This agreement (the “Data Processor Agreement”) regulates how “WISOFT” Adrian Wieczorek, ul. Milczańska 16g/5, 61-131 Poznan, Poland, registration number (REGON) 300696133, VAT No. PL7822231172 (the “Data Processor”) is processing the personal data on behalf of the customer (the “Data Controller”) and is attached as an addendum to the EULA in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller.

The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

The purpose of data processing is the provision of the Services by the Data Processor as specified in the EULA. In connection with the Data Processor’s delivery of the Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.

As ”Personal data” we understand “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are:

The Data Processor processes the following types of Personal Data in connection with its delivery of the Services under EULA:

• email, IP address, license number, Atlassian user key, user language, user display name, user browser information (browser, version, locale, operating system, user agent, timezone).

The Data Processor processes personal data of the following categories of data subjects on behalf of the Customer:

• Tech contacts, billing contacts, end-users (e.g. customer employees using our applications or contacting us via the support channel)

The Data Processor only performs processing activities necessary and relevant for provided Services. The categories and types of Personal Data processed by the Data Processor shall be updated whenever changes occur that require an update.

The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Services as described in the EULA.

The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller will be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which they were obtained.

The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the EULA or DPA, unless the Data Controller has agreed to same in writing.

The Data Processor’s employees shall be subject to the confidentiality obligation to ensure that they treat all the Personal Data under this DPA with strict confidentiality.

Personal Data will only be made available to that personnel which require access to such Personal Data for the purpose of providing Services under EULA and this Data Processor Agreement.

The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time to time provided that such updates and modifications do not result in degradation of the overall security. 

If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.

If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.

The Data Processor shall give immediate notice to the Data Controller in the event of any breach which can lead to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed with reference to the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

The Data Processor shall make reasonable efforts to identify the cause of such a breach and take such steps as are deemed necessary to establish the cause, and to prevent such a breach from reoccurring.

Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 90 days, and shall not be conducted more than once a year.

The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.

The Data Controller shall upon request remunerate the Data Processor based on the time spent to perform the obligations regarding ‘Security’ (data protection impact assessments), ‘Rights of the data subjects’, ‘Personal Data Breach’, and ‘Documentation of compliance and Audit Rights’ of this Data Processor Agreement based on the Data Processor’s hourly rates.

Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA). Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.

The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller via WISOFT website or email, in-app notification about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.

In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate providing the Services by giving written notice to the Data Processor.

The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law.

The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in Appendix A. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Appendix A.

For more information about our Sub-Processors please also refer to “WISOFT Approved Sub-Processors” section under WISOFT's Privacy Policy.

The total aggregate liability towards the Customer, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the EULA.

Nothing in this DPA will relieve the processor of its own direct responsibilities and liabilities under the GDPR.

The Data Processor Agreement shall remain in force until the support service is provided under EULA.

The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.

Following expiration or termination of the DPA, the Data Processor will delete the Data Controller’s all Personal Data in its possession except to the extent the Data Processor is required by the Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.