Data Processing Addendum (DPA)

Owned by Yuri (Unlicensed)
Last updated: Nov 04, 2024 by Yuri Lapin
33 min read

Release Management Data Processing Addendum

IMPORTANT! BE SURE TO CAREFULLY READ AND UNDERSTAND ALL OF THE RIGHTS AND RESTRICTIONS SET FORTH IN THIS DATA PROCESSING ADDENDUM (“DPA”). YOU ARE NOT AUTHORIZED TO USE THIS SOFTWARE UNLESS AND UNTIL YOU ACCEPT THE TERMS OF THIS DPA.

This Data Processing Addendum ("DPA") to End User License Agreement (“EULA”) forms part of the Agreement (defined below) by and between the customer (or its Affiliate(s), as applicable) as identified in the Agreement ("Customer" or “you”) and Y2 ENGINEERING SP ZO.O., a provider of downloadable and cloud-based applications under the Release Management Apps ("Release Management") brand name through the Atlassian Marketplace, and will be effective on the date both parties execute this DPA in accordance with Section 1 below ("Effective Date"). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

1. Instructions and Effectiveness

1.1 By clicking on the “Accept & Install” (or similar) button that is presented to you at the time of your installation, Customer agrees to be bound by the terms of this DPA. If you do not agree to the terms of this DPA, you may not install, copy, download or otherwise use the Software. 

(a) If you are agreeing to this DPA on behalf of a company or other organization, you represent that you have the authority to bind that company or organization to this DPA, and the terms “Customer”, "you" and “your" refer to that company or organization. 

(b) If you do not have that authority, you may not install, copy, download or otherwise use the Software.

1.2 The date Section 1.1 is executed is becoming the date of the below terms come into effect (as of the “Effective Date”).

1.3 If you want a signed version of this DPA or make a custom version of the below terms it needs to be done together with EULA. Please email to partners@releasemanagement.app. In this case Effective Date is the date defined in the custom version of this DPA.

2. Data Protection

2.1 Definitions

In this DPA, the following terms have the following meanings:

(a) “Australian Data Protection Law” means the Australian Privacy Act 1988 (Cth).

(b) “Agreement” means the agreement in place between Customer and Release Management covering Customer’s use of the Services.

(c) “Applicable Data Protection Law” means all data protection laws and regulations applicable to the processing of personal data under this DPA, including, but not limited to, the Australian Data Protection Law, Brazilian Data Protection Law, European Data Protection Law, Japanese Data Protection Law, and U.S. Data Protection Law.

(d) “Brazilian Data Protection Law” means the Brazilian General Data Protection Law No. 13,709/2018 (“LGPD”).

(e) “controller”, “processor”, “data subject”, “personal data”, “personal information”, “processing” (and “process”), “commercial purpose”, and “service provider” have the meanings given in Applicable Data Protection Law, as appropriate.

(f) “Customer Personal Data” means any personal data provided by (or on behalf of) Customer to Release Management in connection with the Services, all as further described in Exhibit A, Part A of this DPA.

(g) “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.

(h) “End Users” or “Users” means an individual the Customer permits or invites to use the Release Management Products. For the avoidance of doubt: (a) individuals invited by End Users, (b) individuals under managed accounts, and (c) individuals interacting with a Release Management Product as Customer`s customers are also considered End Users.

(i) “Europe” means, for the purposes of this DPA, the Member States of the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland.

(j) “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK Data Protection Law”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) the Swiss Federal Act on Data Protection and its implementing regulations (“Swiss FADP”), in each case as may be amended, superseded or replaced from time to time.

(k) “Japanese Data Protection Law” means the Japanese Act on the Protection of Personal Information.

(l) “Restricted Transfer” means a transfer (directly or via onward transfer) of personal data subject to European Data Protection Law from Europe to a country outside of Europe that is not subject to an adequacy decision by the European Commission, or the competent UK or Swiss authorities (as applicable).

(m) “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data processed by Release Management and/or its Sub- processors in connection with the provision of the Services. For the avoidance of doubt, "Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

(n) “Services” means the provision of the products and services by Release Management to Customer pursuant to the Agreement.

(o) “special categories of personal data” or “sensitive data” means any Customer Personal Data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, and (iii) relating to criminal convictions and offences.

(p) “Standard Contractual Clauses” or “EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

(q) “Sub-processor” means any other processor engaged by Release Management in its role as a processor to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA where such entity processes Customer Personal Data. Sub-processors may include Release Management’s affiliates or other third parties.

