We take your privacy seriously. We are committed to upholding your privacy and adhering to the stringent standards set by Atlassian for the protection of personal data.
- Data means Personal Information and User Data.
- Data Controller has the meaning given in Rec. 22, Art 3(1) of the GPDR, that is, a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Information, where the purposes and means of processing are determined by EU or Member State laws.
- Data Subject means an identified or identifiable natural person who is a user of our Product.
- GDPR means the European Union General Data Protection Regulation.
- Law means all relevant legal and regulatory requirements applicable to you or us (including, for the avoidance of doubt, the Australian Privacy Act 1988 (Cth) and the GDPR).
- Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
- Product means software owned, developed and sold by us.
- Supervisory Authority means the authority with the primary responsibility for dealing with the relevant data processing activity.
- Unsolicited Information includes any unsolicited communications by you to the Company.
- User Data means all information collected passively or actively from our Customers that is not Personal Information
3. Collection and use
- The processing activities that we undertake include
- email notifications of new software versions to contacts;
- analysis of anonymised Product analytics to understand usage patterns;
- You agree that we may collect and use technical data and related information, including without limitation, technical information relating to your device, system, and use of the Product(s), that is gathered periodically to facilitate the provision of software updates, product support, marketing efforts and other services and communications to you related to the Products, including providing you with information about services, features, surveys, newsletters, offers, promotions; providing other news or information about us and our select partners; and sending you technical notices, updates, security alerts, and support and administrative messages. We may use this technical data and related information, as long as it is in a form that does not personally identify you, except to the extent necessary to provide you with support, or communications to improve our products or to provide services or technology to you.
4. Security measures
- We have implemented the following security measures:
- Two Factor Authentication to access all development and production services;
- Anonymisation of all analytics events captured;
- FileVault encryption on employees laptops;
- Use of a password manager, ensuring a unique password is used for each development and production service;
- We will:
- maintain a list of our employees that have been granted access to Data.
- Data is stored on an Amazon Web Services DynamoDB Database in the United States. The Product is hosted on Amazon Web Services. We will notify you if the storage location of your Data changes.
5. Incident response
Where there has been a security breach, data leakage or Personal Information is lost, destroyed or becomes damaged, corrupted or unusable, we will notify you as soon as practicable.
6. Your obligations
You agree and warrant that:
- the processing, including the transfer itself, of Personal Information has been and will continue to be, carried out in accordance with all applicable Laws (and, where applicable, you have notified the Supervisory Authority in your country of such processing);
- all Data that you provide on behalf of a Data Subject has been obtained with the informed consent of the Data Subject;
- you have assessed our security measures as described in clause 4 and believe our security measures ensure a level of security appropriate to the nature of the Data you provide to us;
7. Access to Data
- Data Subjects have the right to request that we update, correct or, upon request, erase Personal Information in our possession. We will endeavour to provide the requested Personal Information within a reasonable time.
- If you request a correction to your Personal Information then we will take reasonable steps to correct that Personal Information.
- To guard against fraudulent requests, we will require information to confirm your identity before granting access or making corrections.
- We may decline to provide a Data Subject with access to Personal Information including where we determine that the information requested:
- may disclose:
- the Personal Information of another individual; or
- trade secrets or other business confidential information;
- is subject to legal professional privilege;
- is not readily retrievable and the burden or cost of providing the information would be disproportionate to the nature or value of the information;
- does not exist, is not held, or cannot be located by us;
- would pose a serious threat to the life, health or safety of any individual, or to public health or safety if it were accessed; or
- is not permitted by Law to be accessed.
- We will not disclose your Data to any other party other than at your request or in accordance with this clause 9.
- There are also a limited number of circumstances in which we may share your Data with third parties. This may be done without further notice to you. These circumstances are:
- Legal requirements: We may disclose your Data and any other information if required to do so by law or in good faith belief that such action is necessary to:
- comply with a legal obligation;
- protect and defend the rights or property of the Company; or
- protect against legal liability.
- Business transfers and related activities: We may sell, buy, restructure or reorganise our business or assets. In the event of any sale, merger, reorganisation, restructuring, dissolution or similar event involving our business or assets, Personal Information may be part of the transferred assets.
