
Data Processing Agreement

Last updated: May 30, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between you ("Customer" or "Controller") and the provider of Project Commander ("Project Commander", "we", "us", or "Processor") governing your use of the Project Commander Jira Cloud app (the "App"). This DPA reflects the parties' agreement on the processing of Personal Data in connection with the App and applies to the extent that Project Commander processes Personal Data on the Customer's behalf as a Processor.

Key point: Project Commander does not copy or store your raw Jira data outside Atlassian's infrastructure. All App data is held in Atlassian Forge storage. The only Personal Data that leaves Atlassian does so through the App's optional AI features — and only when you supply your own AI provider API key and explicitly trigger them.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or, where applicable, in Regulation (EU) 2016/679 ("GDPR") and the California Consumer Privacy Act ("CCPA").

  • "Personal Data" means any information relating to an identified or identifiable natural person that is contained in End-User Data processed through the App.
  • "End-User Data" means the Jira and App content processed through the App, as described in Annex I.
  • "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged to process Personal Data in connection with the App.
  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the GDPR, the UK GDPR, and the CCPA.

2. Roles of the Parties

The parties acknowledge that, with respect to the Processing of Personal Data within End-User Data:

  • The Customer is the Controller (and, under the CCPA, the "Business") of the End-User Data. The Customer determines the purposes and means of Processing.
  • Project Commander is the Processor (and, under the CCPA, a "Service Provider"). Project Commander processes Personal Data only on the Customer's documented instructions, as set out in this DPA and the Terms of Service.
  • Where Project Commander collects account or billing-contact information directly (for example, a support email address), it acts as a Controller of that limited data in accordance with the Privacy Policy. That activity is outside the scope of this DPA.

3. Scope and Instructions

Project Commander will Process Personal Data only:

  • to provide, maintain, secure, and support the App as described in the Terms of Service and Annex I;
  • in accordance with the Customer's documented instructions, which are constituted by the Terms of Service, this DPA, and the Customer's configuration and use of the App (including whether the Customer enables the optional AI features); and
  • as required by applicable law, in which case Project Commander will, where legally permitted, inform the Customer of that requirement before Processing.

Project Commander will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality

Project Commander ensures that any person authorized to Process Personal Data is bound by an appropriate obligation of confidentiality and processes the data only as necessary to provide the App.

5. Security of Processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, Project Commander implements appropriate technical and organizational measures to protect Personal Data, as described in Annex II. Because the App stores data exclusively within Atlassian Forge storage, much of the underlying infrastructure security is provided by Atlassian's platform.

6. Sub-processing

The Customer grants Project Commander general authorization to engage the Sub-processors listed in Annex III. Project Commander will:

  • impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, to the extent applicable to the service provided;
  • remain responsible for each Sub-processor's performance of its data-protection obligations; and
  • give the Customer notice of any intended addition or replacement of a Sub-processor through the App's documentation or the Marketplace listing, allowing the Customer a reasonable opportunity to object on reasonable data-protection grounds.

AI providers as Sub-processors: The AI providers (Anthropic, OpenAI, Google) act as Sub-processors only when the Customer enables the optional AI features by supplying its own API key and explicitly triggers a feature. If the Customer does not configure an API key, no Personal Data is transmitted to any AI provider. The Customer is responsible for reviewing and accepting the data-use terms of the AI provider whose key it supplies.

7. Assistance to the Controller

Taking into account the nature of the Processing, Project Commander will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligations to:

  • respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). Customers can view, correct, and delete most App-managed content directly through the App interface, and Jira data remains in Jira; and
  • ensure the security of Processing, notify and communicate Personal Data Breaches, carry out data protection impact assessments, and consult with supervisory authorities, in each case in relation to Personal Data Processed through the App.

8. Personal Data Breach Notification

Project Commander will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA, and will provide the Customer with information reasonably available to it to assist the Customer in meeting its own breach-notification obligations.

9. International Transfers

End-User Data stored by the App resides in Atlassian Forge storage and is subject to Atlassian's data-residency handling. Where the optional AI features are enabled by the Customer, Personal Data contained in a prompt may be transferred to and Processed by the selected AI provider, which may operate outside the European Economic Area or the United Kingdom. Such transfers rely on the transfer mechanisms maintained by those providers (including Standard Contractual Clauses where applicable) under the data-processing terms the Customer accepts with that provider.

