Parent Company
Atlassian Corporation (Delaware, US)
CLOUD Act Status
✗ Exposed
Canadian Data Residency
⚠ Available
Encryption
⚠ CMK Available (add-on)
TIA / PIA Required
Yes — Law 25 & POPA
Previously Non-US
⚠ Redomiciled 2022

Is Jira CLOUD Act exposed for Canadian organizations?

Yes — but the answer is more nuanced than most tools in the Sovereignty Index. Atlassian Corporation is incorporated in Delaware and headquartered in San Francisco, which places it squarely within CLOUD Act scope. US authorities can compel Atlassian to produce data regardless of where it is stored.

What makes Jira unusual is that Atlassian offers Canadian data residency — you can pin your Jira issues, Confluence pages, comments, and attachments to the Canada (Central) AWS region. Atlassian also offers Customer-managed keys (CMK) as a paid add-on, allowing you to host encryption keys in your own AWS KMS account. These are real, meaningful mitigations that most US-parented tools don't offer.

But neither eliminates CLOUD Act exposure. Canadian data residency controls where data sits at rest — not which government can compel the company to produce it. And customer-managed keys give you a "kill switch" (revoke access), but under a valid US court order, Atlassian could be compelled to require you to restore access. The jurisdictional risk is structural, not technical.

There's also a sovereignty story worth understanding: Atlassian was not always a US company. Founded in Sydney, Australia, it was incorporated in England and Wales until September 2022, when it redomiciled to the United States as a Delaware corporation. Every Atlassian Cloud customer's CLOUD Act exposure changed overnight — a case study in how corporate decisions alter sovereignty risk for millions of users.

Regulatory Analysis

CLOUD Act exposure

The Clarifying Lawful Overseas Use of Data Act (2018) requires US companies to produce data in response to valid US legal process, regardless of where that data is physically stored. Atlassian Corporation, as a Delaware-incorporated entity (since October 2022), is within scope.

This is particularly notable because Atlassian was previously incorporated in England and Wales — outside direct US CLOUD Act jurisdiction. The company's decision to redomicile was driven by investor access and stock index eligibility, not sovereignty considerations. But the legal consequence was immediate: every Atlassian Cloud instance worldwide became subject to US legal process.

🍁
Your Canadian Data
Jira issues, Confluence pages
pinned to Canada (Central)
🏢
Atlassian Corporation
Delaware, USA (since 2022)
Previously UK-incorporated
⚖️
US Legal Process
CLOUD Act · Subpoena
Data access despite CDN residency

Canadian data residency — what it does and doesn't protect

Atlassian offers data residency across 11 regions, including Canada (Central). Available on Standard, Premium, and Enterprise plans at no additional cost. When enabled, your "in-scope data" — Jira issues, comments, attachments, Confluence pages, and JSM tickets — is pinned at rest to the Canada (Central) AWS region.

However, some data categories are not covered by data residency:

  • Marketplace app data: Third-party apps from the Atlassian Marketplace store data independently. Apps built on Atlassian's Forge platform support data residency; Connect apps may not. Each app must be evaluated individually.
  • Analytics and reporting: Atlassian Analytics dashboards, Opsgenie reports, and Assets reports have limitations in certain regions including Canada.
  • User account data: Account profiles and identity information are managed globally and not pinned to a specific region.
  • Platform experiences: If installed before January 2025, platform experience data defaults to US storage.

The critical point: data residency controls where data sits physically. It does not change which government can legally compel Atlassian to produce it. A US court order under the CLOUD Act applies to Atlassian Corporation regardless of which AWS region hosts the data.

Customer-managed keys (CMK)

Atlassian now offers Customer-managed keys as a paid add-on for Jira, Confluence, and Jira Service Management. CMK allows you to host encryption keys in your own AWS KMS account. This provides cryptographic separation from other cloud tenants and the ability to revoke Atlassian's access to your encryption keys at any time.

CMK is currently available for new cloud sites only — existing sites cannot yet enable CMK (Atlassian targets 2026 for existing site support). BYOK (Bring Your Own Key), the predecessor to CMK, supports Canadian data residency — keys and app data can both be hosted in Canada.

Sovereignty limitation: CMK gives you a "kill switch" — you can revoke key access to suspend Atlassian's ability to read your data. However, under a valid US court order, Atlassian could be compelled to require you to restore key access. The keys prevent unauthorized access; they do not override legal compulsion.

