Data Processing Addendum

Access Governance for Jira · Version 1.0 · Last updated 15 June 2026

Where we process personal data on your behalf, the Bonterms Data Protection Addendum (Version 1.0) applies, incorporated by reference, as set out in this DPA Setup Page. Capitalized terms not defined here have the meanings given in the DPA or the Agreement.

Key Terms

Agreement: The Cloud Service Agreement between Customer and Kade Schemahorn (Access Governance for Jira), incorporating the Bonterms Cloud Terms (Version 1.0).
DPA Effective Date: The Effective Date of the Agreement (the date Customer installs the Cloud Service via the Atlassian Marketplace).
Specified Notice Period: 48 hours (as defined in the DPA).
Subprocessor List: As set out below and maintained at Subprocessors.
Notice of new Subprocessors: By posting to the Subprocessors page at least 30 days in advance; Customers should monitor that page. (The app stores no customer contact emails, so notice is by page update rather than direct email.)

Subprocessor List

Subprocessor	Purpose / Processing	Location
Atlassian Pty Ltd (and affiliates)	Cloud platform, hosting, and storage on which the Cloud Service (a Forge app) runs; hosts and stores Customer Personal Data within the Atlassian platform.	Per Atlassian’s cloud infrastructure

No other Subprocessors. No third-party analytics, error monitoring, or external storage in the data path.

Schedule 1 — Subject Matter and Details of Processing

Subject matter: Provider’s provision of the Cloud Service to Customer under the Agreement.
Duration: For the term of the Agreement; data is deleted on uninstall / termination.
Nature and purpose: Reading and analyzing the Customer’s Jira access and permission configuration to provide access-governance features. Processing is read-only with respect to the Customer’s Jira data.
Categories of Data Subjects: The Customer’s Jira users and administrators.
Categories of Customer Personal Data: Atlassian account IDs; user display names; group and project-role memberships; permission grants; activity-derived (in)activity signals. (The app does not read or store email addresses.)
Special categories: None.
Frequency: Continuous / on-demand during the Customer’s use of the Cloud Service.
Retention: Held only in Atlassian-hosted Forge storage and deleted when the app is uninstalled, in accordance with Atlassian’s Forge platform data lifecycle.

Schedule 2 — Technical and Organizational Measures

Provider’s technical and organizational measures are the Security Measures, incorporated by reference.

Schedule 3 — Cross-Border Transfer Mechanisms

Customer Personal Data remains within the Atlassian platform that already hosts the Customer’s Jira data, and Provider operates entirely on Atlassian’s infrastructure with no egress. Where a Restricted Transfer applies to a Customer, the transfer mechanisms in Schedule 3 of the Bonterms DPA (e.g., Standard Contractual Clauses) apply. (Final transfer-mechanism determination pending legal review.)

Schedule 4 — Region-Specific Terms

The default Region-Specific Terms in Schedule 4 of the Bonterms DPA (Version 1.0) apply, as applicable to the Customer’s jurisdiction (e.g., US/CCPA, EU GDPR, UK GDPR, Swiss FADP).

Accepted together with the Agreement on installation through the Atlassian Marketplace (click-through). Provider: Kade Schemahorn — legal@citizenkade.com — 101 Short St, Chapel Hill, NC 27517, USA.