Data Processing Agreement

Last updated:

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Huminder OÜ (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) for the use of Board Studio for Jira (“the App”).

This DPA reflects the parties’ commitment to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Subject: The individual to whom Personal Data relates.

3. Scope and Roles

3.1 Controller

You (the customer) are the Data Controller. You determine the purposes and means of processing Personal Data within your Atlassian Jira instance.

3.2 Processor

Huminder OÜ acts as a Data Processor, processing Personal Data solely on your behalf and in accordance with your instructions through use of the App.

4. Data Processing Details

4.1 Categories of Data Subjects

  • Your organization’s Jira users
  • Individuals referenced in Jira issues (assignees, reporters, commenters)

4.2 Types of Personal Data Processed

The App may access the following Personal Data from your Jira instance:

  • User display names
  • User avatars (profile images)
  • User account identifiers
  • Issue content that may contain Personal Data (summaries, descriptions)

4.3 Purpose of Processing

Personal Data is processed solely to:

  • Display Jira work items in visual dependency graphs
  • Show user information on issue cards (assignees, reporters)
  • Provide board visualization and configuration features

4.4 Duration of Processing

Processing occurs only during active use of the App. No Personal Data is retained by the Processor independently of Atlassian’s infrastructure.

5. Processing Location and Infrastructure

5.1 Runs on Atlassian

The App is built on Atlassian development technology and participates in the “Runs on Atlassian” program. This means:

  • All code execution occurs within Atlassian’s secure cloud infrastructure
  • No Personal Data is transmitted to external servers
  • No Personal Data is stored outside of Atlassian’s infrastructure

5.2 Data Storage

  • Configuration data: Stored in Atlassian Forge Storage, encrypted at rest
  • Jira data: Read in real-time from your Jira instance; not copied or stored by the App
  • No external storage: The Processor does not maintain any databases or storage systems outside Atlassian

5.3 Sub-processors

The sole sub-processor is:

Sub-processor Purpose Location
Atlassian Pty Ltd Cloud infrastructure, data hosting As per Atlassian’s Sub-processor List

Atlassian’s Data Processing Addendum applies: https://www.atlassian.com/legal/data-processing-addendum

6. Security Measures

6.1 Technical Measures

The App inherits Atlassian Forge’s security controls, including:

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest for stored data
  • Isolated execution environment per tenant
  • No direct database access; all data accessed via Atlassian APIs
  • Authentication via Atlassian’s identity system (no passwords stored)

6.2 Organizational Measures

  • Access to App source code is restricted to authorized personnel
  • Security updates are deployed via Atlassian’s Forge deployment system
  • No access to customer data outside of Atlassian’s infrastructure

7. Processor Obligations

The Processor shall:

  1. Process only on instructions: Process Personal Data only in accordance with your documented instructions, which are implemented through your use and configuration of the App.
  2. Confidentiality: Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  3. Security: Implement appropriate technical and organizational measures as described in Section 6.
  4. Sub-processors: Not engage additional sub-processors without prior notice. The current sub-processor (Atlassian) is approved by acceptance of this DPA.
  5. Data Subject Rights: Assist you in responding to Data Subject requests (access, rectification, erasure, portability) to the extent technically feasible within the App’s functionality.
  6. Breach Notification: Notify you without undue delay upon becoming aware of a Personal Data breach affecting your data.
  7. Deletion: Upon termination of the App subscription, all configuration data stored in Forge Storage will be deleted in accordance with Atlassian’s data retention policies. No Personal Data is independently retained by the Processor.
  8. Audit: Make available information necessary to demonstrate compliance with this DPA upon reasonable request.

8. Controller Obligations

The Controller shall:

  1. Ensure a lawful basis exists for processing Personal Data through the App
  2. Provide any necessary notices to Data Subjects regarding the App’s use
  3. Ensure the accuracy of Personal Data in your Jira instance
  4. Comply with applicable data protection laws

9. International Data Transfers

9.1 EU Data Location

As the Processor is established in Estonia (EU), and the App runs on Atlassian’s infrastructure, data processing complies with GDPR requirements.

9.2 Atlassian Infrastructure

Data may be processed in Atlassian data centers globally. Atlassian’s Standard Contractual Clauses and Data Processing Addendum govern any international transfers. See: Atlassian Trust Center.

10. Liability

Liability under this DPA is subject to the limitations set forth in the main agreement between the parties. Each party is liable for damages caused by its breach of this DPA or applicable data protection laws.

11. Term and Termination

This DPA is effective as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of App usage:

  • Processing ceases immediately
  • Configuration data is deleted per Atlassian Forge retention policies
  • No Personal Data is retained independently by the Processor

12. Governing Law

This DPA is governed by the laws of Estonia, without regard to conflict of law principles, and subject to the jurisdiction of Estonian courts.

13. Contact Information

Data Processor:

Huminder OÜ

For data protection inquiries or to exercise Data Subject rights, use the contact form.

14. Amendments

This DPA may be updated to reflect changes in applicable laws or processing activities.

© 2025 Huminder OÜ. All rights reserved.