Argues that opt-out for AI training on enterprise data is a fundamentally different social contract than opt-in, and that Atlassian deliberately chose this architecture knowing most organizations never audit admin settings quarterly. The buried toggle ensures maximum data collection by exploiting admin inattention.
Surfaced the default-on data collection policy to the Hacker News community, framing it as noteworthy enough to warrant attention. The submission's 532-point score indicates the community validated this as a significant consent concern.
Enumerates what actually lives in Atlassian instances: architecture decision records, security vulnerability tickets, infrastructure diagrams, salary discussions, M&A planning documents, and customer PII in support tickets. Argues this is raw operational knowledge of the business, not usage telemetry, making the default-on collection far more consequential.
Points out that customer personal data in Jira tickets may now be processed for purposes not covered by existing Data Processing Agreements, violating GDPR. SOC 2 Type II audits require demonstrating data is only used for its stated purpose, and HIPAA-covered entities face similar exposure — creating concrete legal liability for organizations that haven't manually opted out.
Atlassian updated its product terms to enable the collection of customer data — content stored across its cloud suite including Jira, Confluence, Trello, and Bitbucket — for the purpose of training and improving its AI and machine learning models. The change was enabled by default, meaning every cloud organization was automatically opted in without explicit admin consent.
The setting, buried in Atlassian's organization admin console, allows admins to toggle off AI data sharing. But the default state is on. For the thousands of organizations that never audit their admin settings quarterly, their internal documentation, project plans, code review comments, and strategic planning documents are now training fodder for Atlassian's AI models.
The news surfaced on Hacker News where it scored 532 points — placing it firmly in the "community outrage" tier alongside previous SaaS data grabs.
This isn't about whether Atlassian's AI features are useful. Atlassian Intelligence, their AI layer across products, genuinely helps with summarization, search, and automation. The issue is consent architecture. Opt-out for AI training on enterprise data is a fundamentally different social contract than opt-in, and Atlassian knows it.
Consider what lives in a typical engineering org's Atlassian instance: architecture decision records in Confluence, security vulnerability tickets in Jira, infrastructure diagrams, salary band discussions, M&A planning documents, customer PII referenced in support tickets. This isn't "anonymized usage telemetry" — it's the raw operational knowledge of the business.
The enterprise implications are severe. Organizations operating under GDPR face a clear problem: customer personal data referenced in Jira tickets may now be processed for a purpose not covered by existing Data Processing Agreements. SOC 2 Type II audits require organizations to demonstrate that data is only used for its stated purpose. HIPAA-covered entities storing any PHI-adjacent information in Confluence have an immediate compliance gap.
The legal surface area here is enormous, and Atlassian is shifting the liability onto admins who didn't notice a default changed.
We've seen this movie before. The pattern is now so predictable it deserves a name:
1. Zoom (2023): Updated Terms of Service to allow customer data use for AI training. Massive backlash. Zoom issued a clarification and partially walked back the language, but the trust damage was done.
2. Adobe (2024): ToS update implied Creative Cloud content could be accessed for AI training. Creators panicked. Adobe clarified they "don't train on customer content" — but the ToS language remained ambiguous enough to leave doubt.
3. Slack (2024): Enabled default opt-in for using workspace messages to train ML models. The opt-out process required emailing Slack support — deliberately friction-heavy. Only discovered because a privacy researcher read the updated terms line by line.
4. Atlassian (2026): Default-on data collection for AI training across all cloud products.
The playbook works because most customers never read terms updates. By the time the community discovers the change and raises alarm, weeks or months of data have already been collected. The subsequent "clarification" press release costs nothing and preserves most of the data already ingested.
If you run Atlassian Cloud, your action items are immediate:
Right now: Log into admin.atlassian.com and check your organization's AI settings. Look for any toggle related to "AI data sharing," "product improvement," or "machine learning." Disable it. Document that you did this and when — you'll need the timestamp for compliance audits.
This week: Review your Data Processing Agreement with Atlassian. If your DPA specifies that data is processed only for service delivery, Atlassian may be in breach. Your legal team should send a written inquiry requesting confirmation of what data was collected between the policy change date and your opt-out date.
This quarter: Seriously evaluate your dependency on cloud SaaS for sensitive operational data. The pattern is clear: every major SaaS vendor will eventually attempt to use your data for AI training, because the competitive pressure to ship AI features is existential for them. Your options are self-hosted alternatives (Jira Data Center still exists, though Atlassian is de-emphasizing it), or architectural segmentation — keeping genuinely sensitive content in systems you control while using cloud tools only for non-sensitive workflows.
For teams that can't self-host, consider data classification. Not everything in Confluence needs to be there. Strategic documents, security reviews, and anything containing customer PII might belong in a system with stronger contractual guarantees — or at minimum, in a separate Atlassian organization with AI sharing explicitly disabled and audited.
This is the fundamental tension of the SaaS era colliding with the AI era. SaaS companies accumulated years of customer data under one social contract ("we host it, you access it, we don't look at it"). Now that same data is the most valuable training asset in existence, and the incentive to reclassify "hosting" as "learning" is irresistible.
The vendors who resist this temptation — or at minimum make it genuinely opt-in with clear disclosure — will earn disproportionate trust from enterprise buyers in the next 24 months. Everyone else is trading long-term customer trust for short-term model improvement. For Atlassian specifically, with their already-rocky relationship with the developer community over pricing and Cloud migration pressure, this is a particularly tone-deaf move.
Expect Atlassian to issue a clarification blog post within days — they always do. It will say something about how they "only use aggregated patterns" and "never expose one customer's data to another." The community will remain skeptical, because the opt-out architecture reveals the true priority: data collection first, consent second. The real question is whether enterprise procurement teams start adding AI training exclusions to their SaaS contracts as standard practice. Based on the trajectory, they should have started two years ago.
I really wish I could find a better source to link to for this. By default, all free and paid customers are being opted-in to their data being used for AI training.All your Confluence pages, Jira tickets, etc.https://support.atlassian.com/security-and-access-policies/d... describ
Rumors that Anthropic is in talks to buy Atlassian, presumably for the training data. Data poisoning efforts are underway: https://www.reddit.com/r/PoisonFountain/comments/1sqrq24/atl...
The opt-out-by-default pattern has been gradually normalizing in enterprise SaaS, but what makes this particularly egregious is the combination of two things: the data scope (not just metadata, but all in-app content per kevcampb's link) and the broken opt-out (the disabling setting not renderi
Plenty of other companies enable this by default too, such as Github, Figma, Adobe, Vercel. I think it's fair to assume that if you ahve data stored within any company, they'll by default use it for training.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
Atlassian just goes from misstep to misstep. I still use their products quite often. The amount of P0 bugs I experience is absolutely crazy:- Bitbucket workers are hopelessly out of date (self hosted). We've had to put so many random workarounds in especially for Docker, as they don't keep