Data Protection Addendum (DPA)
This Data Protection Addendum ("DPA") supplements the terms and conditions of Cappsule Sarl ("Processor") Privacy Policy and is incorporated into the Cappsule's agreement with its customers ("Controller") who use the Timesheet Tracking for JIRA plugin ("Plugin") in accordance with the EU General Data Protection Regulation 2016/679 ("GDPR").
1.Introduction
This DPA sets out the data protection obligations of the Processor to its customers who use the Plugin in accordance with the GDPR.
2. Definitions
The terms used in this DPA shall have the meaning set forth in the GDPR, unless otherwise defined in this DPA.
3. Processing of Personal Data
3.1 The Processor shall only process Personal Data on behalf of the Controller and only when explicitly accepted by the Controller.
3.2 The Processor shall take all necessary technical and organizational measures to ensure that the Personal Data is processed in a manner that ensures its security, integrity, and confidentiality.
3.3 The Processor shall not process Personal Data other than on the documented features of the Plugin or use it for any purpose other than to perform the services under the Agreement, unless required to do so by law.
3.4 The Personal Data processed by the Processor is limited to worklogs, worklog attributes, and Display names. The Processor associates the worklogs to the display name of the user who entered the worklog within the Atlassian services. However, the Processor does not store or process any personal data outside of Atlassian services.
3.5 The parties agree that Atlassian's terms of service and privacy policy, as applicable to the use of the Atlassian platform, shall apply to the processing of personal data by the Processor through the Timesheet Tracking for JIRA plugin.
4. Confidentiality
4.1 The Processor shall ensure that all personnel who have access to the Personal Data are subject to confidentiality obligations.
4.2 The Processor shall ensure that access to the Personal Data is restricted to personnel who need to access it to perform the services under the Agreement.
4.3 The Processor shall log and monitor each access to Personal Data
5. Sub-Processors
5.1 The Processor shall ensure that any third-party sub-processors used in connection with the provision of the services under the Agreement are bound by written agreements that contain data protection obligations equivalent to those in this DPA.
5.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.
6. Security Measures
6.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of the Personal Data.
6.2 The Processor shall regularly monitor and evaluate the effectiveness of its security measures.
7 Data Breaches
7.1 The Processor shall notify the Controller promptly in the event of a Personal Data breach.
7.2 The Processor shall provide the Controller with all necessary information relating to the Personal Data breach, including the cause of the breach, the categories of Personal Data involved, and the measures taken to mitigate the risk of harm to the affected data subjects.
7.3 The Processor, being a partner of Atlassian marketplace, is required to follow its security policies and report any breach of Controller's Personal Data to Atlassian
Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the country where the Controller is located, without giving effect to its conflict of laws provisions.
Changes to the DPA
The Processor reserves the right to modify this DPA from time to time.