Compliance Workshop Recap from Team25

April 20, 2025

Compliance is (finally) on everyone’s radar now that Atlassian is targeting business teams and business users in specific verticals and everyone is talking about solutions rather than apps. 

This is also why SoftComply hosted the 3rd edition of the Compliance Workshop on April 10, 2025 during the Atlassian Team event. The workshop, titled “How to best support Regulated Industries on Atlassian Cloud”, was aimed at discussing the compliance requirements of regulated industries and the collaboration between Atlassian, app vendors and solution partners to best support our customers from regulated domains.

For 3 years in a row we have had the pleasure of bringing together a group of like-minded people working in or with companies from regulated industries using Atlassian. It started in 2023 in a Starbucks in Las Vegas as a discussion over breakfast. In 2024, we had a breakfast workshop with 6 speakers: Mix and Joe from Atlassian, Ulrich and Marion from Marketplace Partners, and Jan and Geoff from Solution Partners.

The 3rd edition took place on April 10, 2025 at Atlassian Team in Anaheim where SoftComply organized a dedicated lunch workshop on compliance bringing together Atlassian Marketplace Partners and Solution Partners that focus on the regulated industries and their compliance requirements.

This year’s workshop featured 5 talks by Atlassian Marketplace Partners – SoftComply, Izymes, Opus Guard, Polymetis Apps and Hycu – and 2 talks by Atlassian.

With a record number of 42 attendees, we discussed the following topics at the workshop:

  • Governance, Risk and Compliance (GRC) on Atlassian Cloud by Marion (SoftComply)

  • Data Leak Prevention and Data Management by Oliver (Polymetis Apps)

  • Compliance in Software Development and Code Approvals by Ulrich (Izymes)

  • Data Backup and Recovery Strategy by Andy (Hycu)

  • Data Protection, Retention and Information Governance by Nick (Opus Guard)

  • Atlassian Government Cloud by Krista (Atlassian)

  • How Marketplace apps can ensure Enterprise Readiness by Sunny (Atlassian)

Below is a short summary of each talk given at the workshop together with a link to their presentation.


SOFTCOMPLY – Dr. Marion Lepmets

SoftComply provided an introduction to the workshop focusing on the importance of compliance in the regulated industries and how we can help Atlassian users comply better with their requirements when we, Atlassian Partners, work together.

Although the Marketplace Partners presenting at the workshop focus on different aspects of compliance, together they cover the major areas that matter to any regulated industry client: data governance and protection, risk and compliance management.

SoftComply has focused on regulated and safety critical industries since they started over 9 years ago. With over 1’100 client companies on Atlassian today, SoftComply supports regulated industries in their audit-readiness. As such, SoftComply provides the most advanced risk management solution on Jira Cloud that supports product or software system safety and cybersecurity risk management. With extensions of Risk Reporting and automated Validation of the Risk Manager Plus in Confluence, it is the only validated risk management solution in Jira today.

SoftComply Document Manager is an out-of-the-box compliant document management solution in Confluence Cloud with a dedicated interface for controlled documents, specifically built for quality and compliance managers in regulated industries. In addition to the Document Manager being validated, SoftComply also provides an automated validation app for Confluence Cloud.

Risk Management on Jira Cloud

In safety-critical domains, products (including software systems) cannot be placed on the market without passing a regulatory audit first. In these audits, the developers need to provide evidence of the safety and security risk management conducted during the software development lifecycle.

SoftComply Risk Manager Plus aims to build and automate your risk management process in Jira Cloud.

Compliant Document Management on Confluence Cloud

Although there are several document management apps on Atlassian Marketplace, the majority of them require significant customization to achieve – often partial – compliance, and are therefore not ideal for the regulated industries, especially when audits come around.

SoftComply Document Manager was developed specifically for regulated industries like the medical device industry to support compliance with FDA 21 CFR 11, ISO 13485 and IEC 62304. With the dedicated interface of the Document Manager app, you can easily segregate controlled documents from the rest of your organization’s wiki in Confluence Cloud. In addition to the app being validated, SoftComply provides an automated validation app for Confluence Cloud to help meet the software tool validation requirement found in the majority of regulated industries.