10. Deletion and Return of Data

Upon termination of the Customer's use of the App, or on the Customer's request, Personal Data Processed under this DPA is deleted as follows:

  • Uninstalling the App removes all App data held in Atlassian Forge storage — including configuration, velocity history, sprint snapshots, team capacity, risks, action items, retrospectives, governance policies, portfolio data, alert dismissals, the AI prompt-enrichment cache, and the AI API key held in Forge encrypted secret storage.
  • Jira data is never copied outside Atlassian and therefore requires no separate return or deletion; it remains under the Customer's control in Jira.
  • Project Commander does not retain prompts or responses exchanged with AI providers.

11. Audit

Project Commander will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable confidentiality and security safeguards. Given that the App runs within Atlassian's Forge platform, audit information may include references to Atlassian's own platform certifications and controls.

12. CCPA Terms

To the extent the CCPA applies, Project Commander acts as a Service Provider. Project Commander does not sell or share Personal Data, does not retain, use, or disclose Personal Data for any purpose other than performing the services described in the Terms of Service, and does not combine Personal Data with information from other sources except as permitted by the CCPA. Project Commander certifies that it understands and will comply with these restrictions.

13. General

This DPA is governed by the same law and dispute-resolution provisions as the Terms of Service (State of California, United States). In the event of a conflict between this DPA and the Terms of Service with respect to the Processing of Personal Data, this DPA prevails. If any provision of this DPA is held unenforceable, the remaining provisions continue in effect. This DPA supplements, and does not replace, the data-protection terms provided by Atlassian for the Atlassian platform; where Atlassian's platform terms apply, they govern Processing performed by Atlassian as the infrastructure provider.

Annex I — Details of Processing

Subject matter and duration

Processing of End-User Data to provide the App's sprint-planning, capacity, forecasting, and optional AI features, for the duration of the Customer's installation and use of the App.

Nature and purpose

Reading Jira sprint, issue, board, project, and user data through Atlassian APIs; computing capacity, workload, velocity, feasibility, and risk metrics; storing App configuration and App-managed content in Forge storage; writing sprint and issue changes the Customer initiates; and, where enabled, sending project-context prompts to a Customer-selected AI provider.

Categories of Data Subjects

  • The Customer's Jira users and team members (e.g., assignees and team-capacity members)
  • The authenticated user operating the App

Categories of Personal Data

  • User display names and Atlassian account identifiers
  • Assignee names and per-user workload, capacity, utilization, and velocity figures
  • Time-off entries (member name, dates, and free-text reason) and holiday entries
  • Free-text fields that may incidentally contain Personal Data (notably sprint goals, time-off reasons, and AI Chat messages)

The App does not process special categories of Personal Data, and such data should not be entered into free-text fields.

Annex II — Technical and Organizational Measures

  • The Jira Cloud app runs entirely within Atlassian's Forge platform sandbox; no Customer data is transmitted to or stored on servers operated by Project Commander.
  • All App data is stored in Atlassian Forge storage, isolated to the Customer's Atlassian instance and scoped to the Customer's account.
  • The Customer-supplied AI API key is stored in Forge encrypted secret storage, separate from regular Forge storage, and is read server-side only at the moment an AI request is dispatched.
  • All network communications use HTTPS/TLS encryption.
  • Access to data is controlled by the Customer's existing Jira permissions; the App requests only the scopes necessary for its features.
  • The App does not log End-User Data; backend logging is limited to error diagnostics that do not include issue, user, or sprint content.
  • No external databases, analytics services, or third-party logging services are used.

Annex III — Sub-processors

Sub-processor | Purpose | When engaged
Atlassian Pty Ltd | Hosting and storage platform (Atlassian Forge), including Forge storage and encrypted secret storage; delivery of the App. | Always (the App runs on Atlassian's platform).
Anthropic (api.anthropic.com) | Processing AI prompts for the optional AI features when Anthropic is the selected provider. | Only when the Customer supplies an Anthropic API key and triggers an AI feature.
OpenAI (api.openai.com) | Processing AI prompts for the optional AI features when OpenAI is the selected provider. | Only when the Customer supplies an OpenAI API key and triggers an AI feature.
Google (generativelanguage.googleapis.com) | Processing AI prompts for the optional AI features when Google Gemini is the selected provider. | Only when the Customer supplies a Google API key and triggers an AI feature.

Contact

Questions About This DPA?

For questions about this Data Processing Agreement or to raise a data-protection request, contact us:

Email: support@projectcommander.app


© 2026 Project Commander. Built for Jira Cloud.