Data Processing Addendum

Effective starting: January 15th, 2024 (view previous version)

Data Processing Agreement (DPA) pursuant to Art. 28 (3) GDPR between the customer ("Controller") and K15t GmbH, OstendstraĂźe 110, 70188 Stuttgart, Germany ("Processor") (collectively also "Parties").

§ 1 Subject of the agreement

(1) The Processor shall provide the Controller with software solutions in accordance with the Main Agreement. In doing so, the Processor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the Main Agreement. The Controller is solely responsible for assessing the permissibility of the data processing in accordance with Art. 6 (1) GDPR.

(2) The Parties conclude the present agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Agreement.

(3) The provisions of this Agreement shall apply to all activities related to the Main Agreement in which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from or collected for the Controller or otherwise processed on the Controller's behalf.

(4) The term of this Agreement shall be based on the term of the Main Agreement, unless the following provisions give rise to obligations or rights of termination going beyond this.

(5) The provision of the contractually agreed data processing usually takes place in a member state of the European Union or another contracting state of the Agreement on the European Contractual Area (Decision 94/1/EC). If the Processor transfers Personal Data to subcontractors outside the EU or the EEA, they have previously agreed to comply with the standard data protection clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4.6.2021 and thus ensure an adequate level of data protection within the meaning of Art. 46 (2) lit. c GDPR.

§ 2 Type of data processed

The personal data to which the Processor will have access in the course of the performance of the Main Agreement are set out in Annex 1.

§ 3 Controller’s right of instruction

(1) The Processor may only collect, use or otherwise process data within the scope of the Main Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing.

(2) The instructions of the Controller are initially defined by this Agreement and may thereafter be amended, supplemented or replaced by the Controller by individual written instructions. The authorized contact persons of each Party and the communication channel to be used are shown in Annex 2. Any changes shall be taken into account in a timely manner.

(3) All instructions issued shall be documented by both the Controller and the Processor and shall be retained for the duration of their validity and subsequently for three additional full calendar years.

(4) If the Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful.

§ 4 Basic obligations of the Processor

(1) The Processor is obliged to observe the legal provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

(2) The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures (TOMs) to adequately protect the data of the Controller pursuant to Art. 32 GDPR. The Processor is entitled to adapt measures to technical and organizational developments, provided that they do not fall short of the agreed standards. The TOMs can be viewed here.

(3) According to Art. 37 GDPR the processor has designated a Data Protection Officer: DDSK GmbH, Dr.-Klein-StraĂźe 29, 88069 Tettnang, Germany; e-mail: datenschutzbeauftragter@k15t.com.

(4) The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this Agreement or the employment relationship between the Employee and the Processor. The obligations shall be proven to the Controller in an appropriate manner upon request.

§ 5 Information obligations of the Processor

(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security related incidents or other irregularities in the processing of personal data by the Processor, by persons employed by it within the scope of the contract or by third parties, the Processor shall inform the Controller in writing without undue delay. The same shall apply to audits of the Processor by the data protection supervisory authority. The notification of a personal data breach shall contain the following information as far as possible:

(a) a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects, the categories affected, and the number of personal data records affected;

(b) a description of the probable consequences of the injury; and

(c) a description of the measures taken or proposed by the Processor to address the breach and, where applicable, measures to mitigate its potential adverse effects.

(2) The Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subject(s), inform the Controller thereof and request further instructions from the Controller.

(3) The Processor shall furthermore be obligated to provide the Controller with information at any time insofar as the Controller's data is affected by a violation pursuant to Paragraph 1.

(4) If necessary, the Processor shall support the Controller in fulfilling the Controller's obligations pursuant to Art. 33 and 34 GDPR in an appropriate manner (Art. 28 (3) sentence 2 lit. f GDPR). Notifications for the Controller pursuant to Art. 33 or 34 GDPR may only be made by the Processor after prior instruction by the Controller pursuant to § 3 of this Agreement.

(5) Should the Controller’s data at the Processor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller (Art. 4 No. 7 GDPR).

(6) The Processor shall inform the Controller without undue delay of any significant changes to the security measures pursuant to § 4 para. 2 of this Agreement.

