Data Processing Agreement

Last revision date – August 14, 2024.

This Data Processing Agreement ("DPA") has been entered into between Broken Build LLP, a company registered in the United Kingdom (OC445385) with registered office at 61 Bridge Street, Kington, Herefordshire, HR53DJ, United Kingdom (“Broken Build”, "Provider") and a customer (either individual or a legal entity) who accepted the terms of End User Licence Agreement (“EULA”) upon purchase of Broken Build Apps provided through the Atlassian Marketplace ("Customer" or “you”).

This DPA forms an integral part of the EULA. The purpose of this DPA is to reflect the Parties' agreement to the Provider's processing of personal data on behalf of the Customer and to ensure secure and lawful processing of personal data within the scope of EULA in compliance with applicable requirements of data protection laws.

 

Please also consult the Broken Build’s Privacy Policy, which is incorporated in this DPA by reference herein.

Definitions

In this DPA, the terms are defined as follows:

(a) “Applicable Data Protection Laws” means privacy and data protection laws and regulations, including those of the United Kingdom, the European Union, the European Economic Area, and their Member States, as applicable to the processing of personal data under this DPA, in particular the GDPR and the UK Data Protection Law.

(b) “Customer Personal Data” means any personal data provided by (or on behalf of) the Customer to the Provider in connection with the Services, as further described in section (A) of the respective Annex  to this DPA.

(c) “EEA” means the European Economic Area.

(d) “End Users” or “Users” means any individuals for whom the Customer has paid the required fees and to whom access is given to the Apps.

(e) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(f) Provider’s Privacy Policy means any privacy notices and policies the Provider makes available to data subjects and which are available via the link.

(g) “Services” means the services provided to the Customer by Broken Build under the EULA.

(h) "Standard Contractual Clauses" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (as amended and updated from time to time) (“SCCs”).

(i) “Third party processor” means any processor engaged by the Provider to assist in fulfilling its obligations with respect to providing the Services pursuant to the EULA or this DPA, where such entity processes Customer Personal Data under the instruction or supervision of the Provider. The current list is specified  via the link.

(j) “UK” means the United Kingdom.

(k) “UK Data Protection Law” means the GDPR as it forms part of the law of England, Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK (“UK GDPR”) and the Data Protection Act 2018.

(l) “UK IDTA Addendum” means the Mandatory Clauses of Addendum B.1.0 issued by the ICO and laid before parliament in accordance with S119A of the Data Protection Act of 2018 (as revised under Section 18 of those Mandatory Clauses).

 

The terms “personal data”, “processing” (and “process”), “data subject”, “controller”, “processor”, “personal data breach”, and “supervisory authority” shall have the meaning given in the GDPR and UK GDPR, as applicable, in each case irrespective of other Applicable Data Protection Laws. Other terms used in this DPA and not defined above shall have the meaning set forth in the EULA and the Provider’s Privacy Policy.

Part 1: General Provisions

Roles of the Parties

1.1 The Parties acknowledge and agree that, when processing Customer Personal Data for provision of Services under or in relation to the EULA, the Provider predominately acts as a processor on behalf of and as instructed by the Customer. The Customer is the controller for the personal data processed.

1.2 The Provider shall process such personal data in accordance with the Customer’s documented instructions, which at time of the entering into this DPA are set out in section of the respective Annex 1 and as may subsequently be agreed by the Parties.

1.3 The Parties agree on limited instances where the Provider may act as the controller. Since in such cases, the Provider receives data from data subjects, the types of processing and the categories of data involved are specified in the Provider’s Privacy Policy. 

1.4 Each Party undertakes to act in compliance with the Applicable Data Protection Laws when processing the Customer Personal Data.

Part 2: Obligations of the Customer

2.1 The Customer shall in particular:

2.1.1 Ensure lawful collection and processing of Customer Personal Data.

2.1.2 Maintain internal documentation, which states how and why Customer Personal Data is processed, to the extent required by Applicable Data Protection Laws, and be able to provide to End Users information as required by Articles 13-14 GDPR i.e., on the recipients of the personal data, data transfers to third countries, periods for which the data will be stored, or if that is not possible, the criteria used to determine retention periods. 

2.1.3 Be the contact point and respond to End User’s inquiries on privacy practices and requests for exercising the data subjects’ rights under Applicable Data Protection Laws.

2.1.4 Provide documented instructions to the Provider in relation to the processing of Customer Personal Data, including with regard to subject-matter, duration, nature, and purposes of processing, types of personal data and categories of data subjects. At the time of entering into this DPA the full list of instructions is set out in section (A) of the respective Annex.

2.1.5 Inform about any intended changes that will affect the Provider’s obligations under this DPA, and amend section (A) of the respective Annex) to this DPA, as necessary. 

2.1.6 Timely inform of any legal action brought against the Customer that may affect the Provider, joint-controller appointed for Customer Personal Data, or any other information the Customer deems relevant in relation to fulfilment of this DPA and compliance of Applicable Data Protection Laws.

