1. Introduction & Definitions
1.1 Parties to the Agreement
This Data Processing Agreement (“DPA”) is entered into by and between:
- Data Controller (“Controller” or “User’s Organization”): The business entity or organization that purchases, accesses, or uses the Application for business purposes, acting as the data controller.
- Data Processor (“Processor” or “Service Provider”): Łukasz Wiatrak Firnity, with its registered office at ul. Zamknięta 10, lok. 1.5, 30-554 Kraków, Poland. The Controller and the Processor are collectively referred to as the “Parties” and individually as a “Party.”
1.2 Purpose of the DPA
This DPA outlines the terms and conditions under which the Processor will process Personal Data on behalf of the Controller in connection with the use of the Application and related Services, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1.3 Definitions
For the purposes of this DPA, the following definitions shall apply:
- “Personal Data”: Any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the GDPR and in Section 2 of the Terms of Use.
- “Processing”: Any operation or set of operations performed on Personal Data, such as collection, storage, use, and transmission, as defined under Article 4(2) of the GDPR.
- “Sub-processor”: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Supervisory Authority”: An independent public authority established by an EU Member State responsible for monitoring compliance with the GDPR.
- “Application”: The Discord for Jira application, as defined in the Terms of Use.
- “Services”: The Application and any related services provided by the Processor, including support and feedback mechanisms.
- “Terms of Use”: The agreement between the Controller and the Processor governing the use of the Application.
1.4 Integration with Main Agreement
This DPA is an integral part of the Terms of Use between the Parties. In the event of any conflict between this DPA and the Terms of Use, the terms of this DPA shall prevail concerning data protection matters.
2. Subject Matter of the Agreement
2.1 Scope, Purpose, and Personal Data Processed
The Processor is authorized to process Personal Data on behalf of the Controller as necessary to provide and improve the Application and related Services in accordance with the Terms of Use. This includes, but is not limited to, the following processing activities:
- Jira Data:
  - User display names and avatars: Retrieved from the Controller’s Jira instance and used to facilitate integration with Discord.
  - Issue content: Including descriptions, comments, and attachments, processed as part of Jira issue and ticket management.
- Discord Data:
  - Messages, command values, and attachments: Submitted by Discord users and processed to facilitate communication and data exchange between Discord and Jira.
- Support and Feedback Data:
  - Names, email addresses, and communications: Provided voluntarily during support interactions or feedback submissions.
The purpose of processing Personal Data is to:
- Provide core functionalities of the Application, including the integration, communication, and task management features between Jira and Discord.
- Improve and maintain the Application to meet user needs, including customer support and future enhancements.
- Ensure operational security, performance, and compliance with legal obligations related to data protection and the Application’s use.
2.2 Data Subjects
- Jira users who interact with the Application.
- Discord users submitting messages, issues, or tickets through the Application.
- Individuals contacting the Processor for support or feedback.
2.3 Duration of Processing
The Processor will process Personal Data for the duration of the Controller’s use of the Application. Upon termination or at the Controller’s request, the Processor will delete or anonymize Personal Data as required under this DPA, the Privacy Policy, and applicable law.
3. Obligations of the Data Processor
3.1 Processing as Instructed
The Processor shall process Personal Data only on documented instructions from the Controller, as outlined in this DPA and the Terms of Use. By accepting these agreements, the Controller provides instruction to the Processor to process Personal Data for the purposes stated in Section 2.1 of this DPA, including delivering, maintaining, and improving the Application and Services, as well as fulfilling any legal or regulatory obligations.
3.2 Security Measures
The Processor shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures shall ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. Security measures include:
- Access Control: Restricting access to authorized personnel based on their roles and responsibilities.
- Data Encryption: Encrypting Personal Data during transmission and at rest to prevent unauthorized access.
- Secure Data Transmission: Utilizing industry-standard secure protocols for data transfers.
- Backup and Recovery: Regularly performing backups to prevent data loss and ensuring recovery mechanisms are in place.