(7) The Processor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 (2) GDPR. The directory shall be made available to the Controller upon request.

(8) The processor shall cooperate to an appropriate extent in the preparation of the list of procedures by the controller and in the preparation of a data protection impact assessment pursuant to Art. 35 GDPR and, if applicable, in the prior consultation of the supervisory authorities pursuant to Art. 36 GDPR. It must provide the controller with the necessary information in an appropriate manner.

§ 6 Control rights of the Controller

(1) The Processor shall demonstrate to the Controller compliance with the obligations set forth in this Agreement by appropriate means.

(2) If, in individual cases, inspections by the Controller or an auditor commissioned by the Controller are necessary, they shall be carried out during normal business hours without disrupting operations. The Processor may make the inspection dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures set up. If the auditor commissioned by the Controller is in a competitive relationship with the Processor, the Processor shall have a right of objection against him.

(3) In order to carry out the control, the Processor only needs to permit such a person who is under a special obligation to maintain confidentiality, in particular with regard to information about the Processor's operations, its equipment, the Processor's business secrets and security measures. If the control is not carried out by a person already known to the Processor, such person must prove his legitimation by the Controller in writing at least ten calendar days before the control is carried out.

(4) The Controller shall document the inspection result and notify the Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular during the inspection of order results, he shall inform the Processor without undue delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Controller shall inform the Processor of the necessary procedural changes without undue delay.

§ 7 Use of Subprocessors

(1) Within the scope of its contractual obligations, the Processor shall in principle be authorized to establish further subcontracting relationships with subprocessors ("Subprocessor Relationship"). The Processor shall carefully select subprocessors according to their suitability and reliability. The Processor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Controller can exercise its rights under this Agreement, in particular its audit and control rights. Upon request, the Processor shall provide the Controller with evidence of the conclusion of the aforementioned agreements with its subprocessors.

(2) The subprocessors currently working for the Processor in accordance with Paragraph 1 are listed in Annex 3. The Processor shall inform the Controller of any changes in a timely manner. The Controller may object within a reasonable period of time if an important reason under data protection law opposes the commissioning of the subprocessor.

(3) If subprocessors in a third country are to be involved, this shall only be done under the conditions specified in § 1 para. 5 sentence 2.

(4) A Subprocessor Relationship within the meaning of the above provisions does not exist if the Processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, security and cleaning services, as well as telecommunication services without any specific reference to services provided by the Processor to the Controller.

§ 8 Requests and rights of data subjects

(1) The Processor shall support the Controller as far as possible with appropriate technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12 to 22 and Articles 32 to 36 GDPR.

(2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Processor, the Processor shall forward the request to the Controller without undue delay, provided that an allocation to the Controller is possible according to the data subject. The Processor shall not be liable if the Data Subject's request is not answered, not answered correctly or not answered in a timely manner by the Controller.

§ 9 Liability

(1) The Controller and Processor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR. The Processor shall coordinate any fulfillment of liability claims with the Controller.

(2) The Processor shall indemnify the Controller against all claims asserted by data subjects against the Controller due to the breach of an obligation imposed on the Processor by the GDPR or this Agreement or due to the noncompliance or breach of a lawful instruction separately issued by the Controller.

(3) The Processor does not have to indemnify the Controller if the data processing or measure giving rise to the Parties´ liability was carried out on the basis of instructions from the Controller. The same shall apply to measures that have been previously coordinated with the Controller. Coordination shall also be deemed to have taken place if a provision in this Agreement has been inserted at the request of the Controller.

(4) The Parties shall indemnify each other against liability to the extent that a Party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. In all other respects, Art. 82(5) GDPR shall apply.

§ 10 Termination of the Main Agreement and this Agreement

(1) This Agreement shall remain valid after a termination of the Main Agreement for as long as the Processor has personal data which have been forwarded to him by the Controller or which he has collected for the Controller.

(2) The Processor shall return all documents, data and data carriers provided to it to the Controller after termination of the Main Agreement or at any time at the Controller's request or delete them at the Controller's request, unless there is an obligation to store the personal data under EU law or the law of the Federal Republic of Germany. The Processor shall provide documentary evidence of the proper deletion.

