Phase Locked Software Data Processing Agreement
Last updated: 2023-07-07
This data processing agreement is available for Document Control for Confluence Cloud and for Document Metadata for Confluence Cloud and for Keep it up to date!
These application are NOT standalone applications. The applications work only in connection with Atlassian cloud products. Your data processing with Atlassian is NOT covered by this data processing agreement.
Name: Phase Locked Software
Contact details: firstname.lastname@example.org
The contact details of the Processor are available in the Atlassian Marketplace. After install, the contact details of the Controller are available in the Atlassian Marketplace Reporting dashboard.
It is the choice of Controller to enter into a data processing agreement with Processor.
Controller possesses personal data and shares this with Processor. The subject of the processing is Document Control for Confluence Cloud and/or Document Metadata for Confluence Cloud and/or Keep it up to date!
The goal of the processing is to provide service to Controller, such as:
- Reviewing and signing Confluence Cloud pages (Document Control for Confluence Cloud).
- Adding metadata to Confluence Cloud pages (Document Metadata for Confluence Cloud).
- Aiding in updating Confluence Cloud pages (Keep it up to date!).
The category of data subjects / the group of people to whom the data relates is: Confluence Cloud users, which are added to Confluence Cloud by Controller.
The type of data that is shared:
- The public Atlassian account display name.
- Email if made public by user and enabled by Confluence administrator (Document Control). Email access is controlled by Controller's Confluence administrator.
- IP addresses may be shared in theory. However the Controllers users should access Confluence Cloud through Controller's corporate network only. This prevents sharing of an individual's IP address.
- Confluence page names, labels, links, page metadata, and other Confluence data required by the applications to perform service to Controller.
- Access metadata
The processing starts when Controller starts using the application.
The processing ends when Controller uninstalls the application from their Confluence Cloud instance.
Both parties are aware of the General Data Protection Regulation and will jointly endeavor to meet all legal requirements. Processor will adhere to the following requirements:
- Processing takes place exclusively on the basis of instructions from Controller. An install of an application is an instruction to start processing.
- Processor may not use the personal data for its own purposes.
- People employed by or working for Processor who come into contact with the relevant data have a non-disclosure agreement.
- Processor takes appropriate technical and organizational measures so that the processing meets the requirements of this agreement.
- Processor does engage with sub-processor(s) as listed in the Terms and Conditions.
- Processor helps to comply with the obligations of the controller if data subjects exercise their privacy rights (such as the right to access, correction, erasure and data portability). Processor will not charge more than reasonable costs for this (max. € 200 per hour for direct hours only).
- Processor helps to comply with the obligations regarding the data breach reporting obligation. This means that Processor immediately reports possible data leaks to Controller and cooperates with investigation / analysis. Processor does not have to report to the Data Protection Authority, the Controller does this. Processor will not charge any costs regarding handling potential data leaks at Processor.
- Processor helps to comply with the obligations regarding Data Protection Impact Assessment. Processor will not charge more than reasonable costs for this (max. € 200 per hour for direct hours only).
- Processor cooperates with audits by the controller or a third party engaged by the controller.
- After the processing services have ended, Processor will delete the data (or return it to the responsible party), unless it is legally obliged to keep it. Processor does not store personal data, all data is stored in the Confluence Cloud instance of the Controller. Controller has direct access to these data.
- Processor processes data stored by Atlassian outside of the EEA/EU. Atlassian stores user data in the Global region, and user data may be stored and processed in any location worldwide as detailed in the agreement between Controller and Atlassian. Controller has consented to sharing personal data outside of the EEA/EU by the agreement with Atlassian.
- Controller can anonymize and/or delete all personal data by changing/deleting the data in their Atlassian controlled Confluence instance.
- This agreement does not cover Atlassian Marketplace data. Atlassian Marketplace data are data shared by Atlassian with Processor. Atlassian Marketplace data relate to licenses, billing, and security.
- This agreement is governed by Dutch law. Any dispute arising in connection with this data processing agreement must be brought to a Dutch court.
Overview of Security Measures
See Security and links therein.
Data Subject Rights
Processor does not store personal data. All personal data is stored in the Confluence Cloud instance of the Controller. As such, Controller has access to all stored data and Controller is responsible for any request by a Data Subject.
Agreed and signed: