During Atlassian Team25 Europe, the Compliance Alliance hosted the 4th Compliance Workshop in Barcelona.
Despite a wild thunderstorm, nearly 30 compliance enthusiasts braved the rain to join the workshop – a session packed with insights on AI in regulated industries, Atlassian Isolated Cloud, Cybersecurity of Marketplace Cloud apps, and selling must-have compliance solutions to Atlassian Cloud users in regulated domains.
You can also watch a short summary of the workshop on YouTube.
But first things first, who is Compliance Alliance?
Who are we – Compliance Alliance?
Compliance Alliance is a group of Marketplace partners working closely with regulated industry clients and offering compliance solutions on Atlassian Cloud: Izymes, Opus Guard, SoftComply, Polymetis Apps and HYCU.

Compliance Workshops
Our goals are to:
Support and build trust among regulated industry enterprise clients on Atlassian Cloud
Better understand compliance challenges in the market
Foster collaboration between Marketplace Partners & Solution Partners & Atlassian
Share knowledge and experience gained from working with regulated industries

Why should you care about compliance?
Atlassian has done a great job with compliance, having achieved numerous certifications you can explore on the Atlassian Trust Centre.
So, why should you — as an Atlassian Partner or customer — still care?
Because Atlassian’s certifications don’t automatically guarantee that your own use of Atlassian Cloud is compliant, nor that the products you build using Atlassian tools will be compliant either. Understanding your specific regulatory obligations remains essential.
4th Compliance Workshop at Team25 Europe
This edition of the workshop was more interactive than ever, featuring four in-depth breakout sessions: Atlassian Isolated Cloud, AI in regulated industries, Cybersecurity and compliance of Marketplace apps and how to sell compliance solutions on Atlassian Cloud.
Below is a summary of each discussion.
Atlassian Isolated Cloud
With the end of life for Atlassian Data Center in three years, the most regulated industries must find an alternative – either migrating to the commercial Cloud (if legally allowed) or considering the Atlassian Isolated Cloud, provided they can meet the price threshold (the minimum user count currently starts at 20K).
Atlassian Isolated Cloud is managed by Atlassian and hosted in a dedicated AWS Virtual Private Cloud. It is a single tenant cloud option with isolated storage, compute, and networking, optimized to minimize the risk of data loss or leakage.
Below is an infrastructure diagram of multi-tenant cloud (Atlassian commercial cloud) and single-tenant isolated cloud:

Isolated Cloud will first be launched in the US in early 2026, followed by the EU.
This popular session, moderated by Hui Ren and Arun Velagapalli from Atlassian, tackled key questions around:
Regional and industry requirements for Isolated Cloud
Levels of isolation
Support and recovery of Isolated Cloud instances
In this breakout session, participants discussed the detailed isolation requirements for data, networks, storage and computing — noting that greater isolation comes with higher costs, leading some customers (without legal restrictions) to migrate to the commercial cloud.
How will Isolated Cloud be priced:
Since dedicated infrastructure is a significant investment, Isolated Cloud will be more expensive than any of the multi-tenant cloud offerings, which benefit from the efficiencies of shared resources.
In this breakout session, the minimum user count (currently set at 20K) was discussed as European companies and government agencies tend to be much smaller.
Marketplace Apps in Atlassian Isolated Cloud:
All “Runs on Atlassian” apps built on Atlassian’s Forge Platform will be compatible with Atlassian Isolated Cloud. These apps minimize risk because they:
- leverage Atlassian’s Forge platform and do not rely on partner-hosted infrastructure,
- do not transmit data outside of the Atlassian Cloud (or in this case, the Isolated Cloud environment) without customer consent,
- offer a control in the installation consent screen so customers can enable or disable sharing of diagnostic logs and analytics with the app vendor.
Migrating data to Atlassian Isolated Cloud:
Atlassian Isolated Cloud will support Data Center to cloud migrations and cloud to cloud migrations using Atlassian’s migration tooling.
Other topics that were discussed in this breakout session included European rollout timelines for Isolated Cloud, data egress, and computing and data residency considerations.
AI in Regulated Industries
AI was the hot topic at Team25 Europe, especially with Rovo now accessible to everyone. However, for regulated industries, promoting AI-enabled features can easily trigger audit concerns before excitement.
The main challenge lies in the opacity of generative AI — how it works and what data it was trained on — both critical issues during audits. While building an organization’s own LLM could mitigate these risks, it requires strong data management practices and information hygiene.
This breakout session, led by Nick Wade (Opus Guard), Matteo Gubellini (SoftComply), and Oliver Siebenmarck (Polymetis Apps), explored:
Risks and opportunities using AI in safety-critical or other regulated industry product development
Red flags in AI use cases in Atlassian Cloud – challenges in using Rovo in regulated industries
Compliance risks in letting AI handle your critical data
The challenges of information hygiene versus AI quality and ROI
The session explored how AI can enhance productivity in regulated industries, while underscoring the need for control, transparency, and human oversight. Key themes included managing “shadow AI,” mitigating data and IP risks, and preparing for more context-aware (“agentic”) AI systems. Participants emphasized that responsible AI adoption requires clear governance, validated outputs, and open communication with stakeholders.
Balancing Innovation and Risk:
AI offers clear efficiency gains, but organizations must apply it cautiously. Existing security, quality, and compliance controls remain vital, and new safeguards will be needed as technologies evolve.
Risks of Uncontrolled AI Use:
Unsanctioned (“shadow”) AI can introduce quality and confidentiality issues—such as recent public cases involving AI-generated report errors. Clear policies, approved tools, and human validation are essential.
Human Oversight:
A “human in the loop” remains critical to ensure accuracy, though growing AI output volumes can overwhelm reviewers. Scoping use cases and setting workflow limits help maintain quality and efficiency.
Agentic Workflows:
Future AI systems will be more autonomous and context-aware—tracking workflow states, adapting actions, and managing tasks within defined boundaries.
Context windows (the data an AI can access) must be tuned to ensure relevance, compliance, and efficiency.
Too broad a window risks outdated or irrelevant outputs; too narrow can omit important data.
Transparency and Trust:
Transparent AI governance—such as clear data usage rules, DPAs, and informed stakeholder communication—builds trust and supports regulatory acceptance.
AI can safely boost productivity if organizations maintain robust oversight, control access to data, and ensure transparent use. Success depends on thoughtful adoption: defining clear guardrails, validating outputs, and tuning AI systems for specific, well-scoped use cases.
Cybersecurity and Compliance of Marketplace Cloud apps
This breakout session was led by Phil Grove and Sean Bourke from Atlassian, who asked participants about the following:
Challenges and opportunities of procuring secure, compliant Marketplace Cloud apps for enterprise customers in regulated domains
Atlassian Cloud Shared Responsibility Model
Cybersecurity and compliance considerations of Marketplace apps

