Data Processing Addendum
Effective Date:
This Data Processing Addendum ("DPA") forms part of the End User License Agreement (the "Agreement" or "EULA") between Soteri LLC ("Processor", "Soteri", "we", "us") and the customer entity identified ("Controller", "Customer", "you"). This DPA applies to the extent that Soteri processes Personal Data on behalf of Customer in providing the following products (the "Services"):
Security for Confluence PII & Secret Scanner - Confluence Cloud edition
Security for Jira PII & Secret Scanner - Jira Cloud edition
Terms not defined in this DPA have the meaning given to them in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that Soteri processes on behalf of Customer in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, use, storage, transmission, and deletion.
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable privacy legislation.
"Sub-processor" means a third party engaged by Soteri to process Personal Data on behalf of Customer.
"Security Incident" means a confirmed unauthorized access to, or unauthorized disclosure of, Customer Personal Data.
2. Scope and Purpose of Processing
2.1 Nature of Processing
The Services scan content within Customer's Atlassian Cloud instance for passwords, API keys, PII, and other secrets. Content is processed (scanned) but not stored by Soteri. Soteri stores only metadata related to findings — specifically, the location of a detected secret, the type of secret, and when it was introduced or remediated.
2.2 Categories of Personal Data
As disclosed on the Atlassian Marketplace Privacy & Security tab for each app, the following types of End-User Data may be processed and stored:
Content metadata (e.g., Issue IDs, Content IDs)
User IDs (but not PII like email addresses)
Base URL (Account data)
Application-specific configuration (e.g., scanning rule configuration)
Content scanned by the Services is processed but not stored.
2.3 Categories of Data Subjects
Users of Customer's Atlassian Cloud instance (Confluence and/or Jira)
2.4 Duration of Processing
Processing continues for the term of the Agreement. Upon termination or uninstallation, stored End-User Data (metadata) is retained for a minimum of 35 days and a maximum of 90 days post-uninstall, after which it is deleted.
3. Obligations of Soteri as Processor
3.1 Instructions
Soteri shall process Personal Data only in accordance with Customer's documented instructions as set out in this DPA and the Agreement, unless required to do so by applicable law. If Soteri becomes aware that an instruction infringes Data Protection Laws, it shall promptly notify Customer.
3.2 Confidentiality
Soteri ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Soteri requires employees to sign confidentiality agreements during onboarding, as described in Section 5.1 of the SOC 2 report.
3.3 Security Measures
Soteri implements appropriate technical and organizational measures to protect Personal Data. These measures are described in Soteri's SOC 2 Type II report, available upon approval from the Soteri Trust Center. Key measures include:
Encryption of data at rest and in transit
Role-based access controls with least-privilege principles
Multi-factor authentication for production systems
Regular vulnerability scanning
Formal incident response procedures
Full-disk encryption on all employee devices via MDM
Network segmentation to prevent unauthorized access to customer data
For full details, refer to the SOC 2 Type II report (Section 3: System Description).
3.4 Security Incidents
Soteri shall notify Customer without undue delay upon becoming aware of a Security Incident. Notification shall include, to the extent available, the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the incident.
3.5 Data Subject Requests
Soteri shall assist Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, to the extent Soteri is able to do so given the nature of the Processing.
3.6 Deletion and Return of Data
Upon termination of the Agreement or upon Customer's written request, Soteri shall delete Personal Data in accordance with the retention periods described in Section 2.4 and the Data Management Policy, unless retention is required by applicable law.
4. Sub-processors
4.1 Authorized Sub-processors
Customer grants Soteri general authorization to engage Sub-processors. The following Sub-processor is currently used for the Services:

| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud hosting and infrastructure for the Services | United States |
4.2 Changes to Sub-processors
Soteri maintains a current list of Sub-processors in this DPA. The Customer is responsible for reviewing this list periodically. Customer may object to a new Sub-processor by notifying Soteri at hello@soteri.io within 30 days of being informed. If Soteri is unable to reasonably accommodate the objection, Customer may terminate the affected Services.
4.3 Sub-processor Obligations
Soteri imposes data protection obligations on each Sub-processor no less protective than those in this DPA. Soteri reviews Sub-processor compliance attestation reports at least annually, as described in the SOC 2 report (Section 3.5.1 and DC 7).
5. International Data Transfers
Personal Data is processed and stored in the United States. Soteri maintains a SOC 2 Type II attestation, which provides assurance that appropriate security controls are in place. Google Cloud Platform, Soteri's hosting Sub-processor, also maintains independent SOC 2 attestations and ISO 27001 certification.
6. Audits
Soteri shall make available to Customer, upon request, the SOC 2 Type II report and other information reasonably necessary to demonstrate compliance with this DPA. The SOC 2 report is available upon approval from the Soteri Trust Center. The parties agree that the SOC 2 report shall satisfy any audit rights granted to Customer under Data Protection Laws.
7. Compliance Certifications
Soteri holds the following attestations and certifications and participates in the following programs:
SOC 2 Type II — audited by Prescient Assurance LLC
Atlassian Cloud Fortified — meeting the highest Marketplace standards for security, reliability, and support
Atlassian Marketplace Security Bug Bounty Program participant
CAIQ Lite respondent
Current certifications and attestations are available at the Soteri Trust Center.
8. Liability
Liability under this DPA is subject to the limitations set forth in the Agreement (EULA, Section 15).
9. General
9.1 Governing Law
This DPA shall be governed by the laws of the State of California, consistent with Section 19(a) of Soteri’s EULA.
9.2 Contact
For data protection inquiries: hello@soteri.io
For security issues: security@soteri.io
9.3 Updates
Soteri may update this DPA from time to time. The current version will always be available on Soteri's public-facing documentation website.
9.4 Precedence
This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall control.
Reference Documents
| Document | Location |
|---|---|
| End User License Agreement (EULA) | |
| Privacy Policy | |
| SOC 2 Type II Report | Available upon approval from Soteri Trust Center |
| Secure Development Policy | |
| Data Management Policy | |
| Security for Jira — Marketplace Privacy & Security | |
| Security for Confluence — Marketplace Privacy & Security | |