Quebec Law 25

Quebec organizations using Jira must complete a Transfer Impact Assessment. The TIA should document: Atlassian's US incorporation and CLOUD Act status, the availability and configuration of Canadian data residency as a partial mitigation, whether CMK or BYOK encryption is enabled, and the data residency status of each Marketplace app in use. Upper Harbour provides compliance-ready TIA documentation starting at $99.

Alberta POPA

Alberta public bodies deploying Jira must complete a PIA using the mandatory OIPC template. Section G requires documentation of Atlassian's corporate jurisdiction and CLOUD Act status. Section H2, Risk 7 explicitly asks about CLOUD Act and USA PATRIOT Act exposure. The availability of Canadian data residency should be documented as a mitigation, along with its limitations. The PIA Research Tool generates these answers automatically from our 753-tool database.

BC FIPPA

BC public bodies using Jira for personal information must complete a Privacy Impact Assessment. The availability of Canadian data residency in Jira is a meaningful factor — it reduces data residency risk but does not eliminate jurisdictional risk. Full FIPPA SaaS compliance guide →

Jira is one of 753 tools in the Upper Harbour Sovereignty Index. If you use Jira, you almost certainly use other Atlassian products (Confluence, Jira Service Management, Trello, Bitbucket) — all under the same US parent. And your stack likely includes another 15–30 SaaS tools from other vendors. Each one carries its own jurisdictional exposure.

Map your entire SaaS stack to parent jurisdictions and CLOUD Act exposure in 10 minutes.
Map Your Stack →

Alternatives & Comparison

For organizations evaluating project management tools through a sovereignty lens, here's how the major options compare:

ToolOwnershipCLOUD ActCDN ResidencyCustomer Keys
JiraUS (Delaware)ExposedAvailableCMK add-on
AsanaUSExposedNoNo
Monday.comIsraelIndirectUS/EU onlyNo
WrikeUS (Citrix)ExposedEU availableNo
ClickUpUSExposedNoNo

Based on Upper Harbour Sovereignty Index data. March 2026.

Key finding: Among major project management platforms, Jira offers the strongest sovereignty controls (Canadian data residency + CMK encryption). Monday.com has the best jurisdictional positioning (Israeli-incorporated, not directly CLOUD Act exposed). No major PM tool offers both Canadian ownership and Canadian data residency.

💬 Questions about Jira and Canadian compliance?

We help organizations assess jurisdictional risk across their SaaS stack. Book a call or send us a message.

Book a Call → Email Us →

Technical Architecture

Data storage and residency

Atlassian Cloud products run on AWS. By default, data is distributed globally — Atlassian determines hosting location based on user proximity for performance optimization. When data residency is enabled, in-scope data is pinned to one of 11 supported regions: US, EU (Frankfurt & Dublin), Germany, UK, Australia, Canada (Central), Singapore, Japan, India, South Korea, and Switzerland.

The Canada (Central) region pins data to the AWS ca-central-1 region. Available for Jira Software, Jira Service Management, Jira Product Discovery, and Confluence on Standard, Premium, and Enterprise plans at no additional cost. Loom data residency is limited to Germany and US only as of May 2026.

What's in scope: Issues, comments, attachments, pages, spaces, service desk tickets, project settings. What's not: User account profiles (managed globally), Atlassian Analytics in certain regions, Opsgenie reports in certain regions, Assets reports and dashboards in certain regions.

Encryption architecture

Atlassian encrypts data at rest using AES-256 and in transit using TLS 1.2+. Three encryption tiers are available:

  • Default (Atlassian-managed keys): Keys provisioned in Atlassian-owned AWS accounts. Shared key infrastructure across tenants. This is what most customers use.
  • BYOK (Bring Your Own Key): Encryption keys hosted in the customer's own AWS KMS account. Available for Jira, Confluence, and JSM. Supports Canadian data residency — keys and data can both reside in Canada.
  • CMK (Customer-managed keys): The successor to BYOK. Available as a paid add-on since April 2025. Provides cryptographic separation, full key lifecycle control, and the ability to revoke Atlassian's access. Currently available for new sites only — existing site support planned for 2026.

