Data Processing Agreement

1. Parties

This Data Processing Addendum ("DPA") forms part of the agreement between MyStatement, Inc. ("Processor") and the customer entity installing or using Sign for Jira ("Controller").

2. Purpose

This DPA reflects the parties' agreement regarding the processing of personal data in connection with the Controller's use of the App in Atlassian Cloud, in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

3. Subject Matter and Duration

The Processor processes personal data solely to provide the App functionalities, for as long as the App is installed or as otherwise agreed in writing.

4. Nature and Categories of Data

The Processor may process the following categories of personal data:

• Atlassian account identifiers (e.g. accountId, display name)
• Signature records and audit events (who signed, when, which Jira issue, reason)
• Configuration and usage metadata related to the App

Special categories of personal data are not required nor intended to be processed by the App.

5. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions from the Controller;
• Ensure persons authorized to process personal data are bound by confidentiality;
• Implement appropriate technical and organizational measures to protect personal data;
• Assist the Controller, where feasible, with data subject requests and security obligations;
• Notify the Controller without undue delay after becoming aware of a personal data breach affecting the App.

6. Sub-processors

The Controller authorizes the use of Atlassian as a sub-processor via the Atlassian Forge platform. Additional sub-processors (if any) will be subject to data protection obligations no less protective than those set out in this DPA.

7. International Transfers

Where personal data is transferred outside the EU/EEA by Atlassian or other sub-processors, such transfers rely on appropriate safeguards, such as Standard Contractual Clauses, as provided by those providers.

8. Security Measures

The Processor implements measures aligned with Atlassian Forge capabilities, including encryption, access control, and immutable audit logs for signing activities. Further details are available in our Cloud Security Statement.

9. Deletion or Return of Data

Upon uninstallation of the App or upon written request from the Controller, the Processor will delete or anonymize personal data processed via the App within a commercially reasonable period, typically within 30 days, unless retention is required by law.

10. Liability

The parties' liability under this DPA is subject to the limitations of liability agreed in the underlying agreement and the Bonterms Standard Marketplace Transaction, where applicable.

11. Contact