Skip to content
Atlassian Cloud Products

About Our Terms for Atlassian
Marketplace Apps

Thank you for choosing our Atlassian Cloud apps. This page outlines the key terms for using our products, including access and data handling. It also highlights 55 Degrees’ specific terms alongside the BonTerms agreement.

To provide a consistent and transparent legal framework, 55 Degrees uses the standardized End User Agreement developed by Bonterms for Atlassian Marketplace apps. This agreement serves as a common baseline for Marketplace transactions and is designed to simplify and align terms between providers and customers. You can review the Bonterms Standard End User Agreement (Version 1.0) here: Bonterms Standard End User Agreement (Version 1.0) The Bonterms Standard End User Agreement governs the general terms under which our products are made available, while allowing providers to include additional or modified terms where necessary. The terms set out below constitute 55 Degrees’ provider-specific additions and deviations from the Bonterms standard agreement (the “Provider-Specific Terms”). In the event of any conflict, these Provider-Specific Terms will take precedence over the standard agreement and apply specifically to 55 Degrees products and services.

ADDITIONAL TERMS - DEVIATIONS FROM THE BONTERMS STANDARD END USER AGREEMENT (VERSION 1.0)

Effective: April 13, 2026.

1. General

1.1 These Additional Terms, including the Attachments referred to herein (together the "Provider-Specific Terms"), applies to the Cloud Service and contains additions to, and modifications of, the Standard Agreement. The Agreement becomes effective when the Customer has signed up to use the Product via the Marketplace.

1.2 Any term that begins with a capital letter is defined in the Standard Agreement or in these Provider-Specific Terms.

1.3 The Provider will not offer or perform Professional Services as described in Section 9 of the Standard Agreement.

1.4 The Customer acknowledges that the Marketplace is a Third-Party Platform and that separate, additional terms may apply to the Customer's use of the Marketplace and/or a Third-Party Platform.

2. The Agreement

2.1 The AUP applicable to the Agreement can be found here.

2.2 The Support Policy applicable to the Agreement can be found here.

2.3 The DPA applicable to the Agreement can be found here.

2.4 The Switching and Exit plan, as applicable to the Agreement, can be found here.

2.5 To avoid misunderstanding, the AUP, DPA, Orders, the Support Policy, information in the Listing and any other Attachments and appendices mentioned in the Agreement forms part of the Agreement.

2.6 The documents included in the Provider-Specific Terms shall have mutual priority in the following order: (i) the Order, (ii) these Additional Terms and (iii) any Attachments, unless expressly stated otherwise. The Attachments shall have priority over each other in relation to the subject matters they specifically regulate. In addition to what is stated in Section 1.4 of the Standard Agreement, the DPA shall prevail in relation to processing of personal data.

3. The Product

3.1 The Provider shall make the Product available as a SaaS service. The Provider provides the Product according to the security practices stated on the website of the Provider.

3.2 The Product is provided in the basic version of the Product (the "Standard Edition") or the version of the Product with additional functionality compared to the Standard Edition of the Product (the "Advanced Edition"). Information about the Customer's chosen edition of the Product is set out, from time to time, in the Atlassian platform. The Customer may upgrade the Product from the Standard Edition to the Advanced Edition at any time with immediate effect during the term of the Agreement, by notifying the Provider.

3.3 The Customer's right to use the Product is non-exclusive, time-limited, and non-transferable and applies to the Customer's own business, unless otherwise agreed in the Order. The right applies provided that the Customer fulfills its payment obligations and other obligations under the Agreement.

3.4 The Customer is given a right to use the Product for the number of Users and during the Subscription Term that the Customer chooses when entering into the Agreement at the Third-Party Platform. The Customer can change the number of Users at the Third-Party Platform at any time.

3.5 The Provider is always trying to improve the Product and may from time to time make developments, additions and changes to the Product, including the different editions of the Product. The Customer may enable specific features and functions within the Product, and such enablement shall not constitute an amendment to the Agreement. These Provider-Specific Terms shall apply also for such enabled features and functions.

3.6 If the Customer upgrades the Product to the Advanced Edition in accordance with the terms of the Agreement, the first notification of payment for the Advanced Edition of the Product is received in connection with the Customer's notice to upgrade and after any initial free-trial period. Any fees already paid in advance for the remaining Subscription Term of the Standard Edition of the Product shall be deducted from the invoicing for the Advanced Edition covering the corresponding Subscription Term.

3.7 The Product is provided "as is" and in the edition of the Product which the Customer currently purchases. The Product does not include any integrations to other systems or applications that the Customer may want to use together with the Product unless the parties have explicitly agreed otherwise in the Order or Listing. When integrations are included, the Provider does not take responsibility for the continued functionality of such integrations if a third-party provider changes its service.

3.8 The Product shall be considered to have been made available when the Provider has made it accessible to the Customer through the internet, e.g., by making it accessible for implementation.

3.9 If the Customer does not comply with the terms of the Agreement, including the AUP, and does not rectify within ten (10) days of the Provider notifying the Customer of the non-compliance, the Provider is entitled to suspend the Product until rectification is made. The Provider has the right to suspend the Customer immediately if the Customer's actions impact on how the Product works. The Customer shall indemnify the Provider for any costs or claims by a third-party based on the Customer's use of the Product in violation of the terms of the Agreement.

3.10 In addition to what is stated in Section 3.4 of the Standard Agreement, the following applies. The Provider's right to use Usage Data shall also include the right to use Customer Data for the purpose of improving the Product, including the development and improvement of AI functionality within the Product. For the avoidance of doubt, the Provider will not use any identifiable work product or business-sensitive content of the Customer for these purposes.

4. Prices and Payment for the Product

4.1 The Customer shall pay the prices that are stated at the point of sale (i.e. the Listing) at the time the parties enter into the Agreement, and based on the edition of the Product used. Any prices are stated excluding value-added tax.

4.2 Unless otherwise explicitly agreed, the Provider has the right to adjust prices at any time, such adjustments will take effect on the coming Subscription Term, i.e., when the Agreement is renewed. In addition, the Provider may at any time adjust prices due to changes in regulations, taxes, fees, or similar circumstances beyond the Provider's control.

4.3 All fixed fees for the use of the Product shall be paid in advance. The first notification of payment is received together with the conclusion of the Order, if the Customer uses Trials and Betas, the first notification of payment is received when the trial period ends for such Trial and Beta, and the first Subscription Term starts.

4.4 If payment is late or incomplete, the Provider is entitled to interest on overdue payment in accordance with the Swedish applicable interest act and a late payment charge and/or a debt collection fee according to applicable laws.

4.5 If full payment is not received by the Provider and the Customer has not on reasonable grounds disputed the claim of payment, the Provider has the right to (i) immediately suspend the use of the Product, and/or (ii) terminate the Agreement immediately in accordance with Section 12.3 a) of the Standard Agreement.

5. Term and Termination

5.1 The following shall replace Section 12.2 of the Standard Agreement. This Agreement starts on the Effective Date. The Agreement is automatically renewed for an additional Subscription Term, unless otherwise agreed upon. Either party can terminate the Agreement at any time. Such termination shall take effect immediately if termination is made by the Customer and shall take effect thirty (30) days after the termination if the termination is made by the Provider. The Customer may downgrade the Service from Advanced Edition to Standard Edition with effect from the Customer's next billing period.

5.2 In addition to Section 12.5 of the Standard Agreement, the following Sections of these Additional Terms shall apply even after the termination of the Agreement: 5 (Term and Termination), 7 (Confidentiality), 8 (Intellectual Property Rights), 10 (Limitations of Liability), and 14 (Governing Law and Courts).

5.3 Instead of what is stated in Section 12.4 b) of the Standard Agreement, the following applies. Unless the Customer explicitly asks for the Customer Data to be deleted immediately, any Customer Data is stored up to thirty (30) days after the Agreement has been terminated before it is deleted by the Provider. Each Party will delete any Confidential Information of the other in its possession or control upon termination of the Agreement.

6. Publicity and Marketing

6.1 Instead of what is stated in Section 17 of the Standard Agreement, the following applies.

6.2 Unless the Customer has objected according to Section 6.3 below, the Provider may publicly state that the Customer is a customer of the Provider. The Customer grants the Provider the right to include the Customer's name, trademark, logo, or similar identifying material in a listing of customers on the Provider's website and/or promotional material in relation to the Product.

6.3 The Customer may, via the Provider's support portal, ask the Provider not to include information about the Customer in any publicly available material. Such a request can be made at any time, even before the Provider has published information according to Section 6.2 above. After a request from the Customer, the Provider shall stop including information about the Customer in any publicly available material within thirty (30) days and as far as possible delete any already publicized information about the Customer.

7. Confidentiality

7.1 In addition to what is stated in Section 16 of the Standard Agreement, the following applies.

7.2 Each party is responsible for compliance with the confidentiality undertaking by its respective subcontractors, consultants, and employees. The confidentiality undertaking under this Section applies during the term of the Agreement and for a period of three (3) years after the Agreement has expired. The confidentiality undertaking for Customer Data applies for an indefinite period of time.

8. Intellectual Property Rights

8.1 In addition to what is stated in Section 13 of the Standard Agreement, the following applies.

8.2 The Provider or its licensors hold all rights, including intellectual property rights, to the Product and the Documentation (including, without limitation to, such development or improvements specifically performed on behalf of the Customer) including software and source code. Nothing in the Agreement shall be construed as a transfer of such rights, or any part thereof, to the Customer. For the avoidance of doubt, the Customer has no right to use, copy or develop, in any way, the intellectual property rights of the Provider or its licensors, in or related to the Product and the Documentation, such as but not limited to, reverse engineer or decompile software and source code should Customer gain access to such.

8.3 The Provider makes no warranties that any AI generated content will not infringe upon any intellectual property rights or other rights of third parties.

8.4 If it comes to the Provider's knowledge or is finally settled that the Customer's use of the Product in accordance with this Agreement, infringes a third-party's intellectual property rights, the Provider may, in addition to the options set out in Section 15.5 of the Standard Agreement, choose to temporarily cease to provide the Product and, after deducting the Customer's reasonable benefit, repay the Customer's fee that has already been paid for the Product and which relates to time when the Customer is not able to use the Product, without interest.

8.5 Should the Customer be aware of any infringement claims directed towards the Customer related to the Customer's use of the Product, the Customer shall immediately inform Provider.

8.6 The Provider has the right to freely use the know-how, professional knowledge, experience, and skills that the Provider acquires through or in connection with providing the Product.

8.7 The Provider's obligations under this Section 8, including applicable provisions in the Standard Agreement, are conditional upon the Customer's use of the Product exclusively in accordance with the terms of the Agreement and the Customer fulfilling Section 8.5.

8.8 This Section 8 constitutes the Provider's total liability towards the Customer for any claims related to intellectual property rights.

9. Warranties

9.1 Section 6.2 of the Standard Agreement is hereby excluded and shall not apply to this Agreement.

10. Limitations of Liability

10.1 Instead of Section 14 of the Standard Agreement, the following applies.

10.2 The Provider's responsibility for the provision of the Product is limited in accordance with what is stated in these Additional Terms and otherwise in the Agreement.

10.3 The Provider is – with the limitations set out below and otherwise in the Agreement – liable towards the Customer for damages caused due to the Provider's negligence. However, the Provider is not liable for damages caused by third-party platforms as Atlassian, including any fault, disturbance or unavailability caused by such third-party platform, or any integrations to other systems or applications that the Customer may want to use the Product together with, or modifications or changes to the Product made according to the Customer's instructions or performed by anyone other than the Provider (including but not limited to the Customer and Customer's suppliers).

10.4 The Product is provided on an "as-is" basis without any express or implicit promises or guarantees. The Provider shall not be responsible for any decisions made by the Customer based on the use of any integrated AI-functionality in the Product, nor for any outcomes or results derived from the use of any AI-functionality in the Product, including any user-generated content.

10.5 Notwithstanding the above, the Provider shall under no circumstance be liable for indirect damages (Sw. indirekt skada), including damages caused by loss of profit, revenue, anticipated savings or goodwill, loss of information or Customer Data, loss due to operational, business, power or network interruptions, loss due to modifications of the Product made in accordance with the Customer's instructions or performed by anyone other than the Provider, as well as any claims due to the Customer's possible liability to third parties. The Provider is neither liable for any claims deriving from the Customer's relationship with any third-party platform such as Atlassian where the Product was purchased or integrated with.

10.6 The Provider's total and aggregate liability under the Subscription Agreement regardless of the number of incidents, is limited to the amount paid by the Customer according to the Subscription Agreement during the twelve (12) months prior to the time the damage occurred.

10.7 The Customer shall, in order not to lose its right, submit a claim for compensation in writing no later than ninety (90) days after the Customer noticed, or should have noticed, the actual damage or loss, however in no case later than six (6) months from when the loss arose.

10.8 In case of a claim from a third-party, the party responsible for such claim shall indemnify and hold the other party harmless.

10.9 The Provider takes no responsibility for the Customer's use of any Third-Party Platform, such as the Atlassian platform, or any fault, damage or unavailability of the Product which is due to such Third-Party Platform, regardless of whether such third-party takes responsibility according to its third-party terms. The Agreement, including the terms in these Additional Terms, apply only to the Customer's use of the Product. For the avoidance of doubt, the Provider is not liable for damages caused by Third-Party Platforms as Atlassian, including any fault, disturbance or unavailability caused by such Third-Party Platform, or any integrations to other systems or applications that the Customer may want to use the Product together with, or modifications or changes to the Product made according to the Customer's instructions or performed by anyone other than the Provider (including but not limited to the Customer and Customer's suppliers). The Provider is neither liable for any claims deriving from the Customer's relationship with any Third-Party Platform such as Atlassian where the Product was purchased or integrated with.

10.10 The limitations set out above as regards the Provider's liability under the Agreement shall also apply in relation to Section 15 of the Standard Agreement.

11. Trials and Betas

11.1 If the Customer registers to use Trials and Betas, the Agreement shall apply, in applicable parts, during the trial period (as specified in Section 11.3 below). Sections that by their nature are not applicable during the use of Trials and Betas shall be inapplicable during such trial period.

11.2 When the Provider offers Trials and Betas, the Provider's obligation is limited to providing the Customer with access to use the Product. Thus, the Provider has no responsibility for the Product functioning in a certain way, or responsibility for providing the Customer with support or remedying any unavailability. However, the Provider will usually make sure that the Product works as intended. The Provider is neither liable for any direct or indirect damages due to the Customer's use of the Product, and thus the liability of the Provider stipulated in Section 18 of the Standard Agreement shall not apply.

11.3 The term of the Agreement for the Customer's use of Trials and Betas, i.e. the trial period, is stated when the Customer starts to use the Trials and Betas. When the term of the trial period has expired, the Customer may choose to continue using the Product and then pay for it in accordance with what is stated in the Agreement. When the term of the Trials and Betas has ended, the Customer will no longer have access to the Customer Data in the Product.

11.4 The Customer does not have the right to use more than one free Trials and Betas unless explicitly allowed by the licensing platform or the Provider. The Customer shall reimburse the Provider for any unallowed continued use of the Product during any additional Trials and Betas. Such reimbursement shall be coherent with the Provider's highest prices for the Product at that point in time.

11.5 The parties may at any time choose to end the Trials and Betas and the Customer will (i) in case the Customer uses a trial version no longer have access to the Product, and (ii) in case the Customer uses a beta version have access to the Product without the early access features.

12. Amendments

12.1 Instead of Section 19.5 of the Standard Agreement, the following applies.

12.2 The Provider may at any time make changes to the Agreement or the Product that do not impair the Agreement or the Product by giving the Customer a thirty (30) days' prior written notice or as otherwise expressly stated in the Agreement, including Attachments. Notwithstanding the foregoing, the Provider may at any time modify the packaging of the different editions of the Product. The Provider shall inform the Customer in advance of any such changes.

12.3 Notwithstanding the above, the Provider may at any time, make amendments to the Agreement or the Product as necessary to comply with mandatory legal requirements or governmental recommendations. Such amendments enter into force at the time specified by the Provider.

12.4 The Provider may at any time make changes to the Agreement, other than as set out above, by giving the Customer a three (3) months' prior written notice. The Customer may terminate the Agreement with immediate effect if such change entails a significant inconvenience for the Customer by giving notice to the Provider at latest one (1) month before the new Agreement will come into force. In such case, the Provider shall pay back the amounts corresponding to the period the Customer has not been able to use the Product. The Customer may not terminate the Agreement if the grounds for a significant change to the Agreement is due to changes in law, constitution, by authority decision, or changes in other circumstances outside of the Provider's control.

12.5 For the avoidance of doubt, the Customer's activation of new features and functionality within the Product shall not constitute an amendment to the Agreement. Any new features or functionality that require the Customer's active enablement shall become effective upon such activation and shall not be subject to the notice requirements set forth in this Section 12.

13. Force Majeure

13.1 Instead of "15 or more consecutive days" as stated in Section 19.8 of the Standard Agreement, "60 or more consecutive days" shall apply.

13.2 The Customer's right to refund under the circumstances stipulated in Section 19.8 of the Standard Agreement shall not apply.

14. Governing Law and Courts

14.1 Instead of what is stated in Section 19.2 of the Standard Agreement, the following applies as regards Governing Law and Courts.

14.2 The Agreement shall be governed by and construed in accordance with the laws of Sweden.

14.3 Any dispute arising out of or in connection with the Agreement shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the "SCC Institute").

14.4 The Rules for Expedited Arbitrations shall apply, unless the SCC Institute, considering the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.

14.5 The place of arbitration shall be Malmö. The language of the proceedings shall be Swedish and Swedish law shall apply to the dispute. Regardless of what has just been said, the Provider shall always have the right to apply for an injunction to payment or bring an action regarding non-payment in a general court.

ADDITIONAL TERMS - DEVIATIONS FROM THE BONTERMS STANDARD END USER AGREEMENT (VERSION 1.0)

ACCEPTABLE USE POLICY ("AUP")

1. In addition to Section 19.13 of the Standard Agreement, when entering into the Agreement, the Customer confirms that it is not listed on any official terrorist-list or associated with any country or organization sanctioned by Sweden, the European Union, or the United States.

2. The Customer is a company or organization and the individual representing the Customer warrants that he or she has authority to enter into an agreement with the Provider.

3. Unless otherwise agreed, the Customer is responsible for the following:

a) not using the Product for competitive analysis or similar purposes;

b) only use the Product for the number of Users or similar limitations that have been set out and agreed on when concluding the Order (e.g. as stated in the Listing);

c) to maintain any equipment and software required to use the Product, maintain the security of its IT-environment and to always use the Product in accordance with the Provider's Documentation;

d) to provide the Provider with information about the Customer and its use of the Product reasonably required by the Provider to be able to provide the Product and make improvements, additions and changes to the Product, the Customer can be required to provide information about connection details and information about authorized users;

e) notify the Provider immediately at the Provider's support portal if the Product is unavailable; and

f) to use the Product in accordance with all applicable laws, regulations and guidelines issued by a competent authority.

4. The Customer shall not use, copy, modify or give access to the Product to a greater extent than has been agreed on or is considered within the intended use of the Product.

5. The Provider is not responsible for changes in the Product that occur because of the Customer's actions.

SUPPORT POLICY

1. Availability

1.1 The Provider's objective is that the Product shall be continuously available.

1.2 Minor or insignificant inconveniences shall not be deemed to constitute unavailability of the Product.

1.3 The Product shall not be considered unavailable in particular where:

a) the Provider performs scheduled maintenance or upgrades affecting availability, provided that the Customer has been given no less than forty-eight (48) hours' prior notice; or

b) the Product is unavailable due to circumstances beyond the Provider's reasonable control, including but not limited to failures in networks, communications, or Third-Party Platforms (including, without limitation, Atlassian services).

1.4 The Customer can read more about the Provider's non-binding service level expectations at the Provider's website as updated from time to time.

2. Scope of Support

2.1 The Provider may, at its sole discretion, provide the Customer with support services in relation to the Product ("Support"). The Provider does not provide support during weekends or Swedish public holidays. Further details of dates and times during which support services are offered are specified on the Provider's website from time to time.

2.2 To receive support, the Customer shall create support requests through the Provider's chosen support portal available at the Provider's website. The Customer acknowledges that the Customer will need to register as a customer on the support portal chosen by the Provider in order to receive support.

2.3 Support is limited to reasonable assistance provided by the Provider in accordance with this Support Policy and for the purpose of:

a) identifying, diagnosing, and resolving technical errors or malfunctions in the Product; and

b) clarifying the intended functionality and documented use of the Product.

2.4 Support shall not include any assistance other than as set out above, and the Provider shall have no obligation to provide:

a) consulting services, advisory services, or process-related guidance;

b) training services beyond standard documentation or generally available materials;

c) custom development, configuration, or data analysis;

d) support for issues arising from misuse of the Product or use contrary to the Agreement, the Provider's documentation or the Provider's instructions; or

e) support for issues caused by Third-Party Platforms, except to the extent such issues are directly caused by the Product.

3. Customer Responsibilities

3.1 The Customer shall:

a) provide accurate and sufficient information necessary for the Provider to investigate and resolve issues, including but not limited to reproducible steps, relevant data, and supporting materials;

b) use the Product in accordance with the Provider's documentation, instructions and intended use;

c) ensure that its systems and any Third-Party Platforms are properly configured and maintained; and

d) cooperate in good faith with the Provider in connection with Support and issue resolution.

4. Limitations on Support Obligations

4.1 The Provider shall not be obligated to remedy any unavailability or error where doing so would require efforts or costs that are unreasonable in relation to the significance of the issue for the Customer.

4.2 The Provider does not warrant that all errors will be corrected or that the Product will operate without interruption.

5. Exclusions

5.1 The obligations set out in this Support Policy shall not apply to Trials or Betas.

DATA PROTECTION ADDENDUM (DPA)

1. Background and Interpretation

1.1. The Provider will upon performance of the Agreement when providing its Product process personal data on behalf of Customer, in the capacity of Customer's processor. Provider will process personal data for which Customer is the controller.

1.2. This DPA forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.

1.3. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the European Parliament and the Council Regulation (EU) 2016/679 (the "GDPR") and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances.

1.4. In light of the above, the parties have agreed as follows:

2. Instructions and Responsibilities

2.1. The type of personal data and categories of data subjects processed by Provider under this DPA and the purpose, nature, duration, and objects of this processing, are described in the instructions on processing of personal data in Appendix A in relation to each applicable Product or the written instructions that Customer provides from time to time. Provider shall not process additional categories of personal data or personal data in relation to other data subjects than those specified in Appendix A for the applicable Product utilized by the Customer.

2.2. The Customer is responsible for complying with the GDPR. The Customer shall in particular:

a) be a contact person towards data subjects and i.e. respond to their inquiries regarding the processing of personal data;

b) ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR and maintain a record of processing activities under its responsibility;

c) provide Provider with documented instructions for Provider's processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;

d) immediately inform Provider of changes that affect Provider's obligations under this DPA;

e) immediately inform Provider if a third party takes action or lodges a claim against Customer as a result of Provider's processing under this DPA; and

f) immediately inform Provider if anyone else is a joint controller with Customer of the relevant personal data.

2.3. When processing personal data, the Provider shall:

a) only process personal data in accordance with Customer's documented instructions, which at the time of the parties entering into this DPA are set out in Appendix A;

b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in Section 3 below;

d) respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor;

e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;

f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Provider;

g) at the choice of Customer, delete or return all the personal data to Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and

h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor agreed upon by the parties.

2.4. Provider shall notify Customer without undue delay, if, in Provider's opinion, an instruction infringes the GDPR. In addition, Provider is to immediately inform Customer of any changes affecting Provider's obligations pursuant to this DPA.

3. Security

3.1. Provider shall implement technical and organizational security measures in order to protect the personal data against destruction, alteration, unauthorized disclosure and unauthorized access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Provider may amend its technical and organizational measures provided that such amendments do not result in a lower level of security for the personal data.

3.2. Provider shall notify Customer of accidental or unauthorized access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that Provider has committed any wrongful act or omission, or that Provider shall become liable for the personal data breach.

