Data Processing Addendum (DPA)

 

Parties

Customer:

Company Name:

Incorporated and registered in:

Company/registration number:

Registered office:

The Provider:

Company Name: The Plugin People Ltd

Incorporated and registered in: England and Wales

Company/registration number: 08404380

Registered office: Pure Offices, Cheltenham Office Park, Hatherley Lane, Cheltenham, Gloucestershire, GL51 6SH, UK

Background

The Customer uses the Provider’s product, Enterprise Mail Handler for Jira Cloud (Product), and the Customer’s use of the Product may require the Provider to process Personal Data on behalf of the Customer.

This Personal Data Processing Agreement (Agreement) sets out the terms, requirements and conditions on which the Provider will process Personal Data when the Customer uses the Product. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

This Data Processing Agreement is included within the Cloud Software Product EULA, forming a blanket agreement: use of the app constitutes agreement with these terms. Individually signed DPA contracts (a PDF export of this page) can still be provided if required.

Agreed Terms

1. Definitions and interpretation

The following definitions and rules of interpretation apply in this Agreement.

“Applicable Laws”:

(for so long as and to the extent that they apply to the Customer and Provider) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing and appropriate technical and organisational measures:

have the meanings given to them in the Data Protection Legislation

"Data Protection Legislation":

the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications)

“Records”:

has the meaning given to it in clause 3.6.8

“Term”:

this Agreement's term as defined in clause 2

“Customer”:

In GDPR Terms, the Data Controller

“Provider”:

In GDPR Terms, the Data Processor (The Plugin People Ltd)

“Third Party Processors”:

means those third parties set out in Appendix B : The Provider’s Sub-Processors

“UK Data Protection Legislation”:

all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended

The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

2. Term

This Agreement will remain in full force and effect so long as the Customer uses the Product or the Provider retains any of the Personal Data in its possession or control related to the Customer’s use of the Product (Term).

3. Data Protection

3.1 The Provider will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace, a party’s obligation or rights under the Data Protection Legislation.

3.2 The Provider and the Customer agree and acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor.

3.3 Appendix A : Processing, Personal Data and Data Subjects describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data in relation to the Customer’s use of the Product.

3.3.1 The Provider acknowledges that Customer data processed by the system is owned by the Customer. The Provider's use of Customer data is limited solely to fulfilling its support obligations, and to disclosure to its sub-processors as part of that.

3.4 The Customer warrants that the Provider’s processing of the Personal Data resulting from the Customer’s use of the Product and as specifically instructed by the Customer will comply with the Data Protection Legislation.

3.5 Without prejudice to the generality of clause 3.1, the Customer shall ensure it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider and/or lawful collection of the Personal Data by the Provider on behalf of the Customer for as long as the Customer uses the Product and for the purposes of this Agreement.

3.6 Without prejudice to the generality of clause 3.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by it of its obligations under this Agreement:

3.6.1 process that Personal Data only on the Customer’s instructions given in accordance with the Customer’s use of the Product unless the Provider is required by Applicable Laws to otherwise process that Personal Data. Where the Provider is relying on Applicable Laws as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from doing so;

3.6.2 the Provider shall, subject to clause 3.9, ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, the measures set out at Appendix D : Technical and Organisational Measures);

3.6.3 the Provider will ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

3.6.4 the Provider will, so far as it is reasonably practicable to do so, assist the Customer at the Customer’s cost in responding to any request from a Data Subject and in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3.6.5 the Provider will notify the Customer without undue delay on becoming aware of a Personal Data Breach or if, in the Provider’s reasonable opinion, an instruction given by the Customer to the Provider infringes Data Protection Legislation;

3.6.6 the Provider will comply promptly with any written instructions from the Customer requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing;

3.6.7 at the written direction of the Customer, the Provider will delete or return Personal Data and copies thereof to the Customer on termination of the Customer’s licence in relation to the Product unless required by Applicable Law to store the Personal Data; and

3.6.8 the Provider will maintain complete and accurate records and information to demonstrate its compliance with this Agreement (Records). These will primarily take the form of support ticket history; the Customer's provision of its client data in a support ticket is deemed authority for the Provider to use that data to help the Customer.

