Data Processing Addendum

Crimsalytics LLC Cloud Apps for Atlassian Products

Last Updated: January 15, 2025

This Data Processing Addendum (“DPA”) forms part of the End User License Agreement (“EULA”) between Crimsalytics LLC (“Crimsalytics”) and you, the End User, and governs the processing of personal data in connection with your use of Crimsalytics’ Cloud Apps through Atlassian’s Marketplace. This DPA is incorporated by reference into the EULA and is applicable when Crimsalytics processes personal data on behalf of the End User as a data processor.

  1. Definitions
  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
  • “Data Controller” means the End User, who determines the purposes and means of processing Personal Data.
  • “Data Processor” means Crimsalytics, which processes Personal Data on behalf of the Data Controller.
  • “Data Subject” means the individual to whom the Personal Data relates.
  • “Applicable Data Protection Laws” refers to all laws and regulations relating to data protection and privacy, including but not limited to the General Data Protection Regulation (GDPR).
  2. Scope and Role
    This DPA applies to the Personal Data processed by Crimsalytics in connection with the End User’s use of Crimsalytics’ Cloud Apps. The End User acts as the Data Controller, and Crimsalytics acts as the Data Processor with respect to such Personal Data.
  3. Data Processing
    Crimsalytics agrees to process Personal Data only in accordance with the following provisions:
  • Purpose: Personal Data will be processed solely for the purpose of providing the Cloud Apps and related services, including support services, as outlined in the EULA.
  • Instructions: Crimsalytics will process Personal Data only in accordance with the End User’s written instructions, unless otherwise required by law.
  • Types of Data: Personal Data may include Atlassian User Account IDs and other user data stored within the Atlassian environment strictly using the Atlassian Forge platform, which is necessary for the operation of the Cloud Apps.
  • Duration: Personal Data will be processed for the duration of the End User’s use of the Cloud Apps, and until the deletion of the app or termination of the EULA.
  4. Data Security
    Crimsalytics implements appropriate technical and organizational measures to protect Personal Data from unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are designed to ensure the confidentiality, integrity, and availability of Personal Data, and include:
  • Strict use of the Atlassian Forge platform for the implementation of all data processing capabilities.
  • Use of anonymized Atlassian Account IDs only.
  5. Data Subject Rights
    Crimsalytics will assist the End User, as reasonably necessary, in fulfilling any requests by Data Subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
    End Users are responsible for responding to such Data Subject requests. Should Crimsalytics receive any requests directly from Data Subjects, it will notify the End User without undue delay.
  6. Sub-processors
    Crimsalytics may engage sub-processors to process Personal Data on its behalf. Crimsalytics will ensure that such sub-processors are bound by data protection obligations similar to those in this DPA.
    At present, Crimsalytics does not use any sub-processors.
  7. Data Breach Notification
    Crimsalytics will notify the End User without undue delay upon becoming aware of any unauthorized access, use, disclosure, or breach of Personal Data (a “Data Breach”). Crimsalytics will provide all reasonable assistance to the End User in investigating and mitigating the Data Breach and complying with applicable data breach notification obligations.
  8. Data Deletion
    Upon termination of the EULA or at the End User’s request, Crimsalytics will delete or anonymize all Personal Data processed on behalf of the End User, except to the extent required by law. Deleting the Cloud App from the Atlassian instance will automatically delete all associated data.
  9. Audit Rights
    Crimsalytics will maintain appropriate records of its data processing activities and make such records available to the End User or its designated auditors to demonstrate compliance with this DPA. Any such audit must be limited to once per year and conducted during regular business hours with reasonable notice.
  10. Cross-Border Transfers
    Personal Data processed under this DPA will be solely stored and processed within the Atlassian environment. Therefore, there will not be any transfers outside the European Economic Area (EEA).
  11. Limitation of Liability
    Crimsalytics’ liability under this DPA is subject to the limitations set out in the EULA. Crimsalytics will not be liable for any damages, losses, or claims arising out of the End User’s failure to comply with Applicable Data Protection Laws.
  12. Confidentiality
    Crimsalytics will ensure that its personnel, agents, or sub-processors who have access to Personal Data are bound by appropriate confidentiality obligations.
  13. Amendments
    Crimsalytics reserves the right to modify this DPA. Any modifications will be published on the Crimsalytics website, and continued use of the Cloud Apps after such publication constitutes acceptance of the updated DPA.
  14. Entire Agreement
    This DPA, together with the EULA, constitutes the entire agreement between the parties with respect to data processing and supersedes all prior agreements or understandings related to data processing.

By using Crimsalytics’ Cloud Apps, you acknowledge that you have read, understood, and agree to this DPA and Crimsalytics’ processing of Personal Data as described herein.

DPA Appendix Red Line Burndown

Data Processing Description

Nature and Purpose of Processing:
The data is processed to provide burndown chart analytics and project management insights within the Jira environment. This includes calculating project progress, resource utilization, and predictive analytics for project completion.
Types of Personal Data:
  • Jira user identifiers (e.g., anonymized user IDs)
  • Issue metadata (e.g., issue keys, status changes, story points, time estimates)
  • Timestamps of user actions related to issue updates
Categories of Data Subjects:
  • Jira users (including project managers, team members, and other stakeholders)
Processing Operations:
   a. Data Collection:
  • Retrieval of issue data and associated metadata from Jira
  • Collection of user interaction data related to issue updates
   b. Data Analysis:
  • Calculation of burndown metrics
  • Analysis of project progress and resource utilization
  • Generation of predictive analytics for project completion
   c. Data Storage:
  • Temporary storage of processed data for performance optimization solely in Atlassian Forge
  • Caching of calculated results for improved response times
  • All data is deleted when the application is uninstalled from an end-user’s Atlassian Jira instance.
   d. Data Presentation:
  • Display of burndown charts and analytics in the Jira dashboard
Duration of Processing:
Data is processed for the duration of the user’s interaction with the burndown chart gadget and for a short period thereafter to facilitate caching and performance optimization solely within Atlassian Forge.
Data Security Measures:
  • Encryption of data in transit and at rest
  • Access controls to limit data access to authorized personnel only
  • Compliance with Atlassian’s security requirements for Forge apps
Data Minimization:
Only necessary data for the functioning of the burndown chart and related analytics is collected and processed. Personal data is anonymized where possible for analytical purposes.
Data Subject Rights:
Procedures are in place to facilitate data subject rights as per GDPR, including the right to access, rectification, erasure, and data portability, in coordination with the Jira instance administrator.