Atlassian Trust Signals Explained: How to use them to choose the best marketplace app
Jul 2, 2026

Over the past years, Atlassian has been rebuilding the way Marketplace search works to ensure users get the best-fitting apps in their search results.
Just a week ago, Atlassian rolled out a new search functionality that comes with the "Trust Signal" dropdown menu. Users can now select the desired trust signals directly from the dropdown menu and filter apps based on whether they run on Atlassian, are Cloud Fortified, come from a SOC 2 certified developer company, and more.

Usually, when searching for the best Jira and Confluence apps, companies take the number of installs, reviews, and overall rating into account. While these are indeed helpful indicators, the trust signals remain the telltale sign of an app's quality.
They exist to help teams make the right choice, but if you are not aware of what each badge or signal stands for, they can quickly make your quest to find the best Atlassian Marketplace app even more confusing and time-consuming.
This article focuses on trust signals, explaining what each of them signifies and what it means for your company.
What are Atlassian trust signals?
Atlassian Trust signals provide additional transparency into how app vendors build, secure, and support their products. They indicate that an app provider has invested in security, compliance, transparency, and operational maturity.
As of today, Atlassian has 8 trust signals:
Runs on Atlassian
Cloud fortified
Bug bounty
Penetration testing
SOC 2
ISO 27K
Partner Trust Center
Standard Legal Agreement
Each is designed to focus on one aspect of the app or the company.
Where to look for the Trust Signals?
Some of the trust signals can be found directly on the app listing page, such as the Runs on Atlassian and the Cloud Fortified badges.

Signals such as being part of the bug bounty program, having a Trust Center, or being SOC 2 and ISO 27K certified can be seen on the app provider's page on Marketplace.

Other trust signals, like the Standard Legal Agreement, can usually be viewed on the company's website or Trust Center.
Each Atlassian Marketplace Trust signal explained
1. Runs on Atlassian

What it means:
The Runs on Atlassian badge means that the app is designed specifically to work within the Atlassian ecosystem.
It is built on Atlassian's cloud platform and follows Atlassian's development requirements and best practices. Such apps are designed with the platform's user experience principles in mind, developed with Atlassian's cloud architecture, and meet its security expectations.
Why it matters for companies:
The Runs on Atlassian badge is one of the strongest signals for users evaluating Atlassian Marketplace apps. It provides additional confidence that the app is built to integrate smoothly with their Jira or Confluence instances, as it was specifically created to fit Atlassian products and workflows.
For companies looking for a reliable app that is highly compatible with other Atlassian products and provides long-term support, the Runs on Atlassian badge is a strong assurance.
2. Cloud Fortified