(3) Upon termination of this Agreement, the Main Agreement shall also terminate, provided that it cannot be performed without the processing of personal data.

§ 11 Final provisions

(1) Unless otherwise provided, declarations between the Parties shall be made in text form, whereby E mail shall suffice.

(2) The Agreement shall be governed by and construed in accordance with German law.

(3) Should one of the above provisions be or become invalid or should a provision that is necessary in itself not be included, this shall not affect the validity of the remaining provisions. The Parties shall endeavor to find a mutually agreeable provision in this case.

Annex 1 - Purpose, nature of processing and categories of data subjects

The below tables describe the nature of personal data and categories of data subjects of the Controller that can generally be processed as part of the Processor's service list.

In view of the nature of the service, the Controller acknowledges that the Processor can neither review nor maintain the below table. The Controller undertakes to notify the Processor of any changes to the table below (via the communication channel specified in Annex 2).

General processes

The following processes are available no matter which app or apps you use and regardless of whether you use Cloud or on premise apps.

Process

Purpose of processing

Categories of processing

Categories of personal data

Categories of data subjects

Customer support

Help users from the Controller's organisation to resolve usage problems or error situations and thus contribute to the value of the app for the Controller and improvement of the apps and documentation.

In customer support usage problems or error situations are reported by users from the Controller's organisation via the mechanism described in Annex 2.

In the course of the support process reporters might be asked to provide

  • Confluence support zips including log files
  • Templates used for exporting to different formats
  • page exports or space exports from Confluence
  • JIRA support zips including log files
  • Backbone support zips including log files and data of synchronised issues
  • logs from the reporters browser console

Data is provided through the support tool (Jira Service Management, see Annex 3), or in cases where the data provided is too large for that mechanism, we offer to use a data transfer service (Google Drive, see Annex 3). Reporters can choose to provide their own mechanism of data transfer.

The received data is then analysed manually or automatically for causes or indicators of reported usage problems or error situations.

The process is agnostic of any data supplied to it.

For reporting a problem or error situations the

  • reporter's name

  • reporter's email address

will be stored.

Example categories of personal data are:

  • project reports including project collaborators

  • information on authors of or collaborators on Confluence content

  • Assignees, reporters, participants of issues

  • Field values and changes on fields & comments made by users of JIRA Cloud

The ControlIer must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

  • Users of Confluence (Cloud or on premise)

  • Users of JIRA (Cloud or on premise)

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, JIRA or the app.

Error tracking

For error tracking data is transferred from the end user's browser to an error reporting service, which allows analysis of errors without users having to actively report them. This is used to improve the quality of the apps.

Data describing the error context, like operations invoked, the user interface element clicked, technical context like browser, operating system values are transferred to the error reporting service (Sentry, see Annex 3).

Not all apps have implemented this feature yet and disabling can be requested through the channel described in Annex 2.

This service transfers a hash of a technical identifier, to be able to spot cases where single users have reoccurring or interconnected errors.

This process additionally transfers the following data

  • URL

  • Browser and Operating System

  • Invoked operations and clicked user interface elements

  • Users of Confluence (Cloud or on premise)

  • Users of JIRA (Cloud or on premise)

Product analytics

For product usage analytics data is transferred from the end user's browser to an analytics service, which allows to report on the usage of product features. This is used to improve the quality of the apps.

Data describing the invoked functionality of the app is sent to the analytics service. The data is stored by a sub-processor (Segment and Amplitude, see Annex 3).

This service transfers a hash of a technical identifier, to be able to track typical usage patterns of functions inside the apps.

  • Users of Confluence, that also use an app from the Processor (Cloud)

  • Users of JIRA, that also use an app from the Processor (Cloud)

License distribution

The apps are only usable with valid licenses. Licenses; i.e. commercial, evaluation and community or academic licenses; are distributed through the Atlassian Marketplace

All data attached to a license under my.atlassian.com is transferred to the Processor.

The Processor will send informational email when evaluating or using a new app via sub-processor (ActiveCampaign, see Annex 3).