With CMK or BYOK enabled, revoking key access suspends Atlassian's ability to decrypt your data. This provides a meaningful technical control — but it is a business continuity tool, not a legal shield against CLOUD Act orders.

Marketplace apps and the data residency gap

Atlassian's Marketplace has thousands of third-party apps. Their data residency compliance varies by architecture:

  • Forge apps: Run on Atlassian's infrastructure. Data stored within the same region as the host product. These automatically follow your data residency settings.
  • Connect apps: Run on the app vendor's own infrastructure. Must explicitly implement "realm pinning" and "realm migration" to support data residency. Many Connect apps do not yet support this.

This means your core Jira data can be pinned to Canada, but a time-tracking app or a reporting plugin might store its data in the US or EU. Each Marketplace app must be individually assessed — check the Privacy & Security tab on each app's Marketplace listing.

Atlassian Government Cloud and Cloud Isolated

At Team '25 Anaheim, Atlassian announced two additional cloud tiers: Atlassian Government Cloud (for US government customers, FedRAMP authorized) and Atlassian Cloud Isolated (planned for 2026, offering dedicated infrastructure). Cloud Isolated may provide stronger sovereignty controls in the future — but neither offering changes the fundamental CLOUD Act status of a US-incorporated company.

Mitigation Options

Jira offers the most comprehensive sovereignty controls of any major US-parented project management tool. None eliminate CLOUD Act exposure, but in combination they represent substantial risk reduction:

  • Enable Canadian data residency (critical): Pin in-scope data to the Canada (Central) region via admin.atlassian.com → Security → Data Residency. This is the single most impactful step. Available on all paid plans at no additional cost.
  • Enable CMK or BYOK encryption (recommended for regulated industries): Host encryption keys in your own AWS KMS account with the Canada region selected. This provides cryptographic isolation and the ability to revoke Atlassian's access. CMK is available as a paid add-on for new sites; BYOK supports existing sites. Contact Atlassian support to provision.
  • Audit Marketplace apps (required for compliance): Review every installed app's Privacy & Security tab on the Marketplace listing. Remove or replace apps that don't support data residency in Canada. Prefer Forge-built apps (look for the "Runs on Atlassian" badge) over Connect apps.
  • Execute the DPA: Atlassian's Data Processing Addendum is available through the admin console. Review against Law 25 or PIPEDA requirements. Ensure it covers data residency commitments.
  • Document everything: Your TIA or PIA should document: Canadian data residency is enabled, CMK/BYOK status, Marketplace app audit results, and the residual CLOUD Act risk that cannot be technically mitigated. This is the documentation regulators and procurement officers want to see.

Bottom line: Jira with Canadian data residency + CMK encryption + Marketplace app audit is the strongest sovereignty posture available from any major US-parented project management tool. It is not equivalent to a Canadian-owned tool — the CLOUD Act exposure remains — but it represents a defensible, documented position for most organizations.

Frequently Asked Questions

Does Jira offer Canadian data residency?

Yes. Jira Cloud supports data residency in the Canada (Central) AWS region for Standard, Premium, and Enterprise plans. In-scope data including issues, comments, and attachments can be pinned to Canadian servers.

Is Jira still CLOUD Act exposed with Canadian data residency enabled?

Yes. Atlassian Corporation is incorporated in Delaware (US). The CLOUD Act applies based on corporate jurisdiction, not data location. Canadian data residency controls where data sits at rest but does not prevent a US legal order from compelling Atlassian to produce it.

Do I need a TIA for Jira under Law 25?

Yes. Any Quebec organization using Jira must complete a Transfer Impact Assessment. The availability of Canadian data residency should be documented as a partial mitigation in the TIA.

What are the Canadian alternatives to Jira?

There are limited Canadian-owned project management alternatives at Jira's scale. Evaluate the sovereignty trade-offs of enabling Canadian data residency in Jira versus migrating to a smaller Canadian tool.

When did Atlassian become a US company?

Atlassian completed its redomiciliation from the UK to the United States in October 2022, incorporating as a Delaware corporation. This changed the CLOUD Act exposure for all Atlassian Cloud customers.

Methodology: This assessment is based on Atlassian's corporate filings (SEC), vendor documentation, published DPA terms, and the Upper Harbour classification methodology. Data verified March 2026. Updated quarterly. Part of the Canadian Technology Sovereignty Index.