3.3. If Customer during the term of this DPA requires that Provider takes additional security measures exceeding the level required under section 3.1, Provider shall as far as possible meet such requirements provided that Customer pays and takes responsibility for any and all costs associated with such additional measures.

4. Sub-processors and Transfers to Third Countries

4.1. Customer hereby grants Provider a general authorization to engage sub-processors. The Customer further acknowledges that the Provider may add new sub-processors in connection with new features or functionality that the Customer actively enables, and that such additions shall not be deemed as changes under Section 4.2. below concerning sub-processors. Sub-processors are listed in the list of sub-contractors in Appendix B. Provider shall enter into a data processing agreement with each sub-processor, according to which, the same data protection obligations as set out in this DPA, are imposed upon the sub-processor. Provider is responsible towards Customer for sub-processors' performance of its undertakings in relation to Customer.

4.2. Provider shall inform Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving Customer the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after Provider has informed Customer about the intended changes. If Customer objects to Provider engaging a sub-processor and the parties cannot agree, within reasonable time, on the new sub-processor's engagement in the processing of personal data, Provider can terminate the Agreement.

4.3. If Provider and/or sub-processors transfers personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. Provider shall keep Customer informed about the legal grounds for the transfer.

4.4. Customer is aware that, if they use the Product within a host product, the vendor of the host product (e.g. Atlassian or Microsoft) from time to time may update or change its data processing agreement, including but not limited to its list of used sub-processors or regarding transfers to third countries. Customer acknowledges that Provider cannot control or impact any such update or change and that a change to such a third party's data processing agreement, including any addition or change of a sub-processor, may be effective immediately. Customer understands that it therefore will be practically impossible for Customer to successfully object to such changes or updates and still continue to use the Product.

5. Compensation and Limitation of Liability

5.1. Provider is not entitled to any additional compensation for the processing of personal data in accordance with this DPA, instead the compensation provided pursuant to the Agreement also encompasses the measures in this DPA.

5.2. Each party shall be responsible for any damages and administrative fines imposed to it under articles 82 and/or 83 of the GDPR.

5.3. Notwithstanding any limitation of liability in the Agreement, each party's liability under this DPA shall be limited to direct damages. In addition, Provider's liability shall be limited to an amount corresponding to the fees paid by Customer to Provider under the Agreement for a period of six (6) months before the damage occurred. This limitation applies solely to the contractual relationship between the parties and does not limit or affect (i) the rights of data subjects to full compensation under Article 82 GDPR, or (ii) either party's statutory liability towards data subjects under Article 82 GDPR.

6. Term and Termination

6.1. This DPA becomes effective when the Agreement has been entered into.

6.2. Upon termination of the Agreement, Provider shall at the choice of Customer, delete all the personal data or return it to Customer, and ensure that each sub-processor does the same.

6.3. This DPA remains in force as long as Provider processes personal data on behalf of Customer, including deletion or returning of personal data according to Section 6.2 above. This DPA shall thereafter cease to apply. Sections 5 and 6.2 shall continue to apply even after this DPA has been terminated.

APPENDIX A

Instructions on Processing of Personal Data

Purposes

Provider processes personal data in order to fulfill the Agreement. This means that Provider processes personal data for the following purposes:

  • Enabling Subscription management,
  • Provide the Product to Users,
  • Provide features of the Product to Users,
  • Authenticate and authorize Users,
  • Enable customer feedback, and
  • Handle customer Support cases.

Categories of personal data

Categories of personal data that will be processed by the Provider include:

  • Name,
  • E-mail address,
  • Unique identifier of the device using the Product,
  • Information about how the Product is used, and
  • Pseudonymized End-User data, such as ID, and
  • Encrypted Information related to End-User found in the Company work data (UGC) being analyzed (this category is used only if AI features are enabled by the Customer).

Categories of data subjects

Users.

Retention time

Personal data gathered for the purposes of end user authentication and authorization or for providing the service and its features to Users will be kept for the duration of this Agreement and up to 90 days afterward to ensure smooth restoration of data if you return as a customer.

