Data Processing Addendum (DPA)

Version 1.0 | Last Updated: 2024-01-01

This Data Processing Addendum ("DPA") governs Amulent Technologies LLC's processing of Customer Personal Data (i) provided by Customer through Amulent products, including but not limited to CodeMerlin, and their integration with third-party platforms such as Atlassian Jira and GitHub, or (ii) as required to provide AI-powered issue analysis and resolution services under the terms of the Amulent Terms of Use, Atlassian Marketplace Agreement, or other agreements governing Customer's use of Amulent products (the "Agreement").

This DPA is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the terms in this DPA shall control.

1. Definitions

1.1 Agreement

The Agreement between Customer and Provider incorporating the Amulent Cloud Terms.

1.2 Audit and Audit Parameters

Defined in Section 9.3 below.

1.3 Audit Report

Defined in Section 9.2 below.

1.4 Controller

The entity that determines the purposes and means of Processing of Personal Data.

1.5 Customer Personal Data

Personal Data in Customer Data (as defined in the Agreement).

1.6 Data Protection Laws

All laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including:

  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act
  • General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • Swiss Federal Act on Data Protection (FADP)
  • UK Data Protection Act 2018
  • EU GDPR as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018 (UK GDPR)

1.7 Data Subject

An identified or identifiable natural person to whom Customer Personal Data relates.

1.8 DPA Effective Date

Specified in the Agreement.

1.9 EEA

European Economic Area.

1.10 Key Terms

Agreement, DPA Effective Date, and Subprocessor List.

1.11 Personal Data

Information about an identified or identifiable natural person, as defined in Data Protection Laws.

1.12 Processing

Any operation performed on Personal Data, such as collection, recording, storage, retrieval, use, disclosure, or erasure.

1.13 Processor

An entity that Processes Personal Data on behalf of the Controller.

1.14 Restricted Transfer

A transfer of Customer Personal Data under GDPR, UK GDPR, or FADP that is not subject to an adequacy determination.

1.15 Security Incident

A breach of security leading to the unauthorized access, destruction, or disclosure of Customer Personal Data.

1.16 Subprocessor

A third party authorized by Provider to Process Customer Personal Data.

1.17 Subprocessor List

Maintained at: https://www.amulent.com/subprocessors

2. Scope and Duration

2.1 Roles of the Parties

This DPA applies to:

  • Provider as a Processor of Customer Personal Data.
  • Customer as a Controller or Processor of Customer Personal Data.

2.2 Scope of DPA

This DPA applies to Provider's Processing of Customer Personal Data under the Agreement in compliance with Data Protection Laws.

2.3 Duration of DPA

This DPA is effective upon the DPA Effective Date and terminates when the Agreement expires or is terminated.

2.4 Order of Precedence

If there is a conflict among documents, precedence is as follows:

  1. Standard Contractual Clauses (Schedule 3) or Region-Specific Terms (Schedule 4)
  2. This DPA
  3. The Agreement

3. Processing of Personal Data

3.1 Customer Instructions

Provider will Process Customer Personal Data only:

  • As instructed by Customer.
  • To comply with applicable laws.

3.2 Confidentiality

Provider ensures personnel handling Customer Personal Data are bound by confidentiality obligations.

3.3 Compliance with Laws

Both parties will comply with Data Protection Laws when Processing Personal Data.

4. Subprocessors

The Subprocessor List is available at: https://www.amulent.com/subprocessors

Provider remains liable for any Processing activities performed by Subprocessors.

5. Security

5.1 Security Measures

  • Encryption: TLS 1.2+ for transit, AES-256 for storage
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures

6. Data Subject Rights

Provider will assist Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws.

7. Data Transfers

Provider will ensure that any Restricted Transfer complies with Data Protection Laws.

8. Data Retention and Deletion

Upon termination of the Agreement, Provider will delete or return Customer Personal Data as instructed by Customer.

9. Audits

9.1 Audit Rights

Customer may audit Provider's compliance with this DPA up to once per year.

9.2 Audit Report

Provider will provide an audit report upon request.

9.3 Audit Parameters

Audits will be conducted during normal business hours and will not interfere with Provider's business operations.

10. Liability

Provider's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

11. General Provisions

This DPA is governed by the laws of the jurisdiction specified in the Agreement.