Versions Compared

Old Version 5

changes.mady.by.user Yuri

Saved on

compared with

New Version 6

changes.mady.by.user Yuri

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Release Management Data Processing Addendum

...

iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 2.10 of this DPA;

iv. in Clause 11, the optional language will not apply;

...

vii. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and

viii. Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;

...

vi. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and

vii. Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;

(c) In relation to transfers of personal data governed by UK Data Protection Law, the EU SCCs: (i) apply as completed in accordance with paragraphs (a) and (b) above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 2 in Part 1 of the UK Addendum is deemed completed respectively with the information set out in Section 2.9, as well as Exhibits A and B of this DPA; Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

...

Anchor
Security
Security
2.8 Security: Release Management and, to the extent required under the Agreement, Customer must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law (e.g., Art. 32 GDPR) to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. Release Management’s current technical and organizational measures are described in Exhibit B (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Release Management may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.

...

All Cloud and DC Products

Release Management as a processor or sub-processor

Categories of data subjects

Customer, Customers' employees (namely Technical and Billing Contacts specified) , Customers' partners (namely Atlassian Solution Partners) on behalf of the Customer/Atlassian.

Categories of personal data transferred

Technical and Billing Contacts Information, for example:

  • Full name

  • Email address

  • Office / address

  • Office / phone number

  • Company / organization

  • Company web-site URL

Customers' Atlassian Solution Partner, for example:

  • Full name

  • Email address

  • Company / organization

  • Company web-site URL

Additional Release Management/Atlassian Product license information, for example:

  • App entitlement id and number

  • Host entitlement id and number

  • Host product edition and frequency of renewals

  • License type and status

  • License start and end dates

  • License tier

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Daily

Nature of the processing

The nature of the processing (incl. transfer) is the following: export from Atlassian Marketplace (controller or processor), secure transit and import into PLG CRM tools (sub-processor) for the purpose defined below.

Purpose of the data transfer

The purpose of data processing (incl. transfer) is the following:

  • Update Customers about new important features and capabilities delivered

  • Provide support and services to Customers

  • Update Customer about important terms and conditions changed (including pricing tier upgrades), changes to EULA, DPA, Sub-processors list, other policies, etc.

  • Informing Customers about P0, P1 incidents (including security incidents), remediate actions taken and time to resolution, follow up with root cause analysis delivered according to Security Vulnerabilities Process

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

...

Release Management and Roadmaps for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Release Management and Roadmaps“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Board Configuration (for Admins only), for example:

  • Jira Project IDs

  • Atlassian User IDs, Groups IDs for Permission Management

  • Jira standard and custom datetime field IDs for Epics Sync

  • Free-text* titles of Versions and Packages workflow steps

  • Automation rules configurations including URLs, Headers, Bodies definition that might include authorization tokens

  • Free-text* custom properties names

  • Version defaults configuration including free-text* names and descriptions as well as milestones names and descriptions as free-text*

  • Definitions of backlout periods that includes free-text* name and dates

Board Usage (could be segregated for Manage and Read Only permissions), for example:

  • Jira Version IDs, Epic IDs, Sprint IDs plus plain JQL* for JQL-based versions, User IDs, Atlassian Compass & Jira Classic Component IDs

  • Free-text* versions and packages names, descriptions, comments, custom properties and milestones names/descriptions + appropriate package templates

  • Encrypted Api Tokens (https://id.atlassian.com/manage-profile/security/api-tokens) if configured to access “Commits/Deployments/Environments” information and/or “Upload to Confluence“ release notes

  • Release notes templates that are combinations of a bunch of Free-text* sections and plain JQL* tables

  • Free-text* deployment environments names and descriptions

  • Free-text* Classic Component names and descriptions

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Create multiple custom Release Management Boards with predefined workflows, restrictions and automations.

  • Create different type of versions (component releases) and package it into “business releases“, process both through workflows asuring configured quality gateways and approval processes

  • Create release notes according to pre-defined templates

  • Manage and orchestrate deployment environments

  • Manage and orchestrate cross-project components

  • Provide insights about releases health, projected delivery dates and reasons for delays, etc.