The Processor might also send transactional email informing receivers about their licenses via sub-processor (Google Gmail, see Annex 3)

Data for a license includes:

  • email address

  • name

  • postal address, if provided

  • organisation

  • technical contacts

  • sales contacts

  • partner contacts

On premise

The Processor's on premise apps do not process data at the Processor or one of its sub-processors other than other than for the processes described above.

Cloud

The following table describes the data processing of all Cloud apps of the Processor.

The General processes that also apply to Cloud apps are described above.

The Processing is hosted on cloud (AWS, see Annex 3).

App

Purposes of processing

Categories of processing

Categories of personal data

Categories of data subjects

Scroll PDF Exporter for Confluence

Turns Confluence pages into beautiful PDF documents with rich output functionality and full control over styling.

Extraction of data from Confluence Cloud, transforming extracted data to PDF document and supplying a link to the exported document.

Reports on the

  • Name (URL) of the Confluence Cloud instance

  • Atlassian account ID

Additionally this Cloud app can create a Support ticket directly (see table above) from the app on the user's request.

The app is unaware of the type of data supplied to it. Example categories of personal data are:

  • project reports including project collaborators

  • information on authors of or collaborators on Confluence content

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

Owners of the Confluence Cloud instance, if the URL reveals the person's name.

Users of Confluence Cloud

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, JIRA or the app.

Scroll Word Exporter for Confluence

Export Confluence content to Word – happily. Turns Confluence pages into professionally styled Microsoft Word documents.

Extraction of data from Confluence Cloud, transforming extracted data to Microsoft Word document format and supplying a link to the exported document.

Reports on the

  • Name (URL) of the Confluence Cloud instance

  • Atlassian account ID

Additionally this Cloud app can create a Support ticket directly (see table above) from the app on the user's request.

The app is unaware of the type of data supplied to it. Example categories of personal data are:

  • project reports including project collaborators

  • information on authors of or collaborators on Confluence content

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.

  • Users of Confluence Cloud

The Controller must inform the Processor if he processes additional categories of data subjects with this app.

Scroll HTML Exporter for ConfluenceCreate great static HTML exports of your Confluence content. Deploy content from Confluence to a web server or embed it anywhere.Extraction of data from Confluence Cloud, transforming extracted data to ZIP file (containing HTML files) and supplying a link to the exported document.

Reports on the

  • Name (URL) of the Confluence Cloud instance
  • Atlassian account ID

Additionally this Cloud app can create a Support ticket directly (see table above) from the app on the user's request.

The app is unaware of the type of data supplied to it. Example categories of personal data are:

  • project reports including project collaborators
  • information on authors of or collaborators on Confluence content

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.
  • Users of Confluence Cloud

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, JIRA or the app.

Scroll Exporter Extensions

Expand the functionality of Scroll Exporters for Cloud for finer control over content usage and formatting.

No additional data is processed through this app, it is only usable in combination with Scroll Word Exporter for Confluence or Scroll PDF Exporter for Confluence.

Reports on the

  • Name (URL) of the Confluence Cloud instance

  • Atlassian account ID

  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.

  • Users of Confluence Cloud

Scroll ImageMap for Confluence

Bring Confluence images to life with multiple clickable link areas and mouseover tooltips that engage and inform your team.

The data is stored in Confluence and processed in the user's browser.

Reports on the

  • Name (URL) of the Confluence Cloud instance

  • Atlassian account ID

  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.

  • Users of Confluence Cloud

Scroll Documents for Confluence

Define a tree of pages as a Document—track changes, control versions, get powerful document management functionality in Confluence.

Extraction of data from the Confluence Cloud instance and archiving it on the Confluence Cloud instance.

Reports on the

  • Name (URL) of the Confluence Cloud instance

  • Atlassian account ID

The app is unaware of the type of data supplied to it.

Example categories of personal data are:

  • project reports including project collaborators

  • information on authors of or collaborators on Confluence content

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.

  • Users of Confluence Cloud

The Controller must inform the Processor if he processes additional categories of data subjects with this app.

