Recadence by Yes But How

Data Processing Agreement

Effective date: 3 March 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between Customer (as defined in the Agreement) and Yes-But-How Ltd, a company registered in England and Wales ("Company"). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement, including the Data Classification definitions in Section 1.8 of the Agreement (Operational Metadata, User-Generated Notes, Content Data, and Excluded Data).

1. Definitions

1.1 "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party.

1.2 "Authorised Sub-Processor" means a third party who has a need to know or otherwise access Customer's Personal Data to enable the Company to perform its obligations under this DPA or the Agreement, and who is either (1) listed in Exhibit B or (2) subsequently authorised under Section 3.2 of this DPA.

1.3 "Customer Account Data" means personal data that relates to Customer's relationship with the Company, including names or contact information of individuals authorised to access Customer's account and billing information.

1.4 "Customer Usage Data" means Service usage data collected and processed by the Company in connection with the provision of the Services, including activity logs and data used to optimise and maintain performance of the Services.

1.5 "Data Protection Laws" means any applicable laws and regulations relating to the use or processing of Personal Data, including: (i) the UK Data Protection Act 2018; (ii) the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018); (iii) the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"); (iv) the California Consumer Privacy Act ("CCPA"); and (v) the Privacy and Electronic Communications Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms "Data Subject", "Personal Data", "Personal Data Breach", "processing", "processor", "controller", and "supervisory authority" shall have the meanings set forth in the UK GDPR.

1.6 "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognised as offering an adequate level of protection.

1.7 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office, Version B1.0, in force 21 March 2022, as amended from time to time.

1.8 "Services" shall have the meaning set forth in the Agreement.

2. Relationship of the Parties; Processing of Data

2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, the Company is a processor. Customer shall, in its use of the Services, process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer's instructions will not cause the Company to be in breach of Data Protection Laws. Customer is solely responsible for the accuracy, quality and legality of (i) the Personal Data provided to the Company, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to the Company regarding the processing of such Personal Data.

2.2 The Company shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with this DPA or any other documented instructions provided by Customer, unless required to do so by law; in such case, the Company shall inform Customer of that legal requirement before processing, unless prohibited by law on important grounds of public interest, or (iii) in violation of Data Protection Laws. Customer hereby instructs the Company to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.

2.3 The subject matter, nature, purpose and duration of processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.

2.4 Following completion of the Services, at Customer's choice, the Company shall return or delete Customer's Personal Data within thirty (30) days, unless further storage is required or authorised by applicable law. For the avoidance of doubt, data that has been irreversibly anonymised such that it can no longer be linked to an identifiable individual is not Personal Data and is not subject to the deletion obligations of this section. Security and access logs may be retained for up to twelve (12) months after termination for the protection of the Service, after which they are purged.

2.5 CCPA. Except with respect to Customer Account Data and Customer Usage Data, the parties acknowledge and agree that the Company is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Services, which constitutes a business purpose. The Company shall not sell any such personal information. The Company shall not retain, use or disclose any personal information provided by Customer except as necessary for the specific purpose of performing the Services, or as otherwise permitted by the CCPA.

3. Authorised Sub-Processors

3.1 Customer acknowledges and agrees that the Company may (1) engage its affiliates and the Authorised Sub-Processors listed in Exhibit B to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services. By way of this DPA, Customer provides general written authorisation to the Company to engage sub-processors as necessary to perform the Services.

3.2 The Company shall notify Customer via email at least fourteen (14) days before enabling any new third party (other than existing Authorised Sub-Processors) to access or participate in the processing of Personal Data. Customer may object to such an engagement by informing the Company within ten (10) days of receipt of notice, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent the Company from offering the Services to Customer.

3.3 If Customer reasonably objects to an engagement in accordance with Section 3.2 and the Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to the Company. Discontinuation shall not relieve Customer of any fees owed under the Agreement.