2.1.7 Subject to the terms of this Agreement, the Customer may make the Software available to its affiliates provided that all licensing restrictions are complied with in each instance by each such affiliate. Customer shall be liable for any breach of the terms and conditions of this Agreement by any of its affiliates.

Part 3: Obligations of the Provider

3.1 When processing Customer Personal Data for provision of Services under or in relation to the EULA, the Provider shall:

3.1.1 Process Customer Personal Data only in accordance with this DPA and specifically the written instructions of the Customer, as set out in section (A) of the respective Annex to this DPA.

3.1.2 Respect the conditions for engaging other processors, in more detail referred to in Clause “Third party processors”. In particular, inform the Customer and obtain authorization to any intended change concerning the addition or replacement of third party processors specified on the Provider’s Website, as long as they process Customer Personal Data.

3.1.3 Ensure that all of its employees and individual contractors who process Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are bound by written or statutory confidentiality obligations.

3.1.4 Implement technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risks posed by processing.

3.1.5 Assist the Customer by technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subjects’ rights. 

3.1.6 Assist the Customer in ensuring compliance with the obligations under Articles 32 through 36 GDPR taking into account the information available to the Provider, in particular with regard to notification of a personal data breach and communication with supervisory authorities. 

3.1.7 At the choice of the Customer, delete or return the personal data after the end of the provision of Services, unless the law requires storage of personal data.

3.1.8 Make available to the Customer all information necessary to demonstrate compliance with data protection requirements and this DPA and allow for and contribute to audits conducted or mandated by the Customer to check such compliance. 

3.1.9 Timely inform the Customer if the Provider is of the opinion that the Customer’s instructions infringe Applicable Data Protection Laws.

3.2 In limited instances when the Provider acts as the controller, the Provider undertakes corresponding obligations to ensure compliance with Applicable Data Protection Laws in respect of types of processing, as described in the Provider’s Privacy Policy. 

Part 4: Third party processors

4.1 The Customer agrees and generally authorises the engagement by the Provider of third party processors in connection with the provision of the Services.

4.2 At the time of entering into this DPA the list of engaged third party processors is  published via the link indicated in the “Definitions” section. The changes may subsequently be agreed by the Parties.

4.3 Engagement of third party processors:

4.3.1 In accordance with Article 28(4) GDPR and UK GDPR, or as may otherwise be required by Applicable Data Protection Laws, the Provider shall impose legally binding written terms on each engaged third party processor that are as restrictive as those contained in this DPA.

4.3.2 The Provider shall ensure that third party processors: (i) have access to Customer Personal Data only as necessary for the purposes of providing the Customer with the Services and in compliance with Applicable Data Protection Laws; (ii) are informed of the confidential nature of the Customer Personal Data and are required to keep it confidential.

4.4 New third party processors and the opportunity to object:

4.4.1 The Provider shall inform the Customer at least 30 days before engaging a new third party processor. This includes updating the list of third party processors, which is published on the Provider’s Website, as necessary with regard to processing Customer Personal Data.

4.4.2 If the Customer believes that the use of a specific third party processor can have an adverse effect on the Provider’s ability to comply with Applicable Data Protection Laws when processing Customer Personal Data, then the Customer shall promptly notify the Provider of its reasonable basis for objection to the use of a specific third party processor.

4.4.3 In the event that the Customer objects to any new third party processor, the Provider shall either (i) refrain from engaging this third party processor to processing of Customer Personal Data or instruct it to cease any further processing that has started, in which event this DPA and EULA shall continue unaffected, or (ii) allow the Customer to terminate this DPA and EULA immediately.

Part 5: International data transfers

5.1 With regard to personal data of EEA and UK data subjects, the Provider and the Customer agree that the Provider may process Customer Personal Data outside the EEA and the UK where the Applicable Data Protection Laws requirements (including, where applicable, Articles 44 through 47 GDPR and UK GDPR) are fulfilled, or exceptions (including, where applicable, those listed in Article 49 GDPR and UK GDPR) apply.

5.2 If Applicable Data Protection Laws require to execute SCCs or UK IDTA Addendum applicable to a transfer of Customer Personal Data to the Provider as a separate agreement, than the Provider shall, on the Customer’s request, timely execute such SCCs or UK IDTA Addendum and incorporate the applicable clauses, annexes, or schedules to this DPA. 

5.3 If any of the means legitimising transfers of Customer Personal Data outside of the EEA or the UK that are referred to in this DPA cease to be valid, or any supervisory authority requires data transfers pursuant to those means to be suspended, then the Provider shall, with reasonable advance notice, amend or put in place alternative arrangements, in respect of such transfers.

Part 6: Data subject requests

6.1 The Customer and the Provider shall individually inform and allow End Users to exercise their data subject rights under Applicable Data Protection Laws. 

6.2 The description of Provider’s privacy practices, including details on how Apps End Users can exercise their data subjects’ rights vis-a-vis the Provider, is set in the Provider’s Privacy Policy. 

6.3 Taking into account the nature of the processing, in most instances the Provider shall promptly inform the Customer where it receives from any End User a data subject request, which relates to the Customer Personal Data. 

