ASYNC by Phoebuz

Data Processing Addendum

Effective: March 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Phoebuz ("Processor") and the entity or person accepting these terms ("Controller") for the use of the ASYNC application (the "Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and supplements any existing terms of service or end user license agreement between the parties.

1. Definitions

Unless otherwise defined herein, capitalised terms shall have the meanings given to them in the GDPR.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller in connection with the provision of the ASYNC engineering intelligence platform, which aggregates and synthesises data from the Controller's connected software development and collaboration tools.

2.2 Purpose of Processing

Personal Data is processed solely for the following purposes:

  • Engineering intelligence synthesis and metric aggregation across connected tools
  • AI-powered insight generation, including standup summaries, sprint health analysis, and predictive alerts
  • Dashboard rendering and intelligence card generation within the ASYNC application
  • Copilot query processing and natural-language responses (Advanced tier)

2.3 Duration of Processing

Processing shall continue for the duration of the Controller's subscription to the Service and shall cease upon termination, uninstallation, or deletion request, subject to the data retention provisions in Section 10.

3. Types of Personal Data

The following categories of Personal Data may be processed through the Service, depending on the integrations enabled by the Controller:

| Data Source | Categories of Personal Data |
|---|---|
| Jira Cloud | Account IDs, display names, email addresses, issue assignments, sprint participation, work logs, comments |
| GitHub | Usernames, commit metadata (author, timestamps, messages), pull request data (author, reviewers, status), repository contributions |
| Slack | User IDs, display names, message content in connected channels, channel membership, message timestamps |
| Zoom | Meeting participant names and IDs, meeting metadata (duration, timestamps), recording references |
| Confluence | Page authors, editors, page metadata (titles, timestamps), space membership |

4. Data Subjects

The data subjects whose Personal Data is processed under this DPA are the Controller's employees, contractors, consultants, and other authorised users who access or are represented within the Controller's Jira Cloud instance and connected tools.

5. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited by law
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement and maintain appropriate technical and organisational measures as described in Section 8
  • Respect the conditions for engaging Sub-processors as described in Section 7
  • Assist the Controller, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under the GDPR
  • Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless applicable law requires storage
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller

6. Obligations of the Controller

The Controller shall:

  • Ensure that there is a lawful basis for the processing of Personal Data by the Processor, including, where required, obtaining appropriate consents from data subjects
  • Provide documented processing instructions to the Processor and ensure those instructions comply with applicable data protection laws
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to or made accessible to the Processor
  • Notify affected data subjects and relevant supervisory authorities of any Data Breach where required by applicable law

7. Sub-processors

7.1 Authorised Sub-processors

The Controller provides general written authorisation for the Processor to engage the following Sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Atlassian Pty Ltd | Forge platform hosting, data storage, compute infrastructure | Australia / Global (Forge regions) |
| GitHub, Inc. | OAuth-based data retrieval for repository, commit, and pull request data | United States |
| Slack Technologies, LLC | OAuth-based data retrieval for channel messages and user data | United States |
| Zoom Video Communications, Inc. | OAuth-based data retrieval for meeting and participant data | United States |
| Anthropic, PBC | LLM-based synthesis, insight generation, copilot responses | United States |
| OpenAI, LLC | LLM-based synthesis, insight generation, copilot responses | United States |
| Google LLC | LLM-based synthesis, insight generation, copilot responses | United States |

7.2 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall provide at least 30 days' prior written notice before engaging a new Sub-processor.

7.3 Sub-processor Obligations

The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

8. Security Measures

The Processor implements and maintains the following technical and organisational measures to ensure the security of Personal Data:

8.1 Encryption

  • At rest: All data stored within Atlassian Forge Storage is encrypted at rest using AES-256 encryption managed by the Atlassian Forge platform
  • In transit: All data transmitted between the Service and connected tools, Sub-processors, and end users is encrypted using TLS 1.2 or higher

8.2 Access Controls

  • Access to Personal Data is restricted to authorised personnel on a need-to-know basis
  • The Service inherits Atlassian's identity and access management controls within the Forge platform
  • OAuth 2.0 scopes are limited to the minimum permissions required for each integration

8.3 Infrastructure Security

  • The Service is built on and hosted within Atlassian Forge, which provides sandboxed execution environments, automatic security patching, and infrastructure isolation
  • No Personal Data is stored on Phoebuz-owned infrastructure; all persistent storage resides within the Forge platform

8.4 Data Retention Limits

  • Free tier: 14-day data retention
  • Standard tier: 30-day data retention
  • Advanced tier: 90-day data retention

Data beyond the applicable retention window is automatically purged from Forge Storage.

8.5 LLM API Security

  • Data sent to LLM providers (Anthropic, OpenAI, Google) for synthesis is transmitted via encrypted API calls and is not used by those providers to train their models
  • No Personal Data is persistently stored by LLM Sub-processors beyond the duration of the API request

9. International Data Transfers

The primary processing of Personal Data occurs within the Atlassian Forge infrastructure. However, the following transfers may occur:

  • LLM API calls: Data sent to Anthropic, OpenAI, or Google for AI synthesis may transit to and be processed in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by the GDPR
  • OAuth data retrieval: Data retrieved from GitHub, Slack, and Zoom may transit through servers located in the United States, subject to those providers' own data processing terms

Where Personal Data is transferred outside the European Economic Area, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR.

10. Data Deletion and Return

10.1 Upon Uninstallation

When the Controller uninstalls the ASYNC application from their Jira Cloud instance, all associated data stored in Forge Storage is automatically and permanently deleted.

10.2 Upon Request

The Controller may request deletion of all Personal Data at any time by contacting info@phoebuz.com. The Processor shall comply with such requests within 30 days.

10.3 Return of Data

Upon written request prior to deletion, the Processor shall make available to the Controller a copy of Personal Data in a commonly used, machine-readable format.

11. Data Breach Notification

11.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting the Controller's Personal Data.

11.2 Content of Notification

The notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and data records concerned
  • The name and contact details of the Processor's data protection point of contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

11.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any Data Breach.

12. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR, including requests for access, rectification, erasure, restriction of processing, data portability, and the right to object. The Processor shall promptly notify the Controller if it receives a request directly from a data subject and shall not respond to such request without the Controller's prior written authorisation, unless legally required to do so.

13. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor.

14. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller or its appointed third-party auditor may conduct an audit of the Processor's processing activities, subject to reasonable advance notice (not less than 30 days) and during normal business hours. The Processor may charge reasonable costs for audit facilitation where audits exceed one per 12-month period.

15. Liability

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set out in the applicable terms of service or end user license agreement between the parties.

16. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination of the Service, the Processor's obligations under this DPA shall continue with respect to any Personal Data retained by the Processor until such data is deleted in accordance with Section 10.

17. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the underlying agreement between the parties. To the extent that the GDPR applies, the provisions of this DPA shall be interpreted in a manner consistent with the GDPR.

18. Contact

For any questions, requests, or notifications related to this Data Processing Addendum, please contact:

Phoebuz Data Protection
Email: info@phoebuz.com
Website: phoebuz.com

Last updated: March 2026