Encrypted personal data stored by us for the purposes of utilizing AI-related features is meant to be transient and will have a time-limited retention (TTL) of no more than 30m. Each usage of the stored data in the 30m period resets the TTL. The data is automatically purged when the TTL expires.

Personal data gathered for the purpose of handling support cases is kept while the support matter is resolved and for up to 12 months thereafter. The retention of this data allows us to provide you with a history of reported issues from your account. Please note that we aim to delete sensitive attachments such as HAR files within three months of the closure of the support request.

Requests from the Customer to delete specific User data early will be carried out whenever it is possible to do so without disrupting the ongoing provision of services to the Customer.

Processing operations

The Provider processes the personal data of Users in the following ways.

  • To provide information about User Subscription utilization.
  • To technically enable the Product to be used by Users.
  • To enable product features, such as enabling sharing of protected content, including to develop and improve AI functionality in the Product.
  • To provide customer Support when Customers open a Support request via email or via Provider's Support portal.

Information Security Measures

The Supplier maintains technical and organizational measures designed to protect Personal Data in accordance with Article 32 GDPR.

The technical and organizational measures described in this Agreement are provided for illustrative purposes only. The Provider's technical and organizational security measures include, in particular, measures relating to:

  • Documented information security and data protection policies, reviewed on a regular basis.
  • Clearly defined internal roles and responsibilities for information security and personal data protection.
  • Confidentiality obligations applicable to personnel authorized to process personal data.
  • Role-based access controls and least-privilege access principles.
  • Strong authentication mechanisms, including multi-factor authentication for privileged access.
  • Encryption of personal data in transit and at rest using industry-standard cryptographic methods.
  • The ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures.
  • Secure system development practices and controlled change management processes.
  • Procedures for the detection, handling, and management of personal data breaches, including notification procedures.
  • Data backup, recovery, and business continuity arrangements to ensure availability and timely restoration of access to personal data.
  • Sub-processor management processes and contractual data protection commitments.

The above measures are provided for illustrative purposes only. The detailed, complete, and authoritative description of the Supplier's technical and organizational measures, as implemented from time to time, is available in the Supplier's Trust Center at https://trust.55degrees.se. Additional assurance documentation, including the Supplier's SOC 2 Type II report, is available upon request under a mutually agreed non-disclosure agreement.

APPENDIX 2B

Sub-Processors

The tables below list sub-processors used by the Provider for the specific purposes listed in this DPA. Specific information about what data is processed for these purposes and a full list of the Provider's sub-processors used for various purposes are described on the Supplier's support portal.

General sub-processors

Sub-processor Purpose Location of Processing

Atlassian Corporation Plc

Links: DPA | International Data Transfers

The Customer and End-User support management service provider. Forge Platform provider.

Europe. Customer Account data (name, email address) cannot be pinned to a single region and is stored across the Global AWS Regions. Read more about Atlassian's data residency.

Product Fruits

Links: DPA

Processing User questions regarding product usage in order to provide AI-powered self-service support. Requires Jira Administrators to explicitly enable this feature.

Europe.

Released

Links: DPA

Processing of User product feedback and roadmap wish list.

USA (AWS US East).

Additional product-specific sub-processors

ActionableAgile for Jira Cloud

Sub-processor Purpose Location of Processing

Amazon AWS

Links: DPA | Supplementary Addendum | UK Addendum

To enable the provision and operation of the product, including configuration management, user authentication and authorization, access control, and encrypted time-limited caching of operational data in support of application features.

Processing customer data with LLMs hosted in AWS (Amazon Bedrock) to provide AI insights and coaching advice (Requires Jira Administrators to explicitly enable these features).

Europe (Stockholm)

Additional options for qualifying customers: USA (Virginia), Australia (Sydney)

Portfolio Forecaster for Jira Cloud

Sub-processor Purpose Location of Processing

Amazon AWS

Links: DPA | Supplementary Addendum | UK Addendum

To enable the provision and operation of the product, including configuration management, user authentication and authorization, access control, retrieval of data from connected systems, storage of computed data to support application features, and product-related communications.

Europe (Stockholm)

Additional options for qualifying customers: USA (Virginia), Australia (Sydney)