Data Processing Agreement
How we process data on your behalf as a data processor.
Last updated: February 19, 2026
This Data Processing Agreement (“DPA”) supplements our Terms of Service and Privacy Policy. It applies where SuperTemplates processes personal data on behalf of the Customer (data controller) as required by GDPR Article 28.
1. Definitions
“Controller” means the Customer — your Atlassian organization that installs and uses SuperTemplates.
“Processor” means SuperTemplates — we process data only as necessary to provide the App's functionality.
“Sub-processor” means a third party engaged by the Processor to assist in data processing (AI providers, Atlassian Forge).
“Personal Data” means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
2. Scope and Purpose of Processing
We process personal data solely to provide the App's functionality:
| Item | Details |
|---|---|
| Subject matter | AI-powered and manual bulk task creation for Jira Cloud |
| Duration | For the term of your Marketplace subscription |
| Nature of processing | Collection, anonymization, transmission to AI providers, storage in Forge KV |
| Categories of data subjects | Your Jira users who interact with the App |
| Types of personal data | User display names (anonymized before AI processing), task content entered by users |
3. Processor Obligations
As data processor, SuperTemplates shall:
- Process personal data only on documented instructions from the Controller (i.e., as needed to operate the App)
- Ensure that persons authorized to process the data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security (see Security Statement)
- Not engage another processor without prior written authorization from the Controller (sub-processors are listed in Section 5)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, impact assessments)
- Delete or return all personal data upon termination of the service, per Atlassian Forge data retention policies
- Make available all information necessary to demonstrate compliance with this DPA
4. Security Measures
We implement the following technical and organizational measures:
Measures we implement directly
- Smart anonymization of personal identifiers before AI processing
- Minimal data access — only Jira scopes required for functionality
- BYOK API keys stored in Forge Secrets (encrypted, isolated)
- Code review and dependency auditing
- Admin controls for AI model management and analytics toggle
Measures provided by Atlassian Forge
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Sandboxed app execution environment
- Data residency compliance
- Egress controls (all outbound calls declared and audited)
5. Sub-processors
The Controller authorizes the use of the following sub-processors. We will notify the Controller of any changes to this list with at least 14 days' advance notice.
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Atlassian (Forge) | App hosting, data storage, authentication | Per your data residency |
| Cerebras | AI task generation (default) | US (zero retention) |
| Groq | AI task generation (default) | US (zero retention) |
| Google Vertex AI | AI task generation (default) | EU available (NL, UK) |
| OpenAI | AI task generation (BYOK only) | US |
| Anthropic | AI task generation (BYOK only) | US |
| Google Gemini | AI task generation (BYOK only) | US / EU |
| PostHog | In-app product analytics (admin can disable) | US / EU available |
| Vercel | Website hosting, analytics & speed insights | US (cookieless) |
| Google Analytics | Website analytics (supertemplates.ai only) | US |
| Snitcher | Website B2B visitor identification | EU (Netherlands) |
BYOK sub-processors are only engaged when a site administrator explicitly configures their API key. They are not active by default.
6. Data Subject Rights
We will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. Requests should be directed to support@supertemplates.ai. We will respond within 30 days.
7. Data Breach Notification
In the event of a personal data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. International Transfers
Personal data may be transferred to AI sub-processors located outside the EEA. We mitigate this by:
- Anonymizing all personal identifiers before data leaves Forge — AI providers receive no personal data
- Offering EU-only processing via Google Vertex AI regional endpoints (Netherlands, London)
- Selecting only providers with zero data retention or no-training guarantees for API data
9. Data Deletion
Upon termination of the service (App uninstallation or license expiry), all personal data stored in Forge Key-Value Storage will be deleted in accordance with Atlassian's data retention policies. AI generation sessions are transient and are not stored beyond the request lifecycle. The Controller may request early deletion at any time by contacting us.
10. Term and Termination
This DPA is effective for the duration of the Controller's use of the App. It terminates automatically when the App is uninstalled or the Marketplace license expires. Obligations regarding data deletion and confidentiality survive termination.
Contact
For DPA-related questions or to request a signed copy: support@supertemplates.ai