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

...

Advanced Kanban & Agile Boards for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Advanced Kanban & Agile Boards“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Board Configuration (for Admins only), for example:

  • Jira Project IDs

  • Atlassian User IDs, Groups IDs for Permission Management

  • Plain JQL* to shortlist scope of the board

  • Jira standard and custom fields IDs when used as Columns and/or Swimlanes

Board Usage (could be segregated for Manage and Read Only permissions), for example:

  • Column and/or Swimlane names derived from Jira standard or custom fields values or free-text* title aliases

  • Column and Swimlane descriptions that are free-text* fields

  • Atlassian User IDs, Version IDs, Sprint IDs, Component IDs, Jira Issue IDs if used as columns and/or swimlanes

  • Column Group names that are free-text* fields

  • Quick filters aliases that are free-text* fields and plain JQL* definitions of quick filters

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Create multiple custom Kanban & Agile boards with flexible columns and/or swimlanes configurations

  • Provide descriptions of the SDLC statuses / exit criterias / quality gates

  • Manage Jira issues and hierarchy of Jira issues through SDLC lifecycle (including but not limited by managing Versions, Components, Sprints, Parent Jira Issues where Jira Issues attached to)

  • Package columns in Column Groups

  • Outline Dependencies, Statistics, etc.

  • Filter Jira issues via quick filters

  • Define and manage work-in-progress (WIP) limits

  • Define and manage Aging  limits

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

...

Release Gadgets for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Release Gadgets“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Gadgets Configuration, for example:

  • Free-text* gadgets scope names

  • Jira Project IDs

  • Jira Version IDs

  • Plain JQL* to shortlist scope of the gadget

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Visualise portfolio of releases

  • Outline release progress and status.

  • Show release delays and reasons for it.

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

...

Time in Status Calendar & Worklog Roadmap for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Time in Status Calendar & Worklog Roadmap“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Changelog Calendar Configuration, for example:

  • Jira Project IDs

  • Plain JQL* to shortlist scope of the calendar

  • Jira standard and custom datetime field IDs

  • Jira issues workflows steps IDs

Changelog Calendar Usage (could be segregated for Manage and Read Only permissions), for example:

  • Quick filters aliases that are free-text* fields and plain JQL* definitions of quick filters

  • Free-text* worklog comments & descriptions

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Outline Jira issues on Calendar and Roadmap view.

  • Show progress according to color coded status changes and worklog made

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

...

Easy Delivery Roadmaps for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Easy Delivery Roadmaps“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Plan Configuration (for Admins only), for example:

  • Jira Project IDs

  • Atlassian User IDs, Groups IDs for Permission Management

  • Jira standard and custom datetime field IDs for Epics Sync

  • Definitions of backlout periods that includes free-text* name and dates

Plan Usage (could be segregated for Manage and Read Only permissions), for example:

  • Jira Version IDs, Epic IDs, Sprint IDs plus plain JQL* for JQL-based versions and User IDs

  • Free-text* versions names, descriptions, comments and milestones names/descriptions

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Create multiple custom Delivery Plans.

  • Create different type of deliverables - versions, epics, sprints, JQL versions

  • Outline deliverables om Roadmap and Calendar views

  • Manage intermediate milestones

  • Provide insights about deliverables health, projected delivery dates and reasons for delays, etc.

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

...

Measure

Description

Measures of pseudonymisation and encryption of data

Encryption

Release Management has and will maintain: (i) an established method to encrypt Customer Data in transit; (ii) an established method to securely store passwords following industry standard practices; and (iii) use established key management methods.

Any Customer Data customer data is encrypted in transit over public networks using TLS 1.2 or greater, with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.

We encrypt data at rest (on disk/storage). We also use TLS/SSL connection between 3x data cluster nodes for data replication. Backup files in S3 AWS (Germany) are also encrypted.

