DPA | Data Processing Addendum
Data Processing Agreement (DPA) pursuant to Art. 28 (3) GDPR between the customer ("Controller") and lovebyte.codes GmbH, Osterbrooksweg 35-41, 22869 Schenefeld, Germany ("Processor") (collectively also "Parties").
§ 1 Subject of the agreement
The Processor shall provide the Controller with software solutions in accordance with the apps EULA or, if not stated specifically, this Main Agreement. In doing so, the Processor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the Main Agreement. The Controller is solely responsible for assessing the permissibility of the data processing in accordance with Art. 6 (1) GDPR.
The Parties conclude the present agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Agreement.
The provisions of this Agreement shall apply to all activities related to the Main Agreement in which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from or collected for the Controller or otherwise processed on the Controller's behalf.
The term of this Agreement shall be based on the term of the Main Agreement, unless the following provisions give rise to obligations or rights of termination going beyond this.
The provision of the contractually agreed data processing usually takes place in a member state of the European Union or another contracting state of the Agreement on the European Contractual Area (Decision 94/1/EC). If the Processor transfers Personal Data to subcontractors outside the EU or the EEA, they have previously agreed to comply with the standard data protection clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4.6.2021 and thus ensure an adequate level of data protection within the meaning of Art. 46 (2) lit. c GDPR.
To the extent that Provider Processes Customer Personal Data protected by Data Protection Laws in one of the regions listed in Annex 4 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
§ 2 Type of data processed
The personal data to which the Processor will have access in the course of the performance of the Main Agreement are set out in Annex 1.
§ 3 Controller’s right of instruction
The Processor may only collect, use or otherwise process data within the scope of the Main Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing.
The instructions of the Controller are initially defined by this Agreement and may thereafter be amended, supplemented or replaced by the Controller by individual written instructions. The authorized contact persons of each Party and the communication channel to be used are shown in Annex 2. Any changes shall be taken into account in a timely manner.
All instructions issued shall be documented by both the Controller and the Processor and shall be retained for the duration of their validity and subsequently for three additional full calendar years.
If the Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful.
§ 4 Basic obligations of the Processor
The Processor is obliged to observe the legal provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures (TOMs) to adequately protect the data of the Controller pursuant to Art. 32 GDPR. The Processor is entitled to adapt measures to technical and organizational developments, provided that they do not fall short of the agreed standards. The TOMs can be viewed here.
The Processor has appointed as contact person for data protection: Jana Winkelbauer, lovebyte.codes GmbH, Osterbrooksweg 35-41, 22869 Schenefeld, Germany. Contact: privacy@lovebyte.codes
The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this Agreement or the employment relationship between the Employee and the Processor. The obligations shall be proven to the Controller in an appropriate manner upon request.
§ 5 Information obligations of the Processor
In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security related incidents or other irregularities in the processing of personal data by the Processor, by persons employed by it within the scope of the contract or by third parties, the Processor shall inform the Controller in writing without undue delay. The same shall apply to audits of the Processor by the data protection supervisory authority. The notification of a personal data breach shall contain the following information as far as possible:
a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects, the categories affected, and the number of personal data records affected;
a description of the probable consequences of the injury; and
a description of the measures taken or proposed by the Processor to address the breach and, where applicable, measures to mitigate its potential adverse effects.
The Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subject(s), inform the Controller thereof and request further instructions from the Controller.
The Processor shall furthermore be obligated to provide the Controller with information at any time insofar as the Controller's data is affected by a violation pursuant to Paragraph 1.
If necessary, the Processor shall support the Controller in fulfilling the Controller's obligations pursuant to Art. 33 and 34 GDPR in an appropriate manner (Art. 28 (3) sentence 2 lit. f GDPR). Notifications for the Controller pursuant to Art. 33 or 34 GDPR may only be made by the Processor after prior instruction by the Controller pursuant to § 3 of this Agreement.
Should the Controller’s data at the Processor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller (Art. 4 No. 7 GDPR).
The Processor shall inform the Controller without undue delay of any significant changes to the security measures pursuant to § 4 para. 2 of this Agreement.
The Processor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 (2) GDPR. The directory shall be made available to the Controller upon request.
§ 6 Control rights of the Controller
The Processor shall demonstrate to the Controller compliance with the obligations set forth in this Agreement by appropriate means.