(r) “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.

(s) “U.S. Data Protection Law” means all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

2.2 Relationship of the parties

Where Applicable Data Protection Law provides for the roles of “controller,” “processor,” and “sub-processor”:

(a) Where Release Management processes Customer Personal Data on behalf of Customer and/or Atlassian in connection with the Services, Release Management will process such personal data as a processor or sub-processor on behalf of the Customer and/or Atlassian (who, in turn, processes such personal data as a controller or a processor) and this DPA will apply accordingly. A description of such processing is set out in Exhibit A, Part A.

(b) Where Release Management processes personal data as a controller, as further detailed in Exhibit A, Part B, Release Management will process such personal data in compliance with Applicable Data Protection Law and only for the purposes that are compatible with those described in Exhibit A, Part B. For these purposes, only Sections 2.3 and 2.6 of this DPA will apply, to the extent applicable.

2.3 Description of Processing

A description of the processing of personal data related to the Services, as applicable, is set out in Exhibit A. Release Management may update the descriptions of processing from time to time to reflect new products, features or functionality comprised within the Services. Release Management will update relevant documentation to reflect such changes. The Customer can subscribe to receive notifications regarding such updates becoming a Watcher to the Confluence page where current  DPA is published.

2.4 Customer Processing of Personal Data

Customer agrees that 

(a) it will comply with its obligations under Applicable Data Protection Law in its processing of Customer Personal Data and any processing instructions it issues to Release Management, and 

(b) It has provided notice and obtained (or will obtain) all consents and rights necessary under Applicable Data Protection Law for Release Management to process personal data (including but not limited to any special categories of personal data) and provide the Services pursuant to the Agreement (including this DPA).

2.5 Release Management Processing of Personal Data

(a) When Release Management processes Customer Personal Data in its capacity as a processor on behalf of the Customer and/or Atlassian, Release Management will (i) comply with Applicable Data Protection Law, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with the documented lawful instructions of Customer (as set forth in the Agreement, in this DPA, or as directed by the Customer/Atlassian or Customer’s End Users through the Services), unless required to do so by the applicable Laws to which Release Management is subject. In this case Release Management shall inform the Customer/Atlassian of such legal requirement before processing, unless relevant Laws prohibit such information on important grounds of public interest. Release Management will promptly inform Customer/Atlassian if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law.

(b) To the extent Customer Personal Data includes personal information protected under the CCPA that Release Management processes as a service provider acting on behalf of Customer/Atlassian, Release Management will process such Customer Personal Data in accordance with the CCPA, including by complying with applicable sections of the CCPA and providing the same level of privacy protection as required by CCPA, and in accordance with Customer's written instructions, as necessary for the limited and specified purposes identified in Exhibit A, Part A of this DPA, the Agreement, and/or any related Order. Release Management will not:

i. retain, use, disclose or otherwise process such Customer Personal Data other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Order;

ii. retain, use, disclose or otherwise process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Order, or as otherwise permitted under the CCPA;

iii. "sell" or “share” such Customer Personal Data within the meaning of the CCPA; and

iv. retain, use, disclose or otherwise process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under the CCPA.

Release Management must inform Customer/Atlassian if it determines that it can no longer meet its obligations under U.S. Data Protection Laws within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of such Customer Personal Data.

(c) To the extent Customer/Atlassian discloses or otherwise makes available Deidentified Data to Release Management or to the extent Release Management creates Deidentified Data from Customer Personal Data, in each case in its capacity as a service provider, Release Management will:

i. adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;

ii. publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Release Management may attempt to re-identify such data solely for the purpose of determining whether its deidentification processes are compliant with the U.S. Data Protection Law; and

iii. before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.5(c) of the DPA (including imposing this requirement on any further Recipients).

(d) Release Management participates in and certifies compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework (together, the “Data Privacy Framework”). As required by the Data Privacy Framework, Release Management will (i) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) notify Customer if Release Management makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) upon notice, including under Section 2.5(d)(ii), take reasonable and appropriate steps to remediate unauthorized processing.