Pseudonymisation

Release Management has and will maintain: (i) an established method to create pseudonymised data sets using industry standard practices; and (ii) appropriate technical and organisational measures governing the systems capable of remapping pseudonymous identifiers.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Security Program

Release Management will maintain a security management program that includes but is not limited to:

  1. executive review, support and accountability for all security related policies and practices;

  2. a written information security policy and framework that meets or exceeds industry standards and that, as a baseline, includes (i) defined information security roles and responsibilities, (ii) a formal and effective risk mitigation program and (iii) a service provider security management program;

  3. periodic risk assessments of all Release Management owned or leased systems processing Customer Data;

  4. prompt review of security incidents affecting the security of Release Management systems processing Customer Data, including determination of root cause and corrective action;

  5. security review and testing being part of software development and acceptance testing process for our Products

  6. processes to identify and quantify security risks, develop mitigation plans, which must be approved by Release Management’s Chief Security & Data Officer (or one of their delegates), and track the implementation of such plans; and

  7. a comprehensive security testing methodology that consists of diverse and independent approaches that, when combined, are reasonably designed to maximize coverage for a varied and diverse set of attack vectors.

Release Management will periodically (and, in any event, no less frequently than annually) review and, where applicable, update such security management program.

Security Incident Notification

Release Management will notify Customer of Security Incidents in accordance with this DPA and Security Vulnerabilities Process.

Employee Screening, Training, Access and Controls

Release Management will maintain policies and practices that include the following controls and safeguards applied to Release Management staff who have access to Customer Data and/or provide Support and Services to Customer:

  1. pre-hire background checks (including criminal record inquiries) on Release Management job candidates, subject to and in accordance with applicable Laws and generally accepted industry standards;

  2. periodic security awareness training;

  3. a disciplinary policy and process to be used when Release Management staff violate Release Management’s security policies;

  4. access to Release Management IT systems with appropriate technical security controls (including two-factor authentication);

  5. controls designed to limit access to Customer Data to only those Release Management staff with an actual need-to-know such Customer Data. Such controls include the use of a formal access management process for the request, review, approval and provisioning for all Release Management staff with access to Customer Data; and

  6. separation of duties to prevent a single Release Management employee from controlling all key aspects of a critical transaction or business process related to Customer Data or systems.

Measures for ensuring the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident

During the Subscription Term, Release Management’s business continuity and disaster recovery plans (collectively, the “BCDR Plans“) will address at least the following topics:

  1. the availability of human resources with appropriate skill sets;

  2. the availability of all IT infrastructure, telecommunications capabilities and any other technology used or relied upon by Release Management in the provision of the Products;

  3. Release Management’s plans for storage and continuity of use of data and software;

  4. clear recovery time objectives (RTOs) and recovery point objectives (RPOs);

  5. mechanisms for the geographic diversity or back-up of business operations;

  6. the potential impact of cyber events and Release Management’s ability to maintain business continuity in light of such events, as well as a framework and procedure to respond to and remediate such events;

  7. the management of data corruption incidents; and

  8. procedures and frequency of testing of the BCDR Plans.

Release Management will periodically (and, in any event, no less frequently than annually) review and where applicable, update the BCDR Plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Vulnerability Management

Release Management will maintain the following vulnerability management processes:

Vulnerability Scanning and Remediation. Release Management employs processes and tools in line with industry standards to conduct frequent vulnerability scanning to test Release Management’s network and infrastructure and application vulnerability testing to test Release Management applications and services. Release Management applies security patches to software components in production and development environments as soon as commercially practicable in accordance with our Information Security Policy.

Identifying Malicious Threats. Release Management employs processes and tools in line with industry standards to identify malicious actors and prevent them from accessing Customer Data or Release Management systems that process Customer Data. These include, but are not limited to, maintaining software that attempts to identify and detect attempted intrusions, behaviors consistent with Internet-based attacks, and indicators of potential compromise. Release Management will maintain a security incident and event management system and supporting processes to notify appropriate personnel in response to threats.

