By Justin Leader · Updated 2026-04-21

Forge Cloud Fortified Explained for Jira App Buyers

Cloud Fortified is Atlassian's security and reliability program for Marketplace apps. The badge requires an independently audited SOC 2 Type II report, a published uptime commitment, and an Atlassian-run security review. It signals “serious vendor” in an enterprise procurement review. It is not the same as Cloud Enterprise, which is a Jira product tier for customers. Here's what the program actually covers and when to require it.

What is Cloud Fortified in plain language?

Every Marketplace app meets a baseline set of security and listing requirements. Cloud Fortified is the next rung up — a voluntary program where vendors submit to an independent SOC 2 Type II audit, publish a reliability commitment, and pass an Atlassian-run security review in exchange for a badge on their Marketplace listing.

In procurement language, it's Atlassian's middle tier of app-trust assurance. When a security questionnaire asks “is this app Cloud Fortified?”, it's asking whether the vendor has cleared that program. A yes gives procurement a published, audited floor to cite. A no doesn't disqualify an app, but it shifts review burden onto the buyer.

What does Cloud Fortified certification actually require?

The program is documented on Atlassian's Cloud Fortified trust page and in the developer program guide. Requirements fall into three buckets.

Security. The vendor must hold a current SOC 2 Type II report covering the app's environment, pass an Atlassian security review (pen-test, code review, design review), and maintain a vulnerability disclosure program with response SLAs. For Connect apps the review covers vendor hosting; for Forge apps it covers the vendor's SDLC plus the Forge platform slice the app uses.

Reliability. The app must publish an availability SLO (most targets sit at 99.5%+ monthly uptime), an incident-response SLA, and a customer-visible status page. This is where Cloud Fortified differs from a pure security program: for business-critical workflows, an app that's secure but frequently down is still a problem.

Support. Vendors commit to 24/5 support coverage, a documented escalation path, and an enterprise customer success motion. That's the line between a serious vendor and a side-project Marketplace app — both can produce quality code, but only one can realistically answer an enterprise incident on a release weekend.

How is Cloud Fortified different from Cloud Enterprise?

This is the most common point of confusion in enterprise Jira buying. Cloud Fortified is for apps. Cloud Enterprise is for customers. Different programs, different teams, different audiences.

Cloud Fortified describes what a Marketplace app vendor has proven — SOC 2, security review, uptime SLO, support commitment. Any app can earn it. Cloud Enterprise describes what Atlassian ships to customers with enterprise-scale needs: multi-site admin, IP allowlisting at scale, cross-product sandboxes, higher tenant caps. It's a product tier you buy from Atlassian. You can run Cloud Fortified apps on a Jira Standard tenant, and you can run non-Cloud-Fortified apps on a Cloud Enterprise tenant. The programs don't constrain each other.

Attribute | Baseline Marketplace app | Cloud Fortified app | Cloud Enterprise (customer tier)
Independent SOC 2 Type II | Not required | Required | Atlassian's own (covers platform)
Atlassian-run security audit | Intake review only | Full review, re-verified annually | Not an app-side concept
Published availability SLA | Not required | Required (vendor commits) | Atlassian's SLA on Jira
Vendor-managed | Yes (any vendor) | Yes (vendor must be mature) | N/A — Atlassian-managed
Target customer | Any Jira customer | Procurement-reviewed buyers | Enterprise IT organizations

Do all Forge apps get Cloud Fortified automatically?

No. Forge apps inherit several platform-level controls that map cleanly onto Cloud Fortified criteria — data residency, encryption at rest, zero-egress networking by default, scope enforcement. A Forge vendor doesn't have to build or document those; they're inherited from the Forge platform.

But Cloud Fortified also requires vendor-side attestations the platform can't provide: a SOC 2 Type II report on the vendor's own SDLC, a published availability SLO, a documented support escalation, and a 24/5 coverage commitment. Those are on the vendor whether the app runs on Forge or Connect. Forge-native vendors have a structurally easier path — fewer controls to build from scratch — but a Forge app in its first month on the Marketplace does not carry the badge. The vendor still has to apply, audit, and earn it.

Which PPM apps are Cloud Fortified today?

Status in the PPM category is worth checking directly on each vendor's current Marketplace listing, because it updates as vendors complete or renew audits. As of April 2026:

  • Structure by Tempo — not Cloud Fortified on the primary Structure listing as of this writing; verify directly before citing in a procurement review.
  • BigPicture by Appfire — Appfire has pursued Cloud Fortified across its portfolio; check the BigPicture listing directly since status by listing varies.
  • Foundation — not Cloud Fortified today. Foundation is pre-launch in April 2026; certification is on our post-launch roadmap. We'll update this page when the badge is earned.

Don't rely on a cached answer from any comparison article, including this one. Open each vendor's Marketplace listing before finalizing a procurement decision. Badges expire if a vendor lets their SOC 2 lapse or misses a re-audit.

