Rixter Data Protection Addendum (DPA)

Part of: Rixter Provider-Specific Terms for Atlassian Marketplace

This Data Protection Addendum (“DPA”) forms part of the Agreement between Rixter AB (“Provider”) and the Customer using Rixter’s Products through the Atlassian Marketplace (“Customer”). This DPA reflects the parties’ agreement regarding the processing of Personal Data in accordance with applicable Data Protection Laws.


1. Definitions

  • “Data Protection Laws”: All applicable laws governing the processing of personal data, including:

    • The General Data Protection Regulation (EU) 2016/679 (“GDPR”),

    • The United Kingdom General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), and

    • The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”).

     

  • “Personal Data”: Any information relating to an identified or identifiable natural person processed by Provider on behalf of Customer.

  • “Subprocessor”: Any third party engaged by Provider to process Personal Data on behalf of the Customer.


2. Scope and Roles

  • Provider acts as a Processor (or Service Provider under CCPA) on behalf of the Customer (Controller or Business) when processing Personal Data via the Product.

  • Customer is solely responsible for the accuracy and legality of Personal Data it submits to the Product.


3. Processing Instructions

  • Provider will only process Personal Data as instructed by Customer and as necessary to provide the Product and related support.

  • Provider shall not sell or share Personal Data or use it for its own purposes, in compliance with Article 28 of the GDPR and Sections 1798.100–1798.199 of the CCPA.


4. Subprocessors

  • Provider may engage Subprocessors subject to:

    • A written agreement imposing data protection obligations equivalent to this DPA.

    • List of Subprocessors

      • Atlassian

      • AWS

    • The right for Customer to object on reasonable grounds to any new Subprocessor within 15 days of notice.


5. Security Measures

  • Provider shall implement appropriate technical and organizational measures including:

    • Data encryption in transit.

    • Access controls with user authentication.

    • Routine vulnerability scans and security audits.

    • Secure software development practices.


6. Data Subject Rights

  • Provider will assist Customer in responding to requests from data subjects, including access, correction, erasure, objection, restriction, and data portability under GDPR and UK GDPR.

  • For CCPA, Provider shall assist Customer in responding to consumer rights requests including right to know, delete, and opt-out (where applicable).

  • Requests received directly by Provider will be forwarded to the Customer.


7. Data Breach Notification

  • Provider will notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data.

  • The notification shall include the nature of the breach, impact, and mitigation steps.


8. Data Transfers

  • Where Customer Data is transferred outside the EEA/UK, Provider shall ensure:

    • Transfers are to countries with adequacy decisions, or

    • Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) are in place, or

    • Other lawful transfer mechanisms are used.

This includes reliance on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as implemented by AWS and Atlassian.


9. Data Deletion and Return

  • Upon termination or expiration of the Agreement, Provider will:

    • Return or delete Personal Data upon Customer request.

    • Delete any remaining Personal Data within 60 days unless retention is required by law.


10. Audit Rights

  • Upon reasonable request and subject to confidentiality, Provider will make available information necessary to demonstrate compliance with this DPA.

  • Provider may provide relevant third-party audit reports (e.g., SOC 2) in lieu of direct audits.


11. Liability

  • Notwithstanding Section 14.3 of the Standard Agreement, the General Cap shall apply to all claims, including those arising under the Data Protection Addendum (DPA). The Enhanced Cap shall not apply.


12. Miscellaneous

  • This DPA shall survive termination of the Agreement for as long as Provider retains Personal Data.

  • In case of conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to data protection obligations.

 


Rixter AB

support@rixter.se