Data Processing Addendum (DPA)
- Andy Brook [Plugin People]
- 1 Parties
- 2 Background
- 3 Agreed Terms
- 4 Appendix A : Processing, Personal Data and Data Subjects
- 5 Appendix B: The Provider’s Sub-Processors
- 6 Appendix C : The Provider’s Privacy Policy
- 7 Appendix D : Technical and Organisational Measures
- 7.1 Security
- 7.2 Confidentiality
- 7.3 Integrity
- 8 Appendix E : GDPR, Article 27 : Authorised Representative
Parties
Customer:
Customer Company Name |
|
|---|---|
Incorporated and registered in |
|
Company/registration number |
|
Registered office |
|
The Provider:
Customer Company Name | The Plugin People Ltd |
|---|---|
Incorporated and registered in | Incorporated and registered in England and Wales |
Company/registration number | 08404380 |
Registered office | Pure Offices Cheltenham Office Park,Hatherley Lane, Cheltenham, Gloucestershire, GL51 6SH, UK |
Background
The Customer uses the Provider’s product, Enterprise Mail Handler for Jira Cloud (Product), and the Customer’s use of the Product may require the Provider to process Personal Data on behalf of the Customer.
This Personal Data Processing Agreement (Agreement) sets out the terms, requirements and conditions on which the Provider will process Personal Data when the Customer uses the Product. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
This Data Processing Agreement is included within the Cloud Software Product EULA forming a blanket agreement, use of the app constitutes agreement with these terms, individually signed DPA contracts (PDF export of this page) scan still be provided if required.
Agreed Terms
1. Definitions and interpretation
The following definitions and rules of interpretation apply in this Agreement.
“Applicable Laws”: | for so long as and to the extent that they apply to the Customer and Provider) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law |
|---|---|
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing and appropriate technical and organisational measures: | have the meanings given to them in the Data Protection Legislation |
"Data Protection Legislation": | the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) |
“Records”: | has the meaning given to it in clause 3.6.8 |
“Term”: | this Agreement's term as defined in clause 2 |
“Customer:” | In GDPR Terms, the Data Controller |
“Provider:” | In GDPR Terms, the Data Processor (The Plugin People Ltd) |
“Third Party Processors” | means those third parties set out in Appendix B : The Provider’s Sub-Processors |
“UK Data Protection Legislation”: | all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended |
The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
2. Term
This Agreement will remain in full force and effect so long as the Customer uses the Product or the Provider retains any of the Personal Data in its possession or control related to the Customer’s use of the Product (Term).
3. Data Protection
3.1 The Provider will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace, a party’s obligation or rights under the Data Protection Legislation.
3.2 The Provider and the Customer agree and acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor.
3.3 Appendix A : Processing, Personal Data and Data Subjects describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data in relation to the Customer’s use of the Product.
3.3.1 The Provider acknowledges that Customer data processed by the system is owned by the customer. Provider use of Customer data will be solely limited to fulfilling our support obligations and disseminated over our sub-processors as a part of that.
3.4 The Customer warrants that the Provider’s processing of the Personal Data resulting from the Customer’s use of the Product and as specifically instructed by the Customer will comply with the Data Protection Legislation.
3.5 Without prejudice to the generality of clause 3.1, the Customer shall ensure it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider and/or lawful collection of the Personal Data by the Provider on behalf of the Customer for as long as the Customer uses the Product and for the purposes of this Agreement.
3.6 Without prejudice to the generality of clause 3.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by it of its obligations under this Agreement:
3.6.1 process that Personal Data only on the Customer’s instructions given in accordance with the Customer’s use of the Product unless the Provider is required by Applicable Laws to otherwise process that Personal Data. Where the Provider is relying on Applicable Laws as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from doing so;
3.6.2 the Provider shall, subject to clause 3.9, ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, the measures set out at Appendix D : Technical and Organisational Measures);
3.6.3 the Provider will ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
3.6.4 the Provider will, so far is it is reasonably practicable to do so, assist the Customer at the Customer’s cost in responding to any request from a Data Subject and in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
3.6.5 the Provider will notify the Customer without undue delay on becoming aware of a Personal Data Breach or if, in the Provider’s reasonable opinion, an instruction given by the Customer to the Provider infringes Data Protection Legislation;
3.6.6 the Provider will comply promptly with any written instructions from the Customer requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing;
3.6.7 at the written direction of the Customer, the Provider will delete or return Personal Data and copies thereof to the Customer on termination of the Customer’s licence in relation to the Product unless required by Applicable Law to store the Personal Data; and
3.6.8 the Provider will maintain complete and accurate records and information to demonstrate its compliance with this Agreement (Records). This will primarily be in the form of support ticket history where the provision by the customer of their client data is deemed authority for us to use that data to help the customer.