3.3 Regular Security Reviews and Assessments
The Processor regularly evaluates and updates security measures to address emerging risks and ensure ongoing protection of Personal Data. This includes reviewing policies, procedures, and security controls to meet evolving data protection standards and ensure compliance with legal obligations.
3.4 Assistance with Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller in responding to requests from data subjects to exercise their rights under the GDPR, including:
- Access Requests: Assisting in providing data subjects with access to their Personal Data.
- Rectification and Erasure: Assisting in correcting or deleting Personal Data as requested by data subjects.
- Restriction of Processing: Assisting in implementing restrictions on the processing of Personal Data as required.
- Data Portability: Assisting in providing Personal Data in a structured, commonly used, and machine-readable format.
Assistance will be provided within reasonable efforts, taking into account available resources and technical feasibility.
3.5 Documentation and Audits
Upon request by the Controller, the Processor shall make available all relevant information necessary to demonstrate compliance with this DPA. The Processor shall also allow for and reasonably cooperate with audits, including inspections by the Controller or an auditor mandated by the Controller.
The Controller shall provide at least 90 days’ prior written notice of any audit or inspection and may conduct such audits no more than once per year, unless required by applicable law or in case of a suspected breach. The Controller shall make reasonable efforts to minimize disruption to the Processor’s business operations during the audit or inspection, and bear its own costs for conducting the audit.
Before being granted access to any documentation or conducting any audit, the Controller or its appointed auditor may be required to sign a non-disclosure agreement reasonably acceptable to the Processor.
4. Obligations of the Data Controller
4.1 Lawfulness of Processing
The Controller shall ensure that all Personal Data provided to the Processor has been collected and is processed in compliance with the GDPR and other applicable data protection laws. This includes:
- Obtaining Necessary Consents: Securing any required consents from data subjects for the processing of their Personal Data, especially when processing sensitive information.
- Providing Information to Data Subjects: Informing data subjects about how their Personal Data will be used, their rights under data protection laws, and any other information required by law.
4.2 Instructions to the Processor
The Controller is responsible for providing clear, documented instructions to the Processor regarding the processing of Personal Data, as specified in this DPA and the Terms of Use. The Controller warrants that all instructions are lawful and comply with applicable data protection laws. The Controller shall immediately inform the Processor if any instructions are amended or if the Controller believes an instruction infringes the GDPR or other applicable data protection provisions.
4.3 Accuracy and Data Minimization
The Controller shall ensure that the Personal Data provided to the Processor is accurate, complete, and up-to-date. The Controller will only provide Personal Data necessary for the Processor to perform the Services, adhering to the principle of data minimization.
4.4 Responding to Data Subject Requests
The Controller is responsible for managing and responding to requests from data subjects concerning their Personal Data under the GDPR. The Processor shall assist the Controller, to the extent possible and within the scope of the Application, in fulfilling these requests as outlined in Section 3.4.
4.5 Compliance with Third-Party Policies and Data Transfers
By accepting the Terms of Use and this DPA, the Controller acknowledges that the Application’s functionality may involve the transfer of Personal Data (such as user display names, messages, and content) to third-party platforms, including but not limited to Discord and Jira Cloud.
The Controller is responsible for ensuring that such transfers comply with applicable data protection laws and the policies and terms of those third-party platforms. This includes, but is not limited to:
- Ensuring Appropriate Safeguards: Implementing measures such as Standard Contractual Clauses or other approved mechanisms for international data transfers, if required.
- Informing Data Subjects: Notifying data subjects about the transfer of their Personal Data to these third-party platforms and the associated risks.
- Obtaining Necessary Consents: Securing any required consents from data subjects prior to transferring their Personal Data.
Once the data is transferred to third-party platforms, the Processor has no control over its further processing, and is not liable for any data handling, storage, or security practices by these platforms. The Controller assumes all responsibility for the compliance of such transfers and subsequent processing with the relevant legal and policy requirements of those platforms.