Variants for Scroll DocumentsManage conditional content and publish variants of your documentation based on audience needs.This extension app can only be used with Scroll Documents for Confluence and adds no categories of processing.This extension app can only be used with Scroll Documents for Confluence and introduces no categories of personal data.This extension app can only be used with Scroll Documents for Confluence and adds no categories of data subjects.
Translations for Scroll DocumentsTranslate your Scroll Documents into other languages – in Confluence or collaborate with translation professionals using XLIFF.

This extension app can only be used with Scroll Documents for Confluence and adds the following categories of processing:

  • Extraction of data from Confluence Cloud, transforming extracted data to XLIFF format and supplying a link to the exported document.
This extension app can only be used with Scroll Documents for Confluence and adds no categories of personal data.This extension app can only be used with Scroll Documents for Confluence and adds no categories of data subjects.

Scroll Viewport for Confluence

Publish your Confluence documentation as a help center: customize the theme & domain, version content & integrate with other tools.

Extraction of data from the Confluence Cloud instance, transforming extracted data to a stand-alone, public website and hosting that website including a full-text search index.

Reports on the

  • Name (URL) of the Confluence Cloud instance

  • Atlassian account ID

The app is unaware of the type of data supplied to it.

Example categories of personal data are:

  • information on authors of or collaborators on Confluence content

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.

  • Users of Confluence Cloud

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, JIRA or the app.

Backbone Issue Sync for JIRA

Synchronize Jira to Jira – map issue data across departmental and B2B borders with ease, flexibility, and security.

Extraction of issue data from the JIRA Cloud, transforming it according to user defined rules and storing it in JIRA Cloud.

Reports on the

Name of the JIRA Cloud instance

Atlassian account ID

The app is unaware of the type of data supplied to it. Example categories of personal data are:

Assignees, reporters, participants of issues

Field values and changes on fields & comments made by users of JIRA Cloud

The Controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.

  • Owners of the JIRA Cloud instance, if the URL reveals the person's name.

  • Users of JIRA Cloud

The Controller must inform the Processor if he processes additional categories of data subjects with this app.

Scroll Content Quality for ConfluenceCheck content quality (ie. check spelling, terminology, macros, links etc) and enforce style standards in your Confluence pages.The data is stored in Confluence and processed in the user's browser.

Reports on the:

  • Name (URL) of the Confluence Cloud instance
  • Atlassian account ID
  • Owners of the Confluence Cloud instance, if the URL reveals the person's name.
  • Users of Confluence Cloud

Annex 2 - Authorized persons, entitled persons, Communication channel

Authorized persons under this Agreements are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).

Instructions are to be transmitted by the following communication channel:

E-Mail to help@k15t.com or request via support.k15t.com.


Annex 3 - Sub-processors

The controller approves the following sub-processors to be used for the described purposes by the processor:

  • ActiveCampaign, Inc., Chicago, USA: We use ActiveCampaign to send informational email when you evaluate or buy a new app. The ActiveCamapign privacy policy can be found here.

  • Amazon Web Services, Inc., Seattle, USA: We use AWS to host our Cloud apps and Product Analytics service. The AWS privacy statement can be found here.

  • Amplitude, Inc., San Francisco, USA: We use Amplitude to visualize and analyze how our apps are used. The Amplitude privacy statement can be found here.

  • Atlassian Corporation Plc, London, UK: We use Jira Service Management from Atlassian for the creation, tracking and administration of support tickets, Jira Software Cloud for tracking software development and task management, and Atlassian Confluence Cloud for the internal documentation of customer use cases. The Atlassian privacy statement can be found here.

  • Google Cloud EMEA Limited, Dublin, Ireland: We use Google Gmail for sending and receiving emails. This includes incoming and outgoing emails to and from K15t email lists, personal mailboxes, emails for support issues or transactional emails to inform about licenses. We use Google Drive for transferring files in our support process. The Google Cloud privacy statement can be found here.

  • Sentry (Sentry is a registered trademark of Functional Software, Inc.), San Francisco, USA: We use Sentry for real-time error tracking of our Cloud Apps' resources executed in the end users' browsers to reproduce and fix crashes. The Sentry privacy statement can be found here.

  • Segment.io, Inc, San Francisco, USA: We use Segment to collect data on how our apps are used. The Segment privacy statement can be found here.