Data Processing Addendum

Business Sign-off & Approval for Jira Cloud

Effective Date: April 22, 2026
Last Updated: April 22, 2026
Processor: Cahaba Forge LLC
Controller: The Licensee (as defined below)

1. Introduction and Scope

This Data Processing Addendum (“DPA”) forms part of the agreement between Cahaba Forge LLC (“Cahaba Forge”, “we”, “us”, or “Processor”) and the customer (“Licensee”, “you”, or “Controller”) under which Licensee has licensed the Business Sign-off & Approval for Jira Cloud application (“the App”) via the Atlassian Marketplace (the “Agreement”). “The Agreement” means the Cahaba Forge End User License Agreement under which Licensee has licensed the App, together with any applicable Atlassian Marketplace license terms.

This DPA sets out the terms under which Cahaba Forge processes Personal Data on behalf of Licensee in connection with Licensee’s use of the App. It is designed to satisfy the requirements of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR, and, where applicable, the California Consumer Privacy Act of 2018 (“CCPA”).

In the event of any conflict between this DPA and the Agreement or Cahaba Forge’s Privacy Policy, this DPA shall take precedence with respect to the processing of Personal Data.

2. Definitions

Unless otherwise defined in this DPA, capitalized terms have the meanings given to them in the GDPR. For clarity:

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the App on behalf of Licensee.
  • “Processing” means any operation performed on Personal Data, whether or not by automated means.
  • “Controller” means the natural or legal person that determines the purposes and means of Processing. Under this DPA, the Licensee is the Controller.
  • “Processor” means the natural or legal person that Processes Personal Data on behalf of the Controller. Under this DPA, Cahaba Forge is the Processor.
  • “Sub-processor” means any third party engaged by Cahaba Forge to Process Personal Data on its behalf.
  • “Data Subject” means the natural person to whom Personal Data relates — typically end users of Licensee’s Jira Cloud site.
  • “Atlassian” means Atlassian Pty Ltd, the operator of the Forge platform and Jira Cloud.

3. Roles of the Parties

3.1 Licensee is the Controller of all Personal Data Processed by the App within Licensee’s Jira Cloud site.

3.2 Cahaba Forge is the Processor and Processes Personal Data solely on behalf of Licensee and in accordance with Licensee’s documented instructions, including those set out in this DPA, the Agreement, and Licensee’s configuration of the App.

3.3 Atlassian acts as a Sub-processor, providing the Forge runtime, Forge Storage, and Jira Cloud infrastructure on which the App operates. Cahaba Forge does not directly host or operate any infrastructure on which Personal Data resides.

4. Subject Matter, Duration, Nature, and Purpose of Processing

Subject matter: Processing Personal Data as necessary to provide the approval workflow, audit trail, notification, and configuration functionality of the App.

Duration: For the term of the Agreement and until all Personal Data is deleted or returned in accordance with Section 11 of this DPA.

Nature of Processing: Collection, storage, retrieval, display, pseudonymization, and deletion of Personal Data within the Atlassian Forge platform and Jira Cloud.

Purpose of Processing: To enable approval workflows, enforce permission and Separation of Duties rules, record compliance audit trails, deliver notifications, and report stored account identifiers to Atlassian as required by the Atlassian Marketplace Personal Data Reporting program.

5. Categories of Data Subjects and Personal Data

5.1 Categories of Data Subjects

  • End users of Licensee’s Jira Cloud site who interact with the App, including approvers, issue reporters, issue assignees, and administrators.

5.2 Categories of Personal Data

  • Atlassian account identifiers (opaque identifiers assigned by Atlassian)
  • Display name snapshots (captured at the time of an action for compliance audit purposes)
  • Decision comments authored by approvers (free-text, up to 450 characters)
  • Issue metadata with user associations, including reporter and assignee account identifiers captured in audit snapshots
  • Email addresses (read at runtime from the Jira API for UI display and email notification routing; not persisted by the App)

5.3 Data Not Processed

The App does not Process Atlassian passwords, API tokens, customer-managed secrets, third-party service credentials, analytics or tracking data, or special categories of Personal Data as defined in GDPR Article 9.

6. Obligations of Cahaba Forge as Processor

Cahaba Forge shall:

6.1 Process Personal Data only on documented instructions from Licensee, including as set out in the Agreement, this DPA, and Licensee’s configuration of the App, unless required to do otherwise by applicable law. In such a case, Cahaba Forge shall inform Licensee of that legal requirement before Processing, unless the law prohibits such disclosure.

6.2 Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3 Implement and maintain appropriate technical and organizational measures to protect Personal Data as described in Section 7.

6.4 Assist Licensee, insofar as reasonably possible and taking into account the nature of the Processing, in fulfilling Licensee’s obligations to respond to Data Subject requests (Section 9).

6.5 Assist Licensee in ensuring compliance with its obligations under GDPR Articles 32 to 36, including security of Processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to Cahaba Forge.

