FORGE · MANAGED BITBUCKET DATA CENTER

Managed Bitbucket Data Center. Inside your trust boundary. Hardened, governed, Reign-ready.

Atlassian preserved Bitbucket Data Center for a reason. Source code workloads stay self-hosted for regulated buyers. Forge runs Bitbucket Data Center inside the customer's authorization boundary. Reign governs every AI coding tool that touches the code. Continuous assurance of every read and every write.

Talk to Forge engineering Download the Bitbucket DC on Forge hardening sheet

ProofSOC 2 Type II·HIPAA-eligible·FedRAMP-aligned·AWS Advanced Tier·Atlassian heritage since 2005

2026 TO 2029 TIMELINE

Decisions you need to make.

Atlassian's Data Center timeline forces a near-term decision for every Atlassian customer. Bitbucket Data Center is the only Atlassian product without a 2029 read-only deadline. The decision is not whether to keep Bitbucket DC. The decision is what posture to run it in.

March 30, 2026New DC license cutoff

Atlassian stops selling new Data Center licenses to new customers. After this date, if you do not already own a Bitbucket Data Center license, you cannot buy one as a new customer.

Mid-2026Hybrid license launch

Atlassian launches a hybrid Bitbucket Data Center plus Bitbucket Cloud license at no extra cost. Existing Data Center customers can run both side by side.

March 30, 2028Expansion window closes

Existing Bitbucket Data Center customers can continue to expand their license footprint through this date. After this date, expansions also close.

March 28, 2029Other Atlassian DC products go read-only

Jira, Confluence, and Jira Service Management Data Center go read-only. Bitbucket Data Center continues to be supported and developed because Atlassian acknowledges source code workloads have unique security and compliance requirements that Cloud cannot serve for regulated enterprises.

Forge is the posture

Customer Cloud, dedicated, or on-prem. Hardened. Reign-governed. iTmethods has operated Atlassian for regulated enterprises since 2005.

DEPLOYMENT OPTIONS

Three deployment shapes. One operating posture.

Bitbucket Data Center in Customer Cloud

Your AWS, Azure, or GCP account. Your VPC. Forge operates the substrate. Multi-node Atlassian DC clustering wired to your hyperscaler's load balancer and storage primitives. Default posture for organizations standardizing on a single cloud.

Bitbucket Data Center in dedicated managed deployment

Forge-operated single-tenant deployment. iTmethods runs the substrate; you own the artifacts. For organizations that want a managed envelope without standing up the Atlassian DC operational competency in-house.

Bitbucket Data Center in air-gapped sovereign deployment

Defense, classified, and sovereign-national programs. FIPS 140-2 Level 3. ITAR, NIST 800-171, and CMMC alignment. No outbound calls to Atlassian. The substrate lives entirely inside the customer's authorization boundary.

THE HARDENING SHEET

What Forge applies on day one.

Twelve named controls, Bitbucket Data Center-specific. Each is policy-as-code, not manual configuration. The full deliverable lives in the gated hardening sheet PDF.

01SAML or OIDC identity boundary, bound to the customer's IdP. SSO-only enforced.
02IP allow-list at the platform edge and at integration edges.
03Bitbucket Pipelines runners isolated per environment, short-lived tokens, no long-lived runner registration.
04Code Insights (SAST integrations), code search, and merge checks enforced.
05Branch permissions enforced via policy-as-code, not manual configuration.
06Audit logs streamed to the customer's SIEM and to the Reign Audit Ledger (CAVR).
07Atlassian Intelligence, Copilot, Cursor, Claude Code, and Cortex governed through the Reign AI Gateway.
08Approved-model registry for any LLM the coding agents call.
09Repository data-classification labels propagated to Reign for policy enforcement.
10Egress controls. Private Link or Private Endpoint to AWS, Azure, and GCP services.
11Backup, DR, and Atlassian DC clustering operated to audit-grade.
12Quarterly hardening review by the FDE pod. Continuous-remediation SLA on findings (P0 within 7 days, P1 within 21 days, P2 within 60 days).

REIGN-READY · AI CODING TOOL LAYER

The AI coding tools. Governed at the call layer.

Atlassian Intelligence, Copilot, Cursor, Claude Code, Cortex are productivity multipliers. They are also the largest emerging side-channel for source code and secrets exposure. Reign governs them as first-class call-layer subjects.

Every AI coding tool call routed through the Reign AI Gateway. Identity-bound. Content-classified. Policy-enforced before the LLM sees the code.
Tamper-evident audit trail of every coding-agent decision in the Reign Audit Ledger (CAVR).
Approved-model registry mapped to the customer's AI governance posture (SR 26-2, EU AI Act, FDA PCCP, FINOS AIGF where applicable).