What signal does Cloud Fortified send to a security reviewer?

For a reviewer scanning a vendor questionnaire, Cloud Fortified collapses several rows into one line. Instead of separately verifying SOC 2 status, asking for an uptime commitment, requesting a pen-test letter, and reviewing incident response, the reviewer can point at the badge and cite Atlassian's published program criteria as the audited floor.

That doesn't replace vendor-specific due diligence — a serious team still reads the vendor's SOC 2 report under NDA and checks that the scope matches the app being bought. But it shortcuts the initial yes/no conversation. A Cloud Fortified app is, at minimum, a vendor that has survived a real audit and is paying to keep it current.

The inverse signal also matters. An app that's not Cloud Fortified isn't automatically insecure — many newer Forge-native apps haven't pursued it yet. But the reviewer now has to do the work themselves: read the vendor's attestations, verify SOC 2 scope, check uptime history, and decide whether operational maturity matches workload criticality. That's more hours across more apps than most security teams can sustain for non-critical purchases.

Should you require it on your buying checklist?

A reasonable policy splits apps by criticality. For tenant-wide workflows (PPM, service desk, security scanning, SSO, compliance tooling) or regulated data, require Cloud Fortified as a default — these are workloads where a miss propagates across teams.

For team-scoped or experimental apps, Cloud Fortified is a nice-to-have rather than a gate. Requiring it here rules out useful newer entrants, including Forge-native apps that haven't completed their first SOC 2 cycle. A sensible exception process — security review, short trial, documented rollback — gets the team value without dropping the floor on the critical path.

For apps in the middle, ask the vendor two questions: “Are you Cloud Fortified today?” and, if not, “Is it on your published roadmap with a target date?” A vendor with a plan is different from a vendor with no answer. Foundation falls into the former — not today, but on the post-launch roadmap once we're stable enough to commit to the SLO requirements.

Where Foundation fits

Foundation is Forge-native, so we inherit the platform-level criteria by construction: Atlassian enforces our data residency, encryption, scope boundaries, and zero-egress networking. The vendor-side requirements are in progress — SOC 2 Type II audit, availability SLO (set once post-launch telemetry gives a defensible baseline), support and incident-response commitments. See the Foundation security page for the current snapshot, and the Forge vs Connect security guide for platform context.

Frequently asked questions

What does Cloud Fortified actually mean?

Cloud Fortified is Atlassian's middle-tier security and reliability program for Marketplace apps. A Cloud Fortified app has an independent SOC 2 Type II report, a published availability and incident-response commitment, and has passed an Atlassian-run security review. It sits above the baseline Marketplace requirements (which every listed app meets) and is distinct from Cloud Enterprise, which is a customer product tier, not an app attestation.

Is Cloud Fortified the same as Cloud Enterprise?

No. Cloud Fortified is a program for third-party Marketplace apps — it describes what an app vendor has proven. Cloud Enterprise is a Jira product tier — it describes what Atlassian ships to customers who need multi-site admin, scale, and enterprise SLAs. You can run a Cloud Fortified app on a Jira Standard site, and run non-Cloud-Fortified apps on a Cloud Enterprise site. The two programs answer different questions for different audiences.

Does every Forge app get Cloud Fortified automatically?

No. Forge apps inherit platform-level controls — data residency, encryption at rest, scope enforcement, zero-egress networking by default — which map onto several Cloud Fortified requirements. But the vendor still has to complete a SOC 2 Type II audit against their own controls, publish availability and incident-response commitments, and pass the Atlassian security review. A brand-new Forge app is not Cloud Fortified out of the box.

Should I require Cloud Fortified on every Jira app purchase?

It depends on the workload. For a critical-path app (the PPM system your portfolio reviews run on, service-desk automation, a security-scanning app), Cloud Fortified is a reasonable baseline. For experimental or team-scoped apps, requiring it may rule out useful newer vendors who haven't yet completed an audit. A sensible policy: require it for tenant-wide or compliance-relevant apps, and allow exceptions with security review for others.

Is Foundation Cloud Fortified today?

Not yet. Foundation is pre-launch in April 2026 and Cloud Fortified certification is on the post-launch roadmap. We inherit the platform-level requirements by being Forge-native, but the vendor-side requirements (SOC 2 Type II on our SDLC, availability SLO, incident-response SLA) are work we start immediately after Marketplace launch. We'll update this page when the badge is earned.

How do I verify an app is Cloud Fortified?

Open the app's Marketplace listing and look for the Cloud Fortified badge near the top, next to the app name and publisher. The badge is awarded by Atlassian, not self-reported, so its presence is authoritative. If a vendor claims Cloud Fortified on their own website but the Marketplace listing shows no badge, treat the claim as unverified and ask the vendor for their audit report.
