Data Processing Agreement
0. Acceptance & relationship to the EULA
This Data Processing Agreement ("DPA") forms part of, and is governed by, the EULA between the Customer ("you", "Controller") and EvidencePack ("we", "our", "Processor") covering use of the EvidencePack Atlassian Marketplace app ("App"). By installing or continuing to use the App, the Controller accepts this DPA. Where this DPA conflicts with the EULA on a data-protection matter, this DPA governs.
1. Roles of the parties
For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR:
- The Customer is the Controller of any personal data inside the Jira issues and Confluence pages it explicitly maps to a control via JQL or CQL queries within the App.
- EvidencePack is the Processor, acting only on the Controller's documented instructions (configured through the App).
- Atlassian is a Sub-processor, providing the underlying Forge runtime, key-value storage, and Atlassian-product APIs that the App calls.
For the purposes of the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), where applicable, EvidencePack acts as a "service provider" to the Customer. We do not "sell" or "share" personal information (as those terms are defined in CCPA/CPRA) under any circumstances.
2. Subject matter, nature, purpose & duration
| Subject matter | Provision of the EvidencePack app: collecting metadata about Jira issues and Confluence pages that the Controller explicitly maps to compliance controls, and presenting that metadata to the Controller's authorised users. |
|---|---|
| Nature of processing | Read access to Atlassian product APIs (JQL search, CQL search, page/issue metadata), in-memory normalisation, persisted summary records in Atlassian Forge KVS, and rendering inside the Atlassian Forge UI. |
| Purpose | To enable the Controller to discover, organise, and export audit evidence supporting frameworks such as SOC 2 and ISO 27001. |
| Duration | For as long as the App remains installed on the Controller's Atlassian site, plus the short, automatic wind-down period during which the Atlassian platform retains the App's storage after uninstall (see Section 9). |
3. Categories of personal data and data subjects
The App processes only the limited personal data that the Atlassian product APIs return as part of issue or page metadata:
- Categories of personal data: Atlassian account identifiers (`accountId`); display names of users acting as Jira reporters or assignees, or as Confluence authors or last-updaters; timestamps of activity (created/updated). The App does not process email addresses, IP addresses, profile pictures, geolocation, passwords, tokens, payment data, or any "special category" personal data within the meaning of GDPR Article 9.
- Categories of data subjects: employees and contractors of the Controller (or of the Controller's affiliates) who are users of the Controller's Atlassian Cloud sites.
The App does not process Jira issue descriptions or comments, Confluence page bodies or comments, attachments, work logs, or other free-text content from those issues and pages. The App references such content only by hyperlink (the issue or page URL) so the Controller's authorised users can navigate back to it within Atlassian.
4. Processor obligations (GDPR Article 28)
EvidencePack shall:
- Process personal data only on the Controller's documented instructions. The Controller's instructions are expressed through the App's configuration (selected frameworks, JQL/CQL source mappings, control notes, scheduled-collection toggle, etc.).
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organisational measures (see Section 7).
- Engage Sub-processors only as permitted by Section 6.
- Taking into account the nature of the processing, assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to us.
- At the choice of the Controller, delete or return all personal data after the end of the provision of services relating to processing, and delete existing copies unless retention is required by Union or Member State law (see Section 9).
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (see Section 8).
5. International transfers
EvidencePack itself performs no international transfers of personal data. The App runs inside the Atlassian Forge runtime; data never leaves the Atlassian platform, and we operate no infrastructure outside of Atlassian. Region pinning of stored data is controlled by Atlassian's data-residency configuration on the Controller's Atlassian site.
To the extent the underlying Atlassian platform involves cross-border transfers (e.g. from EEA to a non-adequacy jurisdiction), those transfers are governed by Atlassian's own data-processing addendum and Standard Contractual Clauses, which the Controller accepted when subscribing to Atlassian Cloud. EvidencePack does not introduce any additional transfer mechanism.
6. Sub-processors
The Controller authorises EvidencePack to engage the following Sub-processor:
| Sub-processor | Service | Location |
|---|---|---|
| Atlassian Pty Ltd and affiliates | Forge runtime, key-value storage, and Atlassian product APIs (Jira and Confluence). EvidencePack runs inside this runtime and stores all configuration and run data in Forge KVS. | Per the Controller's Atlassian Cloud data-residency setting. |
EvidencePack will notify the Controller of any intended changes concerning the addition or replacement of Sub-processors via release notes for a new app version on the Atlassian Marketplace, giving the Controller the opportunity to object before the change takes effect. As at the date of this DPA, EvidencePack engages no Sub-processor other than Atlassian.
7. Technical and organisational measures
The App inherits the security posture of the Atlassian Forge platform. Specifically:
- Encryption. Personal data is encrypted at rest (AES-256) and in transit (TLS) by the Forge platform; EvidencePack stores nothing outside the platform.
- Region pinning. Personal data resides in the same region as the Controller's Atlassian site, per Atlassian's data-residency feature.
- Least-privilege scopes. The App's manifest declares only the five minimum permission scopes necessary for its operation (`read:jira-work`, `write:jira-work`, `read:confluence-content.summary`, `search:confluence`, `storage:app`). The App makes no external network calls; it declares zero `external.fetch` permissions, which the Forge runtime enforces.
- Metadata-only processing. The App stores summary records — issue keys, page titles, URLs, accountIds, display names, and timestamps — never the underlying issue or page content.
- Bounded retention. The App retains at most the 25 most recent evidence runs and the 200 most recent audit log entries per installation; older records are auto-pruned in code.
- Personal Data Reporting API. The App subscribes to Atlassian's `avi:lifecycle:user:anonymized` and `avi:lifecycle:user:deleted` lifecycle events. On any such event, the App's lifecycle handler scrubs the affected user's `accountId` and display name from all stored audit log entries and evidence run records (see Section 11).
- No third-party services. The App makes no calls to large language models, machine-learning APIs, analytics providers, error-reporting services, or any other third party. Personal data is never transmitted to anyone outside Atlassian.
- Source-code custody. EvidencePack's source code is held by a limited set of authorised maintainers under standard access controls. Production deployments are gated by version control and Atlassian Marketplace approval.
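As an added illustration of the scrub and bounded-retention measures listed above (this is example code written for this page, not EvidencePack's own code; the record shapes, field names, the `[redacted]` placeholder and the helper names are all assumptions), the following pure functions show what a lifecycle handler has to do to every persisted record when an `avi:lifecycle:user:*` event arrives, and how a count-based retention bound is applied. The functions take and return plain objects, so the Forge trigger wiring and the KVS read/write around them are left to the app:

```javascript
// Added example (not EvidencePack code). Pure helpers a Forge lifecycle
// trigger could call with the records it loads from Forge KVS.
const MAX_RUNS = 25;           // retention bounds stated in Section 7
const MAX_AUDIT_ENTRIES = 200;

const REDACTED_TEXT = "[redacted]";
const REDACTED_IDENTITY = { accountId: REDACTED_TEXT, displayName: REDACTED_TEXT };

// Constructed sample state, shaped as an app of this kind might persist it.
// Note the denormalised `lastUpdatedBy` string on the page item: a display
// name stored outside an identity object is the easy case to miss.
const sampleState = {
  runs: [
    { runId: "run-1", collectedAt: "2024-03-01T10:00:00Z", items: [
      { issueKey: "SEC-12", url: "https://example.atlassian.net/browse/SEC-12",
        assignee: { accountId: "5b10a2844c20165700ede21g", displayName: "Alex Doe" } },
      { issueKey: "SEC-13", url: "https://example.atlassian.net/browse/SEC-13",
        assignee: { accountId: "557058:aaaa-bbbb", displayName: "Sam Roe" } },
      { pageId: "98765", title: "Access review Q1", lastUpdatedBy: "Alex Doe",
        author: { accountId: "557058:aaaa-bbbb", displayName: "Sam Roe" } },
    ] },
  ],
  auditLog: [
    { at: "2024-03-01T10:00:01Z", action: "export",
      actor: { accountId: "5b10a2844c20165700ede21g", displayName: "Alex Doe" } },
    { at: "2024-03-01T10:00:02Z", action: "reset",
      actor: { accountId: "557058:aaaa-bbbb", displayName: "Sam Roe" } },
  ],
};

// Pass 1: learn every display name the stored records associate with the
// accountId, so denormalised copies of the name can be found in pass 2.
function collectDisplayNames(value, accountId, names = new Set()) {
  if (Array.isArray(value)) {
    value.forEach((v) => collectDisplayNames(v, accountId, names));
  } else if (value && typeof value === "object") {
    if (value.accountId === accountId && typeof value.displayName === "string") {
      names.add(value.displayName);
    }
    Object.values(value).forEach((v) => collectDisplayNames(v, accountId, names));
  }
  return names;
}

// Pass 2: replace identity objects for the account, and any bare string equal
// to the accountId or one of its display names. Exact-match only: the App
// stores no free text (Section 3), so substring redaction is not needed.
function scrubAccount(value, accountId, names) {
  if (Array.isArray(value)) return value.map((v) => scrubAccount(v, accountId, names));
  if (value && typeof value === "object") {
    if (value.accountId === accountId) return { ...REDACTED_IDENTITY };
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubAccount(v, accountId, names);
    return out;
  }
  if (typeof value === "string" && (value === accountId || names.has(value))) return REDACTED_TEXT;
  return value;
}

// Handler body for the anonymized/deleted events; the event is assumed to
// carry the affected account as `event.accountId`.
function handleUserLifecycle(state, event) {
  const names = collectDisplayNames(state, event.accountId);
  return {
    ...state,
    runs: scrubAccount(state.runs, event.accountId, names),
    auditLog: scrubAccount(state.auditLog, event.accountId, names),
  };
}

// Count-based retention: keep the newest N by timestamp, drop the rest.
function pruneRetention(state) {
  const newestFirst = (f) => (a, b) => (a[f] < b[f] ? 1 : a[f] > b[f] ? -1 : 0);
  return {
    ...state,
    runs: [...state.runs].sort(newestFirst("collectedAt")).slice(0, MAX_RUNS),
    auditLog: [...state.auditLog].sort(newestFirst("at")).slice(0, MAX_AUDIT_ENTRIES),
  };
}

// Verification check a handler can run before writing back to KVS.
function stillReferences(state, accountId, names) {
  const text = JSON.stringify(state);
  return text.includes(accountId) || [...names].some((n) => text.includes(n));
}

const scrubbed = handleUserLifecycle(sampleState, { accountId: "5b10a2844c20165700ede21g" });
console.log(stillReferences(scrubbed, "5b10a2844c20165700ede21g", new Set(["Alex Doe"]))); // false
```

The two-pass design matters because a display name persisted as a plain string (the `lastUpdatedBy` field above) carries no `accountId` to match on; collecting the names first lets the second pass catch it. The `stillReferences` check is the kind of post-condition worth asserting before the scrubbed state is written back.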
8. Audits and demonstrations of compliance
EvidencePack will, on reasonable written request from the Controller and no more than once in any twelve-month period, provide responses to a standard security questionnaire (such as CAIQ Lite) and a description of its technical and organisational measures sufficient for the Controller to verify compliance with Article 28(3)(h) GDPR. On-site or third-party audits are not standard for a Forge-native app of EvidencePack's footprint and will be considered only where required by mandatory law; such audits, if agreed, will be at the Controller's cost, scheduled no less than thirty (30) days in advance, and subject to reasonable confidentiality and scope agreements.
9. Return or deletion of personal data on termination
On termination of the EULA, or earlier on the Controller's documented instruction, EvidencePack will delete or return all personal data held by the App. In practice, uninstalling the App triggers Atlassian's automatic data-deletion of the App's Forge KVS namespace on the Controller's site; no manual action by EvidencePack is required. Additionally, the Controller may at any time clear all stored data on demand via Settings → Danger zone → Reset all data.
EvidencePack does not retain any backup copies of Controller personal data outside Atlassian Forge KVS.
10. Personal data breaches
EvidencePack will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Controller data processed under this DPA. Notification will be sent to the partner-of-record email address that the Controller's Atlassian site administrator provided on installation, or to the Controller's nominated contact, and will include — to the extent then known — the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.
Because the App runs entirely inside the Atlassian Forge platform and makes no external calls, the most likely vector for a personal data incident is a flaw in the App's code (e.g. an audit log that retained personal data beyond its intended scope). EvidencePack continually reviews its codebase and dependencies for such issues.
11. Data subject requests
The Controller is responsible for responding to requests from data subjects to exercise their rights under GDPR Articles 12–22 (and equivalent rights under other applicable laws). The App provides the Controller with the tools needed to comply with such requests:
- Right of erasure / right to be forgotten: Atlassian's user-anonymization or user-deletion lifecycle events, when received, automatically trigger the App's scrub handler, clearing the user's `accountId` and display name from every stored record. The Controller can also reset all App data via Settings → Danger zone.
- Right of access: The Controller's site administrator can export the full App configuration and run history as JSON via Settings → Backup & restore → Export full config.
- Right to rectification: The Controller's site administrator can edit any stored data in-app (source mappings, control notes, custom controls).
If the Controller requires EvidencePack's assistance to respond to a specific data subject request, the Controller may contact us at [email protected].
12. Confidentiality
EvidencePack treats all personal data processed under this DPA as confidential. Personnel with access to personal data are bound by written confidentiality obligations and are granted access only to the extent strictly necessary to operate, maintain, or support the App.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the EULA. Nothing in this DPA limits any liability that cannot be limited under applicable law (including liability for fraud or gross negligence).
14. Governing law and jurisdiction
This DPA is governed by the same law and subject to the same jurisdiction as the EULA. Where the EULA designates a jurisdiction within the EEA, this DPA is enforceable directly under that jurisdiction's implementation of the GDPR.
15. Changes
EvidencePack may update this DPA from time to time. Changes that materially reduce the Controller's data-protection rights will be announced in the App's Marketplace release notes, and the Controller may object by uninstalling the App, which is the Controller's remedy and termination right for such changes.
16. Contact
Data-protection enquiries, data subject requests forwarded by the Controller, and breach communications: [email protected].