SHARED RESPONSIBILITY

What we run, what you run. Scoped to Bitbucket Data Center.

Forge Automated

Decisions Forge closes inside the Bitbucket Data Center substrate without human intervention.

Operate Bitbucket Data Center inside the customer's authorization boundary, with Atlassian DC clustering wired to your hyperscaler.
Enforce the customer-bound IdP (SAML, OIDC) at the platform edge. SSO-only.
Run Bitbucket Pipelines runners isolated per environment, short-lived tokens, no long-lived registration.
Stream Bitbucket audit logs to the customer's SIEM and to the Reign Audit Ledger (CAVR).
Patch the substrate and Atlassian DC cluster on a continuous-remediation SLA.

Customer Authored

Decisions the customer owns. The customer is the author, not just the approver.

Own repositories, intellectual property, PR review policy, and branch permissions.
Author the catalog of AI coding tools sanctioned (Atlassian Intelligence, Copilot, Cursor, Claude Code, Cortex).
Approve evaluators the FDE pod authored during the on-ramp phase against the customer's AI inventory.
Sign off on examination snapshots (Assurance Pack outputs) before delivery to the regulator.
Approve new agentic tool integrations and policy exceptions surfaced by the evaluator fleet.

FDE Intervention

Decisions where iTmethods Forward Deployed Engineers run the work. Authoring on-ramp plus continuous-remediation SLA.

Stand up the initial hardening configuration on the Bitbucket Data Center substrate.
Author the first 10 to 15 evaluators against the customer's Bitbucket surface (Atlassian Intelligence use, repository access patterns, secret exposure, pipeline drift).
Operate the continuous-remediation SLA on findings the evaluator fleet emits.
Lead quarterly posture reviews with the customer's CRO, CISO, audit committee, and Independent Assurance function.
Train the customer's audit and MRM teams to author their own evaluators.

REIGN TIER ALIGNMENT

Which Reign tier do customers typically enroll into?

Most regulated Bitbucket Data Center on Forge customers also enroll in Reign Assurance or Reign Continuous. The coding-agent governance is delivered by Reign at the call layer. The hardening and operations are delivered by Forge. The same FDE pod runs both.

iTmethods has operated Atlassian managed services since 2005. The Bitbucket Data Center on Forge engagement leans on that heritage.

FAQ

Five questions before the scoping call.

I am not yet a Bitbucket Data Center customer. Can I acquire a license before March 30, 2026?

Yes, but the window is short. After March 30, 2026, Atlassian stops selling new Data Center licenses to net-new customers. iTmethods can scope the license acquisition through FSAI Assess and stand up the Forge substrate in parallel, so you cross March 30 with both the license and the hardened deployment in place.

What does the mid-2026 hybrid Bitbucket Data Center plus Cloud license mean for me?

If you are an existing Bitbucket Data Center customer, Atlassian's mid-2026 hybrid license adds Bitbucket Cloud access at no additional cost. You can run both side by side. On Forge, the Data Center side stays inside your trust boundary; the Cloud side, if you adopt it, sits under Reign AI Gateway and Reign Audit Ledger governance the same way other vendor SaaS surfaces do.

We use Bitbucket Pipelines today. How does that work alongside external CI?

Bitbucket Pipelines runners are isolated per environment, scoped to short-lived tokens, no long-lived runner registration. For organizations that want to standardize on one runner topology across the source-code platforms they operate, the FDE pod scopes a phased move to a shared runner layer. Pipelines and external CI (Jenkins, GitHub Actions, GitLab Runners) can coexist on Forge.

How is Atlassian Intelligence governance handled?

Every Atlassian Intelligence call routed through the Reign AI Gateway. Identity bound to your IdP, content classified before the model sees it, repository and workspace classification labels propagated to Reign for policy enforcement. Tamper-evident audit trail in the Audit Ledger (CAVR). Approved-model registry maps to your AI governance posture.

What changes if Atlassian shifts its Data Center posture again?

Your code stays in your trust boundary. Your authorization to your repositories is independent of Atlassian's vendor-side posture. iTmethods has operated Atlassian managed services for regulated enterprises since 2005; the FDE pod leads the response to any future Atlassian product change and delivers a customer-side impact analysis your audit committee can present.

Talk to Forge engineering.

Scope a hardened Bitbucket Data Center deployment inside your trust boundary. Customer Cloud, dedicated, or air-gapped. Reign-ready for Atlassian Intelligence and the AI coding tool fleet.

Talk to Forge engineering

Download the Bitbucket DC on Forge hardening sheet.

The full 12-control policy-as-code reference, organized by audit framework. Drops into the FSAI Assess scoping conversation.

Get the hardening sheet