Vendor FAQs about GDPR

#1

Below is a list of frequently asked questions that we’ve fielded from a number of our marketplace vendors and partners. We encourage all vendors to evaluate the impact of GDPR with their own legal counsel, and hope that the questions and answers provided here will help in that process. Note that we may make changes/updates to this top-level post based on the questions we continue to receive.

Important: Atlassian does not provide legal advice. This FAQ has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for legal advice. You should consult your own legal counsel on how GDPR applies to your business.

Q1: What is the GDPR and what is Atlassian doing to prepare?
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018. GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide regulation that governs the use, sharing, transfer and processing of personal data that originates from the EU.

Our policy is to respect all laws that apply to our business and this includes GDPR. We also appreciate that our customers have requirements under GDPR that are directly impacted by their use of Atlassian products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements. To find out more about what Atlassian is doing to prepare, please visit our external GDPR FAQs.

Q2: What are Atlassian’s expectations with respect to my approach to GDPR as a Marketplace Vendor?
You have a direct relationship with the customer who installs your app and are responsible for complying with applicable laws when processing customer data, including GDPR where applicable. We encourage you to look into how you are using, storing, transferring and otherwise processing EU personal data via your app to determine how the GDPR may impact your data processing operations and related compliance requirements.

Q3: As a Marketplace Vendor am I an Atlassian “sub processor” for purposes of GDPR?
No. You provide a service directly to your customers; not on behalf of Atlassian. When a customer integrates your app with an Atlassian product, they establish a direct relationship with you and the customer’s use of your app is subject to the terms you provide.

Marketplace Vendors are likely to be seen as data processors by customers using their apps for most data processing activities. We encourage Marketplace Vendors to review their data processing activities to evaluate the impact of GDPR with their own legal counsel.

Q4: Will Atlassian be updating the Marketplace Vendor Agreement?
Yes. Atlassian is currently undertaking a review and update of our Marketplace Vendor Agreement. We expect to provide a formal announcement with the terms of the updated agreement soon. Once finalized, we will provide all Marketplace Vendors with 30 days' notice of the updated Marketplace Vendor Agreement prior to the updated terms becoming effective.

What to start preparing for now:

  • Your own privacy policy is a requirement to list on the Marketplace
  • Your own EULA / Terms of Service is a requirement to list on the Marketplace

This is not an exhaustive list, but we are sharing this information with you ahead of time to help you prepare.

Q5: Are third-party apps in the Atlassian Marketplace covered by Atlassian’s Privacy Policy?
No. Your use of customer personal data is covered by your privacy policy. Please also review the Marketplace Vendor Agreement for other limitations on how you can use customer data.

Q6: Am I required to have a Privacy Policy in order to list an app in the Marketplace?
Yes. As noted above, the upcoming revisions to the Marketplace Vendor Agreement will elaborate on this by requiring all Marketplace Vendors to have legally adequate privacy notices that provide clear and complete information on how you use and process customer data. In most jurisdictions, providing notice to end users on how your app processes personal data is a legal requirement.

If you have not provided a link to your privacy notice in your Marketplace listing, customers will be notified as such prior to the installation of your app and also on your app’s Marketplace listing.

You can update your app’s Marketplace Listing to provide a link to your privacy notice as follows:

  1. Go to marketplace.atlassian.com, and log in.
  2. Click on your avatar and select “manage account”.
  3. Select the Apps tab, click the app and go to the “details” tab.
  4. Find the field “Data security and privacy statement” and enter the link to your privacy notice.

Q7: Am I required to have an End User License Agreement (EULA) or other Terms of Service in order to list an app in the Marketplace?
Yes. The upcoming revisions to the Marketplace Vendor Agreement will remove the Standard EULA included in our Marketplace Terms of Use and will require that all Vendors have their own EULA / Terms of Service.

You can update your app’s Marketplace Listing to provide a link to your EULA / Terms of Service as follows:

  1. Go to marketplace.atlassian.com, and log in.
  2. Click on your avatar and select “manage account”.
  3. Select the Apps tab, click the latest live version of your app, and go to the “links” tab.
  4. Find the field “End user license agreement” and enter the link to your EULA / Terms of Service.

Q8: What is a Data Processing Agreement?
The GDPR places obligations on companies related to the selection and use of third parties who process EU personal data on their behalf (i.e., data processors). This includes a requirement to enter into specific contractual terms with those third parties to ensure that EU personal data is adequately protected. Data Processing Agreements typically include (but are not limited to) the following provisions:

  • Only processing personal data at the written instruction of the controller
  • Implementing appropriate technical and organizational measures to safeguard personal data in a manner that meets Article 32 Security requirements of the GDPR
  • Controller Audit Rights
  • Use and approval of “sub processors”
  • Data Breach Notifications
  • Assisting the controller with the fulfillment of the controller’s obligation to respond to requests from data subjects exercising their rights under GDPR (such as data subject access requests, data deletion requests, etc.)

