/
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

Between the Customer (as Data Controller) and Deiser (as Data Processor) regarding the use of Projectrak Cloud

1. Object and Duration of the Agreement

This Agreement governs the processing of personal data by Deiser, acting as Data Processor, on behalf of the Customer, acting as Data Controller, in connection with the provision and use of the Projectrak Cloud software.

The processing shall be carried out exclusively for the purpose of delivering the services inherent to Projectrak Cloud and shall continue for the duration of the contractual relationship between the parties. Upon the termination of this relationship, all personal data shall be returned or deleted as specified herein.

2. Purpose and Nature of the Processing

The purpose of the processing is the provision of the functionalities offered by Projectrak Cloud, a project tracking solution for Jira Cloud. The processing is strictly limited to what is necessary to enable the application’s core features, including the identification and authentication of users via their Jira Cloud user ID, the dynamic retrieval and display of user names and email addresses from Jira Cloud APIs (only when necessary and never stored), and the management of project-related information through custom fields configured by the users themselves.

The nature of the processing involves automated processing through the Projectrak Cloud interface integrated with Jira Cloud, and may include limited human access strictly for support or maintenance tasks, always under conditions of confidentiality and restricted access.

3. Categories of Data Subjects and Personal Data

The data subjects affected by the processing are primarily the users of the Customer’s Jira Cloud environment. These are typically employees or authorized collaborators who interact with the Projectrak Cloud application.

Personal data processed include the Jira Cloud user ID, which is stored to ensure functionality; user name and email address, which are accessed on demand through Jira Cloud but not retained; and any information entered voluntarily by users into the custom fields defined in the application. These fields may contain data indirectly linked to individuals, depending on how the Customer configures them, but are generally used to store organizational or operational data related to project tracking.

4. Obligations of the Processor

Deiser undertakes to process personal data solely in accordance with the documented instructions of the Customer, as expressed in this Agreement and in the applicable service terms. Under no circumstances shall Deiser use the data for its own purposes or disclose it to unauthorized third parties.

All persons authorized to process data within Deiser are bound by confidentiality obligations and have received appropriate training on data protection. Deiser shall implement suitable technical and organizational measures to ensure a level of security appropriate to the risk and shall assist the Customer in meeting its obligations, particularly with regard to data subject rights, data breaches, and compliance with supervisory authorities.

Deiser also agrees to maintain a record of processing activities, facilitate any necessary audits, and notify the Customer without undue delay in the event of a data breach affecting personal data under this Agreement.

5. Sub-processing and Third-Party Services

In the provision of Projectrak Cloud, Deiser may engage sub-processors, including but not limited to infrastructure providers or platform services, such as Atlassian (as Jira Cloud host) or hosting/cloud services necessary to operate the application securely and efficiently.

All sub-processors are contractually bound to data protection obligations that are no less protective than those set out in this Agreement. The Customer authorizes Deiser to engage such sub-processors provided that Deiser remains fully liable for their actions and ensures full transparency regarding any relevant changes.

6. International Data Transfers

Should the processing involve the transfer of personal data outside the European Economic Area, Deiser shall ensure that such transfers are carried out in compliance with applicable data protection laws. In particular, Deiser will implement appropriate safeguards, such as the execution of Standard Contractual Clauses approved by the European Commission or any other lawful mechanism recognized by the applicable regulations.

7. Security Measures

Deiser applies robust security measures to protect personal data against unauthorized access, loss, or alteration. These measures include, among others: encryption of data in transit through HTTPS, role-based access controls within the organization, restricted and monitored internal access, authentication via secure OAuth mechanisms integrated with Atlassian, and a data minimization approach whereby no unnecessary personal information is stored. The company also performs regular security assessments and maintains up-to-date procedures to prevent and respond to security incidents.

8. Termination, Return and Deletion of Data

Upon the termination of the contractual relationship or at the express request of the Customer, Deiser shall delete all personal data processed on behalf of the Customer, unless applicable law requires retention. Where deletion is not possible due to technical constraints, Deiser shall ensure that data is securely isolated and not subject to further processing. Upon request, Deiser shall provide written certification of the completion of these actions.

9. Audits and Supervision

The Customer has the right to verify, either directly or through a designated auditor, that Deiser complies with the obligations set forth in this Agreement. Deiser agrees to cooperate fully, provide relevant documentation, and facilitate reasonable access to systems and facilities to the extent necessary for such verification, provided that it does not disrupt service continuity or compromise security.

10. Final Provisions

This Agreement forms an integral part of the service relationship between the Customer and Deiser regarding the use of Projectrak Cloud. In case of conflict between this DPA and other contractual terms, the provisions of this Agreement shall prevail with respect to the processing of personal data. The Agreement shall be interpreted in accordance with the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation) and other applicable laws.