3.4 If Customer does not object within the period specified in Section 3.2, the third party shall be deemed an Authorised Sub-Processor.

3.5 The Company shall enter into a written agreement with each Authorised Sub-Processor imposing data protection obligations comparable to those imposed on the Company under this DPA. The Company shall remain liable to Customer for the performance of the Authorised Sub-Processor's obligations under such agreement.

4. Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about the Company's technical and organisational security measures.

5. Transfers of Personal Data

5.1 All Personal Data and Content Data is stored on servers located in Germany within the European Union. The Company is established in the United Kingdom, which benefits from an adequacy decision by the European Commission, permitting the free flow of personal data between the EU and UK without additional safeguards. Personal Data and Content Data is processed only in Germany and the United Kingdom and does not leave these jurisdictions.

5.2 Anonymised Operational Metadata and User-Generated Notes (which should not contain Personal Data) may be transmitted to third-party AI providers located outside the EU/UK for the purpose of AI Features. No Personal Data, Content Data, or Excluded Data is transmitted to such providers.

5.3 To the extent any transfer of Personal Data outside the UK or EEA becomes necessary in the future, the Company shall ensure that appropriate safeguards are in place in accordance with Data Protection Laws, including by entering into the EU SCCs (with the UK Addendum where applicable).

5.4 Ex-EEA Transfers. Should ex-EEA Transfers become necessary, the parties agree that such transfers shall be made pursuant to the EU SCCs, which shall be deemed entered into and incorporated into this DPA by reference. Module Two (Controller to Processor) shall apply where Customer is a controller and the Company is processing Personal Data as a processor. Module Three (Processor to Sub-Processor) shall apply where Customer is a processor and the Company is processing Personal Data as a sub-processor. For each module: (a) in Clause 9, Option 2 (general written authorisation) applies; (b) in Clause 17, the EU SCCs shall be governed by Irish law; (c) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland.

5.5 Ex-UK Transfers. Should ex-UK Transfers become necessary, the EU SCCs as described in Section 5.4 shall apply with the UK Addendum appended.

5.6 Supplementary Measures. As of the date of this DPA, the Company has not received any formal legal requests from any government intelligence or security service for access to Customer's Personal Data. If, after the date of this DPA, the Company receives any such request, it shall attempt to redirect the requesting authority to Customer and, if compelled to disclose, shall give Customer reasonable notice unless legally prohibited from doing so. The Company shall not voluntarily disclose Personal Data to any law enforcement or government agency.

6. Rights of Data Subjects

6.1 The Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise any of their rights under Data Protection Laws. If the Company receives a Data Subject Request in relation to Customer's data, it shall advise the Data Subject to submit their request to Customer. Customer shall be responsible for responding to such requests.

6.2 The Company shall, at Customer's request and taking into account the nature of the processing, apply appropriate technical and organisational measures to assist Customer in complying with its obligation to respond to Data Subject Requests, provided that Customer is unable to respond without the Company's assistance. Customer shall be responsible for any reasonable costs and expenses arising from such assistance.

7. Audit and Compliance

7.1 The Company shall, taking into account the nature of the processing and the information available to it, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under Data Protection Laws, including data protection impact assessments.

7.2 The Company shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA, and retain such records for a period of three (3) years after termination of the Agreement.

7.3 Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, the Company shall either (i) make available for Customer's review relevant compliance documentation demonstrating the Company's adherence to its obligations under this DPA, or (ii) if the provision of documentation pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer's independent third-party representative to conduct an audit of the Company's data security infrastructure and procedures, provided that: (a) Customer provides at least thirty (30) days' prior written notice; (b) such audit occurs no more than once per twelve (12) month period; (c) such audit is conducted during business hours and is not unreasonably disruptive; and (d) such audit is restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits.

7.4 The Company shall immediately notify Customer if an instruction, in the Company's opinion, infringes Data Protection Laws.

