Data Processing Agreement (DPA) for Atlassian Marketplace Apps
This Data Processing Agreement (“DPA”) is an integral part of the main agreement (“Agreement”) between The Starware Yazılım LTD. ŞTİ. (“Processor” or “Vendor”) and the customer (“Controller” or “Customer”) for the use of Atlassian Marketplace Apps (“App”). This DPA outlines the specific terms and conditions regarding the processing of Personal Data by the Processor on behalf of the Controller in connection with the App.
This DPA is effective as of the date the Customer agrees to the Agreement.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller as a result of the Customer’s use of the App.
- “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
- “Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Controller” means the entity (the Customer) that determines the purposes and means of the Processing of Personal Data.
- “Processor” means the entity (Vendor) that Processes Personal Data on behalf of the Controller.
- “Sub-processor” means any third-party processor engaged by the Processor to process Personal Data.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
2. Processing of Personal Data
- 2.1. Roles of the Parties: The Controller is the controller of Personal Data, and the Processor is the processor of Personal Data.
- 2.2. Subject Matter, Nature, and Purpose of Processing: The Processor will process Personal Data solely for the purpose of providing services to the Controller as described in the Agreement and its documentation.
- a) Customer Account Id: Account ID associated with Atlassian Users’ email addresses, such as: 557058:12d4c7ae-a271-e6f1-23fe-a4161f711eee.
- b) User Generated Content: Any Personal Data that a Data Subject voluntarily enters into free-text fields, attachments, or other content areas within the Service. Processor has no control over the content of this data.
- c) Logs: IP addresses and technical log data related to the use of the Service for security, operational monitoring, and support purposes. Logs may contain the “Account Id” of the user. Access to logs can be revoked by the customer at any time.
- d) Customer’s Contact Information and Profile Picture: Customer’s email, name, and phone number as provided by the customer or Atlassian in a licensing or support case.
- 2.3. Duration of Processing: The Processor will process Personal Data for the duration of the Agreement or as long as necessary to provide the App services, unless otherwise instructed by the Controller or required by applicable law.
- 2.4. Types of Personal Data: The types of Personal Data processed may include “Atlassian Account Id” and “content created or uploaded by users within the Atlassian product that interacts with the App”. Email addresses, names, and profile pictures of the customers are processed only for support and licensing purposes.
- 2.5. Categories of Data Subjects: The categories of Data Subjects may include the Controller’s end-users who interact with the App within the Atlassian products, technical contact and support contact of the license, and any user of the customer contacting for support.
3. Processor’s Obligations
- 3.1. Instructions: The Processor shall process Personal Data only on documented instructions from the Controller (which include the Agreement and this DPA), unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- 3.2. Confidentiality: The Processor shall ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 3.3. Security: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. We will use Atlassian’s own infrastructure (Forge Platform) to host the App and your data as long as it is technically doable. The current set of security controls can be checked at our trust center.
- 3.4. Sub-processing:
- a) The Controller authorizes the Processor to engage Sub-processors as necessary to provide the App services. A list of current Sub-processors is available at our trust center.
- b) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.
- c) The Processor remains liable for the acts and omissions of its Sub-processors to the same extent the Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
- 3.5. Data Subject Rights: Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Data Protection Laws. If a Data Subject contacts the Processor directly to exercise their rights, the Processor will promptly notify the Controller.
- 3.6. Assistance to Controller: The Processor shall provide reasonable assistance to the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of processing, Notification of a personal data breach to the supervisory authority, Communication of a personal data breach to the data subject, Data protection impact assessment, and Prior consultation), taking into account the nature of processing and the information available to the Processor.
- 3.7. Data Breach Notification: The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller’s Personal Data. This notification will include information to allow the Controller to meet its own data breach reporting obligations.
- 3.8. Data Deletion or Return: Upon termination of the Agreement or at the Controller’s request, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless applicable law requires storage of the Personal Data.
4. Controller’s Obligations
- 4.1. Lawful Basis: The Controller represents and warrants that it has a lawful basis for the Processing of Personal Data as contemplated by this DPA and the Agreement.
- 4.2. Instructions: The Controller shall ensure that its instructions to the Processor are lawful and comply with Data Protection Laws.
- 4.3. Security: The Controller is responsible for implementing and maintaining appropriate security measures on its side and for its use of the App.
5. Data Transfers
- 5.1. Data Residency: For apps which support data residency, the data will be stored in the location chosen by the customer. The location must be one of the locations supported by Atlassian’s Forge Platform. Some of our apps may not support data residency for technical reasons; in that case, Forge apps still store data on Atlassian’s Storage, but we may not provide an option to choose the data location.
- 5.2. Data Transfer: For apps which support data residency, you can change the data location at any time.
6. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (at the Controller’s expense), upon reasonable prior notice and during regular business hours, and subject to reasonable confidentiality procedures. Such audits shall be limited to once per year unless a verified Personal Data breach necessitates more frequent audits.
7. General Provisions
- 7.1. Precedence: In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail with regard to the processing of Personal Data.
- 7.2. Changes to this DPA: The Processor may update this DPA from time to time. The Controller will be notified of any material changes.
- 7.3. Governing Law: This DPA shall be governed by the laws of the Republic of Türkiye.
- 7.4. Contact Information: For any questions or requests related to this DPA, please contact dpo@thestarware.com.