If, in individual cases, inspections by the Controller or an auditor commissioned by the Controller are necessary, they shall be carried out during normal business hours without disrupting operations. The Processor may make the inspection dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures set up. If the auditor commissioned by the Controller is in a competitive relationship with the Processor, the Processor shall have a right of objection against him.
In order to carry out the control, the Processor only needs to permit such a person who is under a special obligation to maintain confidentiality, in particular with regard to information about the Processor's operations, its equipment, the Processor's business secrets and security measures. If the control is not carried out by a person already known to the Processor, such person must prove his legitimation by the Controller in writing at least ten calendar days before the control is carried out.
The Controller shall document the inspection result and notify the Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular during the inspection of order results, he shall inform the Processor without undue delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Controller shall inform the Processor of the necessary procedural changes without undue delay.
§ 7 Use of Subprocessors
Within the scope of its contractual obligations, the Processor shall in principle be authorized to establish further subcontracting relationships with subprocessors ("Subprocessor Relationship"). The Processor shall carefully select subprocessors according to their suitability and reliability. The Processor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Controller can exercise its rights under this Agreement, in particular its audit and control rights. Upon request, the Processor shall provide the Controller with evidence of the conclusion of the aforementioned agreements with its subprocessors.
The subprocessors currently working for the Processor in accordance with Paragraph 1 are linked in Annex 3. The Processor will update the page and announce the new subprocessor at least 1 month before it is actively used. The Controller subscribe to the page mentioned in Annex 3 to get informed about any changes. The Controller may object within a reasonable period of time if an important reason under data protection law opposes the commissioning of the subprocessor.
If subprocessors in a third country are to be involved, this shall only be done under the conditions specified in § 1 para. 5 sentence 2.
A Subprocessor Relationship within the meaning of the above provisions does not exist if the Processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, security and cleaning services, as well as telecommunication services without any specific reference to services provided by the Processor to the Controller.
§ 8 Requests and rights of data subjects
The Processor shall support the Controller as far as possible with appropriate technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12 to 22 and Articles 32 and 36 GDPR.
If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Processor, the Processor shall forward the request to the Controller without undue delay, provided that an allocation to the Controller is possible according to the data subject. The Processor shall not be liable if the Data Subject's request is not answered, not answered correctly or not answered in a timely manner by the Controller.
§ 9 Liability
The Controller and Processor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR. The Processor shall coordinate any fulfillment of liability claims with the Controller.
The Processor shall indemnify the Controller against all claims asserted by data subjects against the Controller due to the breach of an obligation imposed on the Processor by the GDPR or this Agreement or due to the noncompliance or breach of a lawful instruction separately issued by the Controller.
The Processor does not have to indemnify the Controller if the data processing or measure giving rise to the Parties´ liability was carried out on the basis of instructions from the Controller. The same shall apply to measures that have been previously coordinated with the Controller. Coordination shall also be deemed to have taken place if a provision in this Agreement has been inserted at the request of the Controller.
The Parties shall indemnify each other against liability to the extent that a Party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. In all other respects, Art. 82(5) GDPR shall apply.
§ 10 Termination of the Main Agreement and this Agreement
This Agreement shall remain valid after a termination of the Main Agreement for as long as the Processor has personal data which have been forwarded to him by the Controller or which he has collected for the Controller.
The Processor shall return all documents, data and data carriers provided to it to the Controller after termination of the Main Agreement or at any time at the Controller's request or delete them at the Controller's request, unless there is an obligation to store the personal data under EU law or the law of the Federal Republic of Germany. The Processor shall provide documentary evidence of the proper deletion.
Upon termination of this Agreement, the Main Agreement shall also terminate, provided that it cannot be performed without the processing of personal data.
§ 11 Final provisions
Unless otherwise provided, declarations between the Parties shall be made in text form, whereby E mail shall suffice.
The Agreement shall be governed by and construed in accordance with German law.
Should one of the above provisions be or become invalid or should a provision that is necessary in itself not be included, this shall not affect the validity of the remaining provisions. The Parties shall endeavor to find a mutually agreeable provision in this case.
Annex 1 - Purpose, nature of processing and categories of data subjects
The below tables describe the nature of personal data and categories of data subjects of the Controller that can generally be processed as part of the Processor's service list.