What it means:
The Cloud Fortified badge signifies extra dedication to security, reliability, and support.
Having this badge means that the app meets the maximum security standards and is subject to continuous monitoring. This badge tells users that the app meets Atlassian's expectations for cloud app operational practices and performance.
Cloud Fortified apps are subject to four initiatives:
Ecoscanner - The platform continuously monitors Marketplace cloud apps for common security vulnerabilities.
Vulnerability Disclosure Program - Through this Atlassian-run program, customers can report cloud app vulnerabilities to Atlassian and Marketplace Partners.
Cloud App Security Requirements - A minimum set of mandatory security requirements that all Marketplace cloud apps must meet.
Security Bug Fix Policy - Security bug fix SLAs that Marketplace Partners are expected to meet to ensure cloud app vulnerabilities are addressed properly.
Why it matters for companies:
Companies that install third-party applications need to be confident about the app's security, stability, and support. When apps are powered by Forge, it means that the app provider is committed to maintaining a high-quality cloud experience for this app. It also indicates stronger operational maturity, which can be especially valuable for teams that manage business-critical workflows.
3. Bug Bounty
What it means:
It is another strong signal for secure Atlassian apps. A bug bounty program is part of the Marketplace app security requirements. It allows security researchers to find and report potential vulnerabilities in an app in exchange for rewards and recognition. Any user who thinks they have found an issue in a Marketplace app that meets Atlassian's Definition of a Vulnerability can report it directly to Atlassian. This creates a continuous process of identifying vulnerabilities and helps app providers fix them before the issues affect customers.
Why it matters for companies:
To put it simply, being part of a bug bounty program shows that the app provider actively searches for ways to improve protection. Such a proactive approach shows that the developer takes security seriously and helps reduce risks over time.
4. Penetration Testing
What it means:
The Marketplace Penetration Testing Program is another Atlassian app security initiative. App providers participating in this program get a security assessment in which experts simulate real-world attacks to uncover weaknesses in infrastructure, app, and security controls before they are found and possibly exploited by attackers. The program helps identify and address critical vulnerabilities.
Why it matters for companies:
This trust signal shows once more that the company is taking security seriously. Teams looking to install a new Atlassian app want to know that the applications handling their data have been tested beyond basic security checks. This signal indicates that the app provider invests in identifying and fixing potential security issues. Penetration testing can give organizations additional confidence when evaluating whether an app meets their security expectations.
5. SOC 2
What it means:
SOC 2 (Service Organization Control 2) is an independent audit framework. It evaluates how well an organisation handles customers' data. It is a widely recognized and trusted audit. When a company achieves SOC 2 certification, it also receives a report that can be viewed by anyone. A SOC 2 report provides insights into the processes and safeguards a company has in place to protect customer information. Usually,
Why it matters for companies:
For any company working with external software providers, it is of the utmost importance to understand how the company handles customer data. A SOC 2 certification signals that customer data is protected and helps companies assess whether the app provider has established security practices and operational controls.
6. ISO 27K
What it means:
ISO 27K is part of ISO/IEC 27000, a family of standards built around how organisations handle information security risk. Organizations following these standards typically have structured processes for protecting data, managing risks, and improving security practices.
Why it matters for companies:
This signal helps organizations identify app providers that have invested in formal information security management practices. It is another assurance that the app provider follows recognized security frameworks. It can be an important consideration for businesses with strict security requirements or compliance obligations.
7. Partner Trust Center
What it means:
A partner Trust Center is simply a centralised resource. An app provider uses a Trust Center to share important information and documentation about security, privacy, compliance, certifications, and operational practices.
Why it matters for companies:
When selecting an app, companies often need to review more than just trust signals. Security and procurement teams might need to see detailed information about an app provider's security posture and data protection practices. Having a Trust Center means that an app provider has all this information in one place. It makes it easier to complete internal evaluation processes and be confident that the app provider matches the security level the company seeks.
8. Standard Legal Agreement
What it means:
A Standard Legal Agreement is a document that outlines the relationship between the app provider and the customer. It describes the terms, obligations, and expectations for using the app.
Why it matters for companies:
Companies can better grasp the responsibilities and duties associated with implementing a new application when they have clear legal agreements. Similar to having a trust center, this document makes it easier to assess the app and offers clarity regarding its usage rules. Ultimately, it assists organisations in making well-informed decisions.
How to use trust signals when choosing an Atlassian Marketplace app
Should you choose the app that has all the trust signals? As of today, if you tick all eight boxes on the trust signal dropdown menu, you'll get exactly zero apps in the search results.

So how should you actually use Atlassian Marketplace trust signals when choosing an app to install? Which Trust Signals are important to have?
It depends.
Each company has its own criteria for evaluating an app. Usually these depend on how big the company is, which industry it operates in, and what its business goals and security requirements are.
A startup, for instance, may care most about apps that are reliable, easy to implement, and backed by solid development practices. A regulated organization looking for enterprise-ready Atlassian apps will likely need compliance certifications, documented security processes, and evidence of regular assessments before an app gets considered. In that case, the security team may focus heavily on signals tied to vulnerability management, penetration testing, and how transparent the provider is about its overall security posture.
It's worth remembering that trust signals aren't a substitute for a company's own due diligence. What they do is give teams a faster, more structured way to compare apps on the Marketplace. By filtering based on the signals that matter most, organizations spend less time sifting through options and more time evaluating the solutions that genuinely meet their security, compliance, and operational needs.
For one company, it might be essential that a provider participates in a bug bounty program. For another, that detail might barely register.
At the end of the day, the best Atlassian Marketplace app is the one that fits both your business needs and your security requirements. Used well, trust signals help companies get there and choose with more confidence.



