DPA Annex 5 - Subcomponents for Jira

Last revision date – August 14, 2024.

(A) Description of processing (processor)

Subject matter

Provision of the Services to the Customer by Broken Build (Provider) under the EULA. 

Categories of data subjects 

End Users of the Broken Build Apps, who are provided with access thereto on the basis of the licenses/Services purchased by the Customer.

The table below describes how the Provider processes your data as the processor. Although the data shared with us to provide Services to our Customers may include personal data, accessing personal data is not our main objective. In some instances, access to personal data is purely incidental and therefore very limited in practice. We marked places where we could access personal data with “incidentally could process personal data” in the table below.

Please also keep in mind that Broken Build processes data that is not “personal data” within the meaning of law (does not relate to an identified or identifiable person). Such data could still be “End User Data” within the meaning of the Atlassian Marketplace Partner Agreement.

The Provider as the controller may also process other types of personal data received directly from data subjects or from other controllers/processors. You may find more details on such processing in our Privacy Policy.

Details on the data processed

Table columns: Purpose(s) of processing; Type of data; Nature of the processing; Duration of the processing and retention; Which Service it relates to

To implement the App’s functionality

  1. End User data stored (does not contain personal data):

  • Anonymized user ID

  • Jira project ID

  • Jira project component ID

  • Jira project version ID

Data is collected, analysed; entered into a database; organised and/or structured; disclosed to third parties, including transferred for storage to cloud storage services; used to provide services; deleted, erased or destroyed.

For the list of all sub-processors, their roles and the data they access, see section (B) below.

Data may be processed/stored (if applicable) during the term of the EULA and up to 12 months after the termination of the EULA.

Cloud App

  2. End User data processed:

  • Anonymized user ID

  • Jira project details

  • Jira project components

  • Jira project versions

  • App configuration settings including:

    • Feature enablement status

Data is collected, analysed; organised and/or structured; used to provide services.

To proactively monitor App health and fix issues (troubleshooting)

  1. End User data processed and stored:

  • Anonymized user ID

  • App configuration excluding any data that may potentially be deemed personal data

Data is collected, analysed; entered into a database; organised and/or structured; disclosed to third parties, including transferred for storage to services that allow monitoring App health and troubleshooting; used to provide services; deleted, erased or destroyed.

Data may be processed and stored only for 2 days following the collection of data.

Cloud and Software Apps

To support End Users, to fix issues in the Apps, answer End User support requests regarding bugs, product usage, feature requests etc.

  1. End User data (if and as provided by data subject):

  • Email address;

  • Full name.

  2. Personal data related to our Customer:

  • the Customer’s name and/or email (if the Customer is an individual);

  • Technical contact data (email address, full name);

  • Billing contact data (email address, full name).

  3. End User data:

  • Anonymized user ID

  • device and browser information (IP address, browser, locale, operating system)

  4. Non-personal company data, including: company name, license information.

  5. App environment data: Atlassian host ID, Jira version, App version.

  6. Other information End User provides to us in connection with the support matter (screenshots, screencasts, HAR files etc.).

We encourage you to instruct your employees (End Users) not to share sensitive personal data with us, as well as excessive data which we do not need to resolve the issue.

Data is collected, analysed; entered into a database; organised and/or structured; disclosed to third parties, including transferred for storage to aggregate support requests under one company account; used to provide services; deleted, erased or destroyed.

For the list of all sub-processors, their roles and the data they access, see section (B) below.

Data will be processed from when the support request was initiated, until we resolve the matter and for 12 months afterwards, to make sure that future requests regarding product usage are properly satisfied, taking into account the history of the requests. However, we aim to delete sensitive attachments such as HAR files within 3 months of the closure of the request.

Cloud and Software Apps 

(B) List of third party processors

For the detailed list of third party processors please follow the link.

(C) Technical and organizational measures

The Provider undertakes to apply the following technical and organizational measures with regard to Customer Personal Data processing:

  1. Detailed by group:

(a) technical security controls

  • 2-step authentication, strong password policy

  • antivirus software

  • firewalls

  • cloud cluster resides in a private network and is isolated from the World Wide Web; inbound and outbound traffic is controlled with the help of ingress and egress controllers

  • access audit logs

  • data segregation

  • encryption:

    • secure data at rest via RDS encryption

    • secure data in motion via HTTPS

    • secure data in use by processing data in a cluster deployed to the private network

  • data hashing

  • data loss prevention (RDS by Amazon implements a backup strategy)

  • regular access token rotation

(b) administrative security controls

  • data handling policies:

    • Access Policy (access on the least privilege and need-to-know basis, review of access rights, unique user IDs etc.)

    • Business Continuity Plan and Disaster Recovery Plan (approach towards resilience, availability, and continuity of processes, systems, and services)

    • Incident Management Policy (incident response process and responsibilities)

    • Information Security Policy (data classification, risk-based approach, protection means and responsibilities)

    • SDLC and Change Management Policy (procedure dealing with the incorporation of information security considerations into the various stages of the software development lifecycle)

    • Vulnerability Management Policy (procedure and responsibilities as to scanning and corrections of vulnerabilities, testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing)

    • Data Retention Policy (data storage periods, depending on the classification of data)

    • Periodic internal audit procedures

    • Non-disclosure agreements (NDAs) concluded with third party providers, and routines for entering into such agreements

    • Periodic security training for staff