Data Processing Addendum · RaiSE for Jira

Governs the processing of Personal Data by HumanSys on behalf of Customer in connection with the Service. Part of the Terms of Service.

Effective from: 2026-04-28
Last reviewed: 2026-04-14
Responsible party: Sistemas Humanos · Ciudad de México · México
Contact: privacy@humansys.ai
Canonical language: English. Spanish addendum (informative translation). In case of discrepancy, the English version prevails.
Version: 1.1 (Free Beta) · Related documents: Privacy Policy · Terms of Service

This Data Processing Addendum ("DPA") forms part of the Terms of Service and governs the processing of Personal Data (as defined in GDPR Art. 4(1) and LFPDPPP Art. 3(V)) by HumanSys on behalf of Customer in connection with the Service.

By installing or using the Service, Customer accepts this DPA. A countersigned copy is available on request at privacy@humansys.ai.

Definitions

Terms not defined here have the meanings assigned in the GDPR, UK GDPR, or LFPDPPP, as applicable.

  • Controller: the Customer, who determines the purposes and means of processing.
  • Processor: HumanSys, acting on documented instructions from Customer.
  • Sub-processor: any third party engaged by HumanSys to process Personal Data on Customer's behalf.
  • Personal Data: any information processed under this DPA that identifies or can identify a natural person.
  • Data Subject: the natural person whose Personal Data is processed (typically a Jira user in Customer's tenant).

Roles of the parties

  • Customer acts as Controller.
  • HumanSys acts as Processor.
  • Atlassian (as operator of the Forge platform and Jira Cloud) acts as a separate Processor for Customer under the Atlassian DPA; Atlassian is, for the purposes of this DPA, a Sub-processor of HumanSys for the components exposed via the Forge runtime.

Scope and purpose

HumanSys processes Personal Data solely to:

  • provide the Service described in §2 of the TOS;
  • generate coaching, assessment, and observability outputs;
  • operate, secure, and improve the Service (aggregated / de-identified only for improvement unless Customer opts in to share identified data);
  • comply with legal obligations.

Categories of Personal Data, Data Subjects, and Atlassian Personal Data Reporting API

Categories of Data Subjects

Jira users in Customer's Atlassian site: admins, project members, reporters, assignees, watchers.

Categories of Personal Data

Processed:

  • Atlassian accountId (opaque identifier);
  • Display name (as surfaced by Forge APIs);
  • Issue metadata: key, type, status, priority, labels, timestamps;
  • Project metadata: key, name;
  • Sprint and board identifiers;
  • Tenant identifiers: cloudId, siteId;
  • App telemetry: events, errors, performance metrics, feature-use counters;
  • Admin contact email (installation flow, for support only).

Not processed in Phase 1:

  • Full text of Jira issue descriptions, comments, or attachments;
  • User email addresses other than the admin contact above;
  • Voice, video, biometric, or health data;
  • Payment data.

Special categories

None processed by default. Customer must not route special-category data through the Service without prior written agreement.

Personal Data Reporting API commitment

HumanSys complies with the Atlassian Personal Data Reporting API (Forge user-privacy guidelines). Specifically:

  • we respond to closed and updated account events published by Atlassian;
  • we respect the Cycle-Period response header (default 7 days) and do not poll more frequently than it permits;
  • on closed, we delete or anonymize Personal Data linked to the affected accountId within ≤7 days;
  • on updated, we refresh the affected fields within ≤7 days;
  • failure to comply with this API is a de-listing event per Atlassian Marketplace policy and is treated by HumanSys as a release gate.

Processing instructions

HumanSys shall process Personal Data only:

  • as necessary to provide the Service;
  • on documented instructions from Customer (these include this DPA, the TOS, and the Privacy Policy);
  • as required by applicable law (with notice to Customer where legally permitted).

HumanSys shall notify Customer without undue delay if, in its opinion, an instruction infringes GDPR, UK GDPR, or other applicable data-protection law.

