Data Processing Agreement (DPA) pursuant to Art. 28 (3) GDPR between the customer ("Controller") and resolution Reichert Network Solutions GmbH, Oklahomastr. 14, 66482 Zweibrücken Rheinland Pfalz, Germany ("Processor") (collectively also "Parties").

1 Subject of the agreement

(1) The Processor shall provide the Controller with software solutions in accordance with the End-User License Agreement. In doing so, the Processor shall obtain access to personal data and shall process such data exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the End-User License Agreement. The Controller is solely responsible for assessing the permissibility of the data processing in accordance with Art. 6 (1) GDPR.

(2) The Parties conclude the present agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the End-User License Agreement.

(3) The provisions of this Agreement shall apply to all activities related to the End-User License Agreement in which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from or collected for the Controller or otherwise processed on the Controller's behalf.

(4) The term of this Agreement shall be based on the term of the End-User License Agreement unless the following provisions give rise to obligations or rights of termination going beyond this.

(5) The provision of the contractually agreed data processing usually takes place in a member state of the European Union or another contracting state of the Agreement on the European Contractual Area (Decision 94/1/EC). If the Processor transfers Personal Data to subcontractors outside the EU or the EEA, they have previously agreed to comply with the standard data protection clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4.6.2021 and thus ensure an adequate level of data protection within the meaning of Art. 46 (2) lit. c GDPR.

2 Type of data processed

The personal data to which the Processor will have access in the course of the performance of the End-User License Agreement are set out per individual app listing, under the "Privacy & Security" tab in the Atlassian Marketplace.

3 Controller’s right of instruction

(1) The Processor may only collect, use or otherwise process data within the scope of the End-User License Agreement and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing.

(2) The instructions of the Controller are initially defined by this Agreement and may thereafter be amended, supplemented or replaced by the Controller by individual written instructions. The authorized contact persons of each Party and the communication channel to be used are shown in Annex 2. Any changes shall be taken into account in a timely manner.

(3) All instructions issued shall be documented by both the Controller and the Processor and shall be retained for the duration of their validity and subsequently for three additional full calendar years.

(4) If the Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful.

4 Basic obligations of the Processor

(1) The Processor is obliged to observe the legal provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

(2) The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure that it has taken all appropriate technical and organizational measures (TOMs) to adequately protect the data of the Controller pursuant to Art. 32 GDPR. The Processor is entitled to adapt measures to technical and organizational developments, provided that they do not fall short of the agreed standards. 

(3) The Processor has appointed a contact person for data protection.

(4) The persons employed in the data processing by the Processor are prohibited from collecting, using or otherwise processing personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement ("Employees") accordingly (obligation to confidentiality, Art. 28 (3) lit. b GDPR) and shall instruct them about the special data protection obligations resulting from this Agreement as well as the existing instruction and/or purpose limitation and shall ensure compliance with the aforementioned obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this Agreement or the employment relationship between the Employee and the Processor. The obligations shall be proven to the Controller in an appropriate manner upon request.

5 Information obligations of the Processor

(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Processor, by persons employed by it within the scope of the contract or by third parties, the Processor shall inform the Controller in writing without undue delay. The same shall apply to audits of the Processor by the data protection supervisory authority. The notification of a personal data breach shall contain the following information as far as possible:

(a) a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects, the categories affected, and the number of personal data records affected;

(b) a description of the probable consequences of the injury; and

(c) a description of the measures taken or proposed by the Processor to address the breach and, where applicable, measures to mitigate its potential adverse effects.

(2) The Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subject(s), inform the Controller thereof and request further instructions from the Controller.

(3) The Processor shall furthermore be obligated to provide the Controller with information at any time insofar as the Controller's data is affected by a violation pursuant to Paragraph 1.

(4) If necessary, the Processor shall support the Controller in fulfilling the Controller's obligations pursuant to Art. 33 and 34 GDPR in an appropriate manner (Art. 28 (3) sentence 2 lit. f GDPR). Notifications for the Controller pursuant to Art. 33 or 34 GDPR may only be made by the Processor after prior instruction by the Controller pursuant to § 3 of this Agreement.

(5) Should the Controller’s data at the Processor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller (Art. 4 No. 7 GDPR).

(6) The Processor shall inform the Controller without undue delay of any significant changes to the security measures pursuant to § 4 para. 2 of this Agreement.

(7) The Processor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 (2) GDPR. The directory shall be made available to the Controller upon request.

6 Control rights of the Controller

(1) The Processor shall demonstrate to the Controller compliance with the obligations set forth in this Agreement by appropriate means.

(2) If, in individual cases, inspections by the Controller or an auditor commissioned by the Controller are necessary, they shall be carried out during normal business hours without disrupting operations. The Processor may make the inspection dependent on prior notification with an appropriate lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures set up. If the auditor commissioned by the Controller is in a competitive relationship with the Processor, the Processor shall have a right of objection against him.

