Data Processing Agreement
Contract pursuant to Article 28 GDPR (Data Processing Agreement)
Between ______ – hereinafter referred to as “Controller” –
and
Cross ALM GmbH
Helmholtzstraße 2-9
10587 Berlin
– hereinafter referred to as “Processor” –
1. Subject and duration of processing
This Agreement is part of the contract between the Controller and the Processor of __. __. ____ (Main Contract) and specifies the data protection obligations of the parties, which result from the commissioned data processing agreed in the Main Contract. It shall apply to all activities related to the Main Contract in which employees of the Processor or persons commissioned by the Processor process personal data of the Controller.
2. Specification of the subject-matter of the commissioned data processing
Subject-matter of the processing, nature and purpose of the processing, type of personal data and categories of data subjects:
The subject-matter of the processing and the purpose of the processing are set out in the Main Contract.
The nature of the processing, the type of personal data and the categories of data subjects are further specified in Annex 1 to this Agreement.
Duration of the processing:
The duration of this Agreement and the duration of the processing shall be based on the duration of the Main Contract, unless the provisions of this Agreement impose obligations going beyond this.
3. Scope and responsibility
3.1. The Processor processes personal data on behalf of the Controller. This includes the activities specified in the Main Contract and, if applicable, in the service description. Within the scope of this contractual relationship, the Controller is solely responsible for compliance with the legal provisions on data protection, in particular for the lawfulness of the transfer of data to the Processor and for the lawfulness of the data processing (“controller” within the meaning of Art. 4 No. 7 GDPR).
3.2. The instructions are initially set out in the Main Contract and may subsequently be amended, supplemented or replaced by individual instructions in text form (e.g. email, fax, letter) by the Controller to the body designated by the Processor (individual instructions). In urgent cases, the Controller may also give instructions orally. The Controller confirms verbal instructions immediately in text form. Instructions that go beyond the performance agreed in the Main Contract are treated as a request for a change of service.
3.3. The provisions of this agreement shall apply accordingly if the Processor carries out the testing or maintenance of automated procedures or data processing systems for the Controller on behalf of the Controller and access to personal data cannot be excluded.
4. Obligations of the Processor
4.1. The Processor may process data of data subjects only within the scope of the Main Contract and the instructions of the Controller, unless there is an exceptional case within the meaning of Article 28 para. 3 a) GDPR. The Processor shall inform the Controller immediately if it is of the opinion that an instruction from the Controller violates the GDPR or other data protection regulations of the European Union or the member states. The Processor may suspend the implementation of such an instruction until it has been confirmed or amended by the Controller.
4.2. The Processor shall design its internal organization in such a way that it meets the special requirements of data protection. The Processor has implemented and will maintain technical and organizational measures for the appropriate protection of the Controller’s data which meet the requirements of the GDPR. These technical and organizational measures must ensure the confidentiality, integrity, availability and resilience of the systems and services used in connection with the processing of the Controller’s personal data. The measures to be taken shall include in particular those set out in Annex 2 to this Agreement. The Controller is aware of these technical and organizational measures and is responsible for ensuring that they provide a level of protection adequate to the risks of the data to be processed. These measures are subject to technical progress and development. The Processor may use alternative measures provided that they at least reach the security level of the measures agreed in Annex 2.
4.3. Upon request, the Processor shall support the Controller in complying with the Controller’s obligation to respond to requests to exercise the rights of data subjects as set out in Chapter III of the GDPR. The Processor shall also assist the Controller, on request, in complying with the obligations set out in Articles 33 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
4.4. The Processor warrants that the employees involved in the processing of the Controller’s data and other persons working for the Processor are prohibited from processing the data outside of the instructions given by the Controller. Furthermore, the Processor warrants that the persons authorized to process the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/secrecy obligation shall continue to exist after the termination of the contract.
4.5. The Processor shall inform the Controller without undue delay if it becomes aware of a personal data breach concerning the Controller’s personal data. In such cases, the Processor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects affected, and shall consult with the Controller.
4.6. The Processor warrants to comply with its obligation under Art. 32 para. 1 lit. d) GDPR to implement a procedure to regularly check the effectiveness of the technical and organizational measures to ensure the security of the processing.
4.7. After completion of the processing services, the Processor shall be obliged to either delete or return all personal data of the Controller at the latter’s choice, unless there is an obligation to store the personal data under EU or national law.
