New Privacy & Security tab API & web form available

Hi @candid,

Yes, the question is asking whether you, the person or entity that processes End-User Data, are acting as a controller or processor with respect to the processing activities that your app performs. Your point is well taken that the wording could be updated in a future iteration of the questionnaire to be more clear.

As far as the definitions are concerned, we published a blog on the topic of these definitions here last week. I recommend reading the full blog, but here are some relevant pieces:

“A “controller” is a person or entity that determines the purpose and the means of processing personal data. A “processor” is a person or entity that processes personal data on behalf of a “controller.” This means that the processor processes personal data according to the controller’s instructions.”

“This is a legal assessment that each app developer will need to make based on its own processing activities, but it may be helpful to think about the following questions:

  • Do you process personal data for your customers on behalf of your customers?;
  • Do you process personal data at the instructions of your customers?; or
  • Do you process personal data in order to provide app functionality to your customers (and not for your own purposes)?
    • For example: You process customers’ end-users’ account information in order to provide end-users with the ability to log in to the app, save and store profiles and create and edit content.

If you answered yes to any of the above questions, you are likely a data processor of at least some subset of the personal data that you process.

For reference, Atlassian predominantly acts as a data processor on behalf of our customers in connection with the provision of our cloud products. For that reason we enter into a DPA with our customers – see Data Processing Addendum Atlassian. Specifically, take a look at Exhibit A, where we describe the personal data that we process as a processor.

For more information on how to determine whether you are a data processor see: What is a data controller or a data processor?

Does this help answer your question?