AI Regulation Tracker / Vendor policy
Atlassian will use customer Jira and Confluence data to improve its AI from August 17, 2026
A new data contribution policy lets Atlassian use customer metadata and in-app content across cloud products to enhance its Rovo and Rovo Dev AI. Firms with confidentiality or privilege duties should review the setting and opt out before the deadline.
Atlassian has told customers that, beginning August 17, 2026, it will start using their metadata and in-app data from cloud products to improve its software, including the Rovo and Rovo Dev artificial intelligence features. The company describes the framework as "data contribution," and it applies across Jira, Confluence, Jira Service Management, and other Atlassian platform apps. Coverage of the change, including analysis by the Atlassian partner Seibert Group, reports that it reaches roughly 300,000 customers. That figure is as reported and not stated as an exact count on Atlassian's own page.
What the policy covers
Atlassian separates two categories of data. Metadata means de-identified, aggregated signals such as readability scores, task classifications, story points, and service-level values. In-app data means user-generated content, including Confluence page titles and bodies and Jira issue titles, descriptions, and comments. For a regulated firm, the second category is the one that matters most, because it can contain the substance of client files, matter notes, patient records, or financial detail. Atlassian says collected data may be retained for up to seven years.
The setting and the plan-tier defaults
The control lives at Atlassian Administration, then Security, then Data contribution. Whether a firm is protected by default depends on its plan. According to Atlassian and secondary summaries, metadata collection is always on for Free, Standard, and Premium plans and cannot be switched off on those tiers; only Enterprise customers can opt out of metadata. In-app data collection can be turned off on every tier, and it is off by default on Premium and Enterprise, but reported to be on by default for Free and Standard. The practical consequence is that a firm on a lower tier may already be set to contribute the contents of its Jira and Confluence unless an administrator changes the setting.
The confidentiality duty for regulated firms
For lawyers, this intersects directly with the duty to protect client confidences and privilege. Feeding matter data into a vendor improvement corpus, even one the vendor describes as internal, is a decision that should be made deliberately and documented, not left to a default. The same logic applies to accountants bound by client confidentiality, to healthcare organizations handling protected health information, and to financial firms handling nonpublic client data. This is a live supervision question with a fixed date. The prudent posture is to review the setting, decide based on your obligations, and record the decision before August 17, 2026.
Engagement letters and outside-vendor policies add a further wrinkle. Many client agreements limit how firm-side confidential information may be processed by subcontractors and third-party tools. A default that begins contributing in-app content to a vendor improvement process could sit awkwardly against those commitments. Reviewing the setting now lets a firm confirm it can still meet what it has promised clients, and gives it a documented answer if a client or regulator later asks how the firm handled the change.
What the policy does not do
Atlassian states that it does not share customer metadata or in-app data with its third-party-hosted large language model providers for those providers to train or improve their own services. The company frames its use as internal, using de-identified and aggregated metadata to fine-tune open-source models it hosts. Atlassian also lists exemptions where data contribution does not apply, including customers using customer-managed encryption keys, Atlassian Government Cloud, Atlassian Isolated Cloud, and configurations subject to HIPAA. Firms in those categories should still confirm their status rather than assume it, because the exemption depends on the specific configuration in place.
How to act before the deadline
Treat the change as a procurement and compliance item, not only an IT setting. Identify who holds organization admin rights on your Atlassian tenant. Confirm your plan tier and the current state of both metadata and in-app data contribution. Decide, against your confidentiality and records obligations, whether to opt out of what your tier allows. Where the tier does not permit opting out of metadata, weigh whether an Enterprise plan or an eligible exemption is warranted for the data you hold. Document the decision and the date. Because the setting is already live, a firm does not need to wait until August to act, and acting early avoids any window in which collection begins by default.
Frequently Asked Questions
What is changing with Atlassian and AI training?
From August 17, 2026, Atlassian will begin using customer metadata and in-app data from Jira, Confluence, Jira Service Management, and other cloud products to improve its software, including the Rovo and Rovo Dev AI features. Administrators control this at Atlassian Administration, Security, Data contribution.
Who is affected by this change?
Any Atlassian Cloud customer using the covered products. It is reported to reach roughly 300,000 customers. The highest-stakes group is regulated firms, including law firms, accounting practices, healthcare organizations, and financial firms that store confidential or privileged data in these tools.
How does a firm opt out?
An organization admin opens Atlassian Administration, then Security, then Data contribution. In-app data collection can be turned off on every plan tier. Metadata can only be turned off on the Enterprise tier, per Atlassian and secondary reporting.
Does this mean Atlassian shares our data with outside AI companies?
Atlassian states it does not share customer metadata or in-app data with its third-party-hosted large language model providers for them to train or improve their services. It describes using de-identified, aggregated metadata to fine-tune models it hosts internally.
Are any customers automatically exempt?
Atlassian lists exemptions including customers using customer-managed encryption keys, Atlassian Government Cloud, Atlassian Isolated Cloud, and configurations subject to HIPAA. Firms that believe they qualify should confirm their exemption directly rather than assume it.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.