5. Obligations of the Controller
5.1. The Controller shall inform the Processor immediately and completely if it discovers errors or irregularities in the results of the processing or in the processing of the data with regard to data protection regulations.
5.2. In the event that a data subject asserts claims under Art. 82 GDPR against the Processor, the Controller undertakes to support the Processor in defending against the claim within the scope of its possibilities.
5.3. If a claim is made against the Processor by a third party who is not a party to this contract, in particular by a data subject, because of the execution of an instruction issued by the Controller, the Controller is obliged to compensate the Processor for the damage incurred by the latter in this connection.
5.4. The Controller shall designate to the Processor the contact person for data protection issues arising within the scope of the contract.
6. Contact person and data protection officer
The contact persons for data protection issues, who are in particular entitled and responsible for issuing (on the part of the Controller) or receiving (on the part of the Processor) instructions and communications, are:
Controller:
Name
Processor:
Ali Hamoudi
Communication channel to be used for instructions:
Cross ALM – Support and Helpdesk – Jira Service Management
In the event of a change or a long-term unavailability of contact persons, the contractual partner must be informed immediately and in text form of the successors or substitutes.
7. Requests from data subjects
Where a data subject approaches the Processor with a request for rectification, erasure or access to information, the Processor shall refer the data subject to the Controller, provided that the data subject can be identified as a data subject of the Controller. The Processor shall forward the request of the data subject to the Controller without delay. The Processor shall support the Controller within the scope of its possibilities on instruction, if so agreed. The Processor shall not be liable if the request of the data subject is not answered, not answered correctly or not answered in time by the Controller.
8. Verification
8.1. Where required by applicable data protection law, the Controller may conduct audits (including inspections) during the term of the Agreement to establish the Processor’s compliance with the terms of this Agreement. These audits shall be carried out during normal business hours, without disrupting operating procedures, after prior notification with an appropriate lead time. The Processor may make the audit dependent on the signing of a confidentiality agreement. If the auditor commissioned by the Controller is in a competitive relationship with the Processor, the Processor has a right to object to that auditor.
8.2. The Controller is obliged to treat all knowledge of company secrets and data security measures of the Processor obtained within the scope of the contractual relationship, in particular in connection with audits carried out, as strictly confidential.
9. Subcontracting
9.1. The contractually agreed services or the partial services described below are carried out with the involvement of the following sub-processors, and to this extent the Controller declares its approval (see also Atlassian’s Data Processing Addendum):
Sub-Processor | Address and Country | Services | Guarantees for third country transfer
Atlassian Inc. | 350 Bush Street, Floor 13, San Francisco, CA 94104, USA | Providing infrastructure for the development and operation of Plug-Ins/Apps for Atlassian Cloud Services (Atlassian Forge Platform) | EU-U.S. Data Privacy Framework (EU-U.S. DPF)
Before engaging further sub-processors or replacing the above-mentioned sub-processors, the Processor shall inform the Controller in text form. The Controller may object in text form, for important reasons relating to data protection law, to the involvement of further sub-processors or the replacement of existing sub-processors within a period of four weeks from receipt of the Processor’s notification. If no objection in due form is made within this period, consent to the change shall be deemed to have been given; the Processor shall expressly refer to this consequence and to the form and deadline for the objection in its notification of the change.
9.2. If the Processor places contracts with sub-processors, the Processor shall be responsible for transferring its data protection obligations under this contract to the sub-processor. Upon written request of the Controller, the Processor shall be obliged to provide information on the essential content of the contract and the implementation of the sub-processors’ obligations relevant to data protection.
10. Third Country Transfers
The parties agree that if the transfer of personal data from the Processor (as “data exporter”) to a sub-processor (as “data importer”) is a transfer to a third country, the Processor is obliged to comply with the requirements of Art. 44 et seq. of the GDPR.
11. Reimbursement of expenses
11.1. Insofar as the obligations arising from this agreement merely specify the Processor’s obligations under the Main Contract (e.g. provision of certain technical and organizational measures), the Processor shall provide these services free of charge.
11.2. All further expenses incurred by the Processor on the basis of this Agreement shall be reimbursed by the Controller on a time-and-materials basis at an hourly rate of EUR 175; this applies in particular to all expenses incurred by the Processor in connection with the performance of its obligations under Section 7 of this Agreement.
11.3. The provisions of the Main Contract shall apply accordingly to invoicing and billing.
12. General provisions
12.1. Amendments and supplements to, as well as the termination of, the agreement on commissioned data processing or these terms and conditions require text form and an express reference to the fact that these terms and conditions are being amended or supplemented in order to be effective. This also applies to the waiver of the text form requirement itself.
