
OrgPulse Data Processing Addendum

Last updated: March 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer organisation ("Controller", "you") and OrgPulse ("Processor", "we", "us") governing the processing of personal data through the OrgPulse application.

This DPA supplements and is incorporated into the OrgPulse End User Terms. In the event of a conflict between this DPA and the End User Terms, this DPA prevails with respect to the processing of personal data.


1. Definitions

| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1) |
| Processing | Any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction |
| Data Subject | An identified or identifiable natural person whose Personal Data is processed |
| Sub-processor | A third party engaged by the Processor to process Personal Data on behalf of the Controller |
| Applicable Data Protection Law | GDPR (EU 2016/679), UK GDPR, and any other applicable data protection legislation in the jurisdictions where Controller operates |

2. Scope and Purpose of Processing

2.1 Purpose

OrgPulse processes Personal Data solely to provide the team health diagnostics service described in the OrgPulse End User Terms, including:

  • Ingesting Jira issue status transition histories and sprint metadata
  • Computing team-level workflow metrics (cycle time, lead time, throughput, WIP, cycle time variance)
  • Detecting dysfunction patterns and generating diagnostic events
  • Delivering weekly digest summaries via Slack webhook or email

2.2 Categories of Data Subjects

  • Members of Jira projects monitored by OrgPulse (identified by Jira account IDs for team grouping purposes only)

2.3 Types of Personal Data Processed

| Data Type | Processing Purpose | Stored? |
|---|---|---|
| Jira account IDs | Team membership grouping during computation | No — used transiently, never persisted |
| Issue status transition timestamps | Metric computation (cycle time, lead time) | No — only derived aggregates stored |
| Issue creation timestamps | Lead time computation | No — only derived aggregates stored |
| Sprint membership | Sprint-boundary metric calculations | No — only sprint IDs retained for ordering |

2.4 Data Not Processed

OrgPulse does not access or process: issue titles, descriptions, comments, attachments, assignee names, email addresses, or any free-text content from Jira.


3. Obligations of the Processor

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The installation and configuration of OrgPulse by the Controller constitutes the Controller's documented instructions for processing.

3.2 Confidentiality

The Processor ensures that all personnel authorised to process Personal Data are bound by obligations of confidentiality.

3.3 Security Measures

The Processor implements the following technical and organisational measures:

| Measure | Implementation |
|---|---|
| Infrastructure isolation | OrgPulse runs entirely on Atlassian's managed Forge platform. No external servers are operated. |
| Encryption at rest | Forge Storage provides encryption at rest for all stored data. |
| Encryption in transit | All communication between the Forge app and Jira APIs uses TLS 1.2+. |
| Access control | OrgPulse uses role-based access with an allowlist model. Only authorised users (configured by the workspace admin) can view dashboard data. |
| Minimal data retention | Personal Data is processed transiently. Only team-level aggregates are persisted. |
| Credential protection | Third-party API keys (SendGrid, Slack webhook) are stored in Forge's encrypted environment variable store. |
| Read-only scopes | OrgPulse requests only three read-only OAuth scopes: read:jira-work, read:jira-user, read:sprint. No write access to Jira data. |

3.4 Sub-processors

The Processor uses the following sub-processors:

| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Atlassian (Forge platform) | Application hosting, Forge Storage, Jira API access | All data described in Section 2.3 | As per Atlassian's data residency settings |
| SendGrid (Twilio) | Email digest delivery (optional, admin-configured) | Formatted digest content only — no Personal Data | United States |
| Slack (Salesforce) | Slack digest delivery (optional, admin-configured) | Formatted digest content only — no Personal Data | United States |

The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Notification will be provided via email to the workspace administrator's registered address at least 30 days before the change takes effect.

3.5 Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:

  • Right of access (Article 15) — The Processor can confirm what categories of data are processed. Since no Personal Data is stored, there is no stored personal data to export.
  • Right to erasure (Article 17) — Uninstalling OrgPulse triggers immediate deletion of all configuration, baselines, and diagnostic events for the workspace. Individual erasure requests are satisfied by the fact that no Personal Data is persisted.
  • Right to restriction (Article 18) — The Controller can pause processing by disabling the OrgPulse scheduled trigger or uninstalling the app.
  • Right to data portability (Article 20) — Not applicable as no Personal Data is stored in a structured, machine-readable format attributable to individuals.

3.6 Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. Notification shall include:

  1. The nature of the breach, including categories and approximate number of Data Subjects affected
  2. The likely consequences of the breach
  3. The measures taken or proposed to address the breach

Contact for breach notifications: security@orgpulse.io

3.7 Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required under Article 35 of the GDPR, taking into account the nature of the processing and the information available to the Processor.


4. Obligations of the Controller

The Controller warrants that:

  • It has a lawful basis for the processing of Personal Data by OrgPulse (typically legitimate interest in monitoring team workflow health, or consent where required)
  • It has provided appropriate notice to Data Subjects (team members) that workflow metadata will be processed for team-level analytics
  • It will not configure OrgPulse in a manner that causes the Processor to violate Applicable Data Protection Law

5. Data Retention and Deletion

5.1 During the Subscription

  • Personal Data (Jira account IDs) is processed transiently during each computation cycle and is not persisted
  • Derived aggregates (metric values, baselines, diagnostic events) are retained for 18 months and then automatically purged

5.2 Upon Termination

Upon uninstallation of OrgPulse from the Controller's Jira workspace:

  • All stored configuration, baselines, and diagnostic events for that workspace are immediately deleted from Forge Storage
  • No copies are retained by the Processor
  • Deletion is automatic and does not require a separate request

6. International Data Transfers

OrgPulse processes data within the Atlassian Forge infrastructure, which follows Atlassian's data residency policies. Where data is transferred outside the European Economic Area (EEA), such transfers rely on:

  • Atlassian's own data transfer mechanisms (Standard Contractual Clauses or adequacy decisions) for Forge infrastructure
  • Standard Contractual Clauses for SendGrid and Slack sub-processors, where applicable

The Processor shall ensure that any international transfer of Personal Data complies with Chapter V of the GDPR.


7. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Controller or an independent auditor mandated by the Controller
  • Provide audit results upon reasonable request (no more than once per year unless a breach has occurred)

Given that OrgPulse runs entirely on managed Forge infrastructure, audit scope is limited to the Processor's application code, configuration, and data handling practices. Atlassian's own infrastructure security is covered by Atlassian's SOC 2 and ISO 27001 certifications.


8. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the End User Terms. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law where such limitation is not permitted by law.


9. Term and Termination

This DPA takes effect when the Controller installs OrgPulse and remains in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. Upon termination, the Processor shall comply with the deletion obligations in Section 5.2.


10. Governing Law

This DPA is governed by the same law that governs the End User Terms. For Data Subjects in the EEA, the provisions of the GDPR apply regardless of the governing law of the End User Terms.


Contact

For questions about this DPA or to exercise audit rights:

  • Data Protection Officer: privacy@orgpulse.io
  • Security incidents: security@orgpulse.io
  • General support: support@orgpulse.io