/
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Between the Customer (as Data Controller) and Deiser (as Data Processor) regarding the use of Exporter Cloud

1. Object and Duration of the Agreement

This Agreement governs the processing of personal data by Deiser, acting as Data Processor, on behalf of the Customer, acting as Data Controller, in connection with the provision and use of the Exporter Cloud application.

The processing shall be carried out exclusively for the purpose of delivering the services inherent to Exporter Cloud and shall continue for the duration of the contractual relationship between the parties. Upon the termination of this relationship, all personal data shall be returned or deleted as specified herein.

2. Purpose and Nature of the Processing

Exporter Cloud is a data export solution integrated with Jira Cloud, designed to allow users to generate downloadable files containing information from their Jira instance. The processing of personal data by Deiser is limited to that which is strictly necessary to enable the application's functionalities. These include the identification and authentication of users via their Jira Cloud credentials, the temporary generation and storage of export files based on data selected by the user, and the optional sending of such files via email when the user configures SMTP credentials for that purpose.

The files generated may include information from various Jira entities such as issues, projects, workflows, time reports, and configuration data. All export files are retained only for a short period, strictly necessary to ensure user download capability. No long-term storage of exported data occurs within Deiser systems.

3. Categories of Data Subjects and Personal Data

The data subjects potentially affected by the processing operations include users of the Customer's Jira Cloud instance, particularly those who initiate export actions or whose identifying information may appear in the exported content.

The types of personal data that may be processed through Exporter Cloud include the Jira Cloud user ID, which is stored in order to manage user sessions and permissions; the user’s name and email address, which are temporarily retrieved from Jira Cloud but not stored; and SMTP credentials (username and password), should the user voluntarily configure them to send export files by email. Additionally, depending on the content selected by the Customer for export, the generated files may include indirect personal data, although such cases are considered exceptional based on typical use.

4. Obligations of the Processor

Deiser undertakes to process personal data solely in accordance with the documented instructions of the Customer, as expressed in this Agreement and in the applicable service terms. Under no circumstances shall Deiser use the data for its own purposes or disclose it to unauthorized third parties.

All persons authorized to process data within Deiser are bound by confidentiality obligations and have received appropriate training on data protection. Deiser shall implement suitable technical and organizational measures to ensure a level of security appropriate to the risk and shall assist the Customer in meeting its obligations, particularly with regard to data subject rights, data breaches, and compliance with supervisory authorities.

Deiser also agrees to maintain a record of processing activities, facilitate any necessary audits, and notify the Customer without undue delay in the event of a data breach affecting personal data under this Agreement.

5. Sub-processing and Third-Party Services

In the provision of Exporter Cloud, Deiser may engage sub-processors, including but not limited to infrastructure providers or platform services, such as Atlassian (as Jira Cloud host) or hosting/cloud services necessary to operate the application securely and efficiently.

All sub-processors are contractually bound to data protection obligations that are no less protective than those set out in this Agreement. The Customer authorizes Deiser to engage such sub-processors provided that Deiser remains fully liable for their actions and ensures full transparency regarding any relevant changes.

6. International Data Transfers

Should the processing involve the transfer of personal data outside the European Economic Area, Deiser shall ensure that such transfers are carried out in compliance with applicable data protection laws. In particular, Deiser will implement appropriate safeguards, such as the execution of Standard Contractual Clauses approved by the European Commission or any other lawful mechanism recognized by the applicable regulations.

7. Security Measures

Deiser applies robust security measures to protect personal data against unauthorized access, loss, or alteration. These measures include, among others: encryption of data in transit through HTTPS, role-based access controls within the organization, restricted and monitored internal access, authentication via secure OAuth mechanisms integrated with Atlassian, and a data minimization approach whereby no unnecessary personal information is stored. The company also performs regular security assessments and maintains up-to-date procedures to prevent and respond to security incidents.

8. Termination, Return and Deletion of Data

Upon the termination of the contractual relationship or at the express request of the Customer, Deiser shall delete all personal data processed on behalf of the Customer, unless applicable law requires retention. Where deletion is not possible due to technical constraints, Deiser shall ensure that data is securely isolated and not subject to further processing. Upon request, Deiser shall provide written certification of the completion of these actions.

9. Audits and Supervision

The Customer has the right to verify, either directly or through a designated auditor, that Deiser complies with the obligations set forth in this Agreement. Deiser agrees to cooperate fully, provide relevant documentation, and facilitate reasonable access to systems and facilities to the extent necessary for such verification, provided that it does not disrupt service continuity or compromise security.

10. Final Provisions

This Agreement forms an integral part of the service relationship between the Customer and Deiser regarding the use of Exporter Cloud. In case of conflict between this DPA and other contractual terms, the provisions of this Agreement shall prevail with respect to the processing of personal data. The Agreement shall be interpreted in accordance with the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation) and other applicable laws.