Data Processing Agreement

This agreement is between the customer ("Customer") who might be a Controller or Processor of End User Personal Data as defined by the GDPR, and Kolibri Digital Ltd, who is a Processor and operates the service Confluence to Zendesk (/Freshdesk/Freshservice) Sync

Definitions

  • Customer Personal Data: Personal data of Customer. May include email address of primary contact at Customer, provided via the Atlassian marketplace

  • End User: The user or customer of Customer for which Customer is a Controller or Processor.

  • End User Personal Data: Personal data of End User, such as content authored on Confluence.

Subject Matter

Subject of these terms is providing the service Confluence to Zendesk Sync as outlined in the terms of service. This agreement supplements the terms of service and existing privacy policy.

The main purpose of Confluence to Zendesk Sync is to process and forward End User data, namely content authored in Confluence, from Atlassian to a target platform such as Zendesk/Freshdesk/Freshservice. Customer warrants that they have permission to use Kolibri Digital Ltd as a processor.

Duration of the Agreement

These terms took effect on 25 May 2019 or when Customer accepts these terms when installing the add-on via the Atlassian marketplace. The agreement will stay in effect as long as Kolibri Digital Ltd provides the services to Customer.

Kolibri Digital’s Obligations

Kolibri Digital Ltd processes data and processing results exclusively within the scope of Customer's written orders.

Kolibri Digital Ltd declares that they have obligated all persons commissioned with data processing to confidentiality prior to commencing the activity or that they are subject to an appropriate statutory confidentiality obligation. In particular, the obligation of confidentiality of persons commissioned with data processing also remains valid after the termination of their duties and their departure from Kolibri Digital Ltd.

Kolibri Digital Ltd hereby declares that they have taken all necessary measures to ensure the safety of the processing under Art. 32 GDPR (details can be found in Appendix 1).

Kolibri Digital Ltd shall take technical and organizational measures to assist Customer in meeting the rights of the data subject in accordance with Chapter III of the GDPR (information, correction and deletion, data portability, objection and automated decision-making in individual cases) within the statutory periods and gives Customer all necessary information.

Kolibri Digital Ltd shall assist Customer in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notification of personal data breaches to the supervisory authority, notification of the person concerned by an infringement of the protection of personal data, data protection impact assessment, prior consultation).

Kolibri Digital Ltd will grant Customer, including third parties commissioned by them, the right to inspect and conduct audits to check Kolibri Digital Ltd for compliance with these terms. Kolibri Digital Ltd provide Customer with the information necessary to control compliance with the obligations set out in this Agreement.

After termination of this agreement, Kolibri Digital Ltd delete all End User Personal Data and Customer Personal Data if legally permissible.

Kolibri Digital Ltd inform Customer immediately if Kolibri Digital Ltd believes that an instruction by Customer violates data protection regulations of the European Union or the member states.

Place of Data Processing

Data processing activities part of the Confluence to Zendesk Sync app are carried out inside the EU / EEA.

Sub-Processors

Kolibri Digital Ltd is entitled to involve sub-processors. Information about the current sub-processors, their location and function, may be found at the list of subprocessors:

Customer shall be notified by email about intended changes or addition of sub-processors at least 14 days in advance. Customer may object to changed or new sub-processors by terminating their subscription to the sync app on the Atlassian marketplace immediately. This termination right is Customer’s only remedy should they object to any new sub-processors.

Kolibri Digital Ltd concludes the necessary agreements with the sub-processor within the meaning of Art. 28 (4) GDPR. In doing so, it must be ensured that the subcontractor undertakes the same obligations as Kolibri Digital Ltd under this agreement.

Appendix 1: Technical and organizational measures

Confidentiality

  • Access control: protection against unauthorized system use: passwords (including appropriate policies), two-factor authentication, encryption of data; No unauthorized reading, copying, modification or removal within the system;

Integrity

  • Encryption: All network traffic is encrypted.

Availability and resilience

  • Availability control: backups, redundancy;

  • Deletion deadlines: End User Personal Data is not persisted. All Customer Personal Data is deleted within 90 days after account cancellation. Where necessary for documentation purposes data records are kept and pseudonymized.

Procedures for periodic review, evaluation and evaluation

  • Evaluation of sub-processors;

  • Incident response management;