3.7 The Customer consents to the Provider appointing the Third Party Processors as third-party processors of Personal Data under this Agreement. The Provider confirms that it has entered into a written agreement substantially on that third party's standard terms of business. The third-party processors set out at Appendix B : The Provider’s Sub-Processors will process Personal Data outside of the European Economic Area and each self-certify to and comply with the EU-U.S. Privacy Shield Frameworks.

3.8 Other than to the third-party processors set out at Appendix B : The Provider’s Sub-Processors, the Provider will not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

3.8.1 the Customer or the Provider have provided appropriate safeguards in relation to the transfer;

3.8.2 the data subject has enforceable rights and effective legal remedies;

3.8.3 the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

3.8.4 the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.

3.9 The Customer agrees and acknowledges that the Product has not been developed by the Provider to meet the Customer’s individual requirements, and that it is the Customer’s responsibility to determine how to use the Product in accordance with all applicable requirements of the Data Protection Legislation and carry out its own assessment of whether the Product provides the appropriate level of security required for the nature of the processing being carried out by the Customer. See Appendix C : The Provider’s Privacy Policy.

3.10 The Provider will permit the Customer and its third-party representatives to audit the Provider's compliance with this Agreement, on at least 30 days' notice, during the Term. The Provider will give the Customer and its third-party representatives such assistance as is reasonably required to conduct such audits at the cost of the Customer (including reasonable costs in respect of the Provider’s management time).

4. Notices

4.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to the address stated on page 1 or such other address as is notified in writing to the other party for this purpose.

5. Limitation of Liability

5.1 Notwithstanding any opposing terms in the contractual basis the Provider shall not be liable to the Customer for any indirect loss, including loss of production, sales, profits, time or goodwill unless they are caused intentionally or by gross negligence.

5.2 Claims for compensation can in no case exceed 50% of the agreed annual fee paid through Atlassian Marketplace.

6. Governing law and jurisdiction

6.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

6.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).

7. Agreement signatories

The Customer / Data Exporter

For activities relevant to the data transferred under the Clauses: use of JEMHC services

Name:

Signature:

Company Name:

Company Address:

Date:

The Provider / Data Importer

Name: Andy Brook

Signature:

Company Name: The Plugin People Ltd

Company Address: Pure Offices, Cheltenham Office Park, Hatherley Lane, Cheltenham, Gloucestershire, GL51 6SH, UK

Date:

Appendix A : Processing, Personal Data and Data Subjects

Processing by the Provider

Scope, nature, purpose and duration

The SOFTWARE PRODUCT is an Atlassian Marketplace Cloud App that is used in conjunction with Atlassian’s Jira Cloud. When using the Software Product to interact with your Jira Cloud instance using servers you manage and configure, any Personal Data forming part of the communications being submitted using the Software Product will be processed by The Plugin People Ltd in a server hosted by Amazon Web Services.

You are able to configure the SOFTWARE PRODUCT to determine how Personal Data is processed, as well as to control the SOFTWARE PRODUCT's audit retention of Personal Data (for example, email and notifications in and out).

The Personal Data is being processed for the purpose of the Customer’s use of the Software Product.

Types of Personal Data

The Personal Data transferred concern the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone).

  • Indirect identifying information (e.g., job title, gender, date of birth).

  • Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).

  • Any personal data supplied by users of the SOFTWARE PRODUCT.

Categories of Data Subject

The Personal Data concerns end users of the SOFTWARE PRODUCT, in addition to individuals whose personal data is supplied by end users of the SOFTWARE PRODUCT.

 

Appendix B: The Provider’s Sub-Processors

In order to provide the JEMHC service, the following sub-processors are involved (listed as Name (Purpose): Usage, with DPA signed/accepted status where recorded):

  • Amazon Web Services (Infrastructure): Our cloud app processes customer traffic using services running within AWS infrastructure. DPA: see note below.

  • Google (Infrastructure + Customer Support): JEMHC notifications and support service are powered by email hosted on Google Workspace. Billing for your per-user subscription providing baseline capacity is handled by Atlassian; billing for additional capacity is handled by us. DPA: see note below.

