This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller")
and Micro SaaS (the "Processor") for the use of Secret Scanner & PII Detector for Jira.
By installing the App from the Atlassian Marketplace, you agree to the terms of this DPA.
This DPA is supplementary to Atlassian's own
Marketplace End User License Agreement.
1. Definitions
In this DPA, the following terms have the meanings set out below:
- "App" means Secret Scanner & PII Detector for Jira, an Atlassian Forge application published by Micro SaaS on the Atlassian Marketplace.
- "Controller" means the organisation that installs the App on its Jira Cloud workspace and determines the purposes and means of personal data processing within that workspace.
- "Processor" means Micro SaaS (operated by Filippo Piconese), which processes personal data on behalf of the Controller to provide the App's functionality.
- "Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller in connection with the App.
- "Personal Data" means any information relating to an identified or identifiable natural person that may be present in the Controller's Jira workspace and processed by the App.
- "Processing" has the meaning given in the GDPR (Regulation (EU) 2016/679) and includes scanning, reading, storing, and deleting data.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
- "Forge Storage" means Atlassian's key-value storage service available to Forge applications, hosted on Atlassian's infrastructure.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2. Subject Matter, Nature and Duration of Processing
2.1 Subject matter
The Processor provides the Controller with an automated security scanning service that detects
credentials, API keys, private keys and personally identifiable information (PII) exposed in
Jira issues, comments and custom text fields within the Controller's Jira Cloud workspace.
2.2 Nature of processing
Processing activities include:
- Reading Jira issue content (titles, descriptions, comments, custom fields) via the Atlassian Jira REST API
- Applying regular-expression pattern matching to detect secrets and PII (in-memory only; content is not persisted)
- Writing labels and comments to Jira issues via the Atlassian Jira REST API
- Storing detection metadata (not raw content) in Forge Storage
- Deleting scanner labels and comments from Jira issues upon remediation
2.3 Duration
Processing begins upon installation of the App in the Controller's workspace and continues
until the App is uninstalled or this DPA is terminated by either party. Upon uninstallation,
Atlassian Forge automatically purges all data stored in Forge Storage for that installation.
3. Types of Personal Data and Categories of Data Subjects
3.1 Types of personal data
The App may process the following types of personal data:
- Personal data incidentally present in Jira issue content (e.g., names, email addresses, phone numbers in issue text — the App scans for PII patterns such as credit card numbers)
- Jira issue keys (e.g., "PROJ-42") — used to identify which issues have been scanned or flagged
- Detection metadata: detection type, rule name, timestamp, action taken
The App does not intentionally collect user account information such as
Atlassian Account IDs, names or email addresses of Jira users.
3.2 Categories of data subjects
- Employees and contractors of the Controller who create or update Jira issues
- Third parties whose personal data may appear in Jira issue content
- Jira administrators who configure the App
4. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller (including the instructions implied by the installation and use of the App), unless required by applicable law.
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement the technical and organisational security measures described in Article 7 of this DPA.
- Respect the conditions for engaging sub-processors as set out in Article 5 of this DPA.
- Assist the Controller in responding to requests for exercising data subjects' rights under the GDPR (Chapter III), including the right of access, erasure, rectification and restriction, to the extent technically possible given the App's functionality.
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security of processing, notification of data breaches, data protection impact assessments, prior consultation).
- Delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies, unless applicable law requires storage of the personal data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection law.
5. Sub-Processors
5.1 Authorised sub-processors
The Controller hereby gives general authorisation to the Processor to engage the following sub-processors:
5.2 Notification of changes
The Processor shall inform the Controller of any intended changes concerning the addition or
replacement of sub-processors, thereby giving the Controller the opportunity to object to
such changes. Notice will be given by updating this DPA and the Privacy Policy at least
30 days before the change takes effect where technically feasible.
5.3 Sub-processor obligations
Where the Processor engages a sub-processor, the Processor shall impose on that sub-processor
data protection obligations equivalent to those set out in this DPA.
6. Data Subject Rights
The Controller is responsible for facilitating data subject rights. The Processor provides
the following tools to assist the Controller:
- Access: The admin panel's Findings Summary and Audit Log sections provide visibility into all detection metadata stored by the App.
- Erasure: The "Reset All Data" function in the Historical Background Scan section deletes all stored scan data, audit events, issue status markers, scanner labels and scanner comments across the entire workspace.
- Restriction: Individual issues can be marked as "False Positive" to exclude them from future scans. Issue status markers can be cleared individually.
- Portability: The audit log is available for review in the admin panel. Export functionality is not currently provided; contact us if this is a requirement.
The Processor shall promptly notify the Controller (within 5 business days) if it receives
a data subject request in relation to the Controller's data.