2.6 Restricted transfers

Parties agree that when the transfer of personal data from Customer (as “data exporter”) to Release Management (as “data importer”) is a Restricted Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, the transfer will be subject to the Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:

(a) In relation to transfers of Customer Personal Data governed by the EU GDPR and processed in accordance with Section 2.2(a) of this DPA, the EU SCCs will apply, completed as follows:

i. Module Two or Module Three will apply (as applicable);

ii. in Clause 7, the optional docking clause will not apply;

iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 2.10 of this DPA;

iv. in Clause 11, the optional language will not apply;

v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

vi. in Clause 18(b), disputes will be resolved before the courts of Ireland;

vii. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and

viii. Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;

(b) In relation to transfers of personal data governed by the EU GDPR and processed in accordance with Section 2.2(b) of this DPA, the EU SCCs apply, completed as follows:

i. Module One will apply;

ii. in Clause 7, the optional docking clause will not apply;

iii. in Clause 11, the optional language will not apply;

iv. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

v. in Clause 18(b), disputes will be resolved before the courts of Ireland;

vi. Annex I of the EU SCCs is deemed completed with the information set out in Exhibit A to this DPA, as applicable; and

vii. Subject to Section 2.8 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Exhibit B to this DPA;

(c) In relation to transfers of personal data governed by UK Data Protection Law, the EU SCCs: (i) apply as completed in accordance with paragraphs (a) and (b) above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 2 in Part 1 of the UK Addendum is deemed completed respectively with the information set out in Section 2.9, as well as Exhibits A and B of this DPA; Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

(d) In relation to transfers of personal data governed by the Swiss FADP, the EU SCCs will also apply in accordance with paragraphs (a) and (b) above, with the following modifications:

i. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP;

ii. references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;

iii. Clause 13 of the EU SCCs and Part C of Annex 1 are modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss FADP. Subject to the foregoing, all other requirements of Clause 13 will be observed;

iv. references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;

v. in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and

vi. Clause 18(b) states that disputes will be resolved before the applicable courts of Switzerland.

(e) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses prevail to the extent of such conflict.

2.7 Confidentiality of processing

Release Management must ensure that any person that it authorizes to process Customer Personal Data (including Release Management’s staff, agents and Sub-processors) will be subject to a duty of confidentiality (whether a contractual duty or a statutory duty), and must not permit any person to process Customer Personal Data who is not under such a duty of confidentiality.

2.8 Security

Release Management and, to the extent required under the Agreement, Customer must implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law (e.g., Art. 32 GDPR) to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data. Release Management’s current technical and organizational measures are described in Exhibit B (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Release Management may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.

2.9 Sub-processing

Customer consents to Release Management engaging Sub-processors to process Customer Personal Data, provided that Release Management maintains an up-to-date list of its sub-processors at Sub-processors, which contains a mechanism for Customer to subscribe to notifications of new Sub-processors. Release Management will: (i) enter into agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law (and in substance, to the same standard provided by this DPA); and (ii) remain liable to Customer if such Sub- processor fails to fulfill its data protection obligations with regard to the relevant processing activities under the Agreement.

2.10 Changes to Sub-processors

If Customer subscribes to Sub-processor notifications, Release Management will provide a notice to Customer of any new Sub-processors as soon as reasonably practicable, however at least fourteen (14) days’ prior to allowing such Sub-processor to process Customer Personal Data (the “Notice Period”). Customer may object in writing to Release Management’s appointment of a new Sub-processor during the Notice Period, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties are not able to achieve resolution within the Notice Period, Customer, as its sole and exclusive remedy, may terminate the applicable Order(s) or parts of the Service provided by the Sub-processor in question for convenience. If the Customer does not object during the Notice Period, Release Management will deem Customer to have authorized the new Sub-processor.

2.11 Cooperation obligations and data subjects’ rights

(a) Taking into account the nature of the processing, Release Management must provide reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Customer Personal Data that Release Management processes on Customer’s behalf;

(b) In the event that any request, correspondence, enquiry or complaint (referred to under paragraph (a) above) is made directly to Release Management, Release Management acting as a processor will not respond to such communication directly without Customer’s prior authorization, unless legally required to do so, and instead, after being notified by Release Management, Customer may respond. If Release Management is legally required to respond to such a request, Release Management will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so; and

(c) To the extent Release Management is required under Applicable Data Protection Law, Release Management will provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, taking into account the nature of processing and the information available to Release Management.

2.12 Security incidents

Upon becoming aware of a Security Incident, Release Management will notify Customer without undue delay and provide timely information (taking into account the nature of processing and the information available to Release Management) relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under Applicable Data Protection Law. Release Management will further take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. Release Management’s notification of or response to a Security Incident in accordance with this Section 2.12 will not be construed as an acknowledgment by Release Management of any fault or liability with respect to the Security Incident.