7.5 In the event of a Personal Data Breach, the Company shall, without undue delay and where feasible no later than seventy-two (72) hours after becoming aware, inform Customer and take such steps as it deems necessary and reasonable to remediate such breach. The notification shall contain at least the information required by Data Protection Laws. If it is not possible to provide all information at the same time, the information may be provided in phases.

7.6 In the event of a Personal Data Breach, the Company shall provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Data Protection Laws with respect to notifying the relevant supervisory authority and affected Data Subjects.

7.7 The obligations described in Sections 7.5 and 7.6 shall not apply to the extent a Personal Data Breach results from the actions or omissions of Customer. The Company's notification of a Personal Data Breach shall not be construed as an acknowledgement of fault or liability.

8. Company's Role as Controller

The parties acknowledge and agree that with respect to Customer Account Data and Customer Usage Data, the Company is an independent controller, not a joint controller with Customer. The Company shall process Customer Account Data and Customer Usage Data as a controller: (i) to manage the relationship with Customer; (ii) to carry out core business operations such as accounting, audits, tax preparation and compliance; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations; and (vi) as otherwise permitted under Data Protection Laws. The Company may also process Customer Usage Data as a controller to provide, optimise and maintain the Services.

9. Order of Precedence

In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable terms in the Standard Contractual Clauses (if applicable); (2) the terms of this DPA; (3) the Agreement; and (4) any other written agreement executed by the parties.

Exhibit A: Details of Processing

Nature and Purpose of Processing: The Company will process Customer's Personal Data as necessary to provide the Services under the Agreement, including indexing and displaying Jira project and issue data, providing AI-powered summaries and analytics (using anonymised Operational Metadata and User-Generated Notes only), and managing Customer accounts.

Duration of Processing: For as long as required to provide the Services under the Agreement, or as required by applicable law.

Categories of Data Subjects: Customer employees and contractors who register for or administer the Service, and individuals referenced in Customer's Jira data (e.g., assignees, reporters) whose identifiers are included in Operational Metadata.

Categories of Personal Data: Name, email address, username, IP address, browser and operating system information, Jira user identifiers, and billing information. Issue descriptions may incidentally contain Personal Data (e.g., names of individuals); such data is processed locally for classification purposes only and is treated as Content Data; it is not transmitted to external AI providers. User-Generated Notes should not contain Personal Data; Customer is responsible for ensuring compliance.

Sensitive Data: The Service is not designed to process special categories of data. However, Customer controls what data exists in its Jira instance. Customer is responsible for ensuring it has a lawful basis for any sensitive data that may be incidentally present.

Frequency of Transfer: As initiated by Customer through authorising the Service to connect to and index data from Customer's Jira instance.

Data Classification and Processing Boundaries

The following classification governs how different categories of data are processed by the Service:

Operational Metadata
  Examples: Status names, transition timestamps, sprint configurations, workflow patterns, assignee/reporter identifiers, role classifications applied by Users.
  Processing: Indexed, stored, displayed to Users; may be anonymised for analytics.
  External AI Transmission: Yes, when anonymised.

User-Generated Notes
  Examples: Free-text action items, annotations, and operational inputs submitted by Users within the Service.
  Processing: Stored, displayed to authorised Users. Should not contain Personal Data; Customer responsible for compliance.
  External AI Transmission: Yes.

Content Data
  Examples: Issue descriptions, comments.
  Processing: Read locally for categorical classification only (e.g., detecting presence of user stories, use of acceptance criteria, adherence to planning conventions). Not used to interpret semantic content. May be used to train internal classifiers within the Company's infrastructure.
  External AI Transmission: No.

Excluded Data
  Examples: File attachments, images other than issue icons, binary content.
  Processing: Not accessed or processed.
  External AI Transmission: No.

If analysis of Content Data through third-party AI providers or access to Excluded Data becomes a feature in the future, it will be offered on an explicitly opt-in basis.