(3) In order to carry out the control, the Processor only needs to permit such a person who is under a special obligation to maintain confidentiality, in particular with regard to information about the Processor's operations, its equipment, the Processor's business secrets and security measures. If the control is not carried out by a person already known to the Processor, such person must prove his legitimation by the Controller in writing at least ten calendar days before the control is carried out.

(4) The Controller shall document the inspection result and notify the Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular, during the inspection of order results, he shall inform the Processor without undue delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Controller shall inform the Processor of the necessary procedural changes without undue delay.

7 Use of Subprocessors

(1) Within the scope of its contractual obligations, the Processor shall in principle be authorized to establish further subcontracting relationships with subprocessors ("Subprocessor Relationship"). The Processor shall carefully select subprocessors according to their suitability and reliability. The Processor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Controller can exercise its rights under this Agreement, in particular its audit and control rights. Upon request, the Processor shall provide the Controller with evidence of the conclusion of the aforementioned agreements with its subprocessors.

(2) The subprocessors currently working for the Processor in accordance with Paragraph 1 are listed in Annex 3. The Processor shall inform the Controller of any changes in a timely manner. The Controller may object within a reasonable period of time if an important reason under data protection law opposes the commissioning of the subprocessor.

(3) If subprocessors in a third country are to be involved, this shall only be done under the conditions specified in § 1 para. 5 sentence 2.

(4) A Subprocessor Relationship within the meaning of the above provisions does not exist if the Processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, security and cleaning services, as well as telecommunication services without any specific reference to services provided by the Processor to the Controller.

8 Requests and rights of data subjects

(1) The Processor shall support the Controller as far as possible with appropriate technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12 to 22 and Articles 32 and 36 GDPR.

(2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Processor, the Processor shall forward the request to the Controller without undue delay, provided that an allocation to the Controller is possible according to the data subject. The Processor shall not be liable if the Data Subject's request is not answered, not answered correctly or not answered in a timely manner by the Controller.

9 Liability

(1) The Controller and Processor are liable to data subjects in accordance with the provision set out in Art. 82 GDPR. The Processor shall coordinate any fulfillment of liability claims with the Controller.

(2) The Processor shall indemnify the Controller against all claims asserted by data subjects against the Controller due to the breach of an obligation imposed on the Processor by the GDPR or this Agreement or due to the noncompliance or breach of a lawful instruction separately issued by the Controller.

(3) The Processor does not have to indemnify the Controller if the data processing or measure giving rise to the Parties´ liability was carried out on the basis of instructions from the Controller. The same shall apply to measures that have been previously coordinated with the Controller. Coordination shall also be deemed to have taken place if a provision in this Agreement has been inserted at the request of the Controller.

(4) The Parties shall indemnify each other against liability to the extent that a Party proves that it is not responsible in any respect for the circumstance that caused the damage to a data subject. In all other respects, Art. 82(5) GDPR shall apply.

10 Termination of the End-User License Agreement and this Agreement

(1) This Agreement shall remain valid after termination of the End-User License Agreement for as long as the Processor has personal data which have been forwarded to him by the Controller or which he has collected for the Controller.

(2) The Processor shall return all documents, data, and data carriers provided to it to the Controller after the termination of the End-User License Agreement or at any time at the Controller's request or delete them at the Controller's request unless there is an obligation to store the personal data under EU law or the law of the Federal Republic of Germany. The Processor shall provide documentary evidence of the proper deletion.

(3) Upon termination of this Agreement, the End-User License Agreement shall also terminate, provided that it cannot be performed without the processing of personal data.

11 Final provisions

(1) Unless otherwise provided, declarations between the Parties shall be made in text form, whereby E mail shall suffice.

(2) The Agreement shall be governed by and construed in accordance with German law.

(3) Should one of the above provisions be or become invalid or should a provision that is necessary in itself not be included, this shall not affect the validity of the remaining provisions. The Parties shall endeavor to find a mutually agreeable provision in this case.


Annex 1 - Purpose, nature of processing and categories of data subjects 

The below tables describe the nature of personal data and categories of data subjects of the Controller that can generally be processed as part of the Processor's service list.

In view of the nature of the service, the Controller acknowledges that the Processor can neither review nor maintain the below table. The Controller undertakes to notify the Processor of any changes to the table below (via the communication channel specified in Annex 2).

General processes

The following processes are available no matter which app or apps you use and regardless of whether you use Cloud or on-premise apps.

ProcessPurpose of processingCategories of processingCategories of personal dataCategories of data subjects
Customer supportHelp users from the Controller's organization to resolve usage problems or error situations and thus contribute to the value of the app for the Controller and improvement of the apps and documentation.

In customer support usage problems or error situations are reported by users from the Controller's organisation via the mechanism described in Annex 2.

In the course of the support process, reporters might be asked to provide Confluence support zips including log files, Templates used for exporting to different formats page exports or space exports from Confluence JIRA support zips including log files Backbone support zips including log files and data of synchronized issues logs from the reporter's browser console.

Data is provided through the support tool (Jira Service Management, see Annex 3). Reporters can choose to provide their own mechanism of data transfer.