2.13 Deletion or return of Data

If requested according to Customer Data Retention, Deletion and Return Policy after the end of the provision of Services, Release Management will delete or return to Customer all Customer Personal Data (including copies) processed on behalf of the Customer in accordance with the procedures and retention periods outlined in the DPA. This requirement does not apply to the extent Release Management is required by applicable Laws to retain some or all of the Customer Personal Data which Customer Personal Data Release Management will securely isolate and protect from any further processing.

2.14 Audit

(a) Release Management conducts regular internal audits to assure compliance with current DPA, including but not limited to verifying list of sub-processors and amends to sub-processors’ Data Protection Agreements, changes in Applicable Laws. As a result this DPA, its annexes and list of sub-processors gets updated.

(b) Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Release Management, Release Management will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data that are necessary to confirm Release Management’s compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year.

(c) Only to the extent Customer cannot reasonably satisfy Release Management’s compliance with this DPA through the exercise of its rights under Section 2.14(b) above, or where required by Applicable Data Protection Law or a regulatory authority, Customer, or its authorized representatives, may conduct audits (including inspections) during the term of the Agreement to assess Release Management’s compliance with the terms of this DPA. Any audit must

(i) be conducted during Release Management’s regular business hours, with reasonable advance notice of at least 45 calendar days; (ii) be subject to reasonable confidentiality controls; (iii) occur no more than once annually; (iv) restrict its findings to only data and information relevant to Customer; and (v) obligate Customer, to the extent permitted by law or regulation, to keep confidential any information disclosed that, by its nature, should be confidential.

2.15 Law enforcement

If a law enforcement agency sends Release Management a demand for Customer Personal Data (e.g., a subpoena or court order), Release Management will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Release Management may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then Release Management will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, to the extent Release Management is legally permitted to do so.

3. Relationship with the Agreement

3.1 The parties agree that this DPA replaces and supersedes any existing DPA the parties may have previously entered into in connection with the Services.

3.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. The order of precedence in case of any conflict, exclusively in relation to the processing of personal data under this DPA, will be, in order of priority:

(a) Standard Contractual Clauses, if applicable;

(b) this DPA;

(c) EULA.

3.3 Notwithstanding anything to the contrary in the EULA or this DPA, the liability of each party and each party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

3.4 Any claims against Release Management or its affiliates under this DPA can only be brought by the Customer entity that is a party to the Agreement against the Release Management entity that is a party to the Agreement. In no event will this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

3.5 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.

3.6. This DPA and the Standard Contractual Clauses will terminate simultaneously and automatically upon deletion by Release Management of the Customer Personal Data processed on behalf of the Customer, in accordance with Section 2.13 of this DPA.

EXHIBIT A: Description of the Processing Activities / Transfer

The parties acknowledge that Release Management's processing of personal data will include all personal data submitted or uploaded to the Services by Customer from time to time, for the purposes of, or otherwise in connection with, Release Management providing the Services to Customer.

Set out below are descriptions of the processing and transfers of personal data as contemplated as of the date of this DPA. Such descriptions are subject to change or may be supplemented pursuant to Section 2.3 of the DPA.

Part A: Description of processing and transfer (as applicable) for Modules 2 and 3 of the Standard Contractual Clauses (reference to Sections 2.2(a) as well as 2.6(a) DPA)

All Cloud and DC Products

Release Management as a processor or sub-processor

All Cloud and DC Products

Release Management as a processor or sub-processor

Categories of data subjects

Customer, Customers' employees (namely Technical and Billing Contacts specified) , Customers' partners (namely Atlassian Solution Partners) on behalf of the Customer/Atlassian.

Categories of personal data transferred

Technical and Billing Contacts Information, for example:

  • Full name

  • Email address

  • Office / address

  • Office / phone number

  • Company / organization

  • Company web-site URL

Customers' Atlassian Solution Partner, for example:

  • Full name

  • Email address

  • Company / organization

  • Company web-site URL

Additional Release Management/Atlassian Product license information, for example:

  • App entitlement id and number

  • Host entitlement id and number

  • Host product edition and frequency of renewals

  • License type and status

  • License start and end dates

  • License tier

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Daily

Nature of the processing

The nature of the processing (incl. transfer) is the following: export from Atlassian Marketplace (controller or processor), secure transit and import into PLG CRM tools (sub-processor) for the purpose defined below.

Purpose of the data transfer

The purpose of data processing (incl. transfer) is the following:

  • Update Customers about new important features and capabilities delivered

  • Provide support and services to Customers

  • Update Customer about important terms and conditions changed (including pricing tier upgrades), changes to EULA, DPA, Sub-processors list, other policies, etc.

