Atlassian uses TLS 1.2 and perfect forward secrecy to protect external data.
Atlassian meets the recommended cryptographic profiles for TLS as published by the NCSC. In addition, the Stride domains currently get an ‘A’ rating from Qualys SSL Labs. Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.
In Atlassian’s Consensus Assessment Initiative Questionnaire (CAIQ), they state that the Atlassian Cloud Platform uses SSH for data and images transported between networks.
At this time, it is unknown whether Atlassian protects internal data in transit using correctly configured certificates.
All API requests made to Stride need a valid OAuth token as described in the API documentation.
Stride currently does not offer that many different user roles and privileges. However, additional controls may be added in the future.
Does the SaaS provider collect logs of events?
Types of log may include security logs and resource logs
Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?
The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.