Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between

Company (Data Controller):
Atlassian Marketplace Customers (the “Company”)

and

Data Processor:
Maksym Babenko (Sole Proprietor Babenko Maksym Anatoliyovych)
Ukraine
Developer of Risk Radar (the “Data Processor”)

(Together, "the Parties")


WHEREAS

(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.
(D) The Parties wish to lay down their rights and obligations regarding data processing.


1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meanings:

  • "Company Personal Data" – any Personal Data processed by the Data Processor on behalf of the Company.

  • "Data Protection Laws" – GDPR and any applicable data protection laws.

  • "EEA" – European Economic Area.

  • "GDPR" – EU General Data Protection Regulation 2016/679.

  • "Data Transfer" – transfer of Company Personal Data outside the EEA, subject to GDPR restrictions.

  • "Services" – the Risk Radar application services provided by the Data Processor.

  • "Subprocessor" – any party appointed by the Processor to process Personal Data on behalf of the Company.


2. Processing of Company Personal Data

2.1 Processor’s Obligations:

  • Processor shall comply with all applicable Data Protection Laws in the Processing of Company Personal Data.

  • Processor shall process Company Personal Data only in accordance with the Company's documented instructions.

2.2 Company’s Instructions:

  • The Company instructs Processor to process Company Personal Data only as necessary for the operation of the Risk Radar application.


3. Processor Personnel

Processor shall ensure that any employees or contractors processing Company Personal Data:

  • Have limited access to the data only as necessary.

  • Are bound by confidentiality obligations.


4. Security Measures

4.1 The Processor shall implement appropriate technical and organizational measures to ensure the security of Company Personal Data, including:

  • Data encryption.

  • Secure access controls.

  • Monitoring for unauthorized access.

4.2 In case of a Personal Data Breach, Processor shall notify the Company without undue delay and assist in mitigation.


5. Subprocessing

Processor shall not appoint or disclose any Company Personal Data to any Subprocessor without prior written authorization from the Company.


6. Data Subject Rights

6.1 Processor shall assist the Company in responding to Data Subject rights requests, including:

  • Access, correction, deletion, or restriction of data processing.

  • Providing requested data in a portable format.

6.2 If the Processor receives a Data Subject request, it shall:

  • Notify the Company immediately.

  • Not respond unless instructed by the Company.


7. Personal Data Breach

7.1 Processor shall notify the Company without undue delay of any Personal Data Breach, including:

  • Description of the breach.

  • Possible consequences.

  • Measures taken to mitigate the breach.

7.2 Processor shall assist in investigating and mitigating the breach.


8. Data Protection Impact Assessment

Processor shall assist the Company in any Data Protection Impact Assessment (DPIA) if required under Article 35 or 36 of the GDPR.


9. Data Retention and Deletion

9.1 The Processor does not store any Company Personal Data outside Atlassian's Forge Cloud environment. All data processing occurs in real-time and is not persistently retained by the Processor.

9.2 Upon termination of services, no additional action is required, as the Processor does not maintain any stored Company Personal Data.


10. Audit Rights

10.1 The Processor shall provide the Company with relevant documentation or information necessary to demonstrate compliance with this Agreement upon written request.

10.2 The Company may request an audit of the Processor’s compliance with this Agreement. Such an audit shall be limited to reviewing documentation and security practices relevant to data processing and shall not disrupt the Processor’s operations.

10.3 Any audit request must be made with at least 30 days' written notice, and the Processor may require the Company to enter into a confidentiality agreement before granting access to any sensitive information.


11. Data Transfers

11.1 The Processor does not transfer Company Personal Data outside the EEA.

11.2 If necessary, the Parties shall use EU Standard Contractual Clauses (SCCs) to protect transferred data.


12. Confidentiality & Notices

12.1 Each Party shall keep this Agreement confidential.

12.2 All communications must be in writing and sent to the addresses provided by the Parties.


13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of Ukraine.

13.2 Any disputes will be submitted to the exclusive jurisdiction of the courts of Ukraine.


IN WITNESS WHEREOF

This Agreement is entered into with effect from the date first set out below.

Company (Atlassian Marketplace Customer)
Signature: ___________________________
Name: _____________________________
Title: ______________________________
Date: ______________________________

Processor (Maksym Babenko, Developer of Risk Radar)
Signature: ___________________________
Name: Maksym Babenko
Title: Individual Entrepreneur (Sole Proprietor Babenko Maksym Anatoliyovych)
Date: ______________________________