Discussion topics included Connect vs. Forge, “Runs on Atlassian” architecture, data egress, and transparency of app security and privacy features to help customers better assess risks before installation:
Data Residency & Compliance Are Top Concerns:
Customers, especially in regulated industries (and in more regulated countries like Germany), are highly focused on where data is stored, compliance with local regulations (like GDPR, C5), and the ability to trace data flows within apps.
Forge Native Apps as a Trust Signal:
Apps built natively on Atlassian Forge are easier to sell and adopt because customers trust that data remains within the Atlassian ecosystem. However, there is confusion about what “Forge Native” or “Runs on Atlassian” truly guarantees, especially regarding analytics and optional egress.
Complexity of App Onboarding & Security Reviews:
The onboarding process for apps is stringent, focusing on data flows, third-party involvement, and compliance. Security reviews are still required even for Forge apps, as misconfigurations or improper use of APIs can introduce risks.
Marketplace Badges (Cloud Fortified, Fortified, etc.) Are Not Fully Understood:
Customers use badges as trust signals, but often don’t understand the requirements behind them. There’s a need for clearer, more granular trust/compliance levels (e.g., Fortified Level 1, Level 2) and for these to be app-specific.
Desire for Standardized Compliance Requirements:
Both vendors and customers would benefit from a clear, catalogued set of compliance requirements (e.g., encryption, pen testing, certifications) that can be mapped to app development and tracked through tools like Jira.
Migration Challenges:
During cloud migrations, teams use checklists to determine which apps are necessary and which features are now native to cloud. There’s interest in sharing best practices and checklists for app consolidation.
Feature Flags & Egress Controls:
There’s interest in giving customers more granular control over app egress (e.g., toggling integrations like Slack), but concerns remain about admins enabling features that legal/compliance teams have not approved.
Standardized Agreements Streamline Procurement:
Standard agreements (e.g., standard legal terms) can greatly reduce procurement friction, but some customers still require custom amendments.
Remember, compliance is an ongoing process. Compliance isn’t just about the app you use, but also about your development process and lifecycle management. Building compliance into these processes early makes scaling and future audits easier.
Selling Compliance Solutions on Atlassian Cloud
In recent years, Atlassian Partners have shifted toward selling business solutions tailored to industry verticals. This breakout session explored exactly that – how to sell must-have compliance solutions to business users in regulated industries.
Led by Ulrich Kuhnhardt (Izymes), Monika Isak (SoftComply) and Bogdan Viher (HYCU), the session addressed:
How to make Atlassian Cloud compliant when migrating regulated industry clients from DC to Cloud?
Challenges and benefits in selling must-have compliance apps on Atlassian Cloud
Working together with marketplace partners in understanding the compliance requirements and apps that support meeting these requirements
Long lead times to very sticky clients

This breakout session explored the differences between selling “nice-to-have” technical apps in volume and selling “must-have” compliance solutions to regulated industry clients – the kind of customers with longer sales cycles but far greater long-term loyalty.
Atlassian Solution Partners have traditionally focused on Marketplace apps that solve specific technical problems across multiple industries. Now, however, the focus is shifting toward building solutions that address complex business challenges within one or two specific verticals. That’s a big change — it means learning to speak the language of business rather than purely technical terms, and truly understanding the problems faced by Atlassian enterprise customers in those industries. And when that industry happens to be regulated or safety-critical, compliance inevitably becomes one of the key business challenges that customers expect solution partners to help solve.
“Compliance” itself is a broad term that covers a wide range of legal and regulatory requirements — and its meaning varies greatly from one industry to another. To be a trusted solution partner, you need to understand each industry’s compliance landscape and the specific terminology they use. The easiest way to start is by focusing on one industry where you already have connections. Learn its regulatory requirements and its “language” first — and then expand your expertise to others once you’ve built a strong foundation.
Summary
Compliance is no longer just a checkbox – it’s becoming the foundation of trust in our digital world. As technology evolves and regulations tighten, understanding compliance isn’t just for auditors and legal teams anymore. It’s for everyone building, selling or supporting solutions in the cloud. The more we all learn about it, the more confidently we can innovate – knowing that what we create is not only powerful but also safe and secure.
We’re excited to keep this momentum going at the 5th Compliance Workshop during Atlassian Team26 in Anaheim in May 2026. Let’s continue shaping the future of compliant cloud collaboration together!
If you’d like to join us, share your experiences or be part of the conversation – just drop me an email. We’d love to see you there!