Note: This blog post is provided for informational purposes only. It is not intended to be a substitute for legal advice. As such, we recommend that you consult a lawyer before acting on any matter discussed within this post.
Whether you've been selling apps on our Marketplace for years or you're new to the ecosystem, chances are you've heard a thing or two from Atlassian or our customers about compliance, particularly for cloud apps.
According to a recent report by IBM, the average cost of a data breach has surged to $4.45 million, a 15% increase in just three years. In this environment, it's difficult to get far in the business world as a SaaS provider without discovering that protecting your customers' data is just as important as offering them a useful product. And of course, compliance plays an important role as the framework that makes your data protection efforts legible to your customers.
So, what do we mean when we say "compliance"?
When we talk about "compliance" we are typically referring to the rules, frameworks, and processes that demonstrate your level of maturity with respect to government laws and regulations (including those governing personal data) and with respect to data-handling and security requirements.
Privacy, security, and compliance are terms that are often used interchangeably, but they're not exactly the same.
- Privacy, or data privacy, is focused on the principle that personally identifiable information (sometimes referred to as PII) belongs to the individual. Individuals have the right to determine what, how, when, and by whom their information is accessed and how it is used. The onus is on businesses to meet requirements that protect this right.
- Security is focused on ensuring all data is protected from unauthorized access and use. Avoiding security breaches should be top of mind for all software companies.
- Compliance refers to a set of policies, frameworks, regulatory requirements, or laws that outline the conditions that need to be met to be considered secure, reliable, and private. Compliance is often much broader than just privacy: it can cover all applicable laws and regulations (even ones that are not privacy related) as well as alignment with security and other standards (like SOC 2 or FedRAMP).
In short, privacy focuses on the use and governance of personal data, security focuses on the systems, controls, and processes necessary for protecting data, including but not limited to personal data, from unauthorized access and/or use, and compliance provides a blueprint for how that needs to be done. You can read more about Atlassian's compliance program here.
Marketplace Partners with at least one Paid via Atlassian app can get partner-specific compliance information and resources in the Partner Portal here.
Why is compliance important for Marketplace app developers?
According to an Atlassian survey, 72% of enterprise Atlassian Cloud customers say apps meeting compliance requirements is very or extremely important.
Compliance makes it easier for a customer to decide whether your systems can be trusted, because you are maintaining a clear standard that a third party has set for all of your peers. Beyond customer demand, it is important for a few other reasons, and these reasons vary depending on whether you're thinking about compliance with a legal obligation (like a privacy regulation) or with a security or privacy standard.
Why is it important to comply with privacy laws and regulations?
Complying with legal obligations related to data privacy should be top of mind for all SaaS providers. If you violate data privacy laws in the area where your business is located or where your customers are located, you or your customers can be subject to serious fines. For example, if you have customers in the EU, you can be fined if you do not meet your obligations under the GDPR. Violating data privacy laws can also hurt your reputation among customers and prospective customers, who take their own data privacy seriously.
Meeting your legal obligations in the areas where your business operates (in other words, where you are located or where your customers are located) is also a requirement under the Atlassian Marketplace Partner Agreement.
You can read up on tips for developers when it comes to some key regional privacy regulations—the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)—here on the Developer blog.
Of course, in addition to compliance with data privacy laws, there are also regulatory obligations you or your customers may be subject to depending on their industry and/or location. For example, many companies may be subject to financial laws (Sarbanes-Oxley, Gramm-Leach-Bliley, etc.), healthcare laws, and more. These are other factors your prospective customers may be considering when evaluating an app.
Why are security standards and frameworks important?
Customers often look to trusted reports or standards like SOC 2 or ISO27001 to simplify and streamline their software assessment process. For many customers, a certification like ISO27001 or an attestation report like SOC 2 'ticks' a lot of boxes and provides enough baseline assurance for them to use a cloud offering. Keep in mind that a certificate or report only covers the systems and controls that were in scope for the audit, so customers will still check that the infrastructure actually running your app is included.
Even if compliance with a framework is not a hard requirement for a customer, it can still help reduce the number of questions a customer needs to reach out and ask you about your app and your business before they can install. While achieving a certification or going through an audit may take time up front, it can save you time down the road by streamlining security assessments for you and your prospective customers.
Finally, and perhaps most importantly, going through a certification or audit process can improve the quality of your product and business. When sharing their ISO27001 journey at Developer Day this year, Tobias Viehweger of Platinum Marketplace Partner Yasoon listed a number of improvements to his app's infrastructure and company's operations as a result of the certification process.
How should developers think about prioritizing when it comes to compliance?
Your first step should always be to understand and make sure you're meeting your legal requirements.
Not only is this a stipulation in the Marketplace Partner Agreement, but failing to meet legal requirements can lead to legal action and fines for your business, not to mention harm to your company's reputation.
The easiest way to verify you're meeting your legal requirements is to consult with a lawyer who understands laws and regulations that apply to your organization. If you don't have legal support and can't afford to consult with a lawyer, you can start by looking at regulations related to data privacy in the region where your company operates, and in the regions where your customers are located (you can get started here in the Partner Portal — feel free to let us know if you'd like us to cover additional regulations in the comments).
Once you're sure your bases are covered from a legal standpoint, you can start thinking about ways to comply with popular standards and frameworks.
When thinking about where to start, there are a number of things to consider that will, in many cases, be specific to your unique app business. It helps here to think about which projects will bring the most value to your business, and compare that list to which ones will be the highest investment from a financial or effort perspective.
Things that you might consider when determining value for your compliance roadmap include:
- Which frameworks seem to be seen as "table stakes," meaning your competitors are meeting them or your customers ask for them regularly?
- Where are certain frameworks most popular or relevant?
- Where is your customer base primarily located?
- Which industries or regions do you hope to grow into in the future (in other words, which potential markets would you like to invest in)?
- Is there a framework that applies to a broader range of places or customers that would work, as opposed to a smaller or more specialized regional one? (For example, is there a general EU standard for an industry rather than a country-specific standard that has many of the same requirements?)
Things you might consider when determining effort for your compliance roadmap include:
- Does the investment apply to multiple different regulations and frameworks? (For example, will investing in a given control only help with your ISO27001 certification or is the same control a requirement for SOC 2 or GDPR as well?)
- Do you already have most of the controls in place?
- Is this a certification, or a report, or a self-audit?
The biggest jump here is getting started, but once you've gotten one certification or gone through one audit process, it's often easier to achieve additional milestones.
For example, at Atlassian, we started our journey with SOC 2 and then appended ISO27001 to our annual audit and certification program. There are a lot of overlapping controls, so once we had them in place for SOC 2 they could also help us achieve our ISO27001 certification.
Marketplace Partner tailored resources to get started
One big benefit of starting a SaaS business as an Atlassian Marketplace Partner is you're not alone in your journey. We're committed to helping Marketplace Partners get up to speed on compliance topics through:
- an exclusive discount on compliance support from popular compliance platform Vanta
- 101-level compliance resources on the Partner Portal (available to Marketplace Partners only)
- updates and tips on key regulations from Atlassian's legal team here on the Developer Blog, like:
Plus, if you're reading this before October 2023, you can sign up for live trainings on trust from Atlassian experts and our partners at Vanta.