The received data is then analyzed manually or automatically for causes or indicators of reported usage problems or error situations.

The process is agnostic of any data supplied to it.

For reporting a problem or error situation the

  • reporter's name

  • reporter's email address

will be stored.

Example categories of personal data are:

  • project reports including project collaborators

  • information on authors of or collaborators on Confluence content

  • Assignees, reporters, and participants of issues

  • Field values and changes on fields & comments made by users of JIRA Cloud

The controller must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA, or the app.

  • Users of Confluence (Cloud or on-premise)

  • Users of JIRA (Cloud or on-premise)

The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, JIRA, or the app.

Error trackingFor error tracking data is transferred from the end user's browser to an error reporting service, which allows analysis of errors without users having to actively report them. This is used to improve the quality of the apps.

Data describing the error context, like operations invoked, the user interface element clicked, and technical context like browser, and operating system values are transferred to the error reporting service (see Annex 3).

Not all apps have implemented this feature yet and disabling can be requested through the channel described in Annex 2.

This service transfers a hash of a technical identifier, to be able to spot cases where single users have reoccurring or interconnected errors.

This process additionally transfers the following data

  • URL

  • Browser and Operating System

  • Invoked operations and clicked user interface elements

  • Users of Confluence (Cloud or on-premise)

  • Users of JIRA (Cloud or on-premise)

Product analyticsFor product usage analytics data is transferred from the end user's browser to an analytics service, which allows to report on the usage of product features. This is used to improve the quality of the apps.Data describing the invoked functionality of the app is sent to the analytics service. The data is stored by a sub-processor (Segment and Mixpanel, see Annex 3).This service transfers a hash of a technical identifier, to be able to track typical usage patterns of functions inside the apps.

  • Users of Confluence, that also use an app from the Processor (Cloud)

  • Users of JIRA, that also use an app from the Processor (Cloud)

License distributionThe apps are only usable with valid licenses. Licenses; i.e. commercial, evaluation, and community or academic licenses; are distributed through the Atlassian Marketplace

All data attached to a license under my.atlassian.com is transferred to the Processor.

The Processor will send informational emails when evaluating or using a new app via sub-processor (ZohoCampaign, see Annex 3).

The Processor might also send transactional emails informing receivers about their licenses via sub-processor (ZohoCampaign, see Annex 3)

Data for a license includes:

  • email address

  • name

  • postal address, if provided

  • organisation

  • technical contacts

  • sales contacts

  • partner contacts

Out of Office Assistant for Jira Cloud

The data shall be processed exclusively for the purposes of provision of software solutions to the Controller in accordance with the End-User License Agreement. 

Processing the data consists of the following: collecting, sorting, saving, transferring, restricting, and deleting data.

Sending absence messages when a Jira Software user, a Jira Work Management user, or a Jira Service Desk agent is assigned an issue during their time off.

Reassigning issues automatically to a delegate owner (coverer) when they are assigned to a user who is absent.

Delegating JSM approvals automatically to a delegate approver coverer, when the original approver is absent.

Warning that a user who has been mentioned is on leave or will be on leave soon.

Fetching dates and times of absences from external systems like Outlook or apps like Tempo, on behalf of the user.

  • Slack Team ID
  • Slack Team Names
  • Slack User ID
  • User Account ID
  • Out of Office Rules
  • Out of Office Templates
  • Outlook Client ID
  • Outlook User ID



Users of Jira services (employees and/or contractors of the Controller)

Annex 2 - Authorized persons, entitled persons, Communication channel

Authorized persons under this Agreement are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).

Instructions are to be transmitted by the following communication channel:

E-Mail to Atlassian.apps@resolution.de or request via www.resolution.de/support.


Annex 3 - Sub-processors

The controller approves the following sub-processors to be used for the described purposes by the processor:

  • Amazon Web Services Inc, USA: We use AWS to host our Cloud apps. The AWS privacy statement can be found here.

  • Heroku by Salesforce, USA: We use Heroku to host our Cloud apps. The Heroku privacy statement can be found here.
  • MongoDB Inc, USA: We use MongoDB to host our database. The MongoDB privacy statement can be found here.
  • Papertrail by Solarwinds, USA: We use Papertrail to host our logs. The Papertrail privacy statement can be found here.
  • Sentry: We use Sentry for application error and performance reporting. The Sentry privacy statement can be found here.

  • Atlassian Corporation Plc, UK: We use Jira Service Management from Atlassian for the creation, tracking and administration of support tickets, Jira Software Cloud for tracking software development and task management, and Atlassian Confluence Cloud for the internal documentation of customer use cases. The Atlassian privacy statement can be found here.

  • Segment.io Inc, USA: We use Segment to collect data on how our apps are used. The Segment privacy statement can be found here.

  • Mixpanel, USA: We use Mixpanel to collect data on how our apps are used. The Mixpanel privacy statement can be found here.
  • Zoho Corporation, India: We use Zoho as a CRM Tool for the purpose of sending evaluation and product-related emails to system administrators. The Zoho privacy statement can be found here