In view of the nature of the service, the Controller acknowledges that the Processor can neither review nor maintain the below table. The Controller undertakes to notify the Processor of any changes to the table below (via the communication channel specified in Annex 2).
General processes
The following processes are available no matter which app or apps you use.
Process | Purpose of processing | Categories of processing |
Customer support | Help users from the Controller's organization to resolve usage problems or error situations and thus contribute to the value of the app for the Controller and improvement of the apps and documentation. | In customer support usage problems or error situations are reported by users from the Controller's organization via the mechanism described in Annex 2. In the course of the support process reporters might be asked to provide Confluence support zips including log files Templates used for exporting to different formats Page exports or space exports from Confluence JIRA support zips including log files Google Workspace log files Logs from the reporters browser console Data is provided through the support tool (Jira Service Management, see Annex 3), or in cases where the data provided is too large for that mechanism, we offer to use a data transfer service (Google Drive, see Annex 3). Reporters can choose to provide their own mechanism of data transfer. The received data is then analyzed manually or automatically for causes or indicators of reported usage problems or error situations. |
Error Tracking | For error tracking data is transferred from the end user's browser to an error reporting service, which allows analysis of errors without users having to actively report them. This is used to improve the quality of apps. | Data describing the error context, like operations invoked, the user interface element clicked, technical context like browser, operating system values are transferred to the error reporting service (Sentry and LogRocket, see Annex 3).
|
Usage Analysis | Data is transfered from the end user’s browser to an usage analysis/metrics service, which allows monitoring the usage of our apps and features. This is used to improve the quality of and implement new features. | Data describing the usage context, like specific page sections, button presses, technical context like browser and operating system. A token is generated to identify an unique user than can not be decrypted back to the actual user (Mixpanel, see Annex 3). |
Atlassian license distribution | The apps are only usable with valid licenses. Licenses; i.e. commercial, evaluation and community or academic licenses; are distributed through the Atlassian Marketplace | All data attached to a license under my.atlassian.com is transferred to the Processor. |
Google license distribution | When installing any app through the Google Workspace Marketplace, basic licensing information is distributed. | All data attached to this license is transferred to the Processor. |
Cloud
The following table describes the data processing of all apps of the Processor.
If not stated otherwise, the Processing is hosted on cloud (AWS, see Annex 3).
Annex 2 - Authorized persons, entitled persons, communication channel
Authorized persons under this Agreements are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).
Instructions are to be transmitted by the following communication channel:
E-Mail to support@lovebyte.codes or request via service desk.
Annex 3 - Sub-processors
If not stated otherwise, these are the general subprocessors used by lovebyte.codes:
Amazon Web Services | Web hosting
Cloud service, infrastructure, uses contact details.Google | Customer communication
General communication (mail, chat, web conferences), file storage, uses contact details.Atlassian Jira | Support, Project Management
Support management, uses contact details.Mixpanel | Usage Analysis
Tracks usage of app, contact details are anonymized.LogRocket | Debugging
Debugging our products remotely, contact details are anonymized.Sentry | Error Logging
Cloud service for logging application errors, contact details are anonymized.Hubspot | Newsletters
Marketing, uses contact details after opt-in.
Annex 4 - Region-Specific Terms
A. CALIFORNIA
Definitions. CCPA and other capitalized terms not defined in this Annex are defined in the DPA.
“business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.
The definition of “Data Subject” includes “consumer” as defined under the CCPA.
The definition of “Controller” includes “business” as defined under the CCPA.
The definition of “Processor” includes “service provider” as defined under the CCPA.
Obligations.
Customer is providing the Customer Personal Data to Provider under the Agreement for the limited and specific business purposes of providing the Cloud Service as described in Annex 1 ( Purpose, nature of processing and categories of data subjects) to this DPA and otherwise performing under the Agreement.
Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.
Provider acknowledges that Customer has the right to:
take reasonable and appropriate steps under Section 5 (Audits) of this DPA to help to ensure that Provider’s use of Customer Personal Data is consistent with Customer’s obligations under the CCPA,
receive from Provider notice and assistance under Section 8 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA and
upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
Provider will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.
Provider will not retain, use or disclose Customer Personal Data:
for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4 or
outside of the direct business relationship between Provider with Customer, except, in either case, where and to the extent permitted by the CCPA.
Provider will not sell or share Customer Personal Data received under the Agreement.
Provider will not combine Customer Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA.