Effective Date: October 2024
Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") is entered into by and between the customer (“Data Controller”) and Ricksoft, Inc., 800 W El Camino Real #180, Mountain View, CA 94040 (“Data Processor”), collectively referred to as the "Parties."
Background:
This DPA:
- supplements and is incorporated into the End User License Agreement ("Agreement") between the Parties concerning the use of the software applications provided by the Data Processor;
- sets out the additional terms, requirements, and conditions on which the Data Processor will process Personal Data provided by the Data Controller;
- the Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA;
- in case of doubt, the provisions of this DPA shall take precedence over the provisions of the Agreement;
- contains the mandatory clauses required by Article 28(3) between Data Controllers and Data Processors; and
- contains the Standard Contractual Clauses (available in full here) and completed as described in Annex I, as well as additional supplementary measures in connection with the SCCs which the parties have included to take account of the recommendations provided by the European Data Protection Board in June 2021.
Definitions:
"Authorised Persons" means the persons or categories of persons identified in Annex I.
"Business Purposes" means the services described in the Terms of Service or any other purpose specifically identified in Annex I.
"Data Protection Legislation" means the General Data Protection Regulation ((EU) 2016/679); the UK GDPR; the California Consumer Privacy Act (CCPA) and all other legislation and regulatory requirements in force from time to time, which apply to a party relating to the use of Personal Data;
"Data Subject" means an individual who is the subject of Personal Data.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Ricksoft, Inc. as a result of, or in connection with, the use of the software applications under the End-User License Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
"Processing, processes, and process" means either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes, or process. It includes any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
1. Personal Data Types and Processing Purposes
Annex I describes the nature and purpose of processing, its duration, and the Personal Data types and Data Subject categories that Ricksoft, Inc. may process to fulfill the Business Purposes of the Agreement. This DPA only applies to such Processing.
2. Obligations of the Data Processor
- The Data Processor shall process data within the scope of the Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of Personal Data to a third country or to an international organization.
- The Data Processor shall inform the Data Controller immediately (i) if, in its opinion, an instruction from the Data Controller constitutes a breach of the GDPR and/or (ii) if the Data Processor is unable to follow the instructions for the Processing of Personal Data.
- The Data Processor is obliged to observe the legal provisions on data protection and not disclose or transfer Personal Data obtained from the area of the Data Controller to any third parties or expose it to their access without the prior written consent of the Data Controller, except as required by law.
- The Data Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures to adequately protect the data of the Data Controller pursuant to Art. 32 GDPR. The Data Processor is entitled to adapt measures to technical and organizational developments, provided that they do not fall short of the agreed standards. Ricksoft, Inc.’s technical and organizational measures can be viewed in Annex II.
- The persons who are employed by the Data Processor in the data processing are prohibited from collecting, using, or otherwise processing personal data without authorization. The Data Processor shall oblige all persons entrusted by it with the processing and fulfillment of this DPA ("Employees") accordingly and shall instruct them about the special data protection obligations resulting from this DPA as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this DPA or the employment relationship between the Employee and the Data Processor. The obligations shall be proven to the Controller in an appropriate manner upon request.
- The Data Processor shall notify the Data Controller of any suspected Personal Data Breach without undue delay.
- The Data Processor shall keep detailed, accurate, and up-to-date written records regarding any processing of the Personal Data in accordance with European Data Protection Law(s) and shall provide them to the Data Controller promptly upon request.
3. Obligations and Control Rights of the Controller
- The Data Controller’s instructions for the processing of Personal Data shall comply with Data Protection Laws and Regulations.
- The Data Controller shall have sole responsibility for the accuracy, quality, acquisition, and legality of Personal Data.
- The instructions of the Data Controller are established through this DPA and may subsequently be modified, augmented, or substituted at the discretion of the Data Controller through individual written instructions. Refer to Annex I for the contact information. Any alterations will be promptly considered and implemented.
- If, in individual cases, audits by the Data Controller or a third-party auditor commissioned by the Data Controller are necessary, they shall be carried out during normal business hours without disrupting operations. Prior notification with sufficient lead time and the execution of a confidentiality agreement concerning the data of other customers, as well as the established technical and organizational measures, may be requested by the Data Processor for conducting the audit.
- The Data Controller shall document the audit result and notify the Data Processor thereof. In the event of errors or irregularities discovered during the audit, the Data Controller shall inform the Data Processor without undue delay. The Data Controller will promptly notify the Data Processor of any essential procedural changes required to prevent future incidents, which necessitate modifications to the established procedure.
