Release Management Data Processing Addendum
...
iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 2.10 of this DPA;
iv. in Clause 11, the optional language will not apply;
...
vii. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and
viii. Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;
...
vi. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and
vii. Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;
(c) In relation to transfers of personal data governed by UK Data Protection Law, the EU SCCs: (i) apply as completed in accordance with paragraphs (a) and (b) above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 2 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in Section 2.9, as well as Exhibits A and B of this DPA. Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
...
...
All Cloud and DC Products: Release Management as a processor or sub-processor | |
---|---|
Categories of data subjects | Customer, Customers' employees (namely Technical and Billing Contacts specified), Customers' partners (namely Atlassian Solution Partners) on behalf of the Customer/Atlassian. |
Categories of personal data transferred | Technical and Billing Contacts Information, for example:
Customers' Atlassian Solution Partner, for example:
Additional Release Management/Atlassian Product license information, for example:
|
Sensitive data transferred? (as defined in Section 2.1) | None |
Frequency of the transfer | Daily |
Nature of the processing | The nature of the processing (incl. transfer) is the following: export from Atlassian Marketplace (controller or processor), secure transit and import into PLG CRM tools (sub-processor) for the purpose defined below. |
Purpose of the data transfer | The purpose of data processing (incl. transfer) is the following:
|
Duration of processing | Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA |
...
Release Management and Roadmaps for Jira Cloud: Release Management as a processor | |
---|---|
Categories of data subjects | Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer. |
Categories of personal data transferred | Personal data relating to or obtained in connection with the operation, support or use of the “Release Management and Roadmaps” Product, e.g.: For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly. Board Configuration (for Admins only), for example:
Board Usage (could be segregated for Manage and Read Only permissions), for example:
free text*/plain JQL* Customer as controller of the data has to ensure implementation of internal policies so that no sensitive data (as defined in Section 2.1) is submitted to the above-mentioned free text fields and plain JQL. The implemented permission model allows shortlisting the users who can enter/alter these free text fields and plain JQL. |
Sensitive data transferred? (as defined in Section 2.1) | None |
Frequency of the transfer | Continuous |
Nature of the processing | Processing of relevant personal data for the purposes identified below |
Purpose of the data transfer | Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:
|
Duration of processing | Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA |
...
Advanced Kanban & Agile Boards for Jira Cloud: Release Management as a processor | |
---|---|
Categories of data subjects | Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer. |
Categories of personal data transferred | Personal data relating to or obtained in connection with the operation, support or use of the “Advanced Kanban & Agile Boards” Product, e.g.: For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly. Board Configuration (for Admins only), for example:
Board Usage (could be segregated for Manage and Read Only permissions), for example:
free text*/plain JQL* Customer as controller of the data has to ensure implementation of internal policies so that no sensitive data (as defined in Section 2.1) is submitted to the above-mentioned free text fields and plain JQL. The implemented permission model allows shortlisting the users who can enter/alter these free text fields and plain JQL. |
Sensitive data transferred? (as defined in Section 2.1) | None |
Frequency of the transfer | Continuous |
Nature of the processing | Processing of relevant personal data for the purposes identified below |
Purpose of the data transfer | Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:
|
Duration of processing | Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA |
...
Release Gadgets for Jira Cloud: Release Management as a processor | |
---|---|
Categories of data subjects | Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer. |
Categories of personal data transferred | Personal data relating to or obtained in connection with the operation, support or use of the “Release Gadgets” Product, e.g.: For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly. Gadgets Configuration, for example:
free text*/plain JQL* Customer as controller of the data has to ensure implementation of internal policies so that no sensitive data (as defined in Section 2.1) is submitted to the above-mentioned free text fields and plain JQL. The implemented permission model allows shortlisting the users who can enter/alter these free text fields and plain JQL. |
Sensitive data transferred? (as defined in Section 2.1) | None |
Frequency of the transfer | Continuous |
Nature of the processing | Processing of relevant personal data for the purposes identified below |
Purpose of the data transfer | Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:
|
Duration of processing | Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA |
...
Time in Status Calendar & Worklog Roadmap for Jira Cloud: Release Management as a processor | |
---|---|
Categories of data subjects | Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer. |
Categories of personal data transferred | Personal data relating to or obtained in connection with the operation, support or use of the “Time in Status Calendar & Worklog Roadmap” Product, e.g.: For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly. Changelog Calendar Configuration, for example:
Changelog Calendar Usage (could be segregated for Manage and Read Only permissions), for example:
free text*/plain JQL* Customer as controller of the data has to ensure implementation of internal policies so that no sensitive data (as defined in Section 2.1) is submitted to the above-mentioned free text fields and plain JQL. The implemented permission model allows shortlisting the users who can enter/alter these free text fields and plain JQL. |
Sensitive data transferred? (as defined in Section 2.1) | None |
Frequency of the transfer | Continuous |
Nature of the processing | Processing of relevant personal data for the purposes identified below |
Purpose of the data transfer | Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:
|
Duration of processing | Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA |
...
