Data Processing Addendum
Last Updated: January 2026
1. Overview
This Data Processing Addendum ("DPA") forms part of the Terms of Service between CriticalRidge ("Processor," "we," "us," or "our") and the customer ("Controller," "Customer," or "you") for the provision of CriticalRidge applications through the Atlassian Marketplace.
This DPA is designed for enterprise customers who require a formal data processing agreement to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
This DPA applies to the extent that CriticalRidge processes Personal Data on behalf of the Customer in connection with the provision of our Apps.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by CriticalRidge on behalf of the Customer.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR and CCPA.
- "Sub-processor" means any third party engaged by CriticalRidge to process Personal Data on behalf of the Customer.
3. Role of the Parties
3.1 Customer as Controller
The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data. The Customer is responsible for:
- Ensuring a lawful basis exists for processing Personal Data
- Providing appropriate notices to data subjects
- Responding to data subject rights requests
- Ensuring compliance with applicable Data Protection Laws
3.2 CriticalRidge as Processor
CriticalRidge acts as the Data Processor and processes Personal Data only on behalf of and under the instructions of the Customer. CriticalRidge will:
- Process Personal Data only in accordance with the Customer's documented instructions
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Customer in responding to data subject requests
- Delete or return Personal Data upon termination of services, as directed by the Customer
4. Sub-processors
The Customer acknowledges and agrees that CriticalRidge engages the following sub-processor for the provision of its Apps:
As CriticalRidge Apps are built exclusively on Atlassian Forge, Atlassian serves as the primary infrastructure provider. All Personal Data processing occurs within Atlassian's secure cloud environment, and data is processed in the same region as the Customer's Atlassian products.
CriticalRidge will notify the Customer of any intended changes to sub-processors by updating this DPA. The Customer may object to such changes within thirty (30) days of notification.
5. Data Security
Security for CriticalRidge Apps is handled by the Atlassian Forge infrastructure. The following security measures are in place:
5.1 Atlassian Forge Security
- Encryption: All data is encrypted at rest and in transit using industry-standard encryption protocols
- Access Controls: Strict access controls and authentication mechanisms are enforced by the Forge platform
- Isolation: App data is isolated per tenant within the Forge environment
- Monitoring: Continuous security monitoring and logging by Atlassian
5.2 CriticalRidge Security Practices
- Secure development practices following OWASP guidelines
- Regular security reviews and code audits
- Principle of least privilege in data access
- Incident response procedures
6. Data Transfers
CriticalRidge does not independently transfer Personal Data outside of Atlassian's infrastructure. All data processing occurs within the Atlassian Forge environment.
To the extent that Personal Data is transferred internationally within Atlassian's infrastructure, such transfers are governed by Atlassian's data transfer mechanisms, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules where applicable
- Adequacy decisions for transfers to approved jurisdictions
For details on Atlassian's international data transfer practices, please refer to Atlassian's Privacy Trust Center.
7. Audit Rights
The Customer's audit rights are satisfied through Atlassian's compliance certifications and third-party audit reports. Atlassian maintains the following certifications relevant to Forge-hosted applications:
- SOC 2 Type II: Annual audit of security, availability, and confidentiality controls
- ISO 27001: Information security management system certification
- ISO 27018: Protection of personal data in public clouds
- GDPR Compliance: Atlassian maintains GDPR compliance for its cloud services
Customers may request access to relevant compliance documentation through Atlassian's Trust Center or by contacting CriticalRidge.
Upon reasonable request and subject to confidentiality obligations, CriticalRidge will provide additional information about its data processing activities to assist Customers with their compliance obligations.
8. Data Subject Rights
CriticalRidge will assist the Customer in fulfilling its obligations to respond to data subject requests, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
If CriticalRidge receives a request directly from a data subject, we will promptly notify the Customer unless prohibited by law.
9. Data Breach Notification
In the event of a Personal Data breach affecting Customer data, CriticalRidge will:
- Notify the Customer without undue delay after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and measures taken or proposed
- Cooperate with the Customer in investigating and mitigating the breach
- Assist the Customer in meeting its breach notification obligations to supervisory authorities and data subjects
10. Term and Termination
This DPA shall remain in effect for as long as CriticalRidge processes Personal Data on behalf of the Customer. Upon termination of the Customer's use of CriticalRidge Apps, CriticalRidge will, at the Customer's election:
- Delete all Personal Data processed on behalf of the Customer, or
- Return such Personal Data to the Customer in a commonly used format
CriticalRidge may retain Personal Data to the extent required by applicable law, and such retained data will remain subject to the confidentiality provisions of this DPA.
11. Download DPA
For your records, you may download a PDF version of this Data Processing Addendum:
Download DPA (PDF)
If you require a signed copy of this DPA or have specific requirements for your organization, please contact us through the support portal.