Data Processing Agreement
The Data Processing Agreement (‘DPA’) is entered into on the basis of Article 28(3) of the GDPR and, together with the Privacy Policy and the EULA, constitutes the agreement (‘Agreement’) concluded by and between
any person or entity being a customer (hereinafter referred to as ‘Data Controller’ or ‘Controller’, ‘Customer’, ‘You’)
and
Deviniti Sp. z o. o. with its registered office in Wrocław, ul. Sudecka 153, 53-128 Wrocław, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Wrocław – Fabryczna in Wrocław, 6th Commercial Division of the National Court Register under KRS number: 0000223645, NIP: 897-17-00-419, REGON: 933044506, with a share capital of PLN 54,400.00 (hereinafter referred to as ‘Processor’ or ‘Us’)
hereinafter collectively referred to as ‘Parties’ or each individually as ‘Party’.
WHEREAS:
- The Controller intends to use the applications of the Processor posted on the Atlassian Marketplace (‘Products’),
- it is necessary for the Controller to entrust the Processor with the processing of personal data.
The Parties agreed as follows:
For the purposes of the Agreement, the Customer may act as Controller or Processor, with Deviniti Sp. z o.o. acting as Processor or Sub-processor, as the case may be.
§ 1. Subject Matter of the Agreement
- The Controller declares that – within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘GDPR’) – it is the controller of the data specified in § 1(2) below.
- The Controller entrusts the Processor with the processing of any personal data (‘data’) in connection with the Controller’s use of the Products offered, and the Processor undertakes the processing.
- The Processor may process the data provided only to the extent and for the purpose necessary to maintain the services resulting from the Controller’s use of the Products offered.
- It is the sole responsibility of the Controller to assess the permissibility of the processing of personal data in accordance with Article 6(1) of the GDPR.
- The Processor shall only use personal data to ensure the proper functioning of the Product. The Processor shall not store, use, sell or disclose the Customer’s personal data for any other purpose, subject to ongoing marketing activities, provided that the Controller has consented to receive content of this nature.
- The Data Processing Agreement supplements the provisions of the Privacy Policy and the EULA and is an integral part of them when, in the course of the Customer’s use of the Products offered, data processing is entrusted.
- The Parties do not intend to transfer sensitive data.
- The frequency with which the Data is transmitted (e.g. whether the Data is transmitted once or continuously) depends on the relevant Product and the Customer’s use of it.
§ 2. Nature of Processing
- Personal Data shall be processed in accordance with the provisions of the Agreement and may be subject to the following Processing activities: collecting, recording, organising, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, restricting, erasing or destroying personal data.
- The Processor shall process the Data to the extent necessary to ensure the functioning of the Product.
- The Processor, in the performance of the subject matter of the Agreement, depending on the type of Product, may have access to the following data or information concerning the end user:
A. name and surname,
B. e-mail address,
C. IP address,
D. ID,
E. telephone number,
F. information about the end user (avatar, account ID, displayed name),
G. end-user data contained in Jira submissions, projects, attachments and other Jira units of shared applications,
H. end-user data contained in Jira submissions, projects, attachments and other Jira units of shared applications,
I. company name,
J. information about the country.
- Period for which personal data shall be kept
A. The Processor shall process the personal data in accordance with the duration of the use of the Product, provided that this period will not be longer than 12 months from the date of termination of the Customer’s use of the Product,
B. sub-processors shall process personal data to the extent necessary to provide access to the Product, in accordance with the law and the provisions of the Agreement.
§ 3. Obligations and Declarations
1. The Processor declares that it has the infrastructure, resources, experience, knowledge and well-qualified personnel capable of performing its duties in accordance with the applicable legislation. In particular, the Processor declares that it is aware of the principles for the processing and protection of personal data arising from Regulation (EU) No 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2. Each Party shall comply with applicable data protection legislation, in particular the GDPR.
3. The Processor is obliged to:
1) process the personal data provided only pursuant to the Agreement, except where it is obliged to do so by law; where the processing of personal data by the Processor is required by law, the Processor shall inform the Controller electronically – prior to the processing – of this compulsion of law, where the law permits such information to be provided for reasons of public interest;
2) process the personal data provided in accordance with the GDPR and the Agreement;
3) implement appropriate technical and organisational measures to ensure a level of security corresponding to the risk of infringement of the rights or freedoms of the natural persons whose personal data will be processed under and within the scope of the Agreement;
4) support the Controller in fulfilling his/her obligation to respond to the data subject’s request for the exercise of his/her right established in the GDPR, Chapter 3. The Processor’s cooperation with the Controller within the scope referred to above shall take place in a form and at a time convenient to the Parties, while allowing them to carry out their activities;
5) assist the Controller, in terms of:
- ensuring the security of the processing of personal data by implementing appropriate technical and organisational measures;
- notifying the supervisory authority of any personal data protection violations and informing data subjects of these violations.
§ 4. Technical and Organisational Measures
1. The Processor shall implement and apply appropriate technical and organisational measures to ensure a level of security appropriate to the risks posed by the infringement of the rights or freedoms of natural persons whose personal data will be processed in connection with the use of the Product.
2. In assessing whether the level of security referred to above is adequate, the Processor shall take into account the risks associated with the processing, in particular those arising from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or any unlawful access to the personal data transmitted, stored or processed.
3. In implementing the technical and organisational measures, the Processor:
1) shall comply with the Controller’s guidelines on security measures for the processing of personal data, in accordance with the applicable legal provisions;
2) shall take into account the current technical knowledge, context, nature, scope, purposes of the processing and the risk of infringement of the rights or freedoms of the natural persons whose personal data will be processed under and within the scope of the Agreement.
