1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR or CCPA, as applicable. “Personal Data,” “processing,” “data controller,” “data processor,” and “data subject” have the meanings in the GDPR. “Business,” “service provider,” “sell,” “share,” and “consumer” have the meanings in the CCPA. “End-User Data” means Personal Data that we process on your behalf in connection with an App, as described in Annex A. “Sub-processor” means a third party engaged by us to process End-User Data.
2. Roles of the parties
With respect to End-User Data, you are the data controller (and business), and Magrathea is the data processor (and service provider). Atlassian Pty Ltd (“Atlassian”) acts as a Sub-processor by providing the Forge platform on which the Apps run and store data. You are responsible for the lawfulness of the Personal Data within your Atlassian instance and for your instructions to us.
3. Scope and instructions
We will process End-User Data only: (a) to provide, maintain, and support the Apps; (b) in accordance with your documented instructions, including those given through your configuration and use of the Apps; and (c) as required by applicable law (in which case we will, where legally permitted, inform you first). The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are set out in Annex A.
4. Architecture & data minimization
Our Apps are built natively on Atlassian Forge and run entirely within Atlassian’s cloud infrastructure. We operate no external servers that receive your Atlassian data (“no egress”). End-User Data we store is held exclusively in Atlassian Forge storage, and our Apps reference users solely by their Atlassian account ID — not by name, username, or email address. We do not export End-User Data to any Magrathea-operated system.
5. Confidentiality
We ensure that any person authorized to process End-User Data is bound by an appropriate obligation of confidentiality and processes End-User Data only as instructed by us in line with this DPA.
6. Security
We implement and maintain appropriate technical and organizational measures designed to protect End-User Data, as described in Annex B. Because our Apps run on Atlassian Forge, they inherit the security controls and certifications of Atlassian’s underlying platform (for example, encryption in transit and at rest, SOC 2, and ISO 27001), which are held by Atlassian as the platform provider.
7. Sub-processors
You authorize us to engage the Sub-processor(s) listed in Annex C. We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will inform you of intended changes to our Sub-processors (by updating Annex C or the App’s privacy notice) and give you a reasonable opportunity to object on legitimate data protection grounds.
8. Data subject and consumer requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects or consumers exercising their rights (such as access, correction, deletion, or restriction). Because you control the Personal Data within your instance, such requests are best fulfilled by you directly; we will support you as processor or service provider. If we receive such a request directly, we will, where permitted, refer the requester to you.
9. Personal data breach
We will notify you without undue delay after becoming aware of a Personal Data breach affecting End-User Data, and will provide information reasonably available to us to help you meet your notification obligations.
10. Assistance, audits, and records
Taking into account the nature of processing and the information available to us, we will assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation. We will make available information reasonably necessary to demonstrate compliance with this DPA. Given the no-egress architecture, such information may include this DPA, the App’s privacy notice and data-handling documentation, and reference to Atlassian’s platform certifications, in lieu of on-site audits of infrastructure we do not operate.
11. Return and deletion
End-User Data stored by an App is retained only as described in the App’s privacy notice and is automatically and permanently deleted when the App is uninstalled. Upon termination of your use of an App, all End-User Data stored by that App is deleted in the ordinary course via Atlassian’s uninstall lifecycle, except where retention is required by law.
12. CCPA service provider terms
To the extent the CCPA applies, we act as a service provider. We will not: (a) sell or share End-User Data; (b) retain, use, or disclose End-User Data for any purpose other than the business purpose of providing the Apps, or as otherwise permitted by the CCPA; (c) retain, use, or disclose End-User Data outside the direct business relationship with you; or (d) combine End-User Data with personal information from other sources, except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.
13. International transfers
End-User Data is stored in Atlassian Forge storage, which is pinned to your Atlassian product’s data residency location. Where any transfer of Personal Data occurs through the Atlassian platform, it is governed by Atlassian’s data residency arrangements and transfer mechanisms as the platform provider and Sub-processor.
14. Liability & precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the agreement between the parties and the applicable Atlassian Marketplace terms. In the event of a conflict between this DPA and those terms regarding the processing of Personal Data, this DPA controls.
15. Contact
Magrathea Software, LLC
Missouri, USA
Email: hello@magratheasoftware.com
Annex A — Details of processing
Subject matter: provision of the App(s) you install from the Atlassian Marketplace.
Duration: for the period the App is installed, until uninstalled (subject to the retention periods in the App’s privacy notice).
Nature and purpose: reading Jira data you select, performing the bulk operations you direct, and storing operational metadata and a per-issue audit trail to provide and support the App.
Types of Personal Data:
- Atlassian account IDs of end users (the user who launches an operation, and users referenced in user-type field operations and audit records);
- Jira issue field values processed in the course of an operation you direct, which your organization may have populated with Personal Data.
Categories of data subjects: your authorized Atlassian users and any individuals whose Personal Data your organization stores in its Jira issues.
Annex B — Technical & organizational measures
- Runs on Atlassian / no egress: no external servers receive or store your Atlassian data; the exposure surface is intentionally minimal.
- Least privilege: operations act as the user who launched them, so an App can only access or change what that user could access or change manually; we request the minimum Atlassian scopes required.
- Data minimization: users are referenced by account ID only; no names, usernames, or email addresses are stored.
- Encryption: data in transit and at rest is protected by the Atlassian Forge platform.
- Data residency: stored data is pinned to the host product’s residency location.
- Deletion: all App data is deleted automatically on uninstall.
- Vulnerability reporting: a documented process is published at magratheasoftware.com/security.html.
Annex C — Sub-processors
- Atlassian Pty Ltd — provides the Atlassian Forge platform (compute and storage), hosting, data residency, and billing/licensing for paid Apps. End-User Data remains within Atlassian’s cloud infrastructure.