6.6 Not engage any Sub-processor without compliance with Section 8.

6.7 Make available to Licensee all information reasonably necessary to demonstrate compliance with the obligations under Article 28 of the GDPR and allow for and contribute to audits in accordance with Section 10.

6.8 Notify Licensee without undue delay if, in Cahaba Forge’s opinion, an instruction from Licensee infringes the GDPR or other applicable data protection law.

7. Technical and Organizational Measures

Cahaba Forge implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk of Processing:

7.1 Platform and Infrastructure Security

  • The App runs entirely within Atlassian’s Forge platform. All infrastructure, hosting, transport encryption (TLS), encryption at rest, backup, and tenant isolation are managed by Atlassian.
  • Cahaba Forge does not operate or host any servers, databases, or storage systems that hold Personal Data.
  • The App makes no external network egress to Cahaba Forge systems or third-party services during normal operation. The App’s only outbound call outside the Jira REST API is a weekly scheduled POST to Atlassian’s Personal Data Reporting endpoint (https://api.atlassian.com/app/report-accounts/), which is an Atlassian-operated service required by the Marketplace for apps that store personal data.

7.2 Access Control

  • The App uses the principle of least privilege, requesting only the Forge and Jira scopes necessary for its functionality.
  • Privileged operations are gated by permission checks at the resolver level; UI visibility is not treated as the sole security boundary.
  • Configurable Separation of Duties controls are available to restrict self-approval.
  • Cahaba Forge personnel do not have direct access to Licensee’s Jira instance or Forge Storage data.

7.3 Secure Development

  • Input validation on resolver payloads and user-controlled inputs.
  • Output handling designed to reduce XSS risk in Forge UI surfaces.
  • Dependency review, secrets scanning, and code review before each release.
  • Static analysis via SonarQube on each release, covering vulnerabilities, bugs, and security hotspots.

7.4 Logging and Secrets Handling

  • Diagnostic logging is time-bounded and administrator-controlled.
  • Logs may include Atlassian account IDs and issue keys for troubleshooting; logs do not include passwords, API tokens, email addresses, display names, or decision-comment text.
  • No credentials or customer-managed secrets are collected or stored.

7.5 Audit Trail Integrity

  • Audit records are protected by SHA-256 hashing with hash-chain linking between consecutive records to support tamper detection.

7.6 Ongoing Review

  • Security measures are reviewed as part of release preparation and updated as the App evolves.

For additional detail, see the Trust & Security page.

8. Sub-processors

8.1 Licensee authorizes Cahaba Forge to engage the following Sub-processor in connection with the App:

  • Atlassian Pty Ltd — provides the Forge runtime, Forge Storage, and Jira Cloud infrastructure on which the App operates and stores Personal Data.

8.2 Cahaba Forge shall ensure that any Sub-processor it engages is bound by data protection obligations substantially equivalent to those set out in this DPA, particularly regarding appropriate technical and organizational measures.

8.3 If Cahaba Forge intends to engage any new Sub-processor, or replace an existing Sub-processor, it shall provide Licensee with at least thirty (30) days’ prior written notice (which may be by email to the Licensee’s notice contact or by update to Cahaba Forge’s Trust & Security or Privacy pages). Licensee may object to such change on reasonable data-protection grounds within that notice period. If the parties cannot resolve the objection in good faith, Licensee may terminate the affected App license and this DPA.

9. Data Subject Rights

9.1 Licensee, as Controller, is responsible for responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection.

9.2 Cahaba Forge shall assist Licensee in fulfilling such requests, taking into account the nature of the Processing, including through the following App capabilities:

  • Access / Portability: Administrators may use the User Data Report feature and the audit CSV export to retrieve stored data.
  • Erasure: Deleting a Jira issue removes associated Personal Data from Forge Storage via event trigger. Uninstalling the App deletes all Forge Storage data. When Atlassian reports a user account as closed, the App pseudonymizes the user’s data — replacing display names with “Deleted user” and clearing decision comments authored by that user — to preserve audit trail integrity while removing direct identifiers.
  • Rectification: Current approver assignments can be removed and re-added. Historical audit records are point-in-time snapshots by design and are preserved for compliance purposes.

9.3 If Cahaba Forge receives a Data Subject request directly, it shall promptly forward the request to Licensee and shall not respond to the Data Subject directly except to confirm receipt and redirect the Data Subject to Licensee, unless legally required to do so.

9.4 Licensee acknowledges that certain audit records are retained in pseudonymized form rather than deleted, to satisfy compliance audit trail integrity requirements. Complete deletion occurs when the associated Jira issue is deleted or when the App is uninstalled. Pseudonymization (rather than full deletion) of audit records is the standard approach for compliance tools where regulatory retention obligations may apply. Erasure of audit records may conflict with such obligations — Licensee should consult its Data Protection Officer.

10. Audit Rights

10.1 Cahaba Forge shall make available to Licensee, upon reasonable written request, information necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.