4. As a general rule, data processing takes place within the EU or EEA. The Processor shall transfer personal data to certified entities and countries for which the European Commission has issued adequacy decisions on the protection of Personal Data and on the basis of Standard Contractual Clauses, with additional safeguards (technical and legal) or Binding Corporate Rules, which ensures an adequate level of data protection.
5. The Processor shall inform the Controller of the option to choose the provision of services exclusively by means of an infrastructure located in the European Economic Area whenever the chosen Product will enable such a solution.
§ 5. Sub-processing
1. The Controller agrees that the Processor may further entrust the processing of its data to other entities in connection with ensuring the proper functioning of the Product.
2. The Processor shall ensure that it will only use services rendered by processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR, as well as complying with current data protection legislation.
3. The Processor shall be fully liable to the Controller for compliance with the contractual obligations under the GDPR concluded between the Processor and the further processor. If the further processor fails to comply with the data protection obligations, the Processor shall be liable to the Controller for non-compliance with the contractual obligations.
4. A list of sub-processors can be found on the Processor’s website. Please refer to their privacy policies for details regarding the protection of their personal data.
5. Natural persons running sole proprietorships and cooperating with the Processor on the basis of permanent civil law contracts are treated as Processor’s personnel. The Processor stipulates that the transfer of personal data to such persons shall be carried out in accordance with current legislation.
6. If the Controller chooses to provide the services using only infrastructure located in the European Economic Area, only those entities identified as being located in the EU or EEA for the Controller shall apply.
7. The Processor shall be entitled to amend the list of entities referred to in sec. 4 above by making the appropriate modification on its website below. If the Processor has notified the Controller of the change being made, an effective objection may be lodged within 7 days of such notification.
§ 6. Audits
1. The Controller shall be entitled to audit the compliance of personal data processing by the Processor with the Agreement and the applicable laws, in particular the Controller may verify the compliance and adequacy of technical and organisational security measures for personal data processing implemented by the Processor.
2. The audit is first performed by the Controller issuing a request to the Processor to provide the necessary clarifications within 14 days of receiving the request. If no response is provided within this timeframe, the Controller shall be entitled to conduct a direct audit on the terms set out below.
3. The Controller shall inform the Processor at least 14 days before the planned date of the audit of its intention to carry out the audit. If, for valid reasons, in the Processor’s opinion, the audit cannot be carried out within the indicated timeframe, the Processor should inform the Controller by e-mail, indicating the justification for such an opinion. In such a case, the Parties shall mutually agree on a later date of the audit.
4. A direct audit may be carried out by the Controller or external entities commissioned by the Controller on business days between 8.00 a.m. and 4.00 p.m., provided, however, that the audit carried out does not interfere with the Processor’s business operations.
5. The Processor is obliged to co-operate with the auditors, in particular to provide them with access to the premises and documents covering personal data and information on how personal data is processed, the ICT infrastructure and IT systems, as well as to persons with knowledge of the processes relating to personal data processing carried out by the Processor.
6. Following the audit, a representative of the Controller shall draw up an audit protocol to be signed by representatives of both Parties. The Processor undertakes, within the timeframe agreed with the Controller, to comply with the post-inspection recommendations contained in the protocol, aimed at removing the infringements and improving the security of personal data processing.
7. The costs associated with the audit shall be borne by the Party that commissioned the audit, without the right to claim reimbursement of such costs or payment of additional remuneration.
§ 7. Data Security Breaches
1. The Processor is required to implement and comply with procedures to detect data breaches and implement appropriate remedial measures.
2. Upon noticing a breach of the data entrusted to the Processor by the Controller, the Processor shall, without undue delay and as soon as possible, not later than 48 hours after the discovery of the breach, notify the Controller of the situation.
3. The Processor shall, without undue delay, take all reasonable measures to minimise and remedy the adverse effects of the breach.
4. The Processor is required to document any breach of the personal data entrusted to it, including the circumstances of the breach, its impact and the corrective actions that were taken.
§ 8. Duration of the Agreement
1. The duration of the Agreement is strictly linked to the period of use of the Product, unless obligations or rights arise from the Agreement that exceed this period.
2. The Controller shall have the right to terminate the Agreement with immediate effect for valid reasons, including for breach by the Processor or sub-processors of the provisions of the GDPR and other mandatory provisions of law or the provisions of the Agreement, in particular when:
1) Regulatory Authority for Compliance with Data Processing Rules determines that the Processor or sub-processor is in breach of the data processing rules;
2) a final decision of a common court will show that the Processor or sub-processor does not comply with the data processing rules.
List of Processing Subcontractors
Name | Privacy Policy |
Salesforce, Inc (Heroku) | https://www.salesforce.com/privacy/overview/ |
Amazon Web Services, Inc | https://aws.amazon.com/privacy/ |
Functional Software, Inc. / Sentry.io | https://sentry.io/about/ |
SolarWinds Worldwide, LLC | https://www.solarwinds.com/legal/privacy |
New Relic, Inc | https://newrelic.com/termsandconditions/privacy |
Google Inc. | https://policies.google.com/privacy |
OpenAI, L.L.C. | https://openai.com/pl/policies/eu-privacy-policy |
Better Stack, Inc. | https://betterstack.com/privacy |
Coralogix LTD | https://coralogix.com/privacy-policy/ |
Tableau Software, LLC | https://www.salesforce.com/company/privacy/ |
Survicate S.A. | https://survicate.com/ |
Google Ireland Limited | https://policies.google.com/privacy |
Hotjar Limited | https://www.hotjar.com/legal/policies/privacy/ |
Twilio Ireland Limited | https://www.twilio.com/en-us/legal/privacy |
84codes | https://www.cloudamqp.com/legal/privacy_policy.html |