Complete guide to privacy and permissions in Atlassian Rovo: data and agent security

Is it safe using Rovo? Can Rovo access confidential data in my organization? Can Rovo expose my team’s data to other Atlassian users? How can I limit what information Rovo accesses? Are my data as an Atlassian user used to train any model?

These are just some of the questions that users usually have about Atlassian Rovo, the artificial intelligence in Atlassian. So let’s start the year by breaking down, point by point, how far Rovo can go and what Atlassian’s privacy and permissions strategy is regarding Artificial Intelligence.

Don’t be left with any doubts—but above all, use Rovo with no doubt at all!

Rovo only sees what you can see

Rovo’s golden rule is respect for permissions.

• If you don’t have permission to see a space in Jira or a page in Confluence, Rovo can’t see them either.

• When you ask a question, Rovo searches for answers only in the information you already have access to as a user. It will never show you (nor learn from) private documents from other colleagues or departments to which you are not invited.

Rovo is also designed to integrate with other third‑party applications through Manage Rovo connectors | Atlassian Support. In that case too, even outside Atlassian, within the given application Rovo will only be able to access the information that the user has access to.

• Before making any connection with another application, we recommend that you review the permissions and check the configurations already in place.

• For example, if you connect Google Drive to Rovo, users must sign in and connect their Atlassian account to Google Drive in order to see any Google Drive results in Rovo. Once authorized, users will be able to see public and private documents to which they already had access.

Your data is not used to “train” AI

This is one of the most common concerns: “Will my data help make another company’s AI smarter?” The answer is a solid NO.

• Currently Rovo uses OpenAI LLMs (GPT) as well as open‑source LLMs (Mistral, LLaMA) and third‑party‑hosted LLMs (Claude, Gemini) to provide personalized, contextual information and to optimize latency in Rovo Search, Chat, and Agents. LLM providers do not use your inputs or outputs to improve their services.

• Atlassian has strict confidentiality agreements with providers to prevent this from happening.

• Your questions and our company’s data are not used to train global AI models or to improve third‑party services. What happens in our company, stays in our company.

Privacy in your conversations

Are you worried that your manager or the Atlassian instance administrator might read your chats with Rovo?

• Your prompts (questions) are private: No one in the organization can see the specific content of your conversations with Rovo Chat or with Agents.

• Temporary history: Rovo stores your messages for 30 days so you can pick up the conversation again, but you can delete them earlier if you want from the chat interface itself.

As Atlassian administrators, something we do have available is an audit log where we can see what actions both administrators and users have taken using Rovo, for example:

• When a chat was started
• Creation, update or deletion of agents
• Creation, update or deletion of bookmarks
• Creation of definitions
• Creation, update or deletion of third‑party connectors

And what about the Agents?

Indeed, creating Rovo agents is one of the key elements of this solution and yes, it also has specific permissions.

By default, everyone in the organization has permission to create agents, just as we can create a Confluence page or a new idea to start working on. However, if you think this may be a problem or you need to limit for some reason who creates those agents, you can also do that:

• You must be an org admin to manage these permissions.
• In the Rovo Studio settings you can choose between several options:
  • Any user can create agents.
  • Up to 10 groups of people can create agents.
  • Only organization administrators can create agents.

No matter who created the agent, the actions the agent can perform will always depend on the user who triggers it. Remember, Rovo cannot see anything you cannot see.

Security standards

Atlassian Rovo complies with international security standards such as ISO/IEC 27001:2022 | AtlassianISO 27001 and SOC 2 | AtlassianSOC 2.

If you have any doubts, you can access Atlassian’s [security and transparency center].(https://www.atlassian.com/platform/ai-trust)