Exhibit B: Authorised Sub-Processors

The following sub-processors are authorised to process Personal Data in connection with the provision of the Services:

Hetzner Online GmbH
  Description: Application hosting and data storage.
  Location: Germany (EU).
  Data Processed: All Customer Data.

Cloudflare, Inc.
  Description: Encrypted tunnel, CDN, DDoS protection.
  Location: Global (transit only).
  Data Processed: Network traffic (encrypted in transit).

New Relic, Inc.
  Description: Performance analytics.
  Location: United States (EU data centre, Germany).
  Data Processed: Pseudonymous identifiers, browser performance data.

Crunch Accounting Ltd
  Description: Billing and invoicing.
  Location: United Kingdom.
  Data Processed: Customer Account Data (name, email, billing address).

Note: Third-party AI providers used by AI Features do not receive Personal Data and are therefore not listed as sub-processors. The Company will disclose current AI providers upon request. This sub-processor list will be updated as sub-processors are added or changed. Customers will receive at least fourteen (14) days' notice before any new sub-processor is enabled, in accordance with Section 3.2 of this DPA.

Exhibit C: Technical and Organisational Security Measures

The following describes the technical and organisational security measures implemented by the Company:

Encryption of data at rest: Sensitive data is encrypted at rest through multiple layers of encryption on Hetzner servers in Germany.

Encryption of data in transit: All data outside the Company's private network is encrypted via HTTPS/TLS. Access to the application is exclusively through an encrypted Cloudflare tunnel; servers are not directly accessible from the internet.

Network security: Strict firewall and network boundaries. Servers are inaccessible to the internet except through the encrypted Cloudflare tunnel. SSH access is restricted by IP allowlist and requires public-private key authentication.

Access control: Role-based access controls. Customer data is logically segmented by clientId. The Jira Plugin enforces project-level access based on the user's existing Jira permissions, verified at the API gateway.

Data classification: Data is classified into Operational Metadata, User-Generated Notes, Content Data, and Excluded Data, with different processing rules for each classification. Content Data is processed locally only and is not transmitted to external services. Excluded Data is not accessed.

Data minimisation: Customer chooses which Jira projects to index. Customer can flush indexes at any time to remove historical data, including data for individuals who have been removed from Jira. The Service does not display data beyond what is already available to the user in Jira.

Data residency: All Personal Data and Content Data is stored on Hetzner servers in Germany. The Company is established in the UK, which has an EU adequacy decision. Personal Data and Content Data does not leave Germany and the UK.

Backup and recovery: Regular database backups with tested restore capabilities. Backups are encrypted.

Personnel security: Personnel with access to Personal Data are bound by written confidentiality obligations.

Tenant isolation: Multi-tenant architecture with logical separation between Customer instances via clientId. Data indexed for one Customer is not accessible to other Customers.

Incident response: The Company maintains incident response procedures. Personal Data Breaches are notified to Customer without undue delay and where feasible within 72 hours.

AI Features: AI Features process only anonymised Operational Metadata and User-Generated Notes. No Personal Data, Content Data, or Excluded Data is transmitted to external AI providers. Content Data may be used to train internal classification models within the Company's own infrastructure; these classifiers identify categorical and scoring features (such as the presence of user stories or the use of acceptance criteria) and do not interpret the semantic content of descriptions. Customer may request that AI Features be disabled entirely. No Customer Data is used to train external AI models.

Data deletion: Personal Data is deleted within thirty (30) days of termination. Customer can flush indexes at any time during the Subscription Period. Backups containing deleted data are purged within ninety (90) days. Anonymised data is not subject to deletion obligations.

Events logging: The Company maintains access and activity logging for security monitoring and incident investigation. Security logs may be retained for up to twelve (12) months after termination, after which they are purged.

Last updated: 3 March 2026

hello@recadence.ai

© 2026 Yes-But-How Limited · England, Company No. 16547746