3.7 The Customer consents to the Provider appointing the Third Party Processors as third-party processors of Personal Data under this Agreement. The Provider confirms that it has entered into a written agreement substantially on that third party's standard terms of business. The third-party processors set out at Appendix B : The Provider’s Sub-Processors will process Personal Data outside of the European Economic Area and each self-certify to and comply with the EU-U.S. Privacy Shield Frameworks.
3.8 Other than to the third-party processors set out at Appendix B : The Provider’s Sub-Processors, the Provider will not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
3.8.1 the Customer or the Provider have provided appropriate safeguards in relation to the transfer;
3.8.2 the data subject has enforceable rights and effective legal remedies;
3.8.3 the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
3.8.4 the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.
3.9 The Customer agrees and acknowledges that the Product has not been developed by the Provider to meet the Customer’s individual requirements, and that it is the Customer’s responsibility to determine how to use the Product in accordance with all applicable requirements of the Data Protection Legislation and carry out its own assessment of whether the Product provides the appropriate level of security required for the nature of the processing being carried out by the Customer. See Appendix C : The Provider’s Privacy Policy.
3.10 The Provider will permit the Customer and its third-party representatives to audit the Provider's compliance with this Agreement, on at least 30 days' notice, during the Term. The Provider will give the Customer and its third-party representatives such assistance as is reasonably required to conduct such audits at the cost of the Customer (including reasonable costs in respect of the Provider’s management time).
4. Notices
4.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to the address stated on page 1 or such other address is notified in writing to the other party for this purpose.
5. Limitation of Liability
5.1 Notwithstanding any opposing terms in the contractual basis the Provider shall not be liable to the Customer for any indirect loss, including loss of production, sales, profits, time or goodwill unless they are caused intentionally or by gross negligence.
5.2 Claims for compensation can in no case exceed 50% of the agreed annual fee paid though Atlassian Marketplace.
6. Governing law and jurisdiction
5.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
5.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
7. Agreement signatories
The Customer / Data Exporter
For activities relevant to the data transferred under the Clauses: use of JEMHC services
Name
|
|
|---|---|
Signature
|
|
Company Name
|
|
Company Address
|
|
Date |
|
The Provider / Data Importer
Name
| Andy Brook |
|---|---|
Signature
|
|
Company Name
| The Plugin People Ltd |
Company Address
| Pure Offices, Cheltenham Office Park, Hatherley Lane, Cheltenham, Gloucestershire, GL51 6SH, UK |
Date |
|
Appendix A : Processing, Personal Data and Data Subjects
Processing by the Provider
Scope, nature, purpose and duration
The SOFTWARE PRODUCT is an Atlassian Marketplace Cloud App that is used in conjunction with Atlassian’s Jira Cloud. When using the Software Product to interact with your Jira Cloud instance using servers you manage and configure, any Personal Data forming part of the communications being submitted using the Software Product will be processed by The Plugin People Ltd in a server hosted by Amazon Web Services.
You are able configure the SOFTWARE PRODUCT to determine how Personal Data is processed as well as controlling the SOFTWARE PRODUCT audit retention of Personal Data (for example, email and notifications in and out).
The Personal Data is being processed for the purpose of the Customer’s use of the Software Product.
Types of Personal Data
The Personal Data transferred concern the following categories of data:
Direct identifying information (e.g., name, email address, telephone).
Indirect identifying information (e.g., job title, gender, date of birth).
Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
Any personal data supplied by users of the SOFTWARE PRODUCT.
Categories of Data Subject
The Personal Data concerns end users of the SOFTWARE PRODUCT, in addition to individuals whose personal data is supplied by end users of the SOFTWARE PRODUCT.