You can check out or download the full presentation from SoftComply here.


POLYMETIS APPS – Oliver Siebenmarck

Polymetis Apps is a Marketplace Partner helping companies protect their PII (personally identifiable information) data to prevent data leaks. Polymetis Apps makes it easier than ever to protect sensitive information in Jira & Confluence.

Data Leak Prevention refers to strategies or practices designed to prevent sensitive data from leaving an organization’s control.

Data Leak Prevention is vital for various reasons, including:

  • regulatory compliance,

  • IP protection,

  • insider threat mitigation,

  • data visibility and control,

  • organisational reputation management.

With the average cost of a data breach being around $5 million, companies are investing in building an effective Data Leak Prevention Strategy on Atlassian Cloud.

Data Leak Prevention Strategy

A DLP strategy consists of:

1. Data Management Policy

2. Data Inventory

3. Continuous Detection

You can check out or download the full presentation from Polymetis Apps here.


IZYMES – Ulrich Kuhnhardt

Izymes is a Marketplace Partner focusing on regulatory compliance in software development and code approvals. At the workshop, Izymes talked about the importance of compliance in software development and about cyber fraud.

Some statistics about cyber attacks and fraud:

  • Cyber attacks: 47% Highest global risk for business operations

  • Top risk in Pharma, Chemical, Aviation, Aerospace, Defense, FinServ/Tech, Media, Telco & Technology industries

  • $4 (£3.1) trillion illicit transactions in 2023

  • $5B fines for non-compliance, up 31% YTY

  • $23B Synthetic Fraud by 2030

In the automotive industry, for example, non-compliance of software resulted in serious incidents:

  • 300M Lines of code in modern cars

  • 2010 – no public peer-reviewed safety standards (US)

    • 8M recalls by Toyota

  • Lane control failures, no emergency intervention (ADAS)

  • “Software is Eating the World” (Marc Andreessen)

Although the number of regulatory requirements is constantly increasing, security awareness and assurance in organizations are lagging significantly behind.

Make Software Great Again!

Compliance isn’t just a Checkbox – It’s a Gold mine

What Clients want:

  • Compliant change management

  • Clear traceability for their controls

  • Automation/rules-based review/audit steps

  • Automation in reporting and audit trailing

  • Solution partners and enterprise teams must speak both “code” and “regulator” language

Impediments to Compliance & DevSecOps:

  • Compliance vs Velocity

  • Security vs Velocity

  • Traditional model vs exponential complexity

  • Legacy platforms and long product lifecycle

  • Compliance is “someone else’s job.”

  • Lack of versioning and bidirectional approval trails

  • Manual Checklists and disconnected tools

Although the majority of international standards and regulations present their requirements in a waterfall fashion, these requirements can also be met in agile development – we call it “wagile”, where requirements can be broken down into sprints.

DevSecOps compliance paradigm

Best practices of embedding compliance to software development processes:

  • Connect compliance across project, documentation and DevSecOps systems

  • Rules & Policy-as-Code

  • Compliance is a continuous system, not a quarterly event.

  • Shift-Left Compliance (think compliance early)

  • Continuous Assurance, fail early

  • Build for reporting and auditability from day one

  • Develop compliance controls as code and automate where possible.

Compliance as Code + Automation

There are several benefits of compliant software development and automation:

  • Repeatability

  • Efficiency

  • Audit readiness

  • Early defect detection

  • Transparency / Traceability

You can check out or download the full presentation from Izymes here.


OPUS GUARD – Nick Wade

Opus Guard, a Marketplace Partner, is simplifying information governance for all modern SaaS tools. Their focus is on compliance with retention mandates and policies. Their tagline is “Keep what you need, remove what you don’t”.

For a lot of long-standing Atlassian customers where Jira and Confluence have been in the company for years, almost no content has ever been deleted, despite the organization having a retention policy. There are millions of old issues in Jira, and hundreds of thousands of old pages and posts in Confluence.

Opus Guard helps companies to automatically and systematically manage their content and delete it at 3 years, 6 or 7 years, whenever the retention policy says it’s eligible and should no longer be there. Opus Guard solves the problem of content sprawl.