Sub-processors

Customer authorizes HumanSys to engage the sub-processors listed below.

| Sub-processor | Domain | Role | Location | Safeguard |
|---|---|---|---|---|
| Atlassian Pty Ltd | atlassian.com | Forge platform, Jira Cloud hosting, authentication | Customer-selected Atlassian data residency | Atlassian DPA + SCCs |
| Fly.io Inc. | fly.io | Backend hosting (raise-server), region lax | Los Angeles, California, USA | SCCs 2021/914 (Controller → Processor, Module 2 via HumanSys) + UK IDT Addendum |

AI / inference providers

In Phase 1, HumanSys does not use AI inference providers (Anthropic, OpenAI, or others) as default sub-processors. Customer admins may opt in by providing their own API key ("BYOK"). In that case:

  • inference traffic is routed directly from raise-server to the provider using Customer's key;
  • the provider is Customer's sub-processor, not HumanSys';
  • Customer is responsible for the terms, billing, and compliance posture with that provider;
  • HumanSys will log usage metadata (endpoint, latency, token count) but not prompt/response content beyond what is required for debugging (disabled by default in production).

HumanSys will give Customer at least 30 days' prior notice before adding or replacing a sub-processor. Customer may object on reasonable data-protection grounds within that period; if the objection cannot be resolved, Customer may terminate the Service.

A current list is maintained at the published Privacy Policy URL, §5.

International transfers

Personal Data processed through raise-server is transferred to the United States (Fly.io lax region). Transfer safeguards:

  • EU → US: Standard Contractual Clauses, European Commission Decision 2021/914, Module 2 (Controller to Processor);
  • UK → US: UK International Data Transfer Addendum to the EU SCCs;
  • Switzerland → US: FDPIC-adapted SCCs where applicable.

Copies of executed SCCs are available on request at privacy@humansys.ai.

Security measures

HumanSys implements technical and organizational measures (TOMs) appropriate to the risk, including:

  • Encryption in transit: TLS 1.2+ for all ingress and egress;
  • Encryption at rest: disk-level encryption for databases and backups;
  • Authentication: Atlassian Forge JWT (tenant bootstrap) + HumanSys API keys (hashed at rest); no collection of Jira user API tokens or PATs;
  • Access control: least-privilege RBAC inside HumanSys; production access restricted to named engineers with audit logs;
  • Tenant isolation: org_id scoping enforced at database and application layer; cross-tenant isolation tests are part of the release gate;
  • Logging & monitoring: application logs, security event logs, and audit trails retained ≤90 days;
  • Backups: daily encrypted backups retained ≤30 days, then purged;
  • Vulnerability management: dependency scanning in CI; patching on a risk-based schedule;
  • Personnel: confidentiality obligations and security training for all personnel with access to Personal Data.

Data subject requests

If Customer receives a data subject request (access, rectification, erasure, restriction, portability, objection — GDPR Art. 15–22; ARCO rights — LFPDPPP Art. 23–27), HumanSys shall:

  • assist Customer in responding within the statutory deadlines;
  • execute erasure via the Personal Data Reporting API within ≤7 days of Customer's instruction or Atlassian's required window, whichever is shorter;
  • provide export in a structured, commonly used, machine-readable format on request.

Personal data breaches

HumanSys shall notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach affecting Customer data. The notification shall describe:

  • the nature of the breach and categories/approximate number of Data Subjects and records concerned;
  • the likely consequences;
  • the measures taken or proposed to address the breach and mitigate adverse effects;
  • the contact point for further information.

Customer is responsible for notifying the relevant supervisory authority and Data Subjects where required by law.

Audits

HumanSys shall make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Customer or an auditor mandated by Customer, on reasonable prior notice, no more than once per 12 months, during business hours, and subject to confidentiality. HumanSys may satisfy this obligation by providing relevant third-party audit reports (e.g. Atlassian / Fly.io certifications) where they cover the requested scope.