7. Technical and Organisational Security Measures
Pursuant to GDPR Article 32, the Processor implements the following technical and
organisational measures to ensure a level of security appropriate to the risk:
7.1 Technical measures
- Infrastructure security: All processing occurs within Atlassian's Forge environment, which is ISO 27001 certified and SOC 2 Type II audited.
- Data minimisation: Issue content is processed in-memory only and is never persisted. Only detection metadata (timestamps, issue keys, rule names, counts) is stored.
- No secret storage: Actual secret values, API keys, passwords and PII content are never written to storage. Idempotency markers use a one-way hash (not reversible to the original content).
- Access control: The App admin panel is accessible only to users with Jira Administrator permissions, as enforced by Atlassian's permission model.
- Network isolation: The Forge runtime operates in a sandboxed environment with no outbound connections to external servers other than the Jira REST API on the same Atlassian instance.
- Data isolation: Forge Storage keys are namespaced per application to prevent cross-application data access.
- ReDoS prevention: Detection regexes are bounded (max length constraints) to prevent denial-of-service via maliciously crafted input.
7.2 Organisational measures
- Access to the App's source code is restricted to authorised developers.
- Security reviews are conducted before each significant version release.
- This DPA and the Privacy Policy are reviewed and updated at least annually or following significant changes to the App's data processing activities.
8. Data Breach Notification
In the event that the Processor becomes aware of a Data Breach affecting personal data
processed under this DPA, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to allow it to meet any obligations to report the breach to the relevant supervisory authority under GDPR Article 33 and to data subjects under GDPR Article 34.
- Cooperate with the Controller and take such steps as are reasonably required to assist in the investigation, mitigation and remediation of the breach.
Notification shall be sent to: privacy@micro-saas.it
Given that the App stores only metadata (no raw personal data content), the risk of a
data breach resulting in significant harm to data subjects is substantially mitigated.
9. Deletion and Return of Data
Upon termination of this DPA or uninstallation of the App:
- Atlassian Forge automatically and permanently deletes all data stored in Forge Storage for the App's installation within a commercially reasonable period following uninstallation.
- The Processor retains no copies of the Controller's data outside of the Forge environment.
- Scanner labels and comments added by the App to Jira issues remain in Jira and are under the control of the Controller. The Controller may use the "Reset All Data" feature before uninstalling to remove all labels and comments added by the App.
10. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller where processing carried
out by the Processor is likely to result in a high risk to the rights and freedoms of natural
persons, for the purposes of a Data Protection Impact Assessment (DPIA) as required by
GDPR Article 35.
The Processor's assessment is that the App's processing activities present a low risk
to data subjects given: (i) no raw personal data content is stored; (ii) processing is limited
to metadata; (iii) the App operates within Atlassian's certified infrastructure with no
external data transfers to Micro SaaS systems.
11. International Data Transfers
All data processed under this DPA remains within Atlassian's Forge infrastructure.
Atlassian's data transfer mechanisms (including Standard Contractual Clauses where applicable)
govern any transfers from the EEA. No data is transferred to Micro SaaS systems, which would
constitute a separate international transfer.
If you require additional documentation regarding international data transfers, please contact
us at the address in Article 12.
12. Audit Rights
The Controller has the right, upon reasonable prior notice (minimum 14 days) and at its own
cost, to conduct audits of the Processor's compliance with this DPA, including inspections
of processing activities and documentation. Audits shall be conducted in a manner that does
not unreasonably disrupt the Processor's operations.
The Processor may satisfy this requirement by providing up-to-date third-party audit reports,
certifications or attestations relevant to the processing activities, where available.
13. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions set out in
the Atlassian Marketplace End User License Agreement and applicable law.
The Processor shall not be liable for any claims arising from the Controller's failure to
fulfil its own obligations as data controller under the GDPR or for processing instructions
given by the Controller that violate applicable data protection law.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Republic of
Italy, without regard to its conflict of law provisions. Any disputes shall be subject to the
exclusive jurisdiction of the courts of Italy, except where mandatory provisions of applicable
EU data protection law require otherwise.
15. Order of Precedence
In the event of any conflict between this DPA and the Atlassian Marketplace End User License
Agreement or any other agreement between the parties, this DPA shall take precedence to the
extent of the conflict, solely with respect to the processing of personal data.
16. Contact and Execution
This DPA is entered into by installing and using the App. No separate signature is required.
For questions regarding this DPA or to make a formal data protection enquiry, contact:
Filippo Piconese — Micro SaaS
Role: Data Processor / App Developer
Email: privacy@micro-saas.it
Website: www.micro-saas.it
For the purposes of GDPR Article 28(3), this DPA constitutes the documented instructions
of the Controller for processing personal data under this agreement.