Legal

Data Processing Addendum

Last updated: May 29, 2026 · GDPR — Article 28 compliant

This Data Processing Addendum ("DPA") forms part of the Terms of Service between George Grachev ("Processor") and the Customer ("Controller") and applies where the Customer is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") or equivalent data protection legislation.

1. Definitions

In this DPA, the following terms have the meanings given:

"Controller" — the Customer (Jira instance administrator) who determines the purposes and means of processing personal data
"Processor" — George Grachev, who processes personal data on behalf of the Controller
"Personal Data" — any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1)
"Processing" — any operation performed on personal data, as defined under GDPR Article 4(2)
"Sub-processor" — any third party engaged by the Processor to process Personal Data

2. Scope and Purpose of Processing

The Processor shall process Personal Data only for the following purposes:

Providing time tracking functionality within the Jira application
Storing and retrieving time entries associated with Jira issues and projects
Generating reports on time usage per user, project, and issue

The Processor shall not process Personal Data for any other purpose without the prior written consent of the Controller.

3. Categories of Personal Data

The following categories of Personal Data may be processed:

Atlassian account ID and display name
Email address (as provided by the Atlassian platform)
Time entries: timestamps, duration, associated issue and project keys
Optional notes or comments attached to time entries

4. Processor Obligations

The Processor agrees to:

Process Personal Data only on documented instructions from the Controller
Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
Implement appropriate technical and organisational measures to ensure security of processing (Article 32 GDPR)
Not engage any Sub-processor without prior written authorisation of the Controller, except as set out in Section 5
Assist the Controller in responding to data subject rights requests (Articles 15–22 GDPR)
Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA)
Delete or return all Personal Data upon termination of services, at the choice of the Controller
Make available all information necessary to demonstrate compliance with this DPA

5. Sub-processors

The Controller grants general authorisation to the Processor to engage the following Sub-processors, which are necessary to operate the app:

Atlassian Pty Ltd — Forge platform infrastructure provider. Personal Data is stored exclusively within Atlassian Forge Storage. Atlassian's data processing terms apply: atlassian.com/legal/data-processing-addendum

The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.

6. International Transfers

Personal Data is processed and stored within Atlassian's Forge infrastructure. Atlassian offers data residency options; the location of your data depends on your Atlassian site configuration. The Processor does not independently transfer Personal Data outside the European Economic Area.

7. Security Measures

The Processor relies on the following technical and organisational measures:

Encryption in transit (TLS) and at rest, provided by the Forge platform
Access controls: data is accessible only to authenticated users within the same Jira instance
No storage of Personal Data outside Atlassian Forge Storage
Regular monitoring of app code for security issues

8. Data Breach Notification

In the event that the Processor becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

Notifications shall be sent to the email address associated with the Controller's Atlassian account or to the address on record with the Processor.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling requests from data subjects exercising their rights under GDPR (Articles 15–22). The Processor will respond to such requests within 5 business days of receipt.

Data subjects may also contact the Processor directly at george@grachev.app.

10. Duration and Termination

This DPA remains in force for the duration of the service agreement (the Terms of Service). Upon termination of the service, the Processor shall delete or return all Personal Data within 30 days, unless applicable law requires longer retention.

11. Governing Law

This DPA is governed by the laws of the Slovak Republic. Where GDPR applies, the provisions of GDPR shall take precedence.

12. Contact

For any data protection queries or to exercise your rights:
George Grachev
george@grachev.app
grachev.app