  • Atlassian (Customer Support): Our support service is powered by Atlassian Jira/ServiceDesk. Some orders are processed through support. DPA: in place.

  • Mailtrap.io (Customer Support): Our support service may handle email content provided by you. We may use a dead-end mailbox service provided by Mailtrap.io when doing mail notification related testing. This service is used to prevent any exposure of your data to ‘real’ recipients. DPA: in place.

  • Twilio (Communication): SMS alerts used in support. DPA: see note below.

  • Slack (Communication): Our support service uses Slack to notify us of issue updates, license transitions and system level events. DPA: in place.

  • PayPal (Payment Processing): You may use credit cards to purchase top-up capacity, executed through PayPal clearing. DPA: request sent.

  • E-Junkie (Payment Processing): Top-up capacity shop is powered by e-junkie. DPA: see note below.

  • Vanta (Compliance): Provides real-time infrastructure monitoring for SOC2 compliance testing. DPA: in place.

DPA notes:

  • AWS DPA is part of their standard terms.

  • Google Workspace DPA is accepted; the DPA is an appendix to the Google Workspace standard terms.

  • Twilio DPA is part of their standard terms.

  • E-Junkie main terms make no reference to the DPA, which simply declares its applicability to the standard terms.

 

Appendix C : The Provider’s Privacy Policy

The Privacy Policy is too large to include here; it is maintained online at the address below, can be printed from there, may be updated periodically, and the version published at any given time is deemed to be in effect.

https://thepluginpeople.atlassian.net/wiki/spaces/PP/pages/874283131

 

Appendix D : Technical and Organisational Measures

The Provider will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data transferred to the Provider as described in Appendix C : The Provider’s Privacy Policy, including but not limited to:

Security

  • Use of AWS hosting (https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html) that is in compliance with:

    • SOC 1/ISAE 3402, SOC 2, SOC 3

    • FISMA, DIACAP, and FedRAMP

    • PCI DSS Level 1

    • ISO 9001, ISO 27001, ISO 27017, ISO 27018

  • Use of Google hosting (https://workspace.google.com/learn-more/security/security-whitepaper/page-5.html)

  • Implementation of 2FA for cloud services where supported

  • Implementation of policy defining how access is granted in AWS IAM (Internal Policy: Data Access Policy)

  • Where accessible, use of firewall protection for all unknown IP addresses, use of client SSH certificates

  • Division of premises into different security zones

  • Firewall protection for all unknown IP addresses

  • The automated system of vulnerability evaluation in the application source code

  • Automated user data retention according to policy

  • Implementation of partial access rights for respective data and functions;

  • Enrolment in a public Bug-Bounty for security vulnerability discovery

Confidentiality

  • SSL and TLS (1.2+) transport level security using minimum AES256 cipher suite

  • Storage secret management

  • Encryption of user email data at rest

  • Storage of billing data for customer upgrades through Bank, PayPal and Google Workspace

Integrity

  • Realisation of a regular backup schedule

  • Deployment of fault tolerant multi-AZ application/database

Appendix E : GDPR, Article 27 : Authorised Representative

UK Authorized Representative

For the United Kingdom GDPR and the Data Protection Act 2018, the representative is The Plugin People Ltd.

Email address: privacy@thepluginpeople.com

Telephone number: +44 1242 802 757

Address: The Plugin People Ltd, Pure Offices, Hatherley Lane, Cheltenham, GL51-6SH, UK

EU Authorized Representative

When contacting our Representatives please ensure you include our company name The Plugin People Ltd in any correspondence.

To comply with (Art. 27 GDPR – Representatives of controllers or processors not established in the Union - General Data Protection Regulation (GDPR) ), we have appointed IT Governance Europe Limited to act as our EU Representative. If you wish to exercise your rights under the EU General Data Protection Regulation (GDPR), or have any queries in relation to your rights or privacy matters generally as applicable to EU customers please email our Representative:

Email: eurep@itgovernance.eu

Address: EU Representative, IT Governance Europe, The Mill Enterprise Hub, Stagreenan, Drogheda, Co. Louth, A92 CD3D, Ireland.