  • Informing Customers about P0, P1 incidents (including security incidents), remediate actions taken and time to resolution, follow up with root cause analysis delivered according to Security Vulnerabilities Process

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

Release Management and Roadmaps for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Release Management and Roadmaps for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Release Management and Roadmaps“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Board Configuration (for Admins only), for example:

  • Jira Project IDs

  • Atlassian User IDs, Groups IDs for Permission Management

  • Jira standard and custom datetime field IDs for Epics Sync

  • Free-text* titles of Versions and Packages workflow steps

  • Automation rules configurations including URLs, Headers, Bodies definition that might include authorization tokens

  • Free-text* custom properties names

  • Version defaults configuration including free-text* names and descriptions as well as milestones names and descriptions as free-text*

  • Definitions of backlout periods that includes free-text* name and dates

Board Usage (could be segregated for Manage and Read Only permissions), for example:

  • Jira Version IDs, Epic IDs, Sprint IDs plus plain JQL* for JQL-based versions, User IDs, Atlassian Compass & Jira Classic Component IDs

  • Free-text* versions and packages names, descriptions, comments, custom properties and milestones names/descriptions + appropriate package templates

  • Encrypted Api Tokens (https://id.atlassian.com/manage-profile/security/api-tokens) if configured to access “Commits/Deployments/Environments” information and/or “Upload to Confluence“ release notes

  • Release notes templates that are combinations of a bunch of Free-text* sections and plain JQL* tables

  • Free-text* deployment environments names and descriptions

  • Free-text* Classic Component names and descriptions

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Create multiple custom Release Management Boards with predefined workflows, restrictions and automations.

  • Create different type of versions (component releases) and package it into “business releases“, process both through workflows asuring configured quality gateways and approval processes

  • Create release notes according to pre-defined templates

  • Manage and orchestrate deployment environments

  • Manage and orchestrate cross-project components

  • Provide insights about releases health, projected delivery dates and reasons for delays, etc.

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

Advanced Kanban & Agile Boards for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Advanced Kanban & Agile Boards for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Advanced Kanban & Agile Boards“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Board Configuration (for Admins only), for example:

  • Jira Project IDs

  • Atlassian User IDs, Groups IDs for Permission Management

  • Plain JQL* to shortlist scope of the board

  • Jira standard and custom fields IDs when used as Columns and/or Swimlanes

Board Usage (could be segregated for Manage and Read Only permissions), for example:

  • Column and/or Swimlane names derived from Jira standard or custom fields values or free-text* title aliases

  • Column and Swimlane descriptions that are free-text* fields

  • Atlassian User IDs, Version IDs, Sprint IDs, Component IDs, Jira Issue IDs if used as columns and/or swimlanes

  • Column Group names that are free-text* fields

  • Quick filters aliases that are free-text* fields and plain JQL* definitions of quick filters

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Create multiple custom Kanban & Agile boards with flexible columns and/or swimlanes configurations

  • Provide descriptions of the SDLC statuses / exit criterias / quality gates

  • Manage Jira issues and hierarchy of Jira issues through SDLC lifecycle (including but not limited by managing Versions, Components, Sprints, Parent Jira Issues where Jira Issues attached to)

  • Package columns in Column Groups

  • Outline Dependencies, Statistics, etc.

  • Filter Jira issues via quick filters

  • Define and manage work-in-progress (WIP) limits

  • Define and manage Aging  limits

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

Release Gadgets for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Release Gadgets for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Release Gadgets“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Gadgets Configuration, for example:

  • Free-text* gadgets scope names

  • Jira Project IDs

  • Jira Version IDs

  • Plain JQL* to shortlist scope of the gadget

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Visualise portfolio of releases

  • Outline release progress and status.

  • Show release delays and reasons for it.

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

Time in Status Calendar & Worklog Roadmap for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Time in Status Calendar & Worklog Roadmap for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Time in Status Calendar & Worklog Roadmap“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Changelog Calendar Configuration, for example:

  • Jira Project IDs

  • Plain JQL* to shortlist scope of the calendar

  • Jira standard and custom datetime field IDs

  • Jira issues workflows steps IDs

Changelog Calendar Usage (could be segregated for Manage and Read Only permissions), for example:

  • Quick filters aliases that are free-text* fields and plain JQL* definitions of quick filters

  • Free-text* worklog comments & descriptions

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Outline Jira issues on Calendar and Roadmap view.