10. Cross-border transfer of data
- If you are using our Products in a country other than the United States, your communications will result in the transfer of Data across international boundaries. The countries in which recipients of your Personal Information are likely to be located are the United States, Australia and countries within the European Union.
- If you provide Personal Information, you acknowledge and agree that Personal Information may be transferred from your current location to the offices and servers of the Company and Subprocessors located primarily in Australia, the United States and countries within the European Union.
We warrant that:
- you may withdraw your consent for us to process your Data at any time at which time the process under clause 13 will be followed;
- we will implement and maintain appropriate technical and organisation measures to meet the requirements of the Australian Privacy Act 1988 (Cth) and the GDPR. This does not alter your own obligations under these legal regimes;
- we will only use your Data for the purposes for which it is provided by you;
- we will not sell or otherwise redistribute to third parties the Data we collect from you;
- we will promptly notify you of:
- any legally binding request for disclosure of the Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- any unauthorised access to or disclosure of Personal Information or any circumstances that are likely to give rise to such unauthorised access or disclosure, where there is a likely risk of serious harm to any Data Subject as a result of the unauthorised access or disclosure; and
- any request received directly from one of your customers or a Data Subject, without responding to that request, unless we have been otherwise authorised by you to do so;
- we will deal promptly and properly with all inquiries from you relating to the processing of your Data and we will abide by the advice of any Supervisory Authority with regard to the processing of the Data transferred; and
- the processing services by any Subprocessor will be carried out in accordance with clause 20.
On termination, you will have the choice of having all Data transferred to you or the Data being destroyed, unless Laws imposed on us prevent us from returning or destroying all or part of the Data. If we cannot return or destroy the Data, we warrant that we will guarantee the confidentiality of the Data and will not actively process the Data after termination.
14. Audit of measures
- Where you are required by a Supervisory Authority to demonstrate compliance with privacy obligations, we allow and contribute to audits, including inspections.
- We will submit our data processing facilities for an audit of the measures referred to in clause 14(a) at the request of you and/or the Supervisory Authority.
15. Unsolicited information
16. European Union General Data Protection Regulation
- Clauses 17 to 21 apply only if you are a Data Controller.
17. Notifying the data protection authority
In the event that you receive a notification from us or any Subprocessor under clause 11(d) or 14(c), you must forward such notification to the Supervisory Authority if you decide to continue the transfer of Personal Information or to lift the suspension.
- Any Data Subject who has suffered damage as a result of any breach of the obligations referred to in clause 20 by us, a Subprocessor or yourself, is entitled to receive compensation from you for the damage suffered.
- Where either the Company or a Subprocessor has breached the obligations referred to in clause 20 and a Data Subject is unable to bring a claim for compensation in accordance with clause 18(a) because you have disappeared, ceased to exist in Law, or have become insolvent, the Data Subject may issue a claim against us, unless any successor entity has assumed your entire legal obligations by contract or by operation of law, in which case the Data Subject can enforce its rights against the successor entity.
19. Mediation and jurisdiction
- refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority; or
- refer the dispute to the courts in your country.
- The choice made by the Data Subject will not prejudice their substantive or procedural rights to seek remedies in accordance with other provisions of Law.
20. GDPR-compliant subprocessing
- In addition to our obligations under clause 8, we will not subcontract any of our processing operations performed on your behalf without your prior written consent.
- Where a Subprocessor is engaged to process your Data in accordance with clause 20(a), we will enter into a written agreement with the Subprocessor. A copy of this written agreement will be provided to you. Where the Subprocessor fails to fulfil its data protection obligations under the written agreement, we will remain fully liable to you for the performance of the Subprocessor’s obligations under such agreement.
- The prior written agreement between the Company and the Subprocessor will provide for:
- the Supervisory Authority’s right to conduct an audit of the Subprocessor; and
- the Subprocessor’s warranty that upon the request of you and/or the Supervisory Authority, it will submit its data processing facilities for an audit of the measures referred to in clause 14(a).
21. Your obligations under GDPR
As a condition of our provision of the Products to you, you agree to comply with all of your obligations under the GDPR.
23. Making a complaint
You are entitled to lodge a complaint about our treatment of your Data with the relevant Supervisory Authority.
Before lodging a complaint with a Supervisory Authority, we encourage you to first attempt to resolve the complaint by contacting us using the details below. We will respond to your complaint within 30 days.