Appendix B: The Provider’s Sub-Processors
In order to provide the JEMHC service, the following sub-processors are involved:
Name | Purpose | Usage | DPA | Signed/ Accepted |
|---|---|---|---|---|
Amazon Web Services | Infrastructure | Our cloud app processes customer traffic using services running within AWS infrastructure |
| |
Infrastructure + Customer Support | JEMHC notifications and support service are powered by email hosted on Google Workspace. Billing for your per-user subscription providing baseline capacity is handled by Atlassian, billing for additional capacity is handled by us. |
| ||
Atlassian | Customer Support | Out support service is powered by Atlassian Jira/ServiceDesk. Some orders are processed through support. | ||
Mailtrap.io | Customer Support | Our support service may handle email content provided by you. We may use a dead-end mailbox service provided by Mailtrap.io when doing mail notification related testing. This service is used to prevent any exposure of your data to ‘real’ recipients. | ||
Twilio | Communication | SMS alerts used in support |
| |
Slack | Communication | Our support service uses Slack to notify us of issue updates, license transitions and system level events | ||
PayPal | Payment Processing | You may use credit cards to purchase top-up capacity, executed through PayPal clearing | req sent | |
E-Junkie | Payment Processing | Top-up capacity shop is powered by e-junkie |
| |
Vanta | Compliance | Provides real-time infrastructure monitoring for SOC2 compliance testing |
AWS DPA is part of their standard terms
Google Workspace DPA is accepted, the DPA are appendices to Google Workspace standard terms
Twilio DPA is part of their standard terms
E-Junkie main terms make no reference to the DPA which just declares applicability to the standard terms
Appendix C : The Provider’s Privacy Policy
The Privacy Policy is too large to include here, it is maintained online, can be printed from, can be updated periodically and would be deemed to be in effect at that time.
Appendix D : Technical and Organisational Measures
The Provider will maintain reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data transferred to the Provider as described in Appendix C : The Provider’s Privacy Policy , including but not limited to:
Security
Use of AWS hosting (Security and compliance - Overview of Amazon Web Services) that is in compliance with:
SOC 1/ISAE 3402, SOC 2, SOC 3
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 9001, ISO 27001, ISO 27017, ISO 27018
Use of Google hosting (Independent Third-Party Certifications - Google Workspace)
Implementation of 2FA for cloud services where supported
Implementation of policy defining how access is granted in AWS IAM (Internal Policy: Data Access Policy)
Where accessible, use of firewall protection for all unknown IP addresses, use of client SSH certificates
Division of premises into different security zones
Firewall protection for all unknown IP addresses
The automated system of vulnerability evaluation in the application source code
Automated user data retention according to policy
Implementation of partial access rights for respective data and functions;
Enrolment in a public Bug-Bounty for security vulnerability discovery
Confidentiality
SSL and TLS (1.2+) transport level security using minimum AES256 cipher suite
Storage secret management
Encryption of user email data at rest
Storage billing data of customer upgrades through Bank, PayPal and Google Workplace
Integrity
Realisation of a regular backup schedule
Deployment of fault tolerant multi-AZ application/database
Appendix E : GDPR, Article 27 : Authorised Representative
UK Authorized Representative
For United Kingdom GDPR and the Data Protection Act 2018 is The Plugin People Ltd
Email address: privacy@thepluginpeople.com
Telephone number: +44 1242 802 757
Address: The Plugin People Ltd, Pure Offices, Hatherley Lane, Cheltenham, GL51-6SH, UK
EU Authorized Representative
When contacting our Representatives please ensure you include our company name The Plugin People Ltd in any correspondence.
To comply with (Art. 27 GDPR – Representatives of controllers or processors not established in the Union - General Data Protection Regulation (GDPR) ), we have appointed IT Governance Europe Limited to act as our EU Representative. If you wish to exercise your rights under the EU General Data Protection Regulation (GDPR), or have any queries in relation to your rights or privacy matters generally as applicable to EU customers please email our Representative:
Email: eurep@itgovernance.eu
Address: EU Representative, IT Governance Europe, The Mill Enterprise Hub, Stagreenan, Drogheda,
Co. Louth, A92 CD3D, Ireland.