Easy Delivery Roadmaps for Jira Cloud: Release Management as a processor | |
---|---|
Categories of data subjects | Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer. |
Categories of personal data transferred | Personal data relating to or obtained in connection with the operation, support or use of the “Easy Delivery Roadmaps” Product, e.g.: For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly. Plan Configuration (for Admins only), for example:
Plan Usage (could be segregated for Manage and Read Only permissions), for example:
free text*/plain JQL* Customer as controller of the data has to ensure implementation of internal policies so that no sensitive data (as defined in Section 2.1) is submitted to the above-mentioned free text fields and plain JQL. The implemented permission model allows shortlisting the users who can enter/alter these free text fields and plain JQL. |
Sensitive data transferred? (as defined in Section 2.1) | None |
Frequency of the transfer | Continuous |
Nature of the processing | Processing of relevant personal data for the purposes identified below |
Purpose of the data transfer | Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:
|
Duration of processing | Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA |
...
Measure | Description |
---|---|
Measures of pseudonymisation and encryption of data | Encryption: Release Management has and will maintain: (i) an established method to encrypt Customer Data in transit; (ii) an established method to securely store passwords following industry standard practices; and (iii) established key management methods. Any Customer Data is encrypted in transit over public networks using TLS 1.2 or greater, with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. We encrypt data at rest (on disk/storage). We also use TLS/SSL connections between 3x data cluster nodes for data replication. Backup files in S3 AWS (Germany) are also encrypted. Pseudonymisation: Release Management has and will maintain: (i) an established method to create pseudonymised data sets using industry standard practices; and (ii) appropriate technical and organisational measures governing the systems capable of remapping pseudonymous identifiers. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Security Program: Release Management will maintain a security management program that includes but is not limited to:
Release Management will periodically (and, in any event, no less frequently than annually) review and, where applicable, update such security management program. Security Incident Notification: Release Management will notify Customer of Security Incidents in accordance with this DPA and Security Vulnerabilities Process. Employee Screening, Training, Access and Controls: Release Management will maintain policies and practices that include the following controls and safeguards applied to Release Management staff who have access to Customer Data and/or provide Support and Services to Customer:
|
Measures for ensuring the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident | During the Subscription Term, Release Management’s business continuity and disaster recovery plans (collectively, the “BCDR Plans”) will address at least the following topics:
Release Management will periodically (and, in any event, no less frequently than annually) review and where applicable, update the BCDR Plans. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Vulnerability Management: Release Management will maintain the following vulnerability management processes: Vulnerability Scanning and Remediation. Release Management employs processes and tools in line with industry standards to conduct frequent vulnerability scanning to test Release Management’s network and infrastructure and application vulnerability testing to test Release Management applications and services. Release Management applies security patches to software components in production and development environments as soon as commercially practicable in accordance with our Information Security Policy. Identifying Malicious Threats. Release Management employs processes and tools in line with industry standards to identify malicious actors and prevent them from accessing Customer Data or Release Management systems that process Customer Data. These include, but are not limited to, maintaining software that attempts to identify and detect attempted intrusions, behaviors consistent with Internet-based attacks, and indicators of potential compromise. Release Management will maintain a security incident and event management system and supporting processes to notify appropriate personnel in response to threats. Vulnerability Testing.
|
Measures for user identification and authorisation | Atlassian cloud users can authenticate using username and password, or external IdPs (incl. via SAML, Google, Microsoft and Apple). All credentials are hosted in the Atlassian database, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm. Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access: Atlassian's Manage Passwords Policy. Administrators are also able to enforce SSO via Atlassian Access. We (as Release Management) fully delegate identification and authorisation to Atlassian and ensure permission checks and control for any actions in accordance with the roles and configurations set. |
Measures for the protection of data during transmission | See the item above titled “Measures of pseudonymisation and encryption of data” |
Measures for the protection of data during storage | Data Hosting Facilities: Release Management will, no less frequently than annually, request assurances from its data hosting providers that store or process Customer Data that:
|
Measures for ensuring physical security of locations at which data are processed | See the item above titled “Measures for the protection of data during storage”. |
Measures for ensuring events logging | For Atlassian entities, audit logging is available via API (see Track organization activities from the audit log). For Release Management entities, audit logging is available via UI for the specific Application. Contact support@releasemanagement.app for details. |
Measures for ensuring system configuration, including default configuration | See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”. |
Measures for internal IT and IT security governance and management | See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”. |
Measures for certification/assurance of processes and products | See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing”. |
Measures for ensuring data minimisation | |
Measures for ensuring data quality | See the items above titled “Measures of pseudonymisation and encryption of data”, “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services”, and “Measures for the protection of data during storage”. |
Measures for ensuring limited data retention | Data Retention and Destruction Standard: Release Management maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. The Data Retention and Destruction Standard is guided by the following principles:
|
Measures for ensuring accountability | See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing”. |
Measures for allowing data portability and ensuring erasure | Data Export: See Customer Data Retention/Deletion Policy. Secure Deletion: Release Management will maintain a process reasonably designed to ensure secure destruction and deletion of any and all Customer Data as provided in this DPA. Such Customer Data will be securely destroyed and deleted by Release Management so that: (a) Customer Data cannot be practicably read or reconstructed, and (b) the Release Management systems that store Customer Data are securely erased. |
...