DPA Annex 1 - Subcomponents for Jira
Last revision date – August 4, 2023.
(A) Description of processing (processor)
Subject matter
Provision of the Services to the Customer by Broken Build (Provider) under the EULA.
Categories of data subjects
End Users of the Broken Build Apps, who are provided with access thereto on the basis of the licenses/Services purchased by the Customer.
The table below is aimed to describe how the Provider processes your data as the processor. Although the data shared with us to provide Services to our Customers may include personal data, accessing personal data is not our main objective. In some instances, access to personal data is purely incidental and therefore very limited in practice. We marked places where we could access personal data with “incidentally could process personal data” in the table below.
Please also keep in mind that Broken Build also processes data that is not “personal data” within the meaning of law (does not relate to identified or identifiable person). Such data could still be “End User Data” within the meaning of the Atlassian Marketplace Partner Agreement.
The Provider as the controller may also process other types of personal data received directly from data subjects or from other controllers/processors. You may find more details on such processing in our Privacy Policy.
Details on the data processed
Purpose(s) of processing | Type of data | Nature of the processing | Duration of the processing and retention | Which Service it relates to |
To implement the App’s functionality |
| Data is collected, analysed; entered into a database; organised and/or structured; disclosed to third parties, including transferred for storage to cloud storage services; used to provide services; deleted, erased or destructed.
For the list of all sub-processors and their roles and data they access check section (B) below. | Data may be processed/stored (if applicable) during the term of EULA and up to 12 months after the termination of EULA.
| Cloud App |
2. End User data processed:
| Data is collected, analysed; organised and/or structured; used to provide services. | |||
To proactively monitor App health and fix issues (troubleshooting) |
| Data is collected, analysed; entered into a database; organised and/or structured; disclosed to third parties, including transferred for storage to services that allow monitoring Apps health and troubleshoot; used to provide services; deleted, erased or destructed. | Data may be processed and stored only for 2 days following the collection of data.
| Cloud and Software Apps |
To support End Users, to fix issues in the Apps, answer End User support requests regarding bugs, product usage, feature requests etc. |
2. Personal data related to our Customer:
3. End User data:
4. Non-personal company data, including: company name, license information.
5. App environment data: Atlassian host ID, Jira version, App version.
6. Other information End User provides to us in connection with the support matter (screenshots, screen casts, HAR files etc.). We encourage you to instruct your employees (End Users) not to share sensitive personal data with us, as well as excessive data which we do not need to resolve the issue. | Data is collected, analysed; entered into a database; organised and/or structured; disclosed to third parties, including transferred for storage to aggregate support requests under one company account; used to provide services; deleted, erased or destructed.
For the list of all sub-processors and their roles and data they access check section (B) below. | Data will be processed from when the support request was initiated, until we resolve the matter and for 12 months afterwards, to make sure the future requests regarding product usage are properly satisfied, taking into account the history of the requests. However, we aim to delete sensitive attachments such as HAR files within 3 months of the closure of the request. | Cloud and Software Apps |
(B) List of third party processors
For the detailed list of third party processors please follow the link.
(C) Technical and organizational measures
The Provider undertakes to apply the following technical and organizational measures with regard to Customer Personal Data processing:
Detailed by group:
(a) technical security controls:
2-steps authentication, strong password policy
antivirus software
firewalls
cloud cluster resides in a private network and is isolated from world wide web, with a help of ingress and egress controllers in-and-out traffic is controlled
access audit logs
data segregation
encryption:
secure data at rest via RDS encryption
secure data in motion via HTTPS
secure data in use by processing data in a cluster deployed to the private network
data hashing
data loss prevention (RDS by Amazon implements backup Strategy).
regular access tokens rotation
(b) administrative security controls:
data handling policies:
Access Policy (access on the least privilege and need-to-know basis, review of access rights, unique users IDs etc.)
Business Continuity Plan and Disaster Recovery Plan (approach towards resilience, availability, and continuity of processes, systems, and services)
Incident Management Policy (incident response process and responsibilities)
Information Security Policy (data classification, risk-based approach, protection means and responsibilities)
SDLS and Change Management Policy (procedure dealing with the incorporation of information security considerations into the various stages of the software development lifecycle)
Vulnerability Management Policy (procedure and responsibilities as to scanning and corrections of vulnerabilities, testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing)
Data Retention Policy (data storage periods, depending on the classification of data)
Periodic internal audit procedures
Non-disclosure agreements (NDAs) concluded with third party providers, and routines for entering into such agreements
Periodic security training for staff