  • Show progress according to color coded status changes and worklog made

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

Easy Delivery Roadmaps for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Easy Delivery Roadmaps for Jira Cloud

Release Management as a processor

Marketplace Listing, Documentation Space

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the “Easy Delivery Roadmaps“ Product, e.g.:

For any user generated content submitted, Release Management acts as a processor of such personal data and Sections 2.2(a) as well as 2.6(a) DPA apply accordingly.

Plan Configuration (for Admins only), for example:

  • Jira Project IDs

  • Atlassian User IDs, Groups IDs for Permission Management

  • Jira standard and custom datetime field IDs for Epics Sync

  • Definitions of backlout periods that includes free-text* name and dates

Plan Usage (could be segregated for Manage and Read Only permissions), for example:

  • Jira Version IDs, Epic IDs, Sprint IDs plus plain JQL* for JQL-based versions and User IDs

  • Free-text* versions names, descriptions, comments and milestones names/descriptions

free text*/plain JQL*

Customer as controller of the data has to assure implementation of internal policies so that there is no sensitive data (as defined in Section 2.1) being submitted to above mentioned free text fields and plain JQL. Implemented permission model allows to shortlist users that can enter/alter these free text fields and plain JQL.

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Processing of relevant personal data for the purposes identified below

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • Create multiple custom Delivery Plans.

  • Create different type of deliverables - versions, epics, sprints, JQL versions

  • Outline deliverables om Roadmap and Calendar views

  • Manage intermediate milestones

  • Provide insights about deliverables health, projected delivery dates and reasons for delays, etc.

Duration of processing

Data will be deleted upon request according to Data Deletion Policy in accordance with Section 2.13 of this DPA

Part B: Description of processing and transfer (as applicable) for Module 1 of the Standard Contractual Clauses (reference to Sections 2.2(b) as well as 2.6(b) DPA)

All Cloud and DC Products

Release Management as a controller

All Cloud and DC Products

Release Management as a controller

Categories of data subjects

Customer, Customers' employees, Customers' collaborators, as well as all relevant End Users of the Services on behalf of the Customer.

Categories of personal data transferred

Personal data relating to or obtained in connection with the operation, support or use of the Products, e.g.:

Information on the use of the Products, for example:

  • Event Name (i.e., what action the user performed)

  • Event Timestamp

  • Page URL

  • Referring URL

Actor information, for example:

  • Actor ID

  • Actor Display Name

  • Actor Email (for DC Products Only)

Device and connection information, for example:

  • IP address

  • Cookie information

  • Device information

  • Browser information

Additional Release Management/Atlassian Product license information, for example:

  • App entitlement id and number

  • Host entitlement id and number

  • Host product edition and frequency of renewals

  • License type and status

  • License start and end dates

  • License tier

Sensitive data transferred?

(as defined in Section 2.1)

None

Frequency of the transfer

Continuous

Nature of the processing

Collection, storage, and processing of relevant personal data for the purposes identified in this Part B.

Purpose of the data transfer

Personal data will be processed for Release Management’s legitimate business purposes. This entails in particular the following:

  • To facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery in order to protect Customers, End Users and Release Management.

  • To engage and to provide support and assistance to Customer and End Users as requested from time to time.

  • To comply with legal and financial reporting obligations

  • To administer the Services, including to calculate usage-based billing

  • To derive insights in order to maintain, develop, and improve the Services and support, including for research and development purposes

  • To derive insights in order to inform internal business analysis and product strategy.

Duration of processing

Release Management may process personal data for the purposes described above for the duration of the DPA, and for as long as Release Management has a legitimate need to retain the personal data for the purposes it was collected or transferred, in accordance with Applicable Data Protection Law.

EXHIBIT B: Technical and Organizational Security Measures

1. Purpose.

This Exhibit describes Release Management’s security program, also physical, technical, organizational and administrative controls and measures to protect Customer Data from unauthorized access, destruction, use, modification or disclosure (the “Security Measures“). The Security Measures are intended to be in line with the commonly-accepted standards of similarly-situated software-as-a-service providers (“industry standard“). Unless otherwise specified in the applicable Product-Specific Terms, the Security Measures apply to all Release Management Products (other than No-Charge Products or Free and Beta Products) that are available under the Agreement.

2. Updates and Modifications.

The Security Measures are subject to technical progress and development and Release Management may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Release Management Products, as described in this document.

We suggest to become a Watcher for this Confluence Page to receive in-time updates about all the update and modifications to Release Management Security Measures.

