← Back to Qwerty Craft

Data Processing Agreement

Last updated: 2026-05-28

This Data Processing Agreement ("DPA") forms part of the agreement between Qwerty Craft and the customer ("you" or "Customer") that uses Proxy Agent or any other app published by Qwerty Craft on the Atlassian Marketplace (the "Service"). It governs the processing of Personal Data that Qwerty Craft performs on Customer's behalf in connection with the Service.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person that Qwerty Craft processes on behalf of Customer in connection with the Service.
  • Data Protection Laws: all data protection and privacy laws and regulations applicable to the parties' respective processing of Personal Data, as in force from time to time.
  • Processing: any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
  • Controller: the party that determines the purposes and means of Processing Personal Data.
  • Processor: the party that Processes Personal Data on behalf of the Controller.
  • Sub-processor: any third party engaged by Qwerty Craft to Process Personal Data in connection with the Service.
  • Data Subject: the natural person to whom Personal Data relates.

2. Processing of Personal Data

2.1 Roles of the parties

For the purposes of this DPA, Customer acts as the Controller and Qwerty Craft acts as the Processor in respect of Personal Data processed in connection with the Service.

2.2 Scope and purpose of Processing

Qwerty Craft Processes Personal Data solely to provide the Service to Customer as described in the Service documentation and the underlying license terms. Specifically, the Service may Process:

  • Atlassian account identifiers of the acting user and the configured agent.
  • Jira issue and project identifiers associated with each action taken through the Service.
  • Action metadata stored in the audit log (timestamp, action type, mode, success or failure status, and error detail).
  • The structured payload of each action for traceability (for example, the body of a comment that the Service was instructed to post).

2.3 Duration of Processing

Processing continues for the duration of Customer's subscription or evaluation of the Service. Audit-log records are retained inside Customer's Atlassian tenant for 90 days from creation and then auto-expire, unless Customer deletes them earlier from within the app.

2.4 Categories of Personal Data

Account identifiers, user identifiers, display names, action metadata, and the content of actions Customer has instructed the Service to perform.

2.5 Categories of Data Subjects

End users of Customer's Atlassian Cloud instance, including service desk agents, administrators, and (indirectly) any service desk requester referenced in the content of an action.

3. Qwerty Craft's obligations as Processor

3.1 Documented instructions

Qwerty Craft will Process Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do otherwise by applicable law. If Qwerty Craft is so required, it will notify Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

3.2 Confidentiality of personnel

Qwerty Craft ensures that any personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, Qwerty Craft implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Because the Service is built on Atlassian Forge, the underlying hosting, encryption at rest and in transit, network controls, and tenant isolation are provided by Atlassian's Forge platform. Qwerty Craft does not operate external servers that process Customer Personal Data.

3.4 Sub-processors

Customer authorises Qwerty Craft to engage the following Sub-processor for the provision of the Service:

  • Atlassian Pty Ltd (and its affiliates) for hosting of the Forge runtime, storage, authentication, and the underlying Jira and Jira Service Management Cloud platform.

Qwerty Craft will inform Customer of any intended changes concerning the addition or replacement of other Sub-processors, giving Customer the opportunity to object to such changes. Where Customer reasonably objects on data protection grounds, the parties will work in good faith to resolve the objection. Qwerty Craft remains responsible to Customer for the performance of any Sub-processor's obligations under this DPA.

3.5 Data Subject rights

Taking into account the nature of the Processing, Qwerty Craft will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights. If a Data Subject contacts Qwerty Craft directly, Qwerty Craft will, without responding to the request, refer the Data Subject to Customer or notify Customer of the request.

3.6 Assistance with Customer's obligations

Qwerty Craft will provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under applicable Data Protection Laws relating to the security of Processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the Processing and the information available to Qwerty Craft.

3.7 Personal data breach notification

Qwerty Craft will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's Personal Data. The notification will, to the extent reasonably available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

3.8 Return or deletion on termination

Upon termination of the Service or at Customer's written request, Qwerty Craft will, at Customer's choice, delete or return all Personal Data Processed on Customer's behalf and delete existing copies, unless retention is required by applicable law. Uninstalling the app triggers Atlassian's standard deletion of app-scoped storage in line with Forge platform policies.

4. Customer's obligations as Controller

4.1 Lawful basis

Customer warrants that it has a valid legal basis for the Processing of Personal Data it instructs Qwerty Craft to perform under this DPA and that it has provided all required notices and obtained all required consents from Data Subjects.

4.2 Lawful instructions

Customer is responsible for ensuring that its instructions to Qwerty Craft comply with applicable Data Protection Laws. Customer is also responsible for how it configures the Service, including which users it grants the Act as Agent permission to and which user it designates as the impersonated agent.

4.3 Customer's own security

Customer is responsible for implementing appropriate security measures within its own Atlassian Cloud environment and for the secure use of the Service by its users.

5. International data transfers and residency

Personal Data is Processed within the Atlassian region selected by Customer for its Atlassian Cloud organisation. Qwerty Craft does not initiate any transfer of Personal Data outside that region. Some app-managed metadata may be Processed in additional Forge runtime regions as determined by Atlassian's platform; Customer can review supported regions and any residency options in Atlassian's documentation.

6. Audit rights

Qwerty Craft will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Where Customer reasonably believes that the information provided is insufficient, Customer may, upon reasonable prior written notice and no more than once per twelve-month period (except where a personal data breach reasonably requires otherwise), request an audit by Customer or by an independent auditor mandated by Customer. Audits will be conducted during normal business hours, subject to appropriate confidentiality obligations, and in a manner that does not unreasonably interfere with the Service or Qwerty Craft's operations.

7. General provisions

7.1 Order of precedence

To the extent of any conflict between this DPA and any other agreement between the parties regarding the Processing of Personal Data, this DPA prevails.

7.2 Updates

Qwerty Craft may update this DPA from time to time to reflect changes in law, the Service, or its Sub-processor arrangements. Material changes will be reflected in the "Last updated" date at the top of this page and, where appropriate, communicated to Customer.

7.3 Governing law

This DPA is governed by the laws of the jurisdiction in which Qwerty Craft is established, without regard to its conflict-of-law principles, except to the extent that mandatory provisions of applicable Data Protection Laws require otherwise.

7.4 Contact

Data protection questions, requests, and notifications under this DPA should be sent to ata@qwertycraft.com.