DPA - Data Processing Addendum

Effective starting: January 10th, 2023 

 

Data Processing Agreement (DPA) pursuant to Art. 28 (3) GDPR between the customer ("Controller") and yasoon GmbH, Glücksteinallee 69, 68163 Mannheim, Germany ("Processor") (collectively also "Parties"). 

§ 1 Subject of the agreement

(1) The Processor shall provide the Controller with software solutions in accordance with the Main Agreement. In doing so, the Processor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the Main Agreement. The Controller is solely responsible for assessing the permissibility of the data processing in accordance with Art. 6 (1) GDPR. 

 

(2) The Parties conclude the present agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Agreement. 

 

(3) The provisions of this Agreement shall apply to all activities related to the Main Agreement in which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from or collected for the Controller or otherwise processed on the Controller's behalf. 

 

(4) The term of this Agreement shall be based on the term of the Main Agreement, unless the following provisions give rise to obligations or rights of termination going beyond this. 

 

(5) The provision of the contractually agreed data processing usually takes place in a member state of the European Union or another contracting state of the Agreement on the European Contractual Area (Decision 94/1/EC). If the Processor transfers Personal Data to subcontractors outside the EU or the EEA, they have previously agreed to comply with the standard data protection clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4.6.2021 and thus ensure an adequate level of data protection within the meaning of Art. 46 (2) lit. c GDPR. 

§ 2 Type of data processed

The personal data to which the Processor will have access in the course of the performance of the Main Agreement are set out in Annex 1.  

§ 3 Controller’s right of instruction

(1) The Processor may only collect, use or otherwise process data within the scope of the Main Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing. 

 

(2) The instructions of the Controller are initially defined by this Agreement and may thereafter be amended, supplemented or replaced by the Controller by individual written instructions. The authorized contact persons of each Party and the communication channel to be used are shown in Annex 2. Any changes shall be taken into account in a timely manner. 

 

(3) All instructions issued shall be documented by both the Controller and the Processor and shall be retained for the duration of their validity and subsequently for three additional full calendar years. 

 

(4) If the Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful. 

§ 4 Basic obligations of the Processor

(1) The Processor is obliged to observe the legal provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art. 

 

(2) The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures (TOMs) to adequately protect the data of the Controller pursuant to Art. 32 GDPR. The Processor is entitled to adapt measures to technical and organizational developments, provided that they do not fall short of the agreed standards. The TOMs can be viewed here. 

 

(3) The Processor has appointed as contact person for data protection: Andreas Schmidt, yasoon GmbH, Glücksteinallee 69, 68163 Mannheim ; e-mail: datenschutz@yasoon.com

 

(4) The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this Agreement or the employment relationship between the Employee and the Processor. The obligations shall be proven to the Controller in an appropriate manner upon request. 

§ 5 Information obligations of the Processor 

(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security related incidents or other irregularities in the processing of personal data by the Processor, by persons employed by it within the scope of the contract or by third parties, the Processor shall inform the Controller in writing without undue delay. The same shall apply to audits of the Processor by the data protection supervisory authority. The notification of a personal data breach shall contain the following information as far as possible: 

 

(a) a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects, the categories affected, and the number of personal data records affected; 

 

(b) a description of the probable consequences of the injury; and 

 

(c) a description of the measures taken or proposed by the Processor to address the breach and, where applicable, measures to mitigate its potential adverse effects. 

 

(2) The Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subject(s), inform the Controller thereof and request further instructions from the Controller. 

 

(3) The Processor shall furthermore be obligated to provide the Controller with information at any time insofar as the Controller's data is affected by a violation pursuant to Paragraph 1. 

 

(4) If necessary, the Processor shall support the Controller in fulfilling the Controller's obligations pursuant to Art. 33 and 34 GDPR in an appropriate manner (Art. 28 (3) sentence 2 lit. f GDPR). Notifications for the Controller pursuant to Art. 33 or 34 GDPR may only be made by the Processor after prior instruction by the Controller pursuant to § 3 of this Agreement. 

 

(5) Should the Controller’s data at the Processor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller (Art. 4 No. 7 GDPR). 

 

(6) The Processor shall inform the Controller without undue delay of any significant changes to the security measures pursuant to § 4 para. 2 of this Agreement. 

 

(7) The Processor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 (2) GDPR. The directory shall be made available to the Controller upon request.  

§ 6 Control rights of the Controller

(1) The Processor shall demonstrate to the Controller compliance with the obligations set forth in this Agreement by appropriate means. 

 

(2) If, in individual cases, inspections by the Controller or an auditor commissioned by the Controller are necessary, they shall be carried out during normal business hours without disrupting operations. The Processor may make the inspection dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures set up. If the auditor commissioned by the Controller is in a competitive relationship with the Processor, the Processor shall have a right of objection against him. 

