Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Agreement between Raian Pollock dba Sync-o ("Processor") and the organization identified as the customer ("Controller") and applies to the processing of Personal Data on behalf of the Controller.

1. Context & Architecture (The "Atlassian-Native" Model)

Unlike traditional SaaS platforms that ingest and store all customer data, Sync-O operates as a "Minimal-Footprint Processor" within your Atlassian ecosystem.

Ephemeral Processing: Sync-O is designed to be stateless regarding your content. We fetch the body text of Jira tickets and Confluence pages on-the-fly for AI analysis. This content is not written to our persistent databases and is discarded immediately after the synchronization/generation task is complete.
Metadata Retention: Sync-O retains only metadata (e.g., Atlassian Site URL, User IDs, Configuration Settings) and mathematical vector representations necessary to provide the service and audit logs.
Hosting: Sync-O's core infrastructure is hosted in the European Union (AWS Ireland / GCP Belgium).

2. Definitions

"GDPR" means the General Data Protection Regulation (EU) 2016/679.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
"Sub-processor" means any third party appointed by Processor to process Personal Data.

3. Scope and Details of Processing

Subject Matter: Provision of the Sync-O Atlassian Forge app services (Jira-to-Confluence automated documentation and synchronization).

Duration: The term of the Agreement plus the period until all Personal Data is deleted or returned (automated deletion occurs upon app uninstallation).

Nature and Purpose: Automated analysis of Jira issues and Confluence pages to generate summaries, updates, and cross-links; providing enterprise analytics and audit logs.

Categories of Data:

User Profile Data: Atlassian User IDs, Email addresses, Names (provided by Forge context).
Atlassian Context Metadata: Site URL (Cloud ID), Issue Keys, Page IDs, Parent Space IDs.
Configuration Data: AI provider preferences, confidence thresholds, notification settings.
Vector Embeddings: Mathematical representations of text snippets used for relevance matching (content body not stored).

Data Subjects: Users within the Controller's Atlassian Cloud site.

4. Processor Obligations

Processor shall:

Instructions: Process Personal Data only on documented instructions from Controller (including this DPA and the Agreement), unless required by law.
Confidentiality: Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
Security: Implement appropriate technical and organizational measures (TOMs) as outlined in Annex 1.
Sub-processors: Only engage sub-processors listed in the Sync-O Trust Center or otherwise notified to the Controller.
Data Breach: Notify Controller without undue delay after becoming aware of a Personal Data Breach.

5. International Data Transfers

Primary Processing Location: European Union (EU).
Transfers: Any transfers to sub-processors outside the EEA (e.g., US-based AI providers like OpenAI or Anthropic when configured by the Controller) shall be governed by Standard Contractual Clauses (SCCs).

6. Deletion or Return of Data

Upon uninstallation of the Sync-O app, Processor shall initiate the automated deletion of all tenant-specific configuration, installation IDs, and vector data within 30 days, unless applicable law requires storage.

ANNEX 1: SECURITY MEASURES

Encryption: Data in transit is encrypted via TLS 1.3. Data at rest (metadata, API keys) is encrypted via AES-256 using AWS KMS.
Access Control: Least-privilege IAM models for all internal infrastructure. MFA required for all developer access.
Isolation: Multi-tenant data is strictly isolated within DynamoDB via logical keys (Cloud ID).
Ephemeral Design: Message/Ticket/Page bodies are processed in-memory and not written to persistent disk storage.