12.2. Should a provision of the contract or these terms and conditions be or become invalid in whole or in part or should the contract contain an inadvertent omission, the legal validity of the remaining provisions shall remain unaffected. In place of the invalid provisions, the parties to the contract shall agree on a provision that comes as close as possible to the economic intent of the parties to the contract.
12.3. Place of performance is the location of the registered office of the Processor.
12.4. If the Controller is a merchant, a legal entity under public law or a special fund under public law (Vollkaufmann, juristische Person des öffentlichen Rechts oder öffentlich rechtliches Sondervermögen) the place of jurisdiction for all disputes arising from or in connection with the commissioned data processing agreement between the parties is Berlin.
Signature
- Controller
- Processor
Annex 1: Nature of the processing, categories of data subjects and type of the personal data
Type of processing | Details
Data processed by Apps | 1. User Data: information such as account IDs, email addresses and user permissions. 2. Issue Data: details about Jira issues, including summaries, descriptions, statuses and custom fields. 3. Project Data: information about Jira projects, including project names and keys. 4. Attachment Data: files and documents attached to Jira issues. 5. Comment Data: user comments on Jira issues. 6. Transport Request Data: transport ID, transport description. 7. App Configuration Data: target system URL, sync user credentials.
Data stored by Apps (this data is stored in “Forge Storage”, can only be accessed by the app itself, and is only visible if explicitly exposed, see the next row) | App Configuration Data; Logs; Individual Ticket Data: CC4, CC5
Data visible to end users | Only for admins: App Configuration Data, Logs. For all users of the app: Logs, Individual Ticket Data: CC4, CC5
Log attributes in the Developer Console | Atlassian offers developers options to monitor processing details when the cloud version of the app is used. Full details: Developer Console
Annex 2: Technical and organizational measures
This Annex describes the technical and organizational security measures of the Processor and of the operator of the data center used by the Processor.
- Confidentiality
- Physical access control (Zutrittskontrolle)
Measures to prevent unauthorized persons from physically accessing data processing equipment with which personal data are processed or used:
– Access to the Processor’s office premises is only possible with a key (security locks) for employees with access rights
– The office premises of the Processor are secured by an alarm system with a 24/7 connection to the security service
– Video surveillance at entrances and exits, security gates and server rooms in the data center
- System access control (Zugangskontrolle)
Measures to prevent data processing systems from being used by unauthorized persons (including encryption procedures):
– Password procedure: Each user ID has its own password
– The systems are protected against unauthorized access by passwords
– Binding procedures for resetting forgotten passwords
– Employee workstations/notebooks have user accounts with password
- Data access control (Zugriffskontrolle)
Measures to ensure that persons authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after storage (including encryption procedures):
– Regulation of user authorizations: only authorized persons have access to the data
– Integrated role concept
– Timely installation of security updates to close known vulnerabilities that could be used for unauthorized access
– Binding procedural guidelines for the allocation of access authorizations
– Communication channels are secured by TLS/SSL encryption
- Separation control
Measures to ensure that data collected for different purposes can be processed separately
– Separate processing of data
- Integrity
- Transmission control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it is possible to check and establish to which bodies personal data are to be transmitted by data transmission equipment (including encryption procedures):
– Protection of the data lines used during transmission by using state-of-the-art firewalls and secure encryption methods
– TLS/SSL encryption during transmission of all data
– Checking the data transmission for completeness and correctness (end-to-end check)
- Input control
Measures to ensure that it is possible to verify and establish a posteriori whether and by whom personal data have been input, altered or removed from data processing systems:
– Documented proof of processing authorization within the company
– Logging for the purpose of monitoring and tracking all data access
– Blocking of access for legal or technical reasons
- Availability and resilience
- Availability control
Measures to ensure that personal data is protected against accidental destruction or loss:
– Providing a backup for a recovery of the database server
– Fixed time intervals in which backups are performed
– Use of uninterruptible power supply in data centers
– Operating the cloud as a high availability system
– Permanent monitoring of the functionality of the hardware
- Rapid recoverability
– Regular control of backups and test recovery
- Contract control
Measures to ensure that personal data processed under contract can only be processed in accordance with the instructions of the Controller:
– Instructions must always be given in text form. Verbal instructions from the Controller must be confirmed in text form
– Employees are instructed at regular intervals in data protection law
– Sub-processors are engaged under written contracts