Data Processing Addendum — Jira App
This Data Processing Addendum ("DPA") applies to personal data processed by the Online Planning Poker for Jira app. It forms part of the app's End User Terms.
Last updated: July 11, 2026
Parties and Roles
This DPA is entered into between the customer organization that installs the app on its Jira Cloud site (the "Customer", acting as data controller) and Online Planning Poker (the "Provider", acting as data processor). It applies to the extent the app processes personal data subject to the GDPR, UK GDPR, or similar data protection laws, and it takes precedence over the End User Terms for that processing.
Installing or continuing to use the app constitutes acceptance of this DPA on behalf of the Customer.
Details of Processing
Subject matter and purpose
Providing collaborative planning-poker estimation sessions inside the Customer's Jira Cloud site. The Provider processes no personal data for its own purposes.
Categories of personal data
Atlassian account IDs (of game creators and participants), participant roles (player or spectator), votes and estimates, and recent-activity timestamps. No special categories of data are processed.
Data subjects
Users of the Customer's Jira site who participate in estimation games.
Duration
For the term of the app subscription, until the relevant game is deleted or the app is uninstalled, whichever comes first.
Where Processing Happens
The app is built on Atlassian Forge and all storage and compute run on Atlassian's infrastructure, within the boundary of the Customer's Atlassian organization. The app makes no network calls outside Atlassian, and the Provider operates no servers for the app and has no access to the personal data it processes. Data location follows the Customer's Atlassian data-residency configuration.
Provider Obligations
- Instructions: the Provider processes personal data only as needed to provide the app's features as configured and used by the Customer's users, which constitute the Customer's documented instructions.
- Confidentiality: by design, the Provider's personnel have no access to personal data processed by the app; any personnel who could ever obtain access are bound by confidentiality obligations.
- Security: the app relies on the technical and organizational measures of the Atlassian Forge platform, including encryption in transit and at rest, tenant isolation, and Atlassian's certified security program.
- Data subject requests: the Customer can fulfil most requests directly (deleting games removes the associated votes and participation records). The Provider will provide reasonable assistance for anything else, typically within 30 days.
- Breach notification: the Provider will notify the Customer without undue delay after becoming aware of a personal data breach affecting the app, including breaches communicated to it by Atlassian.
- Deletion: on uninstall, app data is deleted in accordance with Atlassian's Forge data lifecycle for uninstalled apps. Estimates already written to Jira issues are the Customer's Jira data and are unaffected.
Sub-Processors
The Customer authorizes the Provider's sole sub-processor:
Atlassian Pty Ltd / Atlassian US, Inc.
Hosting of all app storage and compute on the Atlassian Forge platform. Processing by Atlassian is also governed by the Customer's own agreements with Atlassian, including Atlassian's Data Processing Addendum.
No other party processes app data. Any change to this list will be announced on this page at least 30 days in advance; the Customer may object by uninstalling the app and terminating the subscription before the change takes effect.
International Transfers and Audits
Any international transfer of personal data occurs within Atlassian's infrastructure and is safeguarded by the transfer mechanisms in Atlassian's Data Processing Addendum (including Standard Contractual Clauses where applicable), together with the Customer's Atlassian data-residency settings.
Because the Provider has no access to the data and operates no infrastructure for the app, audit requests are satisfied by (i) Atlassian's published compliance certifications and audit reports for the Forge platform, and (ii) the Provider's written responses to reasonable information requests, at most once per year.
Contact
Data protection questions and requests relating to the Jira app, including this DPA, can be sent to:
Email: [email protected]
Support: [email protected]
See also the app's Privacy Policy and End User Terms.