3. Definitions.

Any capitalized terms used but not defined in this document have the meanings set out in the Agreement. The term “Customer Data“ means any data, content or materials provided to Release Management by or at the direction of Customer or its End Users via the Release Management Products, including from Third-Party Products.

The specific Customer Personal Data we use per Application are defined in #EXHIBIT-A:-Description-of-the-Processing-Activities-/-Transfer

4. Security Measures.

The Security Measures are described in the following table:

Measure

Description

Measure

Description

Measures of pseudonymisation and encryption of data

Encryption

Release Management has and will maintain: (i) an established method to encrypt Customer Data in transit; (ii) an established method to securely store passwords following industry standard practices; and (iii) use established key management methods.

Any customer data is encrypted in transit over public networks using TLS 1.2 or greater, with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.

We encrypt data at rest (on disk/storage). We also use TLS/SSL connection between 3x data cluster nodes for data replication. Backup files in S3 AWS (Germany) are also encrypted.

Pseudonymisation

Release Management has and will maintain: (i) an established method to create pseudonymised data sets using industry standard practices; and (ii) appropriate technical and organisational measures governing the systems capable of remapping pseudonymous identifiers.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Security Program

Release Management will maintain a security management program that includes but is not limited to:

  1. executive review, support and accountability for all security related policies and practices;

  2. a written information security policy and framework that meets or exceeds industry standards and that, as a baseline, includes (i) defined information security roles and responsibilities, (ii) a formal and effective risk mitigation program and (iii) a service provider security management program;

  3. periodic risk assessments of all Release Management owned or leased systems processing Customer Data;

  4. prompt review of security incidents affecting the security of Release Management systems processing Customer Data, including determination of root cause and corrective action;

  5. security review and testing being part of software development and acceptance testing process for our Products

  6. processes to identify and quantify security risks, develop mitigation plans, which must be approved by Release Management’s Chief Security & Data Officer (or one of their delegates), and track the implementation of such plans; and

  7. a comprehensive security testing methodology that consists of diverse and independent approaches that, when combined, are reasonably designed to maximize coverage for a varied and diverse set of attack vectors.

Release Management will periodically (and, in any event, no less frequently than annually) review and, where applicable, update such security management program.

Security Incident Notification

Release Management will notify Customer of Security Incidents in accordance with this DPA and Security Vulnerabilities Process.

Employee Screening, Training, Access and Controls

Release Management will maintain policies and practices that include the following controls and safeguards applied to Release Management staff who have access to Customer Data and/or provide Support and Services to Customer:

  1. pre-hire background checks (including criminal record inquiries) on Release Management job candidates, subject to and in accordance with applicable Laws and generally accepted industry standards;

  2. periodic security awareness training;

  3. a disciplinary policy and process to be used when Release Management staff violate Release Management’s security policies;

  4. access to Release Management IT systems with appropriate technical security controls (including two-factor authentication);

  5. controls designed to limit access to Customer Data to only those Release Management staff with an actual need-to-know such Customer Data. Such controls include the use of a formal access management process for the request, review, approval and provisioning for all Release Management staff with access to Customer Data; and

  6. separation of duties to prevent a single Release Management employee from controlling all key aspects of a critical transaction or business process related to Customer Data or systems.

Measures for ensuring the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident

During the Subscription Term, Release Management’s business continuity and disaster recovery plans (collectively, the “BCDR Plans“) will address at least the following topics:

  1. the availability of human resources with appropriate skill sets;

  2. the availability of all IT infrastructure, telecommunications capabilities and any other technology used or relied upon by Release Management in the provision of the Products;

  3. Release Management’s plans for storage and continuity of use of data and software;

  4. clear recovery time objectives (RTOs) and recovery point objectives (RPOs);

  5. mechanisms for the geographic diversity or back-up of business operations;

  6. the potential impact of cyber events and Release Management’s ability to maintain business continuity in light of such events, as well as a framework and procedure to respond to and remediate such events;

  7. the management of data corruption incidents; and

  8. procedures and frequency of testing of the BCDR Plans.

Release Management will periodically (and, in any event, no less frequently than annually) review and where applicable, update the BCDR Plans.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Vulnerability Management

Release Management will maintain the following vulnerability management processes:

Vulnerability Scanning and Remediation. Release Management employs processes and tools in line with industry standards to conduct frequent vulnerability scanning to test Release Management’s network and infrastructure and application vulnerability testing to test Release Management applications and services. Release Management applies security patches to software components in production and development environments as soon as commercially practicable in accordance with our Information Security Policy.

