Effective starting: January 10thSeptember 1st, 2023 2024

 

Data Processing Agreement (DPA) pursuant to Art. 28 (3) GDPR between the customer ("Controller") and yasoon GmbH, Glücksteinallee 69, 68163 Mannheim, Germany ("Processor") (collectively also "Parties"). 

...

(1) The Processor shall provide the Controller with software solutions in accordance with the Main Agreement. In doing so, the Processor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the Main Agreement. The Controller is solely responsible for assessing the permissibility of the data processing in accordance with Art. 6 (1) GDPR. 

...

(5) The provision of the contractually agreed data processing usually takes place in a member state of the European Union or another contracting state of the Agreement on the European Contractual Area (Decision 94/1/EC). If the Processor transfers Personal Data to subcontractors outside the EU or the EEA, they have previously agreed to comply with the standard data protection clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4.6.2021 and thus ensure an adequate level of data protection within the meaning of Art. 46 (2) lit. c GDPR. 

(6) To the extent that Provider Processes Customer Personal Data protected by Data Protection Laws in one of the regions listed in Annex 4 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.

§ 2 Type of data processed

The personal data to which the Processor will have access in the course of the performance of the Main Agreement are set out in Annex 1.  

...

(3) The Processor has appointed as contact person for data protection: Andreas SchmidtTobias Viehweger, yasoon GmbH, Glücksteinallee 69, 68163 Mannheim ; e-mail: datenschutz@yasoon privacy@yasoon.com

 

(4) The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this Agreement or the employment relationship between the Employee and the Processor. The obligations shall be proven to the Controller in an appropriate manner upon request. 

...

Process: Customer support

Purpose of processing: Help users from the Controller's organization to resolve usage problems or error situations and thus contribute to the value of the app for the Controller and improvement of the apps and documentation.

Categories of processing: In customer support, usage problems or error situations are reported by users from the Controller's organization via the mechanism described in Annex 2.

In the course of the support process reporters might be asked to provide:

  • Confluence support zips including log files

  • Templates used for exporting to different formats

  • Page exports or space exports from Confluence

  • JIRA support zips including log files

  • Outlook log files

  • Logs from the reporter's browser console

Data is provided through the support tool (Jira Service Management, see Annex 3), or in cases where the data provided is too large for that mechanism, we offer to use a data transfer service (Sharepoint, see Annex 3). Reporters can choose to provide their own mechanism of data transfer.

The received data is then analyzed manually or automatically for causes or indicators of reported usage problems or error situations.

Process: Error tracking

Purpose of processing: For error tracking, data is transferred from the end user's browser to an error reporting service, which allows analysis of errors without users having to actively report them. This is used to improve the quality of the apps.

Categories of processing: Data describing the error context, such as operations invoked, the user interface element clicked, and technical context such as browser and operating system values, is transferred to the error reporting service (Sentry and LogRocket, see Annex 3).

Process: Atlassian license distribution

Purpose of processing: The apps are only usable with valid licenses. Licenses (i.e. commercial, evaluation and community or academic licenses) are distributed through the Atlassian Marketplace.

Categories of processing: All data attached to a license under my.atlassian.com is transferred to the Processor.

The Processor will send informational email when evaluating or using a new app via sub-processor (Mailchimp, see Annex 3).

The Processor might also send transactional email informing receivers about their licenses via sub-processor (Mailchimp, see Annex 3).

Process: Microsoft apps license distribution

Purpose of processing: When installing any app through the Microsoft AppSource, basic licensing information is distributed.

Categories of processing: All data attached to this license is transferred to the Processor.

The Processor might also send transactional email informing receivers about their licenses via sub-processor (Mailchimp, see Annex 3).

On-premise & Cloud

The following table describes the data processing of all apps of the Processor. 

...

The Processing is hosted on cloud (AWS, see Annex 3). 

 

App:

  • Microsoft 365 for Jira

  • Outlook Email for Jira

  • Outlook Meetings for Jira

  • Microsoft Teams for Jira & JSM - Smart Connect

  • Microsoft To Do for Jira

Purposes of processing: Connect Microsoft tools with Jira. Optimize Jira with Microsoft features and extend Microsoft tools with Jira functionalities.

Categories of processing: We only store content that has been explicitly created by our apps. The most common data we store are:

  • User / instance settings

  • Metadata mappings between Atlassian & Microsoft objects

  • User login tokens retrieved by OAuth login

We do not store Jira content (like Jira issues, comments, etc.) or Microsoft content (like email content) on our servers.

Categories of personal data: Reports on the

  • Name of the JIRA instance

  • Atlassian account ID

  • Microsoft account ID

The app is unaware of the type of data supplied to it. Example categories of personal data are:

  • Assignees, reporters, participants of issues

  • Field values and changes on fields & comments made by users of JIRA

The Controller must inform the Processor if he processes additional categories of personal data inside Jira or the app.

Categories of data subjects:

  • Jira user

  • Microsoft Users

The Controller must inform the Processor if he processes additional categories of data subjects with this app.

App:

  • Outlook Calendars for Confluence

Purposes of processing: Add configurable Outlook calendars to display Outlook and Jira data in Confluence.

Categories of processing: We only store content that has been explicitly created by our apps. The most common data we store are:

  • User / instance settings

  • Metadata mappings between Atlassian & Microsoft objects

  • User login tokens retrieved by OAuth login

Categories of personal data: Reports on the

  • Name (URL) of the Confluence instance

  • Atlassian account ID

  • Microsoft account ID

The app is unaware of the type of data supplied to it. Example categories of personal data are:

  • project reports including project collaborators

  • information on authors of or collaborators on Confluence content and Microsoft content

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, Jira or the app.

Categories of data subjects:

  • Confluence Users

  • Microsoft Users

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, Jira or the app.

Annex 2 - Authorized persons, entitled persons,

...

communication channel

Authorized persons under this Agreement are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).

...

A current list of all sub-processors can be accessed under the following link: Trust Center - yasoon. The customer ("Controller") can set up automatic notification of sub-processor changes via e-mail through the "Subscribe to updates" function.

Annex 4 - Region-Specific Terms

A. CALIFORNIA

  1. Definitions. CCPA and other capitalized terms not defined in this Annex are defined in the DPA.

1.1.  “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.

1.2.  The definition of “Data Subject” includes “consumer” as defined under the CCPA.

1.3.  The definition of “Controller” includes “business” as defined under the CCPA.

1.4.  The definition of “Processor” includes “service provider” as defined under the CCPA.

  2. Obligations.

2.1.  Customer is providing the Customer Personal Data to Provider under the Agreement for the limited and specific business purposes of providing the Cloud Service as described in Annex 1 (Purpose, nature of processing and categories of data subjects) to this DPA and otherwise performing under the Agreement.

2.2.  Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.

2.3.  Provider acknowledges that Customer has the right to:

(i) take reasonable and appropriate steps under Section 5 (Audits) of this DPA to help to ensure that Provider’s use of Customer Personal Data is consistent with Customer’s obligations under the CCPA,

(ii) receive from Provider notice and assistance under Section 8 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA and

(iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

2.4.  Provider will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.

2.5.  Provider will not retain, use or disclose Customer Personal Data:

(i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4 or

(ii) outside of the direct business relationship between Provider and Customer, except, in either case, where and to the extent permitted by the CCPA.

2.6.  Provider will not sell or share Customer Personal Data received under the Agreement.

2.7.  Provider will not combine Customer Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA.