New Privacy & Security tab questionnaire available

Thank you @SeanBourke. this is very helpful. In discussions with our TPM yesterday we talked about how what “the app” does and what we as a company do with information surrounding their subscription are not the same. (ie, we get marketplace data from the company, we have support case data, etc. - none of which come from the app). So, I think the tab should be explicitly clear to the reader, as well as us, what the scope of the questions really is. That we may handle more of their company data outside of the app but that information isn’t in scope and they should refer to our provided links for more information about those aspects.

2 Likes

When we look at the definitions of a “Data Controller” and a “Data Processor” in the link provided as a helpful resource on the new privacy & security tab (https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controllerprocessor/what-data-controller-or-data-processor_en) they make it clear that both of those terms relate to Personal Data.

The data controller determines the purposes for which and the means by which personal data is processed
The data processor processes personal data only on behalf of the controller

Personal Data is not any user-generated content or end-user data as explained here - What is personal data?

However, when we fill out the new form, we are asked about the “End-User Data with respect to which your app is a data processor/data controller”

Isn’t this question fundamentally wrong? If data controllers and data processors are by definition limited to personal data, what end-user data are we supposed to provide here?

Looking for some guidance as we are stuck on those questions. If the app doesn’t process personal data should we just check “Not applicable - App is not subject to the GDPR.”?

Best,
Sebastian

2 Likes

Hi Julia - thanks for the feedback. It sounds like what you’re looking for is more specific clarity at the question or section-level on whether the information refers to an app or to a company (ie: the Marketplace Partner who runs the app).

We’ve taken note of this as something to consider for future updates to the questionnaire.

Please note that the tab will also have a feedback button at the bottom so we can track whether customers are similarly confused about the information they’re seeing.

Hi @sbrudzinski - thanks for your question.

The definition of “End-User Data” is “any data, content or information of an end user that is accessed, collected or otherwise processed by you or your app in connection with use of the Atlassian Marketplace.”

This definition is broad enough to include data types that would constitute “personal data” under the GDPR. So if the GDPR applies to your processing activities (for example, if you process personal data relating to European Economic Area (EEA) residents), you should specify the personal data (which is a type of data covered by the umbrella definition of “End-User Data”) over which you are a controller. If you’ve determined that the GDPR does not apply to you, you can answer "Not applicable - App is not subject to the GDPR.”

Hope this helps clarify.

Hi @sbrudzinski ,
you are right about the GDPR definition of Data Controller and Data Processor. It only applies to Personal Data.
However, as soon as your app manipulates user-generated content that is readable (any text really), it can actually unknowingly be manipulating Personal Data. For example, the issue summary or description could contain Personal Data because the user put it there. But it can be more tricky: a project name or key, a Component name, a Version name, etc., could also contain Personal Data, and you have no way of determining that and avoiding access to this potentially Personal Data.
So the only case where you are not manipulating potentially Personal Data is if you only access numerical or otherwise opaque entity IDs (not an issue key but an issue ID for example). Which is probably very rare amongst apps.

Just my two cents,
David

1 Like

Hi all! Dropping in to flag this latest update: Privacy & Security tab improvements: new PATCH API and adjustments to Data Residency and Disk Encryption response options

2 Likes

I have just submitted responses to one of the apps. However, I have noticed a bug in showing DPA question answer:

The answer is
image

Yet it shows

Hi @RaimisJ :wave: Many thanks for reporting this issue. I confirm that this is indeed a bug, I was able to validate this on my test app. We will update this thread, once the issue is fixed.

“Does your app process and/or store logs outside of Atlassian products and services?”

What’s the appropriate answer, if we ‘keep’ logs for 1 month in Cloudwatch and then AWS Cloudwatch deletes them for good via log retention settings?

  1. Does this relate to End-user-data?
  2. Is temporary retention for debugging classed as storing?

1 Like

How do we input values when there is no period (unlimited)? It looks like the form allows only numbers.

1 Like

Hi Ulrich - The goal of the question is to let customers know if your app stores logs in general. There is a separate question for End User Data access via logs where you can clarify how your logs relate to EUD. For this question, if your app stores logs, the answer is yes.

We’ve added a note to look into providing more opportunities for you to clarify a temporary retention period for log storage in the event that this is the only data your app stores. This is something we’ll explore for the next iteration of the questionnaire.

2 Likes

  1. Does this question:

Does your app log End-User Data?

Include Google Analytics connected to our apps, or is this strictly about application logs?

  2. According to Atlassian, is this “end-user data”?
  • email address
  • saved app configurations (app settings)
  • translations/proper names
  • JQL saved by app provided by end-user
  • any data entered into text fields of forms provided by our apps
  • user accountId

Hi @RadoslawCichockiDevi - Please see our response above on this subject. You should see a space to specify the data your app stores so you can clarify this for prospective customers.

Regarding this:

It seems apps cannot be data controllers, only legal entities can be called so.

Source: GDPR data controllers and data processors.

I think because of this reason the only valid answer to this question is always in every case: no

Would you consider changing it to read something like:
Is your organization a “data controller” under the General Data Protection Regulation (GDPR) in relation to the data processed and/or stored by this app?

Possibly it’s a similar case with this question:

Is your app a “business” under the California Consumer Privacy Act of 2018 (CCPA)?

Regards,
Radek Cichocki

3 Likes

Hi Radoslaw - thanks for the comment. We’ve received this feedback before and plan to update the language in the next iteration of the tab and questions (we’re working on this now and plan to deliver updates in the coming months).
In general, we’re exploring ways to make it more clear whether each question refers to an app or to the partner behind the app.

2 Likes

Yeah Atlassian staff need to be explicit on this one instead of giving the vague cover-your-ass shrug that’s occurred throughout this thread.

Any competent developer on the marketplace is using 3rd-party analytics and error logging tools. Is this “logging end-user data” and “sharing logs with 3rd-parties”?

If so, the common customer is going to look at that questionnaire response and think “oh shit they’re logging our private data” when the reality is the app is logging basic pseudonymous analytics and thrown errors.

Additionally when will this questionnaire be finalised? Marketplace developers have got better things to be doing than continually jumping through bureaucratic hoops.

2 Likes

Hi,

I have a question regarding “Does your app log End-User Data?”.
We need to internally log the exceptions that are returned by Atlassian in order to debug different problems.
Could we assume that Atlassian did what is necessary to avoid sending user data in the exception details? For example, could we assume that when we log the exception returned from Jira or Confluence we will not find the value of the issue description or any other field potentially containing user data? If this is not the case - how do you answer this question and what do you do?

Thanks

3 Likes
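
The post above asks whether exception details may carry field values, and an earlier reply notes that only numeric or otherwise opaque IDs are free of potential Personal Data. The following is an added example, not code from any poster or from Atlassian, of scrubbing an error body before it goes to an external log store. The key names in `SAFE_KEYS`, the function names and the sample body are assumptions constructed for illustration.

```python
import json
import re

# Assumption for this example: these key names carry opaque identifiers or
# status codes in your payloads. They are illustrative, not an Atlassian schema.
SAFE_KEYS = {"status", "issueId", "projectId"}
NUMERIC_ID = re.compile(r"\d+")


def scrub(value, key=None):
    """Copy `value`, keeping structure and opaque IDs but no user-authored text.

    Dict keys are kept as-is; redact them too if your payloads use
    user-chosen names as keys.
    """
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, key) for v in value]
    if value is None or isinstance(value, (bool, int, float)):
        return value  # numbers and flags cannot hold typed-in text
    text = str(value)
    if key in SAFE_KEYS and NUMERIC_ID.fullmatch(text):
        return text
    # Anything else may be text a user typed (summary, project key, names):
    # log only its length so the entry is still useful for debugging.
    return f"<redacted {len(text)} chars>"


def loggable_error(http_status, body):
    """Build the JSON line to send to an external log store for a failed call."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        parsed = body  # not JSON: treated as free text and redacted by scrub()
    return json.dumps({"status": http_status, "error": scrub(parsed)}, sort_keys=True)


# Constructed sample of an error body that echoes user-entered values.
SAMPLE_BODY = json.dumps({
    "errorMessages": ["Issue 'Payroll for Jane Doe' could not be updated"],
    "errors": {"summary": "Summary 'Jane Doe, jane@example.com' is too long"},
    "issueId": "10042",
    "issueKey": "JDOE-7",
})

if __name__ == "__main__":
    print(loggable_error(400, SAMPLE_BODY))
```

The issue key is redacted while the numeric issue ID is kept, matching the distinction drawn earlier in the thread between keys and IDs.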

Hi @MaggieNorbyAdams @LakshmiBehl ,

Is the Atlassian Connect app install payload (including client_key, shared_secret, oauth_client_id, base_url, …) considered “End-User data”?

Are you aware that for Bitbucket Cloud, the Atlassian Connect payload even includes the nickname, display name etc. for user accounts (before the migration to workspaces)? If so, what about this?

2 Likes

Hi Nathan,

Please see the comment above explaining the reasoning behind our broad definitions.

This is your opportunity to be transparent with customers about where your app is sending any End User Data to anywhere outside of Atlassian’s infrastructure, so customers have the information they need to assess your app. We have also given lots of spaces for you to detail the types of data your app stores or processes, and where that data is shared. This should give you flexibility to clarify for customers so that they do not jump to conclusions about the type of data your app is sharing.

Re: questionnaire changes - as with security requirements and industry best practices, the questionnaire will be updated occasionally to ensure it’s reflecting the latest needs of customers. We are working on a plan for a predictable cadence and set of principles to drive changes so that you know when to expect them. While we encourage you to keep your responses up to date, we will avoid changes that disrupt the customer experience if you do not take immediate action.

In the short term, we may see more questionnaire adjustments as your feedback and initial customer feedback is incorporated. Again, we’ll communicate these changes in advance.

1 Like

Ok so in regular human language that directly addresses the question: “yes, you do need to include information about third-party tools such as analytics (eg Google Analytics) or error reporting (eg Sentry)”.

It appears there is a Google Analytics and Segment example in the expanded view screenshot here: https://developer.atlassian.com/platform/marketplace/security-privacy-tab/

2 Likes