Deletion and return

Upon termination or on Customer's written request:

  • HumanSys shall delete all Personal Data processed under this DPA within ≤30 days;
  • backups shall purge within their retention cycle (≤30 days);
  • Customer may, before deletion, request export of data in a structured format;
  • HumanSys shall certify deletion in writing on request.

Statutory retention obligations (e.g. tax, accounting records that do not constitute Customer Personal Data) are preserved.

Liability

Liability under this DPA is subject to the limitations in §11 of the TOS, except as prohibited by mandatory law.

Governing law for DPA

For Customers established in the EU / EEA / UK, this DPA is governed by the laws of the Customer's country of establishment and disputes arising out of this DPA shall be submitted to the competent courts of that country. For all other Customers, this DPA is governed by the laws of the United Mexican States and §14 of the TOS applies.

Order of precedence

In case of conflict between documents: (1) mandatory law; (2) SCCs (where they apply); (3) this DPA; (4) the Privacy Policy; (5) the TOS.


Data Processing Addendum (Spanish, informative)

The English version is the canonical version. This translation is provided for informational purposes only. In case of discrepancy, the English text prevails.

1. Roles

  • Controller: Customer.
  • Processor: HumanSys.
  • Sub-processor: Atlassian (Forge) and Fly.io (backend).

2. Data categories (Phase 1)

Processed: accountId, displayName, issue/project/sprint metadata, cloudId/siteId, telemetry, installing admin's email (support only).

Not processed: descriptions, comments, attachments, other users' emails, sensitive data.

Personal Data Reporting API commitment: HumanSys complies with the Atlassian API: it responds to closed/updated events within the Cycle-Period (default 7 days). closed ⇒ deletion/anonymization by accountId within ≤7 days. updated ⇒ refresh of fields within ≤7 days. Non-compliance is grounds for de-listing; internal release gate.

3. Sub-processors

Atlassian Pty Ltd (atlassian.com): Forge platform, Jira Cloud; selected Atlassian residency; Atlassian DPA + SCCs.
Fly.io Inc. (fly.io): raise-server hosting, region lax; Los Angeles, California, USA; SCCs 2021/914 (Module 2) + UK IDT.

AI / inference: in Phase 1, HumanSys does not use AI providers by default. With BYOK, the provider is the Customer's sub-processor, not HumanSys'.

4. International transfers

To the USA (Fly.io lax) under SCCs 2021/914 and, where applicable, the UK IDT Addendum. Executed copies available at privacy@humansys.ai.

5. Security

TLS 1.2+ in transit; encryption at rest; authentication via Forge JWT + hashed RSK; no PATs; isolation by org_id validated with cross-tenant tests as a release gate; logs and backups ≤30-90 days; least privilege.

6. Data subject rights

Assistance with ARCO (LFPDPPP Art. 23–27) and GDPR rights (Art. 15–22). Effective erasure via the Personal Data Reporting API within ≤7 days.

7. Incidents

Without delay and within 72 hours after becoming aware of an incident affecting Customer data.

8. Deletion

After uninstallation or written request: deletion within ≤30 days; backups purge on their cycle (≤30 days). Certification available.

9. Audits

Reasonable information and, where applicable, inspections once every 12 months, with prior notice and confidentiality. Sub-processor audit reports satisfy this where they cover the scope.

10. Governing law of the DPA

EU/EEA/UK: law of the Customer's country of establishment. All others: laws of Mexico.

This document governs the use of sistemashumanos.com and the services offered by Sistemas Humanos from Ciudad de México, México. Privacy inquiries, the exercise of ARCO rights, or requests related to personal information may be addressed to privacy@humansys.ai.

© 2026 HumanSys S.C. · RaiSE, HumanSys AI and Sistemas Humanos are trademarks of HumanSys S.C.