Plugin Vault Data Processing Agreement

Last Updated: January 23, 2025

This Data Processing Agreement ("DPA") forms part of the Agreement between Plugin Vault, located at 49 Gleason Crescent, Kitchener, Ontario, Canada ("Processor"), and the entity using Plugin Vault's services ("Controller"), collectively referred to as the "Parties." By installing or using the Software, the Controller automatically agrees to the terms of this DPA. If the Controller does not agree to these terms, they must not install or use the Software.


1. Definitions

1.1. Applicable Data Protection Law: Refers to the EU General Data Protection Regulation (GDPR) and any other applicable data protection laws.

1.2. Personal Data: Information related to an identified or identifiable natural person processed by the Processor on behalf of the Controller.

1.3. Processing: Any operation or set of operations performed on Personal Data, as defined under GDPR.

1.4. Sub-Processor: Any third party engaged by the Processor to assist with Processing Personal Data on behalf of the Controller.

1.5. Supervisory Authority: An independent public authority established under GDPR to oversee data protection compliance within the EU.


2. Roles and Responsibilities

2.1. Controller's Role: The Controller determines the purposes and means of Processing Personal Data.

2.2. Processor's Role: The Processor processes Personal Data on behalf of the Controller strictly in accordance with this DPA and the Controller's documented instructions.


3. Subject Matter and Duration

3.1. Subject Matter: The Processor provides the Software to enhance functionality within Atlassian products by enabling additional features.

3.2. Duration: Processing will continue for as long as the Controller uses the Software. Upon termination, data will be retained for no more than 90 days and subsequently deleted.


4. Nature and Purpose of Processing

4.1. The Processor processes Personal Data (e.g., user group names, email addresses, user names, ticket metadata) solely to provide the Software’s functionality and as dictated by Atlassian's Forge platform.

4.2. No sensitive personal data (e.g., health data, political opinions) will be processed.

4.3. The Processor will not use Personal Data for any purposes other than those outlined in this DPA, unless required to do so by law, in which case the Processor shall inform the Controller before processing.


5. Obligations of the Processor

5.1. Processing Instructions: The Processor will process Personal Data only under the Controller's documented instructions.

5.2. Confidentiality: The Processor ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.

5.3. Security Measures: The Processor implements appropriate technical and organizational measures, including:

5.4. Sub-Processing: The Processor does not engage Sub-Processors, aside from Atlassian, which provides the Forge infrastructure.

5.5. Data Transfers: Personal Data may be processed outside the EU in compliance with Atlassian's DPA and applicable safeguards, including standard contractual clauses where applicable.

5.6. Data Breach Notification: The Processor will notify the Controller without undue delay, and within 72 hours of becoming aware of a breach.

5.7. Accountability and Documentation: The Processor will maintain appropriate records of its processing activities as required by GDPR Article 30(2).


6. Assistance to the Controller

6.1. The Processor will assist the Controller in responding to data subject requests, including access, rectification, erasure, and data portability, provided such requests pertain to the Software.

6.2. The Processor will assist the Controller in conducting Data Protection Impact Assessments (DPIAs), as required under GDPR.

6.3. The Processor will provide assistance to the Controller in meeting obligations under Articles 32 to 36 of GDPR, including ensuring security, breach notifications, and consultation with Supervisory Authorities where required.


7. Deletion and Return of Data

7.1. Upon termination of the Agreement, the Processor will delete all Personal Data within 90 days, unless required to retain it under applicable law.

7.2. No Personal Data will be stored on the Processor's systems outside the Atlassian Forge infrastructure.


8. Audit Rights

8.1. The Processor will make available necessary information to demonstrate compliance with this DPA.

8.2. Upon reasonable notice, the Controller may conduct audits (not more than once annually) to verify compliance, provided the audit is conducted during normal business hours and ensures confidentiality.

8.3. If requested, the Processor will provide Controller with relevant certifications or audit reports to demonstrate compliance with GDPR requirements.


9. Liability and Indemnity

9.1. The Processor’s liability for breaches of this DPA will be limited to the fees paid by the Controller for the use of the Software in the 12 months preceding the breach.

9.2. Both Parties agree to indemnify each other for claims arising from violations of GDPR caused by their own respective actions or negligence.


10. Governing Law

10.1. This DPA is governed by the laws of Canada.


11. Contact Information

For any inquiries related to data protection, the Processor can be reached at:

Email: privacy@pluginvault.dev


Annex 1: Details of Processing

  1. Data Subjects: Atlassian users, including employees and collaborators of the Controller.
  2. Categories of Personal Data: User group names, email addresses, user names, and ticket metadata.
  3. Processing Operations: Collection, transmission, and temporary storage (via Atlassian Forge) to enable the Software's functionality.

Annex 2: Security Measures

  1. Encryption in transit
  2. Access control using least privilege principles
  3. Regular vulnerability assessments
  4. Incident management protocols
  5. Periodic training for employees on data protection and GDPR compliance.