Data Processing Addendum
Effective starting: July 01, 2026
Data Processing Agreement pursuant to Art. 28 (3) of the GDPR between the customer (“Controller”) and K15t GmbH, Ostendstraße 110, 70188 Stuttgart, Germany (“Processor”) (collectively also "Parties").
§ 1 Subject of the Agreement
(1) The Processor shall provide the Controller with software solutions in accordance with the Main Agreement. In doing so, the Processor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the Main Agreement. The Controller is solely responsible for assessing the lawfulness of the data processing pursuant to Art. 6(1) of the GDPR.
(2) The Parties conclude this agreement to specify their mutual rights and obligations under data protection law. In the event of any conflicts, the provisions of this Agreement shall take precedence over the provisions of the Main Agreement.
(3) The provisions of this Agreement apply to all activities related to the Main Agreement in which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from or collected for the Controller or otherwise processed on the Controller’s behalf.
(4) The term of this Agreement shall be based on the term of the Main Agreement, unless the following provisions give rise to obligations or rights of termination going beyond this.
(5) The provision of the contractually agreed data processing services usually takes place in a Member State of the European Union or another contracting state of the Agreement on the European Economic Area (Decision 94/1/EC). If personal data is transferred to subcontractors outside the EU or the EEA, such subcontractors must have previously committed to complying with the standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914 of June 4, 2021, and thereby ensure an adequate level of data protection within the meaning of Art. 46(2) lit. c of the GDPR. In the case of subcontractors based in the United States, the Processor has verified in advance that they are a certified organization under Commission Implementing Decision (EU) 2023/1795 of July 10, 2023, or that other appropriate guarantees within the meaning of Art. 46 of the GDPR have been put in place.
§ 2 Type of data processed
The personal data to which the Processor will have access in the course of the performance of the Main Agreement are set out in Annex 1. This annex also lists the purposes of the processing, the categories of personal data, and the categories of data subjects.
§ 3 Controller’s right of instruction
(1) The Processor may collect, use, or otherwise process data only within the scope of the Main Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing.
(2) The instructions of the Controller are initially defined by this Agreement and may thereafter be amended, supplemented, or replaced by the Controller by individual written instructions. The authorized contact persons of each Party and the communication channel to be used are shown in Annex 2. Any changes shall be taken into account in a timely manner.
(3) All instructions issued must be documented by both the Controller and the Processor and retained for the duration of their validity and for a further three years thereafter.
(4) If the Processor is of the opinion that an instruction of the Controller violates data protection regulations, the Processor shall immediately notify the Controller thereof. The Processor is entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful.
(5) If, as a result of an instruction from the Controller, the Processor’s effort required to perform a service owed under the Main Agreement increases, the Processor may demand a corresponding adjustment to the agreed remuneration. The Processor must inform the Controller of the additional costs prior to providing the service.
(6) To the extent that the Processor is prevented from performing a service owed under the Main Agreement due to an instruction from the Controller, the Processor shall be released from its performance obligations. The Processor’s claim to the agreed remuneration remains unaffected by this.
§ 4 Basic Obligations of the Processor
(1) The Processor is obliged to observe the legal provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
(2) The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures (TOMs) to adequately protect the data of the Controller pursuant to Art. 32 GDPR. The TOMs can be viewed here. With regard to the purposes of protecting the data processed on its behalf, the Controller has reviewed the Processor’s technical and organizational measures prior to the conclusion of the contract and deemed them sufficient.
(3) The technical and organizational measures are subject to technical progress and further development. The Processor is entitled to adapt measures to technical and organizational developments, provided that these do not fall short of the agreed standards. Significant changes must be documented and made available to the Controller in a new version without delay.
(4) According to Art. 37 GDPR the Processor has designated a Data Protection Officer: DDSK GmbH, Dr.-Klein-Straße 29, 88069 Tettnang, Germany; e-mail: datenschutzbeauftragter@k15t.com.
(5) The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care.
§ 5 Information obligations of the Processor
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security incidents, or other irregularities in the processing of personal data, the Processor shall immediately notify the Controller in writing.
(2) The Processor shall immediately take the necessary measures to secure the data and mitigate any potential adverse consequences for the data subject(s), inform the Controller thereof, and request further instructions from the Controller.
(3) Upon request, the Processor shall assist the Controller in responding to requests and claims from data subjects pursuant to Art. 12 et seq. of the GDPR, as well as in complying with the obligations set forth in Art. 32 – 36 of the GDPR, to the best of its ability and to a reasonable extent. The Processor shall generally provide further assistance only if the Controller bears the associated costs.
(4) Should the Controller’s data held by the Processor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority regarding the data lies exclusively with the Controller (Art. 4 No. 7 GDPR).