Q9: As a Marketplace Vendor am I covered by Atlassian’s Data Processing Agreement?

No. Atlassian’s standard Data Processing Agreement does not cover your processing of personal data. Atlassian’s DPA is an extension of our Customer Agreement and is specific to where Atlassian is a processor of our customers’ personal data.

Q10: As a Marketplace Vendor do I need to have a Data Processing Agreement in place with customers?
Customers who have integrated your app with their use of Atlassian products may approach you to enter into a separate Data Processing Agreement that would be applicable to your specific contractual relationship with that customer and the data processing operations you are conducting on their behalf.

Q11: How can I certify that my app is GDPR compliant?
Currently, there is no “GDPR certification” that companies can earn. The EU Commission is currently exploring allowing certain third parties to audit and certify companies as “GDPR compliant.” Until there is more guidance on GDPR certifications, we encourage you to implement other measures that help to approximate a company’s investment in GDPR compliance including the adoption of specific security practices, technical certifications (including ISO27001, ISO27002 and ISO27018), and participation in EU-US Privacy Shield framework.

In the short-term, we have no plans to “certify” apps as GDPR compliant or non-compliant. However, we are exploring ways to surface the above-mentioned metrics in Marketplace Listings so that enterprise customers who are interested in integrating third party apps into their Atlassian cloud platform are able to make an informed choice around which Marketplace Vendors meet their own data privacy and security requirements.

Q12: Will Atlassian be making any immediate changes to the Atlassian Cloud Security Program or Verified Program?
No. We will not be making any changes to the Atlassian Verified and Cloud security programs at this time. However, we will be reviewing and evaluating these programs and may make changes in the future. If we do, we will provide sufficient notice and time for program members and the broader ecosystem to adapt. If you are a member of the Cloud security program, now is a great time to review the program requirements to ensure that your checklist and corresponding documentation are up to date.

Q13: Will Atlassian require me to obtain technical certifications such as: ISO27001, ISO27002, ISO27018 in order to participate in the Atlassian Ecosystem as a vendor listed on Atlassian Marketplace?
No. We will not be requiring technical certifications at this time. However, as noted above we will be reviewing our current programs and may require certain certifications for participation in those programs in the future.

However, we do encourage you to pursue technical certifications due to the fact that:

  • Some customers may not be able to use your app without these types of certifications due to their own internal security and privacy requirements; and
  • Certain technical certifications can help demonstrate your compliance with related GDPR requirements. For example, an organization that has obtained an ISO27001 certification will be in a good position to demonstrate compliance with the Security related obligations outlined in Article 32 of the GDPR:
    • Take measures to pseudonymise and encrypt personal data;
    • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing; and
    • Identify and mitigate risks “from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data”.

Q14: Will Atlassian require me to participate in the EU-US Privacy Shield Framework in order to participate in the Atlassian Ecosystem as a vendor listed on Atlassian Marketplace?
No. We do not require participation in the EU-US Privacy Shield Framework in order to list in the Marketplace, but certain customers might see this as a requirement in order to use your app. The GDPR imposes certain restrictions on the transfer of personal data from the EU to other countries. If you are currently processing / storing EU customer data in the US or any other country outside of the EU that has not been deemed to provide an adequate level of data protection under the GDPR, you may be approached by customers to address EU data transfer legal requirements (such as certification to the EU-US Privacy Shield or by entering into EU approved Standard Contractual Clauses).


#3

Hey @ldellatorre thanks for this!

What happened to Q13 btw? :smiley:


#4

Bonus for the catch :slight_smile:


#5

You do reckon that this post is dated 23rd of May… 2 days prior to GDPR going into effect, right?


#6

@ldellatorre @nmansilla @akassab can you please ask your legal department to elaborate on the Customer > Atlassian as Reseller > Vendor relationship for Paid via Atlassian add-ons?

Given that vendors have our own relationship with the Customer, and Atlassian acts as a Reseller on behalf of the Vendor, doesn’t this automatically mean that we as a vendor should engage in a Data Processor agreement with Atlassian, where the Vendor is the Data Processor for the Customer and Atlassian is the Data Subprocessor to enable the transfer of PII of the customer between Atlassian and Vendor?

Also, will Atlassian ensure that only Enterprise customers can engage with their products to ensure that the premise that “Atlassian / Vendor is a Data Processor and not Data Controller” is correct? If natural persons can still use Atlassian / Vendor products, this will change the relationship from Data Processor to Data Controller.


#7

Hi @ldellatorre

Would you be able to elaborate on why the Standard EULA is being withdrawn? A key selling point of using the Atlassian Marketplace is the Standard EULA, because it has already been approved by the legal departments at potential customers and reduces purchase friction by avoiding vendor approval processes.