6.4 The Provider undertakes to provide reasonable assistance to the Customer to respond to any requests from End Users to exercise any of their rights in respect of Customer Personal Data under Applicable Data Protection Laws (including rights of access, to rectification, to erasure, to restriction, to data portability, and to object, as applicable).

6.5 The Provider undertakes to assist the Customer by notifying of any other correspondence, enquiry, or complaint received from End Users in respect of Customer Personal Data, and to inform promptly and where the Provider is of the opinion that actions are required from the Customer. 

6.6 However, the obligations indicated in clauses 6.3. - 6.6. do not require the Provider to inform the Customer of any data subject requests which are related to the Provider’s role as the controller, as described in the Provider’s Privacy Policy.

Part 7: Security

7.1 In accordance with Article 32 GDPR and UK GDPR, the Provider has implemented and maintained all appropriate technical and organisational measures required to (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing of Customer Personal Data, and (ii) prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed. 

7.2 At the time of entering into this DPA, the full list of security measures is specified in section (C) of the respective Annex. 

7.3 The Customer acknowledges that the security measures are subject to technical progress and development and that the Provider may from time to time review and update these measures, on which the Provider shall notify the Customer.

7.4 The Provider undertakes to comply with Atlassian Marketplace requirements for security and coding practices, and agrees, in principle, to facilitate new and additional security and privacy reviews that Atlassian, or an authorised third party selected by Atlassian, may conduct in relation to supporting infrastructure or the Apps provided to the Customer.

7.5 If during the term of this DPA the Customer requires the Provider to take additional security measures, the Provider shall as far as feasible meet such requirements provided that the Customer takes responsibility for any and all costs associated with such additional measures.

Part 8: Personal data breach notification

8.1 The Provider shall notify the Customer without undue delay of a personal data breach involving Customer Personal Data.  

8.2 The notification shall provide the Customer with a description of the personal data breach to the extent known, the type of data involved, the categories of data subjects, and other information required by Applicable Data Protection Laws, as soon as such information can be collected or otherwise becomes available, and the Provider shall cooperate with any reasonable request made by the Customer relating to personal data breach. 

8.3 The Provider agrees to immediately take action to investigate the personal data breach, to identify, prevent, and mitigate its effects, and with the Customer’s agreement to carry out actions necessary to remedy the breach.

8.4 The Provider’s notification of or response to a personal data breach shall not be construed as an acknowledgment by the Provider of any fault or liability with respect to the personal data breach.

Part 9: Deletion and return of personal data

9.1 At the choice of the Customer, the Provider shall delete or return the Customer Personal Data after the end of the provision of Services, unless the law requires storage of any such data. The Provider undertakes to ensure that each third party processor does the same. 

9.2 The duration of processing and retention periods for Customer Personal Data are outlined in section (A) of the respective Annex to this DPA.

9.3 Upon the Customer’s request, the Provider shall provide written confirmation of the deletion or return of Customer Personal Data.

Part 10:  Term and termination

10.1 This DPA shall terminate automatically upon termination of the EULA. If the Customer is using more than one App, the DPA and the respective Annexes thereto shall terminate with respect to each particular App, which the Customer ceases to use, but remain in force for the Apps the Customer still uses. 

10.2 The Provider’s obligations relating to deleting or returning Customer Personal Data shall survive termination of the EULA and this DPA until the Provider has deleted or returned Customer Personal Data in accordance with this DPA.

10.3 The Parties acknowledge that the termination of this DPA at any time and for any reason does not relieve them from their liability under Applicable Data Protection Laws arising from processing of Customer Personal Data.

Part 11:  Liability and indemnity

11.1 Each Party shall be liable to data subjects for any damage caused by Customer Personal Data processing in accordance with the provision set out in Article 82 GDPR and UK GDPR. 

11.2 The Provider shall indemnify the Customer against claims asserted by data subjects against the Customer due to breach of an obligation imposed on the Provider by this DPA or due to non-compliance or breach of a lawful instruction separately issued by the Customer.

11.3 The Provider does not have to indemnify the Customer if the processing giving rise to the damage was carried out on the basis of instructions from the Customer. 

11.4 The Parties shall indemnify each other against liability to the extent the Party proves that it is not responsible for the event giving rise to the damage to data subjects. In all other respects, Article 82(5) GDPR and UK GDPR shall apply. 

11.5 The provider acknowledges and agrees that it shall remain liable to the Customer for a breach of data protection obligations by any third party processor engaged by the Provider in connection with the provision of the Services.

11.6 Notwithstanding anything to the contrary in the EULA or this DPA, the liability of each Party under this DPA is subject to the exclusions and limitations of liability set out in the EULA.

Part 12:  Miscellaneous

12.1 The Parties agree that this DPA replaces and supersedes any existing DPA the Parties may have previously entered into in connection with the Services.

12.2 Except for the changes made by this DPA, the EULA remains unchanged and in full force and effect. If there is any conflict between this DPA and the EULA, this DPA will prevail to the extent of that conflict in connection with the processing of Customer Personal Data.