Identifying Malicious Threats. Release Management employs processes and tools in line with industry standards to identify malicious actors and prevent them from accessing Customer Data or Release Management systems that process Customer Data. These include, but are not limited to, maintaining software that attempts to identify and detect attempted intrusions, behaviors consistent with Internet-based attacks, and indicators of potential compromise. Release Management will maintain a security incident and event management system and supporting processes to notify appropriate personnel in response to threats.

Vulnerability Testing.

  1. Release Management conducts internal vulnerability testing. This includes dependent libraries vulnerabilities scan at every build, security review and testing as integral part of SDLC. This includes also Atlassian-powered bug bounty/cloud fortified programs. We make the results of these programs available on request and commit to making bug fixes in line with our Security Vulnerabilities Process.

  2. Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with Release Management), perform its own vulnerability testing of its Cloud Products, provided that Customer cannot exercise this right more than once per calendar year. Customer may report any vulnerabilities impacting the Release Management Products to Release Management in via Service Desk portal or security@releasemanagement.app email address.

  3. Release Management will use commercially reasonable efforts to address identified security vulnerabilities in our Products and our infrastructure in accordance with the Security Vulnerabilities Process. The parties acknowledge that Release Management may update the Security Vulnerabilities Process from time to time in its discretion, provided such updates do not result in a material derogation of the Security Vulnerabilities Process.

Measures for user identification and authorisation

Atlassian cloud users can authenticate using username and password, or external IPs (incl. via SAML, Google, Microsoft and Apple). All credentials are hosted in the Atlassian database, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm.

Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access:

Atlassian' Manage Passwords Policy. Administrators are also able to enforce SSO via Atlassian Access.

We (as Release Management) fully delegate identification and authorisation to Atlassian and assure permissions check and control for any actions in accordance with roles and configurations set.

Measures for the protection of data during transmission

See the item above titled “Measures of pseudonymisation and encryption of data

Measures for the protection of data during storage

Data Hosting Facilities

Release Management will, no less frequently than annually, request assurances from its data hosting providers that store or process Customer Data that:

  1. such data hosting provider’s facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference;

  2. such data hosting provider’s facilities employ physical security appropriate to the classification of the assets and information being managed; and

  3. such data hosting provider’s facilities limit and screen all entrants employing measures such as on-site security guard(s), badge reader(s), electronic lock(s), or a monitored closed caption television (CCTV).

Measures for ensuring physical security of locations at which data are processed

See the item above titled “Measures for the protection of data during storage“.

Measures for ensuring events logging

For Atlassian entities audit logging is available via API (See Track organization activities from the audit log).

For Release Management entities audit logging is available via UI for specific Application. Contact support@releasemanagement.app for details.

Measures for ensuring system configuration, including default configuration

See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services“.

Measures for internal IT and IT security governance and management

See the item above titled “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services“.

Measures for certification/assurance of processes and products

See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing“.

Measures for ensuring data minimisation

See Privacy Policy - Data Security and Privacy Statement

Measures for ensuring data quality

See the items above titled “Measures of pseudonymisation and encryption of data“, “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services“, and “Measures for the protection of data during storage“.

Measures for ensuring limited data retention

Data Retention and Destruction Standard

Release Management maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types. The Data Retention and Destruction Standard is guided by the following principles:

  • Records should be maintained as long as they serve a business purpose.

  • Records that serve a business purpose, or which Release Management has a legal, regulatory, contractual or other duty to retain, will be retained.

  • Records that no longer serve a business purpose, and for which Release Management has no duty to retain, should be disposed. Copies or duplicates of such data should also be disposed. To the extent Release Management has a duty to retain a specified number of copies of a Record, such number of copies should be retained.

  • Release Management’s practices implementing this Standard may vary across departments, systems and media, and will of necessity evolve over time. These practices will be reviewed under our company-wide policy review practices.

Measures for ensuring accountability

See the item above titled “Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing“.

Measures for allowing data portability and ensuring erasure

Data Export

See Customer Data Retention, Deletion and Return Policy

Secure Deletion

Release Management will maintain a process reasonably designed to ensure secure destruction and deletion of any and all Customer Data as provided in this DPA. Such Customer Data will be securely destroyed and deleted by Release Management so that: (a) Customer Data cannot be practicably read or reconstructed, and (b) the Release Management systems that store Customer Data are securely erased.