This change represents a new cost of doing business via the Marketplace and it would be useful to understand why.


#8

@ldellatorre @remie
I have similar concerns. We are aligned that we as Vendors are sub-processors for our customers’ private data. But what our company has been advised is that with regard to the tech and billing contacts that we get during the process of reselling by Atlassian, we are becoming the sub-processor of Atlassian for the purpose of handling the sales. That would mean that Atlassian would need to sign the DPA with vendors for the purpose of handling sales. Can you please elaborate?


#9

Those of us Vendors who offer a Cloud app (add-on) are in an even more obscure situation with regards to GDPR. Our apps access and modify data stored inside Atlassian apps (e.g. Jira) and thus Atlassian is a “sub-processor” for us. Likewise, if you are using webhooks or post-functions, Jira is delegating processing to our apps, and thus we become sub-processors for Atlassian (this is especially true for add-ons that offer workflow post-functions as the primary feature).

When Atlassian realizes this, they will ask to sign a DPA with us.

But in any case, we as vendors need a DPA from Atlassian, because they store and process all of our sales data for us.

David


#10

Hi @remie,

Our legal team has determined that these changes to the Marketplace Vendor Agreement are not bound by GDPR requirements, and thus would not be required by the GDPR deadline. As mentioned, we will provide all Marketplace Vendors with 30 days’ notice of the updated Marketplace Vendor Agreement prior to the updated terms becoming effective.

Laura


#11

@ldellatorre How can we get users’ consent upon evaluation or purchase? We are sending our customers evaluation / post-sale emails as part of our marketing. Currently the marketplace doesn’t allow us to get customers’ consent upon trial/purchase. This is absolutely important for us.


#12

There is no need to get explicit consent, you can argue that you can use the legal ground of legitimate interest. The fact that someone signed up for the evaluation allows you to assume they have an interest in your product. If you make sure that there is a very easy way to opt-out of receiving additional communications, you should be fine in regard to sending marketing emails to evaluators.

For post-sale emails, you have already received consent in the form of the acceptance of your EULA / Privacy Policy. Like Atlassian, it is recommended to assume the role of Data Processor. As such, you can use contractual obligation to justify post-sales communications. Again, make sure that you allow for an easy opt-out.

So the only things you should make sure to do are:

  1. Add a custom EULA (incl. Data Processing Agreement) and Privacy Policy to your marketplace app listing in which you assume the role of Data Processor (making the customer the Data Controller) and in which you explicitly mention that only business entities can make use of your app.
  2. Add a very easy and visible opt-out feature to all your e-mail communications

These two steps should be sufficient to replace explicit consent.

Disclaimer: I’m not a legal counsel, don’t blame me if you get fined.


#13

@alan.parkinson - As the number of offerings in the Atlassian Marketplace has proliferated and diversified, Atlassian can no longer provide a “one-size-fits-all” default set of terms for Marketplace Vendors. For example, as the software industry and Atlassian’s software offerings have evolved to Data Center and the Cloud, apps may be both hosted or downloaded and may be perpetual (e.g., Server) or subscription (e.g., Data Center and Cloud). The default EULA terms only apply to downloaded Server apps.

We also believe that it is in the best interests of our Customers for each app vendor to have their own EULA and/or Terms of Service, as is applicable for the given app, and in fact, to not do so has become a bit confusing for our Customers.

We would also note that this change brings the Atlassian Marketplace in line with the practices of other similar app marketplaces (such as the AWS marketplace, Chrome store, etc.).


#14

Thanks @akassab for the details. I understand the diversified product lineup causing an issue with having a standard EULA.

Will vendors have to provide separate EULAs for Cloud, Server and Data Center deployment options? Or can we provide separate EULAs for the different deployment options if we want to?

Will there be any standard terms that need to be included in vendors own EULAs?


#15

I ordered my own EULA from my lawyer a long time ago before I launched my server apps to the Marketplace, and that EULA cost me a high sum of money because lawyers are not cheap.

Btw, my web-site is made with WordPress and it made me an almost ready-made Privacy Policy from a template, and I only made some fixes and added my own terms to it.


#16

It seems to have always been the case that where a cloud addon is installed but unlicensed it will continue to receive ALL webhooks from any customer with it installed, regardless of license status (AC-1732). As the addon vendor in that case, we would have no relationship with the customer (no license agreement in place), so the platform would be leaking customer data to 3rd party data processors. Will this scenario be incorporated into the whole GDPR compliance effort? It’s a request that has been logged for years already.


#17

Hi @ldellatorre,
How will the upcoming acknowledgment of EULA and Privacy Policy during the purchase process work when the sale is done through a Partner or a Reseller? In that case, it’s the Partner/Reseller that buys the product (to later resell it), so the Customer never sees the EULA and Privacy Policy and never accepts them explicitly.
What’s your take on this?