 

(3) In order to carry out the control, the Processor only needs to permit such a person who is under a special obligation to maintain confidentiality, in particular with regard to information about the Processor's operations, its equipment, the Processor's business secrets and security measures. If the control is not carried out by a person already known to the Processor, such person must prove his legitimation by the Controller in writing at least ten calendar days before the control is carried out. 

 

(4) The Controller shall document the inspection result and notify the Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular during the inspection of order results, he shall inform the Processor without undue delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Controller shall inform the Processor of the necessary procedural changes without undue delay. 

§ 7 Use of Subprocessors

(1) Within the scope of its contractual obligations, the Processor shall in principle be authorized to establish further subcontracting relationships with subprocessors ("Subprocessor Relationship"). The Processor shall carefully select subprocessors according to their suitability and reliability. The Processor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Controller can exercise its rights under this Agreement, in particular its audit and control rights. Upon request, the Processor shall provide the Controller with evidence of the conclusion of the aforementioned agreements with its subprocessors. 

 

(2) The subprocessors currently working for the Processor in accordance with Paragraph 1 are linked in Annex 3. The Processor will update the page and announce the new subprocessor at least 1 month before it is actively used. The Controller can watch the page mentioned in Annex 3 to get informed about any changes. The Controller may object within a reasonable period of time if an important reason under data protection law opposes the commissioning of the subprocessor. 

 

(3) If subprocessors in a third country are to be involved, this shall only be done under the conditions specified in § 1 para. 5 sentence 2. 

 

(4) A Subprocessor Relationship within the meaning of the above provisions does not exist if the Processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, security and cleaning services, as well as telecommunication services without any specific reference to services provided by the Processor to the Controller. 

§ 8 Requests and rights of data subjects

(1) The Processor shall support the Controller as far as possible with appropriate technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12 to 22 and Articles 32 and 36 GDPR. 

 

(2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Processor, the Processor shall forward the request to the Controller without undue delay, provided that an allocation to the Controller is possible according to the data subject. The Processor shall not be liable if the Data Subject's request is not answered, not answered correctly or not answered in a timely manner by the Controller. 

§ 9 Liability

(1) The Controller and Processor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR. The Processor shall coordinate any fulfillment of liability claims with the Controller. 

 

(2) The Processor shall indemnify the Controller against all claims asserted by data subjects against the Controller due to the breach of an obligation imposed on the Processor by the GDPR or this Agreement or due to the noncompliance or breach of a lawful instruction separately issued by the Controller. 

 

(3) The Processor does not have to indemnify the Controller if the data processing or measure giving rise to the Parties´ liability was carried out on the basis of instructions from the Controller. The same shall apply to measures that have been previously coordinated with the Controller. Coordination shall also be deemed to have taken place if a provision in this Agreement has been inserted at the request of the Controller. 

 

(4) The Parties shall indemnify each other against liability to the extent that a Party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. In all other respects, Art. 82(5) GDPR shall apply. 

 

§ 10 Termination of the Main Agreement and this Agreement

(1) This Agreement shall remain valid after a termination of the Main Agreement for as long as the Processor has personal data which have been forwarded to him by the Controller or which he has collected for the Controller. 

 

(2) The Processor shall return all documents, data and data carriers provided to it to the Controller after termination of the Main Agreement or at any time at the Controller's request or delete them at the Controller's request, unless there is an obligation to store the personal data under EU law or the law of the Federal Republic of Germany. The Processor shall provide documentary evidence of the proper deletion. 

 

(3) Upon termination of this Agreement, the Main Agreement shall also terminate, provided that it cannot be performed without the processing of personal data. 

 

§ 11 Final provisions

(1) Unless otherwise provided, declarations between the Parties shall be made in text form, whereby E mail shall suffice. 

 

(2) The Agreement shall be governed by and construed in accordance with German law. 

 

(3) Should one of the above provisions be or become invalid or should a provision that is necessary in itself not be included, this shall not affect the validity of the remaining provisions. The Parties shall endeavor to find a mutually agreeable provision in this case. 

Annex 1 - Purpose, nature of processing and categories of data subjects

The below tables describe the nature of personal data and categories of data subjects of the Controller that can generally be processed as part of the Processor's service list. 

 

In view of the nature of the service, the Controller acknowledges that the Processor can neither review nor maintain the below table. The Controller undertakes to notify the Processor of any changes to the table below (via the communication channel specified in Annex 2).  

General processes

The following processes are available no matter which app or apps you use and regardless of whether you use Cloud or On-premise apps. 