4. Sub-processors
- Within the parameters of its contractual responsibilities, the Data Processor is generally authorized to establish sub-contracting relationships with sub-processors. In this process, the Data Processor will meticulously choose sub-processors based on their suitability and reliability, mandating adherence to the terms outlined in this DPA. The Data Processor will guarantee the retention of the Data Controller's rights, particularly the audit and control rights specified in this DPA. Upon request, the Data Processor will furnish the Data Controller with evidence of the execution of agreements with its sub-processors.
- A list of sub-processors currently engaged by the Data Processor in accordance with 4.1. is provided in Annex III. The Data Processor shall inform the Data Controller of any changes in a timely manner. The Data Controller may object within a reasonable period of time if an important reason under data protection law opposes the commissioning of the sub-processor.
- The Data Processor shall initiate the engagement of a new sub-processor by first notifying the Data Controller of this intention. In this notification, the Data Processor provides comprehensive details, including the name and intended role of the sub-processor, along with a clear explanation of the purpose of their involvement in data processing activities. This communication ensures transparency and allows the Data Controller to assess and approve the addition of the new sub-processor in accordance with this DPA.
*A list of our sub-processors, including their functions and locations, is available upon request to legal@ricksoft-inc.com.
6. International Transfers of Personal Data.
Any transfers (whether between the Data Controller and the Data Processor, or the Data Processor and a Sub-Processor) of Personal Data protected by the GDPR and/or the UK GDPR to a country outside the European Economic Area (“EEA”) or United Kingdom ("UK") that does not offer adequate protection for such Personal Data shall be subject to the applicable Standard Contractual Clauses. In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this DPA or other agreements between the Parties, the Standard Contractual Clauses shall take precedence, but solely concerning the transfer of Personal Data outside the EEA or UK. The information set forth in Annex I constitutes the information required to be included in the appendices to the Standard Contractual Clauses, and the Parties’ signatures to this DPA are deemed to also constitute signature of the Standard Contractual Clauses to the extent the same may be required to be separately executed.
7. Termination and Updates
- This DPA shall become effective on the effective date of the Agreement and shall continue in force until termination of the Agreement and, after termination of the Agreement, for as long as the Data Processor holds Personal Data which has been forwarded by the Data Controller or collected for the Data Controller.
- Upon termination of the DPA, the Data Processor shall return or erase Personal Data from the systems, retaining only such data as may be necessary to demonstrate compliance with any applicable laws and regulations or as reasonably may be required for archiving purposes. Any such retained data shall be subject to provisions no less onerous than those of this DPA.
- From time to time and at the Data Processor’s sole discretion, we may publish updates, amendments, or additions to this DPA on its website, with or without notice to you (“Necessary DPA Updates”).
- You hereby give your written consent that through your continued use of the Products under the terms of the Agreement, you agree to the terms of the Necessary DPA Updates, and that these shall supersede terms of this DPA.
8. CCPA Compliance
- To the extent applicable and pursuant to the CCPA, with respect to “Personal Data” as defined by the CCPA which the Data Processor may process in connection with its performance of the products and services, the Data Processor agrees and certifies that it will not:
- Sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such Personal Data to another business or a third party for monetary or other valuable consideration; or
- Retain, use, disclose, collect, sell, or otherwise process such personal information for any purpose other than for the specific purpose of, and as necessary for, performing services pursuant to the Agreement, or as otherwise permitted by the CCPA.
- The Data Processor further agrees to cooperate and assist Data Subjects in fulfilling and complying with any rights request pursuant to the CCPA.
9. Miscellaneous
- The Parties acknowledge and agree that the limitations and exclusions of liability set forth in the Agreement shall also apply with respect to this DPA.
- Unless otherwise provided, declarations between the Parties shall be made in text form, whereby E-mail shall suffice.
Annex 1 - Details of the Processing of Personal Data
1. The nature and purpose of the processing:
Ricksoft, Inc. (“Data Processor”) shall process Personal Data on behalf of, with the consent of and upon instruction from the customer (“Data Controller”), in compliance with Article 6 of the GDPR. The basis of consent for the processing of Personal Data gathered in the course of providing a product to the customer shall be considered to be the acceptance of this DPA.
2. The duration of the processing:
The duration of the processing is for as long as the Data Processor performs the services related to its products for the Data Controller, or processes Personal Data received from the Data Controller, or in the context of providing the services under the Agreement.
3. The type of Personal Data we process:
The Personal Data collected during the use of the Data Processor’s products and services falls broadly into the following categories:
- Contact Information: Name (including Atlassian user name and avatar), email address, and professional information (such as company name, job title, department, or job role).
