inform EY and the Company so that they may seek appropriate protection), the Recipient will not disclose, orally or in writing, any Report or any portion thereof or any other Confidential Information received from EY or the Company in connection therewith, or make any reference to EY or Company in connection therewith, in any public document or to any third party other than Recipient’s employees, agents and representatives, who need to know the information to evaluate operations for compliance with Recipient’s security, regulatory and other business policies, and provided such third parties are bound by confidentiality restrictions at least as stringent as those stated in this agreement. “Confidential Information” shall mean the Report and other information and materials that are (i) disclosed by the Company in writing and marked as confidential at the time of disclosure, or (ii) disclosed by the Company in any other manner and identified as confidential at the time of disclosure and within thirty (30) days of disclosure, or (iii) reasonably regarded as being of a confidential nature.
- Recipient may use Confidential Information, including the Report, for a period of the sooner of one (1) year from disclosure or such other validity term as indicated in the Report, and only for the purpose of evaluating the Company’s operations for compliance with Recipient’s security, regulatory and other business policies. This agreement does not create or imply an agreement to complete any transaction or an assignment by Company of any rights in its intellectual property.
- The Recipient (for itself and its successors and assigns) hereby releases each of the Report Parties, from any and all claims or causes of action that the Recipient has, or hereafter may or shall have, against them in connection with the Report, the Recipient’s access to the Report, or EY’s performance of the Services. The Recipient shall indemnify, defend and hold harmless the Report Parties from and against all claims, liabilities, losses and expenses suffered or incurred by any of them arising out of or in connection with (a) any breach of this agreement by the Recipient or its representatives; and/or (b) any use or reliance on the Report or other Confidential Information by any party that obtains access to the Report, directly or indirectly, from or through the Recipient or at its request.
- Upon termination of this agreement or written request by a Report Party, the Recipient shall: (i) cease using the Confidential Information, (ii) return or destroy the Confidential Information and all copies, notes or extracts thereof to Company within seven (7) business days of receipt of request, and (iii) upon request of a Reporting Party, confirm in writing that Recipient has complied with these obligations.
- This agreement shall be governed by, and construed in accordance with, the laws of the State of New York applicable to agreements made and fully to be performed therein by residents thereof. This agreement can be enforced by any of Report Parties, individually or collectively.
By entering your email you agree to be bound to the terms of this Agreement. If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity.
Please download the report:
We are wholly invested in our customers' success and the protection of customer data. The way we deliver this promise is by complying and by helping you understand the EU General Data Protection Regulation (GDPR).
We host our own data for Bitbucket Cloud. Our main data center is located in Virginia and our disaster recovery center is hosted in California.
More information about the physical security of the data center can be found here.
Atlassian Bug Bounty
We've partnered with Bugcrowd to add an additional layer of security to our products by rewarding unique vulnerability research. If you've found a vulnerability, disclose the issue to our security team through our bug bounty program.