Process 

Purpose of processing 

Categories of processing 

Customer support 

Help users from the Controller's organization to resolve usage problems or error situations and thus contribute to the value of the app for the Controller and improvement of the apps and documentation. 

In customer support usage problems or error situations are reported by users from the Controller's organization via the mechanism described in Annex 2

 

In the course of the support process reporters might be asked to provide 

 

Confluence support zips including log files 

 

Templates used for exporting to different formats 

 

Page exports or space exports from Confluence 

 

JIRA support zips including log files 

 

Outlook log files 

Logs from the reporters browser console 

 

Data is provided through the support tool (Jira Service Management, see Annex 3), or in cases where the data provided is too large for that mechanism, we offer to use a data transfer service (Sharepoint, see Annex 3). Reporters can choose to provide their own mechanism of data transfer. 

 

The received data is then analyzed manually or automatically for causes or indicators of reported usage problems or error situations. 

Error tracking 

For error tracking data is transferred from the end user's browser to an error reporting service, which allows analysis of errors without users having to actively report them. This is used to improve the quality of the apps. 

Data describing the error context, like operations invoked, the user interface element clicked, technical context like browser, operating system values are transferred to the error reporting service (Sentry and LogRocket, see Annex 3). 

 

 

Atlassian license distribution 

The apps are only usable with valid licenses. Licenses; i.e. commercial, evaluation and community or academic licenses; are distributed through the Atlassian Marketplace 

All data attached to a license under my.atlassian.com is transferred to the Processor. 

 

The Processor will send informational email when evaluating or using a new app via sub-processor (Mailchimp, see Annex 3). 

 

The Processor might also send transactional email informing receivers about their licenses via sub-processor (Mailchimp, see Annex 3

Microsoft apps license distribution 

When installing any app through the Microsoft AppSource, basic licensing information is distributed. 

All data attached to this license is transferred to the Processor. 

 

The Processor might also send transactional email informing receivers about their licenses via sub-processor (Mailchimp, see Annex 3

 

On-premise & Cloud

The following table describes the data processing of all apps of the Processor. 

The General processes that also apply to On-premise and Cloud apps are described above. 

The Processing is hosted on cloud (AWS, see Annex 3). 

 

 

App 

Purposes of processing 

Categories of processing 

Categories of personal data 

Categories of data subjects 

Microsoft 365 for Jira

Outlook Email for Jira

Outlook Meetings for Jira

Microsoft Teams for Jira & JSM - Smart Connect

Microsoft To Do for Jira 

Connect Microsoft tools with Jira. Optimize Jira with Microsoft features and extend Microsoft tools with Jira functionalities.  

We only store content that has been explicitly created by our apps. The most common data we store are: 

 

  • User / instance settings 

 

  • Metadata mappings between Atlassian & Microsoft objects 

 

  • User login tokens retrieved by OAuth login 

We do not store Jira content (like Jira issues, comments, etc.) or Microsoft content (like email content) on our servers. 

Reports on the 

 

  • Name of the JIRA instance 

 

  • Atlassian account ID 

 

  • Microsoft account ID 

 

The app is unaware of the type of data supplied to it. Example categories of personal data are: 

 

  • Assignees, reporters, participants of issues 

 

  • Field values and changes on fields & comments made by users of JIRA 

 

The Controller must inform the Processor if he processes additional categories of personal data inside Jira or the app. 

Jira user 

 

Microsoft Users 

 

The Controller must inform the Processor if he processes additional categories of data subjects with this app. 

Outlook Calendars for Confluence 

Add configurable Outlook calendars to display Outlook and Jira data in Confluence. 

We only store content that has been explicitly created by our apps. The most common data we store are: 

 

  • User / instance settings 

 

  • Metadata mappings between Atlassian & Microsoft objects 

 

  • User login tokens retrieved by OAuth login 

 

 

Reports on the 

  • Name (URL) of the Confluence instance 

  • Atlassian account ID 

  • Microsoft account ID

The app is unaware of the type of data supplied to it.

Example categories of personal data are: 

 

  • project reports including project collaborators 

  • information on authors of or collaborators on Confluence content and Microsoft content 

 

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, Jira or the app. 

 

Confluence Users 

 

Microsoft Users 

 

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, Jira or the app. 

 

 

Annex 2 - Authorized persons, entitled persons, Communication channel

Authorized persons under this Agreements are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number). 

Instructions are to be transmitted by the following communication channel: 

E-Mail to support@yasoon.com or request via service desk

 

Annex 3 - Sub-processors

A current list of all sub-processors can be accessed under the following link: Contractors - Support Portal yasoon GmbH - Confluence . The customer ("Controller")  can set up automatic notification of sub-processors changes via e-mail through the "Watch Page" function