(5) The Processor and, where applicable, its representative shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing all information pursuant to Art. 30 (2) of the GDPR. The record shall be made available to the Controller upon request.
§ 6 Control Rights of the Controller
(1) Upon request, the Processor shall demonstrate to the Controller, by appropriate means, compliance with the obligations set forth in this Agreement.
(2) Should inspections by the Controller or an auditor commissioned by the Controller be necessary in individual cases, these shall be conducted during normal business hours without disrupting business operations. The parties shall agree on the time and manner of the inspection well in advance.
(3) For the purpose of conducting the inspection, the Processor shall only permit access to a person who is specifically bound by a duty of confidentiality, particularly with regard to information concerning the Controller’s trade secrets, its operations and equipment, data pertaining to other clients, and existing security measures. If the inspection is not conducted by a person already known to the Processor, such person must provide written proof of authorization from the Controller at least ten calendar days prior to the inspection. The Processor is not required to accept an auditor who is in a competitive relationship with the Processor.
(4) The Controller shall document the results of the inspection and notify the Processor thereof. If the Controller identifies errors or irregularities, particularly during the review of project results, it shall inform the Processor immediately. If the inspection reveals issues whose future prevention requires changes to the established procedural workflow, the Controller shall immediately notify the Processor of the necessary procedural changes.
§ 7 Use of Sub-processors
(1) Within the scope of its contractual obligations, the Processor is generally authorized to enter into further data processing agreements with subcontractors. The Processor shall carefully select subcontractors based on their suitability and reliability. The Processor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Controller can exercise its rights under this Agreement, in particular its audit and control rights. Upon request, the Processor shall provide the Controller with evidence of the conclusion of such agreements with its subcontractors.
(2) The sub-processors currently working for the Processor pursuant to § 7 (1) of this Agreement are listed in Annex 3. Consent for these subcontractors to act as additional data processors is deemed granted unless the Controller objects within one month of the contract’s conclusion. The Processor shall promptly notify the Controller of any changes.
(3) If the Processor subsequently engages additional data processors, the Controller may object within one month of being notified if there is a compelling data protection reason precluding the engagement of the subcontractor.
(4) A subcontracting relationship within the meaning of the foregoing provisions does not exist if the Processor engages third parties to perform services that are to be regarded as purely ancillary services. These include, for example, postal, transport, and shipping services, security and cleaning services, as well as telecommunications services without a specific connection to services that the Processor provides for the Controller.
§ 8 Inquiries and Rights of Data Subjects
If a data subject asserts rights, such as the right to access, rectification, or erasure of their data, directly against the Processor, the Processor shall forward the request immediately to the Controller, provided that the data subject’s information allows for such attribution to the Controller. The Processor shall not be liable if the Controller fails to respond to the data subject’s request, or responds incorrectly or late.
§ 9 Liability
(1) The Processor shall be liable to data subjects in accordance with Art. 82 of the GDPR.
(2) The Processor’s liability to the Controller for breach of obligations under this Agreement shall be governed by the provisions agreed upon in the Main Agreement.
§ 10 Termination
(1) The term of this Agreement shall be governed by that of the Main Agreement. The mutual right to terminate this Agreement for cause remains unaffected. A cause for the Controller shall include, in particular, the Processor’s violation of a provision of the GDPR or this Agreement due to at least gross negligence.
(2) Following termination of the Main Agreement, this Agreement shall remain in effect for as long as the Processor retains personal data that was provided to it by the Controller or that it collected on behalf of the Controller. Upon extraordinary termination of this Agreement, the Main Agreement shall also terminate, provided that the Main Agreement requires the processing of personal data.
(3) Upon termination of the Main Agreement, or at any time upon the Controller’s request, the Processor shall return to the Controller all documents, data, and data carriers provided to it, or delete them at the Controller’s request, unless there is an obligation under European or German law to retain the personal data. The Processor shall provide documentary evidence of proper deletion upon the Controller’s request.
§ 11 Final Provisions
(1) Unless otherwise provided, declarations between the parties must be in writing, whereby email is sufficient.
(2) This agreement is governed by German law.
(3) Should any of the foregoing provisions be or become invalid, or should a provision that is otherwise necessary be omitted, this shall not affect the validity of the remaining provisions. In such a case, the parties shall endeavor to reach an amicable agreement.
Annex 1 - Purpose, nature of processing and categories of data subjects
The Controller acknowledges that, given the nature of the service, the Processor can neither review nor maintain the categories listed below. The Controller must notify the Processor of any changes via the communication channel specified in Annex 2, and in particular if personal data beyond the categories listed is processed within any K15t app.
A) Data Center Apps
For Data Center apps, processing at the Processor or its sub-processors is limited to the following general categories as defined in Section C: Support Data, Real-time Error Tracking Data, and Account Data.
