Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Enterprise team workspace and knowledge base by Atlassian. When pages or status feeds are embedded on a site, Confluence drops session cookies, the atlassian.xsrf.token and analytics identifiers on the host domain.
Atlassian Confluence is a cloud collaboration workspace used to write documentation, meeting notes, product specifications and internal knowledge bases. Teams can publish pages externally, embed public pages on a marketing site, or expose a Statuspage feed. When embedded, the Confluence iframe loads scripts from the Atlassian domains and writes cookies on the host page that identify the visitor session.
The Confluence embed sets the ATL session cookie, JSESSIONID for the Java backend, atlassian.xsrf.token to protect against cross site request forgery, and analytics cookies such as ajs_anonymous_id used by Atlassian product analytics. It also collects the visitor IP, the user agent, the referring page, and timestamps for each page view. Authenticated viewers additionally have their Atlassian account identifier processed.
The cookies set by the Confluence embed are not strictly necessary for the visitor of the host site, which means Article 5(3) of the ePrivacy Directive requires prior informed consent. Atlassian acts as a processor under Article 28 GDPR when the operator pushes its own users into Confluence, and as a controller for its own analytics. A data processing addendum signed with Atlassian is mandatory.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the Confluence iframe until the visitor gives consent through the consent management platform. Provide a placeholder explaining what will be loaded, why, and a clear button to accept or refuse. Visitors must be able to withdraw consent at any time, which should remove the embed and clear the cookies set on the host domain.
Atlassian Cloud is available with data residency in the United States, the European Union, the United Kingdom and Australia for Premium and Enterprise plans. Standard plans default to the US region. Atlassian is certified under the EU US Data Privacy Framework and signs Standard Contractual Clauses for transfers outside the EEA. Operators must check the actual residency of their workspace before stating no transfer occurs.
Sign the Atlassian DPA, set the workspace data residency to EU when EU users are involved, list the Confluence cookies in the cookie policy, block the embed until consent is collected, document Atlassian as a processor in the records of processing, and review access logs and shared link permissions on a regular basis.
Websites using Atlassian Confluence must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Confluence pages are embedded on public sites with significant audience, when sensitive categories of content are published, or when the workspace processes employee data at scale. Document the data residency choice, the categories of viewers, the retention of access logs and the role of Atlassian as processor.
Sample consent text
We embed pages from our Atlassian Confluence workspace to share documentation and status updates. Confluence sets session cookies and an XSRF token on this page, and may transfer data to the United States. We need your consent to load the embed. You can accept, refuse or withdraw your consent at any time.
Third-party domains contacted
atlassian.comatlassian.netatl-paas.netstatuspage.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ATL | http_session | Session | Identifies the Atlassian session for the Confluence backend. |
| JSESSIONID | http_session | Session | Java application server session identifier for Confluence. |
| atlassian.xsrf.token | http_session | Session | Cross site request forgery protection token for Atlassian requests. |
| ajs_anonymous_id | http_persistent | 1 year | Anonymous visitor identifier used by Atlassian product analytics. |
| ajs_user_id | http_persistent | 1 year | Atlassian account identifier used by Atlassian product analytics for logged in users. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
The embed writes ATL session and JSESSIONID cookies for the Atlassian backend, atlassian.xsrf.token for cross site request forgery protection, and analytics cookies such as ajs_anonymous_id and ajs_user_id from the Atlassian product analytics stack. Authenticated viewers also receive cookies tied to their Atlassian account session.
Yes. The cookies set by the embed are not strictly necessary for the visitor of the host site, so Article 5(3) of the ePrivacy Directive requires prior, freely given, informed consent before the iframe is loaded. Use a blocker that replaces the embed with a placeholder until consent is collected.
For non essential cookies and the analytics identifiers the legal basis is consent under Article 6(1)(a) GDPR combined with Article 5(3) ePrivacy. For authenticated Confluence users acting on behalf of the operator, the legal basis is performance of a contract or legitimate interest under Article 6(1)(b) or 6(1)(f) GDPR, with Atlassian acting as processor.
It can. Atlassian Cloud Standard plans default to the United States. Premium and Enterprise plans allow EU, UK and Australia data residency. Even with EU residency, support, monitoring or sub processors may access data from the US or other regions. Atlassian relies on the EU US Data Privacy Framework and Standard Contractual Clauses.
A DPIA is recommended when Confluence is used at scale, when it processes employee data with monitoring features, when the embedded content targets minors or covers sensitive topics, or when the workspace is hosted outside the EEA. Document the data flows, the residency, the access controls and the retention periods.
Sign the Atlassian Data Processing Addendum, choose EU data residency where possible, block the embed until consent is captured, configure the cookie scanner to detect ATL, JSESSIONID and atlassian.xsrf.token, restrict shared link permissions, and add Atlassian to the records of processing as a processor with the proper transfer safeguards.
Yes. You can export pages to static HTML or PDF and host them on your own domain, use a self hosted wiki such as BookStack or Outline, or publish documentation through a generator like Docusaurus. These options avoid third party cookies and US transfers at the cost of losing real time updates from Confluence.
List ATL, JSESSIONID, atlassian.xsrf.token and the Atlassian product analytics cookies with their purpose, duration and the third party that sets them. State that data may be transferred to Atlassian outside the EEA, mention the Data Privacy Framework and Standard Contractual Clauses, link to the Atlassian privacy policy, and offer a way to withdraw consent at any time.