Vulnerability Testing.

  1. Release Management conducts internal vulnerability testing. This includes dependent libraries vulnerabilities scan at every build, security review and testing as integral part of SDLC. This includes also Atlassian-powered bug bounty/cloud fortified programs. We make the results of these programs available on request and commit to making bug fixes in line with our Security Vulnerabilities Process.

  2. Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with Release Management), perform its own vulnerability testing of its Cloud Products, provided that Customer cannot exercise this right more than once per calendar year. Customer may report any vulnerabilities impacting the Release Management Products to Release Management in via Service Desk portal or security@releasemanagement.app email address.

  3. Release Management will use commercially reasonable efforts to address identified security vulnerabilities in our Products and our infrastructure in accordance with the Security Vulnerabilities Process. The parties acknowledge that Release Management may update the Security Vulnerabilities Process from time to time in its discretion, provided such updates do not result in a material derogation of the Security Vulnerabilities Process.

Measures for user identification and authorisation

Atlassian cloud users can authenticate using username and password, or external IPs (incl. via SAML, Google, Microsoft and Apple). All credentials are hosted in the Atlassiandatabase, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm.

Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access:

Atlassian' Manage Passwords Policy. Administrators are also able to enforce SSO via Atlassian Access.

We (as Release Management) fully delegate identification and authorisation to Atlassian and assure permissions check and control for any actions in accordance with roles and configurations set.

Measures for the protection of data during transmission

See the item above titled “Measures of pseudonymisation and encryption of data

Measures for the protection of data during storage

Data Hosting Facilities

Release Management will, no less frequently than annually, request assurances from its data hosting providers that store or process Customer Data that:

  1. such data hosting provider’s facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference;

  2. such data hosting provider’s facilities employ physical security appropriate to the classification of the assets and information being managed; and

  3. such data hosting provider’s facilities limit and screen all entrants employing measures such as on-site security guard(s), badge reader(s), electronic lock(s), or a monitored closed caption television (CCTV).

Measures for ensuring physical security of locations at which data are processed

See the item above titled “Measures for the protection of data during storage“.

Measures for ensuring events logging

For Atlassian entities audit logging is available via API (See Track organization activities from the audit log).

For Release Management entities audit logging is available via UI for specific Application. Contact support@releasemanagement.app for details.

Measures for ensuring system configuration, including default configuration

See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services“.

Measures for internal IT and IT security governance and management

See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services“.

Measures for certification/assurance of processes and products

See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing“.

Measures for ensuring data minimisation

See Privacy Policy - Data Security and Privacy Statement

Measures for ensuring data quality

See the items above titled “Measures of pseudonymisation and encryption of data“, “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services“, and “Measures for the protection of data during storage“.

Measures for ensuring limited data retention

Data Retention and Destruction Standard

Release Management maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. The Data Retention and Destruction Standard is guided by the following principles:

  • Records should be maintained as long as they serve a business purpose.

  • Records that serve a business purpose, or which Release Management has a legal, regulatory, contractual or other duty to retain, will be retained.

  • Records that no longer serve a business purpose, and for which Release Management has no duty to retain, should be disposed. Copies or duplicates of such data should also be disposed. To the extent Release Management has a duty to retain a specified number of copies of a Record, such number of copies should be retained.

  • Release Management’s practices implementing this Standard may vary across departments, systems and media, and will of necessity evolve over time. These practices will be reviewed under our company-wide policy review practices.

Measures for ensuring accountability

See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing“.

Measures for allowing data portability and ensuring erasure

Data Export

See Customer Data Retention/Deletion Policy

Secure Deletion

Release Management will maintain a process reasonably designed to ensure secure destruction and deletion of any and all Customer Data as provided in this DPA. Such Customer Data will be securely destroyed and deleted by Release Management so that: (a) Customer Data cannot be practicably read or reconstructed, and (b) the Release Management systems that store Customer Data are securely erased.

...