Beyond solving content sprawl, you or your customers can more easily and quickly produce compliance evidence for the regulations, legislation, and industry-standard frameworks that help build trust with customers. As one simple example, ISO 27001 audits now involve checks for retention policy and effective management across unstructured content in the organization.

Employee- and AI-created content is everywhere, and the problem of glut is compounded by time. Much of this information experiences a value-risk inversion over time in any organization. While some business records will have high value for a long time, an overwhelming amount of information and content is initially valuable as it’s being created and actively worked on/with – and it then declines in value relatively quickly while potentially becoming a future liability. The longer most content lives unclassified and within distributed SaaS systems, the greater a risk it becomes.

Good information governance and proper data retention hygiene suggest that ideally such information is identified by the retention policy and removed in automated, routine ways before the risk of retaining it outweighs the value within its content.

Content Retention Management

Opus Guard’s solution for these modern data retention problems is the Content Retention Manager app for Confluence and for Jira Cloud.

The Content Retention Manager will report and visualize age metrics about all content in your systems immediately. When ready, the organization’s retention policies, data classifications and discovery holds can be applied effortlessly across the contents in Confluence and Jira + Jira Service Management.

Reporting and visualization of the effectiveness of archiving, retention, and disposal is immediately available. Automating expired information disposal is an option to turn on when confident with the policies, classifications, and holds you can now see. All of this can be rolled out gradually across any Atlassian Cloud site within Confluence and Jira, and starting with some small number of target older spaces and projects is common before system-wide implementation.

You can check out or download the full presentation from Opus Guard here.


HYCU – Andy Fernandez

Hycu is an Atlassian Marketplace Partner supporting Atlassian users in Data Backup and Recovery.

Data loss threats are increasing rapidly due to an increasing amount of:

  • external cyberattacks,

  • 3rd party risks,

  • automation errors,

  • configuration mishaps,

  • insider threats, and

  • human errors.

There is also an increasing number of regulatory requirements that focus on cybersecurity resilience, disaster recovery and data backup, such as DORA and NIS2.

Data Backup & Recovery

To safeguard data when migrating from on-prem to Cloud, consider embedding backup & recovery planning into the migration plan to help it land safely!

There are certain times in which every organization should consider a 3rd party backup on Atlassian:

You can check out or download the full presentation from Hycu here.


ATLASSIAN – Krista Gorman

Krista talked about Atlassian Government Cloud and the recently acquired certificate of FedRAMP Moderate.

With a continuing focus on cloud adoption in the US government and an increased focus on maximizing efficiency, it’s more important than ever for agencies to have tools that boost productivity and don’t slow you down. At the same time, the work your teams do — improving citizens’ lives and protecting the nation — is critically important and must be kept secure.

Atlassian Government Cloud allows you to modernize your workflows and power greater collaboration while ensuring your agency’s work stays secure on a FedRAMP Moderate platform.

Atlassian Government Cloud is a Software as a Service (SaaS) offering that helps teams collaborate, track work, manage IT service delivery, support their DevOps practices and more – all with the security and control that agencies need. Available products include:

  • Jira for project management across business and software teams

  • Confluence for knowledge management and documentation

  • Jira Service Management for IT service management, including support, IT operations, customer service, and more.


ATLASSIAN – Sunny Manaktala

Sunny talked about the importance of Atlassian Marketplace partners implementing information governance best practices to ensure enterprise readiness. He highlighted the importance of making sure that Atlassian Marketplace partners understand the requirements of the regulated industry and enterprise level users.

As such, Sunny covered the benefits of Runs on Atlassian as well as of partners building their own Trust Centres as part of the ISO 27001 and/or SOC2 certification.

Sunny also stressed the importance of the Partner program requirement of achieving an ISO 27001 or SOC2 certificate in 2026 at the latest. Platinum Marketplace partners need to build a Trust Center in addition to the certificate, while Gold partners need to have the certification audit scheduled for 2026 at the latest.


Compliance Workshop in Barcelona

Team25 Europe will take place in Barcelona on 7-9 October. The next Compliance Workshop will take place there.

Please let me know if you want to join it – either to speak at it or join the discussion from the audience.