- Transaction Information: As an Atlassian Marketplace Partner, we maintain transaction information shared by Atlassian Pty Ltd. (“Atlassian”), including company name, contact name, and email address. We DO NOT have access to any purchase and financial information.
- Network Identification: Atlassian ID, Account Name, and Avatar
- Location Data: Device Information, IP address, MAC address, etc.
- Usage Information: Application logs containing the application’s activities, properties, and processes.
- Communication Information: This may include audio, electronic, visual information, as well as any data in any files uploaded, emailed or provided through a support ticket, and the contents of your communications with us via email, social media, telephone or voice calls, or via whatever interaction you participated in.
We will not collect additional categories of Personal Data or use Personal Data collected for additional purposes without your prior consent.
4. Categories of Data Subjects
Personal Data is processed relating to the following categories of Data Subjects: employees and other personnel of the customer who are the users of Confluence and/or Jira.
5. Purpose of Processing
To the extent permitted by law, the Personal Data provided by the Data Controller will be used to:
- Provide the products and services requested and send the customer related information.
- Provide support and improve the services and manage system administration and security.
- Respond to the comments, inquiries, and requests and provide customer service.
- Link or combine information that is collected directly with information from Atlassian to help understand the customer’s needs and provide a better experience.
- Perform statistical analyses of user behavior to develop new features, improve existing ones, and optimize the performance of the app to better meet user needs.
- Marketing and promotional communications (in accordance with the customer’s marketing preferences).
- Send e-mail newsletters and alerts (in accordance with the customer’s newsletter and alerts preferences).
- Conduct surveys.
- Comply with or enforce legal requirements, agreements, and policies.
- Evaluate candidate applications for job postings.
- Carry out any other purpose for which the information was collected.
- Perform other activities that are in our legitimate business interests and consistent with our Privacy Policy.
Annex 2 - Technical and Organizational Measures
Ricksoft, Inc. implements and maintains industry standard technical and organizational measures to protect the security of Personal Data that it processes in connection with its products and services.
1. Access Controls: Ricksoft, Inc. has established secure access procedures for our IT systems, networks, and data, using strong authentication mechanisms and only permitting access on an as-needed basis.
- Role-Based Access Control (RBAC): Implement RBAC to assign appropriate access privileges based on job roles and responsibilities.
- User Authentication: Employ strong authentication mechanisms such as multi-factor authentication to ensure that only authorized individuals can access personal data.
- Password Security: Internal password policy requires periodical mandatory password changes and minimum length and the use of special characters.
- Automatic Computer Lock: After a short period of inactivity, the computer will automatically lock itself. A valid username and password are required to access the computer again.
2. System and Network Security:
- Anti-virus software is installed on all systems
- Protection of the network via Firewall
- Use of content filters/proxies
- Regular backups of relevant data
3. Data Protection and Privacy: Guidelines for the secure handling, storage, and disposal of confidential and personal data, in compliance with relevant laws and regulations, which cover the following areas:
a. Data Access and Storage
b. Data Encryption
i. Data Encryption in Transit
ii. Data Encryption at Rest
c. Secure File Sharing
d. Regular Backups
e. Software and Application Usage
f. Social Media and Online Presence
4. Incident Response and Data Breach Management:
- Incident Response Plan
- Data Breach Notification Procedure
- Policy for Responding to Data Subject Access Requests (DSAR)
5. Data Minimization and Retention:
- Data Minimization Principle: We only collect and process personal data that is necessary for the intended purpose.
- Data Retention Policy: Defined retention periods to ensure that personal data is stored ONLY for as long as it is needed to fulfill the purposes of the data processing.
6. Employee Training and Awareness:
a. Confidentiality Agreement signed with all our employees and other personnel.
b. Periodical Data Protection Training
c. Data Breach Handling Procedure
7. Vendor Management:
- Due Diligence: Evaluating and selecting vendors based on their adherence to security standards and their ability to protect our data when engaging in partnerships or outsourcing arrangements.
- Contractual Obligations
- Employees are to instruct the outsourcees and contractors to follow our policies and information security measures while they are assigned to our projects.
8. Regular Security Audits and Assessments:
Conduct periodical internal audits and external assessments, which include third-party security assessments, various types of testing, and vulnerability scanning to identify potential risks.
Annex 3 - Sub-processors
A list of our sub-processors, including their functions and locations, is available upon request to legal@ricksoft-inc.com.