4.6 Indemnification
The Controller shall indemnify and hold harmless the Processor against any claims, damages, losses, liabilities, costs, and expenses arising from the Controller’s breach of its obligations under this DPA or applicable data protection laws.
5. Sub-processing
5.1 General Authorization
The Controller grants the Processor general authorization to engage sub-processors for the processing of Personal Data necessary to provide the Application and related Services under this DPA. The Processor shall ensure that all sub-processors comply with the obligations set out in this DPA and applicable data protection laws.
5.2 List of Sub-processors
The Processor maintains an up-to-date list of sub-processors, which is available here. This list includes the names and locations of all sub-processors engaged in processing Personal Data on behalf of the Controller.
5.3 Notification of Changes
The Processor shall update the list of sub-processors on the website to reflect any intended changes, such as the addition or replacement of sub-processors. The Controller may review the updated list, and if the Controller objects to a new sub-processor, they may discontinue the use of the Services. Continued use of the Services after the update constitutes acceptance of the new sub-processor.
5.4 Liability for Sub-processors
The Processor remains fully liable to the Controller for the performance of its sub-processors’ obligations to the extent that these obligations are within the Processor’s control. If a sub-processor fails to fulfill its data protection obligations, the Processor shall be responsible to the same extent as if it were performing those obligations directly, provided that such failure is not the result of third-party actions beyond the Processor’s reasonable control.
5.5 Obligations of Sub-processors
The Processor shall ensure that any sub-processor engaged to process Personal Data on behalf of the Controller is bound by data protection obligations consistent with those of the Processor under this DPA. This includes:
- Confidentiality: Ensuring that personnel authorized to process Personal Data are committed to confidentiality.
- Security Measures: Implementing appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Assistance: Assisting the Processor in fulfilling its obligations to the Controller under this DPA, including data breach notifications and handling data subject rights requests.
6. Data Breach Notification
6.1 Notification of Personal Data Breach
The Processor shall inform the Controller without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data breach affecting data processed on behalf of the Controller. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate possible adverse effects.
- The name and contact details of the Processor’s contact point for further information.
6.2 Cooperation
The Processor shall reasonably cooperate with the Controller and assist in investigating, mitigating, and remedying the Personal Data breach, as long as such cooperation is reasonable and proportionate based on the nature of the breach. This includes providing necessary information for the Controller to fulfill its obligations under the GDPR, such as notifications to supervisory authorities or affected data subjects.
6.3 Documentation
The Processor shall document all Personal Data breaches, including details of the breach, its effects, and remedial actions taken. This documentation shall be made available to the Controller upon request.
6.4 Communication with Third Parties
The Processor shall not communicate about the Personal Data breach with any third parties without informing the Controller, unless required by law. If communication is legally required, the Processor shall, where permitted, inform the Controller prior to making the disclosure.
7. Data Deletion and Retention
7.1 Data Retention
The Processor shall retain Personal Data only for as long as necessary to fulfill its obligations under the Terms of Use and this DPA, or as required by applicable law.
7.2 Deletion or Return of Personal Data
Upon termination of the Services, the Processor shall delete all Personal Data processed on behalf of the Controller, unless applicable law requires storage of the Personal Data.
7.3 Data in Backups
Personal Data stored in backups will be securely isolated and protected from further processing, except as required for security and auditing purposes. Such data will be deleted in accordance with the Processor’s data retention policies.
7.4 Legal Requirements
If the Processor is required by applicable law to retain some or all Personal Data, it shall notify the Controller of such legal requirements prior to retention, unless prohibited by law.
8. Final Provisions
8.1 Entire Agreement
This DPA, together with the Terms of Use, constitutes the entire agreement between the Controller and the Processor concerning data processing and supersedes any prior agreements on this subject matter.
8.2 Amendments
Any amendments to this DPA shall be made by updating the DPA as part of the Terms of Use. Continued use of the Services after any such update constitutes acceptance of the amended DPA.
8.3 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.