Legal
Data Processing Agreement
How we process data on your behalf as a data processor.
Last updated: March 20, 2026
This Data Processing Agreement (“DPA”) supplements our Terms of Service and Privacy Policy. It applies where SuperTemplates processes personal data on behalf of the Customer (data controller) as required by GDPR Article 28.
1. Definitions
“Controller” means the Customer — your Atlassian organization that installs and uses SuperTemplates.
“Processor” means Konkret.dev, a registered business (działalność gospodarcza) in Poland, operating as SuperTemplates — we process data only as necessary to provide the App's functionality. Full company details are available on our Contact page.
“Sub-processor” means a third party engaged by the Processor to assist in data processing (AI providers, Atlassian Forge).
“Personal Data” means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
2. Scope and Purpose of Processing
We process personal data solely to provide the App's functionality:
| Subject matter | AI-powered and manual bulk task creation for Jira Cloud |
| Duration | For the term of your Marketplace subscription |
| Nature of processing | Collection, pseudonymization (see Section 3), transmission to AI providers, storage in Forge Key-Value Storage |
| Categories of data subjects | Your Jira users who interact with the App |
| Types of personal data | User display names (pseudonymized before AI processing), task content entered by users |
3. Processor Obligations
As data processor, SuperTemplates shall:
- Process personal data only on documented instructions from the Controller (i.e., as needed to operate the App)
- Ensure that persons authorized to process the data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security (see Security Statement)
- Not engage another processor without prior written authorization from the Controller (sub-processors are listed in Section 5)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, impact assessments)
- Delete or return all personal data upon termination of the service, per Atlassian Forge data retention policies
- Make available all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, subject to reasonable advance notice and confidentiality obligations (GDPR Article 28(3)(h))
- Inform the Controller immediately if, in our opinion, an instruction infringes GDPR or other applicable data protection law (GDPR Article 28(3), second subparagraph)
Architectural note — no independent data access or storage
SuperTemplates is built exclusively on Atlassian Forge, a sandboxed execution environment that runs within Atlassian's infrastructure. The Processor does not operate its own servers or databases and does not have independent access to, or persistent storage of, the Controller's Jira data. All access to Jira data is mediated by the Forge platform and governed by the scoped permissions the Controller grants during app installation.
When AI features are used, the App transmits pseudonymized* task content to the AI sub-processors listed in Section 5 (or to BYOK providers configured by the Controller). These transmissions are encrypted in transit (TLS 1.2+), contain no Jira credentials or access tokens, and are subject to zero-retention or minimal-retention policies as described in each sub-processor's DPA. The Processor does not retain AI prompt or response data beyond the duration of the request.
*Pseudonymization (GDPR Art. 4(5)): known Jira user display names are automatically replaced with anonymous codes (e.g., U1, U2); system identifiers (account IDs, email addresses, project keys, board names) are stripped entirely and never sent to AI providers. However, free-text content entered by users in prompts (task descriptions, meeting notes, requirements) is sent as written — the Controller is responsible for not including sensitive personal data in AI generation prompts. See our Privacy Policy § AI Data Handling for full details.
This architecture means the Processor cannot independently access, copy, or exfiltrate the Controller's data — processing occurs only within the scope of the Controller's documented instructions, the Forge runtime sandbox, and the sub-processor arrangements described in this DPA.
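The pseudonymization step described above, written out as an added example in JavaScript (the language of Forge apps). This is illustrative code, not SuperTemplates' implementation: the helper names, the identifier patterns, the account-ID shape and the sample prompt are all assumptions. What it adds to the prose is the part a reviewer should check: the reverse map stays on the Forge side, codes are restored only on whole-word matches, and a last-line guard refuses to send a prompt that still contains a known name, an account ID or an email address.

```javascript
// Added example of pseudonymization before an AI call. Not SuperTemplates'
// code; names, regexes and sample data below are assumptions for illustration.

// Assumed shape of an Atlassian Cloud account ID: "<6 digits>:<uuid>".
const ACCOUNT_ID_RE =
  /\b\d{6}:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replace known display names with U1, U2, ... and strip system identifiers.
// Returns the pseudonymized text and the reverse map needed to restore names
// in the model's answer. The reverse map is kept by the caller and is never
// part of what is sent to the provider.
// Assumes display names start and end with word characters and that the
// prompt does not already contain tokens of the form U<n>.
function pseudonymize(text, displayNames, projectKeys = []) {
  const reverse = new Map();
  let out = text;
  // Longest names first, so "Anna Kowalska-Nowak" is rewritten before a
  // shorter "Anna Kowalska" could match inside it.
  const names = [...new Set(displayNames)].sort((a, b) => b.length - a.length);
  for (const name of names) {
    const code = `U${reverse.size + 1}`;
    reverse.set(code, name);
    out = out.replace(new RegExp(`\\b${escapeRegExp(name)}\\b`, 'g'), code);
  }
  out = out.replace(ACCOUNT_ID_RE, '').replace(EMAIL_RE, '');
  for (const key of projectKeys) {
    // Remove the project key and any issue key derived from it (e.g. ST-42).
    out = out.replace(new RegExp(`\\b${escapeRegExp(key)}(?:-\\d+)?\\b`, 'g'), '');
  }
  return { text: out.replace(/[ \t]{2,}/g, ' ').trim(), reverse };
}

// Restore display names in the model's response. Only whole-word codes are
// rewritten, so U1 is not touched inside U12, and unknown codes are left as-is.
function reidentify(text, reverse) {
  return text.replace(/\bU(\d+)\b/g, (m) => reverse.get(m) ?? m);
}

// Guard to run immediately before the outbound call. Returns true if a known
// display name, an account ID or an email address is still present. Free
// text the user typed about people the app does not know is NOT caught here,
// which is exactly the gap the DPA assigns to the Controller.
// String.prototype.search ignores the g flag, so the shared regexes are safe.
function leaksIdentifiers(text, displayNames) {
  if (text.search(ACCOUNT_ID_RE) !== -1 || text.search(EMAIL_RE) !== -1) return true;
  return displayNames.some((n) => text.includes(n));
}

// Constructed sample input (fictional people and identifiers).
const KNOWN_USERS = ['Anna Kowalska', 'Jan Nowak'];
const SAMPLE_PROMPT =
  'Onboarding for Anna Kowalska (712020:4d1f8b20-1e2e-4a2c-9c3a-0d2b7f8e6a11, ' +
  'anna.kowalska@example.com). Reviewer: Jan Nowak. Tracked in ST-42 (project ST).';

function demo() {
  const result = pseudonymize(SAMPLE_PROMPT, KNOWN_USERS, ['ST']);
  if (leaksIdentifiers(result.text, KNOWN_USERS)) {
    throw new Error('refusing to send: identifiers still present');
  }
  return result;
}

console.log(demo().text);
```

The order of the two steps matters: names are replaced before identifiers are stripped, so a display name that happens to contain a dot or digits is still mapped to a code rather than partially erased. Anything the guard cannot see (a colleague's name typed into a description, a phone number in meeting notes) goes to the provider as written, which is why the Controller-side instruction in the footnote above exists.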
4. Security Measures
We implement the following technical and organizational measures:
Measures we implement directly
- Pseudonymization of known user display names (replaced with codes) and stripping of system identifiers (account IDs, email addresses, project keys, board names) before AI processing
- Minimal data access — only Jira scopes required for functionality
- BYOK (Bring Your Own Key) API keys stored in Forge Secrets (encrypted, isolated)
- Code review and dependency auditing
- Admin controls for AI model management and analytics toggle
Measures provided by Atlassian Forge
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Sandboxed app execution environment
- Data residency compliance
- Egress controls (all outbound calls declared and audited)
5. Sub-processors
The Controller authorizes the use of the following sub-processors. We will notify the Controller of any intended changes to this list (additions or replacements) with at least 30 days' advance notice via email to site administrators.
The Controller may object to a new sub-processor by notifying us in writing within 14 days of receiving our notice. If the Controller objects and we cannot reasonably accommodate the objection, either party may terminate the affected service with 30 days' notice. We will not engage the objected sub-processor for the Controller's data during the objection period.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Atlassian (Forge) | App hosting, data storage, authentication | Per your data residency |
| Cerebras | AI task generation (default) | US (zero retention) |
| Google Vertex AI | AI task generation (default) | EU available (regions depend on model version; currently includes Netherlands, Belgium, Finland, France, Spain, Poland) |
| PostHog | In-app product analytics (admin can disable) | US / EU available |
| Vercel | Website hosting, analytics & speed insights | US (cookieless) |
| Google Analytics | Website analytics (supertemplates.ai only) | US |
| Snitcher | Website B2B visitor identification | EU (Netherlands) |
BYOK Providers (Controller-directed, not sub-processors)
The following AI providers are available when a site administrator configures their own API key (BYOK). In this scenario the Controller selects the provider, configures their own API credentials, and maintains a direct contractual relationship with the provider; data transfers take place under the Controller's own account. SuperTemplates acts solely as a technical conduit: it executes the Controller's documented instructions to route pseudonymized prompts via the Controller's own account and does not independently determine the purposes or essential means of processing. BYOK providers are therefore not our sub-processors under this DPA.
| Provider | Purpose | Data Location |
|---|---|---|
| OpenAI | AI task generation (BYOK) | US |
| Anthropic | AI task generation (BYOK) | US |
| Google Gemini | AI task generation (BYOK) | US / EU |
The Controller is responsible for ensuring that their use of BYOK providers complies with applicable data protection laws, including having appropriate transfer mechanisms in place for international transfers.
BYOK providers are inactive by default and only engaged when a site administrator explicitly configures their API key.
6. Data Subject Rights
We will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. Requests should be directed to privacy@supertemplates.ai. We will respond without undue delay and within one calendar month, in accordance with GDPR Article 12(3).
7. Data Breach Notification
In the event of a personal data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, enabling the Controller to fulfill its obligation to notify the supervisory authority under GDPR Article 33.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will assist the Controller in notifying affected data subjects without undue delay, in accordance with GDPR Article 34.
The notification will include sufficient information for the Controller to fulfill its own obligations under GDPR Articles 33 and 34, including:
- The nature of the breach
- Categories and approximate number of data subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach, including mitigation
- Contact details of our Data Protection Lead for further information
8. International Transfers
Personal data may be transferred to sub-processors located outside the EEA. We ensure lawful transfer through the following mechanisms:
- EU-US Data Privacy Framework (DPF): Where the sub-processor is certified under the DPF (e.g., Google LLC). We verify certification status annually.
- Standard Contractual Clauses (SCCs): For sub-processors not certified under the DPF, we rely on the European Commission's Standard Contractual Clauses (Module 3: Processor to Sub-processor) as the legal basis for transfer. For Cerebras (US-based), SCCs with UK Addendum are incorporated in the Cerebras DPA. A Transfer Impact Assessment (TIA) has been conducted; supplementary measures include zero data retention and a contractual no-training guarantee.
- Technical safeguards: Known Jira user display names are pseudonymized (replaced with anonymous codes) before data leaves Forge. System identifiers (account IDs, emails, project keys, board names) are stripped entirely and never transmitted. We acknowledge that user-entered prompts may contain personal data and treat all prompt data accordingly.
- EU-only processing: Available via Google Vertex AI European regional endpoints (regions depend on model version; currently includes Netherlands, Belgium, Finland, France, Spain, Poland). When AI models are updated or replaced, available regions are determined by Google and may change. We will always prefer EU endpoints when available.
Customer obligation: Users should avoid including sensitive personal data (health data, financial data, national ID numbers) in AI generation prompts. The App is designed for project management content, not processing of special category data.
9. Data Deletion
The Processor does not independently store or have direct access to the Controller's personal data. All data (including any Forge Key-Value Storage entries) resides within the Controller's Atlassian instance and is managed exclusively by the Controller's Atlassian site administrator.
AI generation sessions are transient — prompt and response data is not retained by the Processor or its AI sub-processors beyond the duration of the request.
Upon termination, the Controller's Atlassian administrator should uninstall the App, which triggers automatic deletion of all Forge-stored data in accordance with Atlassian's Forge data lifecycle policy (28-day retention post-uninstall). The Processor will cooperate with any deletion requests but holds no independent copies to delete.
10. Term and Termination
This DPA is effective for the duration of the Controller's use of the App. It terminates automatically when the App is uninstalled or the Marketplace license expires. Because the Processor holds no independent copies of personal data, termination requires no data return — the Controller's Atlassian administrator controls deletion via App uninstallation. Obligations regarding confidentiality survive termination.
Contact
For DPA-related questions or to request a signed copy: privacy@supertemplates.ai
Data Protection Lead: privacy@supertemplates.ai