DATA PROCESSING AGREEMENT
(hereinafter: “DPA”)
1. Introduction & Definitions
1.1. DPA and its purpose
The DPA is an agreement pursuant to which an entity purchasing Application or otherwise accessing Application in accordance with Terms Of Use (as defined in Section 1.2.1. below), entrusts Personal Data for Processing to Łukasz Wiatrak (described in Section 1.2.2. below) who is the creator of Application.
In its relationship with Łukasz Wiatrak, using Application, the entity referred to in Section 1.2.1. below is Personal Data Controller within the meaning of GDPR, and Łukasz Wiatrak is Processor within the meaning of GDPR. The conclusion of a DPA is necessary in order for the creator of Application to be able to legally Process Personal Data (on the basis described in Article 28 of GDPR) of the entities using Application and those Processed by them, in particular their employees, customers and the like.
1.2. Parties of DPA
1.2.1. Any business entity or organization that purchases, accesses, or uses Application for business purposes, acting as the data controller, who is a Data Controller with the meaning of GDPR;
1.2.2. Łukasz Wiatrak, doing business as “Łukasz Wiatrak Firnity” (the “Service Provider”) with its registered seat in Kraków (address: registered office at ul. Zamknięta 10, loc. 1.5, 30‑554 Kraków, Poland), having Tax Identification Number (NIP): 5130127144 and Statistical Number (REGON): 520124248, who is a Data Processor with the meaning of GDPR.
Controller and Processor are collectively referred to as the “Parties” and individually as a “Party.”
1.3. Definitions
1.3.1. Application: “Discord for Jira” application, a cloud‑based software solution developed by Service Provider to enable integration between Atlassian’s Jira Cloud software and Discord platform, described in Section 2 of Terms of Use.
1.3.2. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3.3. Personal Data: Any information relating to an identified or identifiable natural person, as defined under Article 4(1) of GDPR and in Section 1 of Terms of Use.
1.3.4. Controller: the data controller of personal data meaning of Article 4 (7) of GDPR (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of personal data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law) – in DPA it is the business entity defined in Section 1.2.1. above.
1.3.5. Processor: the processor with the meaning of Article 4 (8) of GDPR (a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of Controller) – in DPA it is Łukasz Wiatrak Firnity (described in Section 1.2.2.).
1.3.6. Processing: any operation or set of operations performed on Personal Data, such as collection, storage, use, and transmission, as defined under Article 4(2) of GDPR.
1.3.7. Sub‑Processor: any third party engaged by Processor to Process Personal Data on behalf of Controller with the approval of Controller.
1.3.8. Supervisory Authority: an independent public authority established by an EU Member State responsible for monitoring compliance with GDPR.
1.3.9. Services: Application and any related services provided by Processor, including support and feedback mechanisms.
1.3.10. Terms of Use: the document that describes provisions of agreement between Controller and Processor governing the use of the Application available here.
1.3.11. Privacy Policy: the document that outlines how Processor collects, processes, uses, and protects Personal Data when User interacts with Application and uses Services, available here.
1.4. Integration with other documents
The DPA is an integral part of Agreement entered into between Parties for Controller’s use of Application. The other documents that make up the legal relationship between Parties are: Terms of Use, Privacy Policy and other documents to which they refer. In the event of a conflict between DPA and Terms of Use and Privacy Policy, DPA and Privacy Policy prevail with regard to the data protection provisions.
Capitalized terms in DPA have the meanings given to them in DPA or Terms of Use. In case of inconsistency, the meaning given to them in DPA prevails.
2. Subject of DPA
2.1. Authorization to entrust data to Sub‑processors
Pursuant to DPA, Controller entrusts to Processor for Processing Personal Data of Jira users who interact with Application of his authorization, Discord users submitting messages, issues, or tickets through Application, individuals contacting Processor for support or feedback and any other persons to whom he grants access to Application, in particular its employees and associates on any legal basis, who use Jira, Discord or use Services.
2.2. Purpose of Processing
Processor is entitled to Process the entrusted Personal Data only during the time that Controller uses Application in accordance with Terms of Use for the purposes described in Terms of Use, and in particular to enable the proper use of Application, provide access to Services and develop Application, in particular to:
2.2.1. Provide core functionalities of Application, including the integration, communication, and task management features between Jira and Discord;
2.2.2. Improve and maintain Application to meet user needs, including customer support and future enhancements;
2.2.3. Ensure operational security, performance, and compliance with legal obligations related to data protection and Application’s use.
2.3. Methods of Processing
Processing of Personal Data will be carried out mainly by the use of IT systems, but Processor is entitled to execute it in paper form if necessary.
2.4. The scope of Processing
Processing of Personal Data will include recording, organizing, structuring, storing, retrieving and consulting Personal Data.
2.5. The scope of Personal Data entrusted for Processing includes
2.5.1. Jira data
- User account IDs, display names and avatars: retrieved from Controller’s Jira instance and used to facilitate integration with Discord.
- Issue content: including descriptions, comments, attachments and other issue field values, Processed as part of Jira issue and ticket management.
2.5.2. Discord data
- Messages, command values, user IDs, user names and attachments: submitted by Discord users and Processed to facilitate communication and data exchange between Discord and Jira.
2.5.3. Support and Feedback data
- Names, email addresses, and communications: provided voluntarily during support interactions or feedback submissions.
2.6. Data Processing period and further proceeding
Processor will Process Personal Data for the duration of Controller’s use of Application, for as long as necessary to fulfil its obligations under Terms of Use and this DPA, or as required by applicable law. Upon termination or at Controller’s request, Processor will delete or anonymize Personal Data as required under this DPA, Privacy Policy, and applicable law, unless applicable law requires storage of Personal Data.
3. Declarations and Obligations of Processor
3.1. Technical and organisational measures of Processor
Processor declares that it provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that Processing of Personal Data entrusted under Agreement complies with the requirements of GDPR and protects the rights of data subjects.
3.2. Controller’s instructions
The Processor Processes Personal Data only on documented instructions from Controller, as outlined in this DPA and Terms of Use, if Controller decides to provide them. By accepting these agreements, Controller provides instruction to Processor to Process Personal Data for the purposes stated in Section 2 of DPA, including delivering, maintaining, and improving Application and Services, as well as fulfilling any legal or regulatory obligations.
3.3. General declarations and obligations
Processor agrees to Process Personal Data entrusted to it in accordance with DPA, Terms of Use and the law, including GDPR, and in particular Processor:
3.3.1. Processes Personal Data only on documented instructions from Controller— including with regard to transfers of Personal Data to a third country or an international organisation— unless required to do so by Union or Member State law to which Processor is subject; in such a case, Processor informs Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
3.3.2. Ensures that persons authorised to Process Personal Data are adequately trained in protection of Personal Data and that such persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.3.3. Takes all measures required pursuant to Article 32 GDPR;
3.3.4. Without the knowledge and consent of Controller, does not transfer Personal Data to countries outside the European Economic Area (i.e. other than European Union countries and Iceland, Norway and Liechtenstein);
3.3.5. Ensures that the implemented measures for the protection of Personal Data are regularly tested, measured and evaluated;
3.3.6. Taking into account the nature of the Processing, assists Controller— by appropriate technical and organisational measures— for the fulfilment of Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of GDPR;
3.3.7. Taking into account the nature of Processing and the available information, assists Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR;
3.3.8. After the end of the provision of services relating to Processing, at the choice of Controller, deletes or returns all Personal Data to Controller and deletes existing copies unless a generally applicable law dictates that all or some of Personal Data must be stored by Processor;
3.3.9. Makes available to Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR and allows for and contributes to audits, including inspections, conducted by Controller or another auditor mandated by Controller;
3.3.10. Documents all Personal Data breaches, including details of the breach, its effects, and remedial actions taken. This documentation shall be made available to Controller upon request;
3.3.11. Cooperates with Controller for the proper Processing of Personal Data, in particular to communicate with Supervisory Authorities;
3.3.12. Does not disclose any provisions of DPA or Personal Data, unless Processor is obligated to do so by applicable law or authorised Supervisory Authority;
3.3.13. Notifies Controller, once Processing of Personal Data under DPA has been completed, of any legal requirement to retain some or all Personal Data, unless prohibited by law.
3.4. Notification of Personal Data breach
In the case of a Personal Data breach, Processor, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notifies the breach to Controller, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to Controller is not made within 72 hours, it will be accompanied by reasons for the delay. The notification includes information required by Article 33(3) GDPR.
Processor reasonably cooperates with Controller and assists in investigating, mitigating, and remedying the Personal Data breach, as long as such cooperation is reasonable and proportionate based on the nature of the breach. This includes providing necessary information for Controller to fulfil its obligations under GDPR, such as notifications to Supervisory Authorities or affected data subjects.
4. Declarations and Obligations of Controller
4.1. Lawfulness of Processing
The Controller shall ensure that all Personal Data provided to Processor has been collected and is Processed in compliance with GDPR and other applicable data protection laws. This includes:
4.1.1. Obtaining Necessary Consents: securing any required consents from data subjects for Processing of their Personal Data, especially when Processing sensitive information;
4.1.2. Providing Information to Data Subjects: informing data subjects about how their Personal Data will be used, their rights under data protection laws, and any other information required by law and determining the purposes and means of Processing Personal Data within their use of Application.
4.2. Instructions to Processor
The Controller is responsible for providing clear, documented instructions to Processor regarding Processing of Personal Data, as specified in this DPA and Terms of Use. Controller warrants that all instructions are lawful and comply with applicable data protection laws. Controller immediately informs Processor if any instructions are amended or if Controller believes an instruction infringes GDPR or other applicable data protection provisions.
The Controller may omit to provide additional instructions. Then Processor, while Processing, fully follows DPA, Privacy Policy, Terms of Use and applicable law, especially GDPR.
4.3. Accuracy and Data Minimization
The Controller ensures that Personal Data provided to Processor is accurate, complete, and up‑to‑date. Controller will only provide Personal Data necessary for Processor to perform Services, adhering to the principle of data minimization.
4.4. Responding to Data Subject Requests
The Controller is responsible for managing and responding to requests from data subjects concerning their Personal Data under GDPR. Processor assists Controller, to the extent possible and within the scope of Application.
4.5. Compliance with Third‑Party Policies and Data Transfers
The Controller declares that, by accepting Terms of Use and this DPA, he acknowledges that Application’s functionality and provision of Services may involve the transfer of Personal Data (such as user display names, messages, and content) to third‑party platforms, including but not limited to Discord and Jira Cloud. Controller is responsible for ensuring that such transfers comply with applicable data protection laws and the policies and terms of those third‑party platforms.
Once the data is transferred to third‑party platforms, Processor has no control over its further Processing, and is not liable for any data handling, storage, or security practices by these platforms. Controller assumes all responsibility for the compliance of such transfers and subsequent Processing with the relevant legal and policy requirements of those platforms.
4.6. Indemnification
The Controller shall indemnify and hold harmless Processor against any claims, damages, losses, liabilities, costs, and expenses arising from Controller’s breach of its obligations under this DPA or applicable data protection laws.
5. Sub‑Processing
5.1. Authorization to entrust data to Sub‑processors
The Controller gives Processor a general authorization to engage third parties (Sub‑Processors) for Processing of Personal Data.
5.2. The scope of Processing by Sub‑processors
Processing by Sub‑Processors may be performed in order to provide Application and related Services under DPA and Terms of Use, in particular to enable users of Application to contact Processor, exchange messages and fully use the functionality of Application through the exchange of data between Jira and Discord. Personal Data will be provided to Sub‑Processors only to the extent necessary to ensure the ability to use the full functionality of Application and to provide other Services (in particular, support) described in Section 2.2 of DPA.
5.3. List of Sub‑processors
The Processor is entitled to entrust Personal Data for Processing to parties listed in the sub‑page “Sub‑Processors” available here.
5.4. Declarations and Obligations of Processor
Processor:
5.4.1. Informs Controller of any intended changes concerning the addition or replacement of other Sub‑Processors, thereby giving Controller the opportunity to object to such changes;
5.4.2. Ensures that all Sub‑Processors comply with the obligations set out in this DPA and applicable data protection laws, in particular that they provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of DPA and GDPR;
5.4.3. Entrusts Sub‑Processors only with data to the necessary and justified extent under Section 2 of DPA.
5.5. Objection to changes of Sub‑processors
The Controller is entitled to object to changes of Sub‑Processors by discontinuing use of Application. Continued use of Application by Controller after 14 days of the notice of changes to Sub‑Processors shall be deemed as consent to the changes made.
5.6. Liability
The Processor remains fully liable to Controller for the performance of its Sub‑Processors’ obligations to the extent that these obligations are within Processor’s control. If a Sub‑Processor fails to fulfil its data protection obligations, Processor will be responsible to the same extent as if it were performing those obligations directly, provided that such failure is not the result of third‑party actions beyond Processor’s reasonable control.
6. Final Provisions
6.1. Complete agreement
This DPA, together with Terms of Use, Privacy Policy and other annexes (like the list of Sub‑processors) constitutes the entire agreement between Controller and Processor concerning data Processing and supersedes any prior agreements on this subject matter.
6.2. Governing law
DPA is governed by the laws of Poland.
6.3. Dispute resolution, general court jurisdiction and territorial jurisdiction of the court
The Parties shall make an effort to settle any disputes arising during the term of and in relation with DPA in an amicable manner.
In the event of failure to resolve a dispute as defined above, the court of jurisdiction will be a court in Poland, having territorial jurisdiction over the place marked by the address of Processor.
6.4. Change of DPA
Any amendments to this DPA shall be made by updating DPA in accordance with the provisions of the Terms of Use. Failure to cancel the Services in accordance with the provisions of the Terms of Use within 14 days after the notice referred to above is deemed acceptance of the changes by Controller.
6.5. Application of law
To the extent not regulated by DPA, the regulations of Polish law and relevant regulations of international law, in particular GDPR, apply.