B) Cloud Apps
The table below describes data processing for all Cloud apps (hosted on AWS, see Annex 3). The following general categories apply to all Cloud apps: Support Data, Real-time Error Tracking Data, Product Analytics Data, and Account Data.
| App | Nature and Purpose of Processing | Categories of Personal Data | Categories of Data Subjects |
|---|---|---|---|
| Scroll PDF Exporter | Extraction of Confluence Cloud content, transformation to PDF; provision of a download link. | Operation Data | Users of Confluence Cloud / Instance owners¹ |
| Scroll Word Exporter | Extraction of Confluence Cloud content; transformation to DOCX; provision of a download link. | Operation Data | Users of Confluence Cloud / Instance owners¹ |
| Scroll HTML Exporter | Extraction of Confluence Cloud content; transformation to HTML-ZIP; provision of a download link. | Operation Data | Users of Confluence Cloud / Instance owners¹ |
| Scroll Exporter Extensions | Extension of Scroll PDF Exporter, Scroll Word Exporter and Scroll HTML Exporter. No additional processing beyond the respective base app. | No app-specific Operation Data. | Users of Confluence Cloud / Instance owners¹ |
| Scroll ImageMap for Confluence | Processing occurs in the end user's browser only; no content data stored at the Processor. | No app-specific Operation Data. | Users of Confluence Cloud / Instance owners¹ |
| Scroll Content Manager for Confluence | Extraction and archiving of Confluence Cloud content within the same instance. | Operation Data | Users of Confluence Cloud / Instance owners¹ |
| Variants for Scroll Content Manager | Extension of Scroll Content Manager for conditional content management. No additional processing beyond Scroll Content Manager. | No app-specific Operation Data. | Users of Confluence Cloud / Instance owners¹ |
| Translations for Scroll Content Manager | Extension of Scroll Content Manager for translation workflows. No additional processing beyond Scroll Content Manager. | No app-specific Operation Data. | Users of Confluence Cloud / Instance owners¹ |
| Scroll Sites for Confluence | Extraction of Confluence Cloud content; transformation to a website; hosting including full-text search index. | Operation Data | Users of Confluence Cloud / Instance owners¹; Visitors to the publicly hosted Scroll Sites website (incl. anonymous third parties) |
| Backbone Work Sync for Jira | Extraction of Jira Cloud work item data; transformation per user-defined rules; storage in Jira Cloud for two-way cross-instance synchronization. | Operation Data | Users of Jira Cloud / Instance owners¹ |
| Scroll Content Quality for Confluence | Processing occurs in the end user's browser only; no content data stored at the Processor. | No app-specific Operation Data. | Users of Confluence Cloud / Instance owners¹ |
¹ Instance owners are only affected as data subjects where the instance URL reveals a person's name.
C) Categories of Personal Data
| Category | Definition |
|---|---|
| Account Data | Data provided and generated by Atlassian required for license validation, contract administration and communication with the customer instance. Includes: email address, name, postal address (if provided), organization, technical contacts, billing contacts, partner contacts. |
| Support Data | Data submitted by users when reporting problems. The process is agnostic of the content supplied. Can include: reporter's name and email address, and any data provided in the course of the support process. |
| Real-time Error Tracking Data | Error context captured from end users' browsers and sent to Sentry. Includes: AddOnKey, ClientKey, BaseUrl, anonymized TrackingID, error messages, browser type and version, operating system, URL at time of error, invoked operations, clicked UI elements, IP address. |
| Product Analytics Data | Feature usage data collected to support product decisions. Includes: User / Account ID and Site URL. Personal data is anonymized before further processing. After anonymization, individual end users cannot be identified. |
| Operation Data | Customer Data temporarily stored by Cloud Apps as required for the operation of the service. This includes data created by end users within the Atlassian product (e.g. pages, spaces, work items, attachments, comments) as well as app-generated data (e.g. logs, configurations). |
Annex 2 - Authorized persons, entitled persons, Communication channel
Authorized persons under this Agreement are the contacts listed at my.atlassian.com for the respective app identified by the SEN (Service Entitlement Number).
Instructions are to be transmitted by the following communication channel:
E-Mail to help@k15t.com or request via support.k15t.com.
Annex 3 - Sub-processors
The Controller approves the following sub-processors to be used for the described purposes by the processor:
| Sub-processor | Location | Purpose |
|---|---|---|
| | Seattle, USA | We use AWS to host our Cloud apps. |
| | Sydney, Australia | We use Atlassian Teamwork Collection Premium and Service Collection Premium for managing support, software development and internal documentation. |
| | Dublin, Ireland | We use Google Drive for transferring files in our support process. |
| | San Francisco, USA | We use Sentry for real-time error tracking. |