10.2 Because the App runs entirely on Atlassian’s Forge platform and Cahaba Forge does not operate infrastructure that holds Personal Data, audit activities shall be satisfied as follows:

a) Cahaba Forge shall respond to reasonable written security questionnaires (including CAIQ or equivalent) within a reasonable time.

b) Cahaba Forge shall, upon request, provide summaries of its most recent security scan results, dependency review practices, and secure development practices.

c) For aspects of the Processing that occur within Atlassian-managed infrastructure, Cahaba Forge shall cooperate with Licensee’s review of Atlassian’s published security and compliance materials.

10.3 On-site audits of Cahaba Forge or Atlassian infrastructure are not supported given the Forge-native architecture. Third-party attestations and questionnaire responses shall be deemed to satisfy Licensee’s audit right under this DPA, consistent with industry practice for Forge-based applications. Cahaba Forge shall engage in good faith to address any reasonable follow-up questions arising from questionnaire responses or attestation reviews.

11. Return or Deletion of Personal Data

11.1 Upon termination of the Agreement or uninstallation of the App, Personal Data held in Forge Storage is deleted by Atlassian as part of the standard Forge app uninstall process.

11.2 Jira custom field values and issue properties written by the App are native Jira data and persist after uninstall until removed by Licensee through Jira’s standard data management tools. Licensee acknowledges this behavior and is responsible for removing such data from its Jira instance if required.

11.3 Cahaba Forge does not retain copies of Personal Data outside the Atlassian Forge platform and therefore has no additional deletion or return obligations beyond those managed by the Forge platform.

12. Personal Data Breach Notification

12.1 Cahaba Forge shall notify Licensee without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Licensee’s Personal Data Processed by the App. Where the breach originates in Atlassian-managed infrastructure, Cahaba Forge’s notification obligation begins when Atlassian notifies Cahaba Forge of the breach.

12.2 The notification shall include, to the extent known at the time:

  • the nature of the breach, including categories and approximate numbers of Data Subjects and records affected;
  • the likely consequences of the breach;
  • measures taken or proposed to address the breach and mitigate its effects; and
  • a contact point for further information.

12.3 Cahaba Forge shall cooperate with Licensee and provide reasonable assistance in meeting Licensee’s breach notification obligations under applicable law.

12.4 Licensee acknowledges that breaches originating in Atlassian-managed infrastructure are subject to Atlassian’s own incident response and notification processes. Cahaba Forge shall assist in coordination where applicable.

13. International Data Transfers

13.1 Personal Data Processed by the App resides within the Atlassian infrastructure in the region of Licensee’s Jira Cloud site, subject to Atlassian’s data residency and international transfer policies.

13.2 To the extent any Personal Data is transferred outside the European Economic Area or the United Kingdom, such transfers shall be made in accordance with Atlassian’s international transfer mechanisms, which may include the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum as applicable.

13.3 Cahaba Forge itself does not transfer Personal Data outside Atlassian infrastructure in connection with the App.

14. CCPA Terms

14.1 Where the CCPA applies, Cahaba Forge acts as a “service provider” to Licensee (where Licensee is a “business”) as those terms are defined in the CCPA.

14.2 Cahaba Forge shall not:

a) sell or share Personal Data as defined under the CCPA;

b) retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the services described in the Agreement and this DPA;

c) retain, use, or disclose Personal Data outside the direct business relationship between the parties;

d) combine Personal Data received from Licensee with Personal Data received from or on behalf of any other source, except as permitted by the CCPA.

14.3 Cahaba Forge certifies that it understands the restrictions in this Section 14 and will comply with them.

15. Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

16. Term and Termination

This DPA shall remain in effect for the term of the Agreement and shall automatically terminate upon termination of the Agreement, except that provisions which by their nature are intended to survive (including confidentiality, liability, and obligations regarding deletion of Personal Data) shall survive such termination.

17. Governing Law

This DPA shall be governed by the governing law specified in the Agreement, provided that the mandatory data protection laws of the jurisdiction in which the Data Subjects are located shall apply to the extent required by law.

18. Changes to This DPA

Cahaba Forge may update this DPA from time to time to reflect changes in applicable law, the App’s functionality, or Sub-processor arrangements. Material changes will be communicated with at least thirty (30) days’ prior notice. Continued use of the App after the effective date of an updated DPA constitutes acceptance of the revised terms. If Licensee objects to any material change, Licensee may terminate the Agreement in accordance with the EULA’s termination provisions (Section 11.2).

19. Contact

For questions regarding this DPA or to request a signed copy:

Cahaba Forge LLC
Privacy: privacy@cahabaforge.com
Security: security@cahabaforge.com
Website: https://cahabaforge.com

This Data Processing Addendum applies to Business Sign-off & Approval for Jira Cloud. It should be read together with the Cahaba Forge Privacy Policy and Trust & Security documentation.

© 2026 Cahaba Forge LLC. All rights reserved. Cahaba Forge™ is a trademark of Cahaba Forge LLC.