Data Processing Addendum
Effective Date:
This Data Processing Addendum ("DPA") forms part of the End User License Agreement (the "Agreement" or "EULA") between Soteri LLC ("Processor", "Soteri", "we", "us") and the customer entity identified ("Controller", "Customer", "you"). This DPA applies to the extent that Soteri processes Personal Data on behalf of Customer in providing the following products (the "Services"):
Security for Confluence PII & Secret Scanner - Confluence Cloud edition
Security for Jira PII & Secret Scanner - Jira Cloud edition
Terms not defined in this DPA have the meaning given to them in the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that Soteri processes on behalf of Customer in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, use, storage, transmission, and deletion.
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable privacy legislation.
"Sub-processor" means a third party engaged by Soteri to process Personal Data on behalf of Customer.
"Security Incident" means a confirmed unauthorized access to, or unauthorized disclosure of, Customer Personal Data.
2. Scope and Purpose of Processing
2.1 Nature of Processing
The Services scan content within Customer's Atlassian Cloud instance for passwords, API keys, PII, and other secrets. Content is processed (scanned) but not stored by Soteri. Soteri stores only metadata related to findings — specifically, the location of a detected secret, the type of secret, and when it was introduced or remediated.
2.2 Categories of Personal Data
As disclosed on the Atlassian Marketplace Privacy & Security tab for each app, the following types of End-User Data may be processed and stored:
Content metadata (e.g., Issue IDs, Content IDs)
User IDs (pseudonymous user identifiers; no direct identifiers such as names or email addresses)
Base URL (Account data)
Application-specific configuration (e.g., scanning rule configuration)
Content scanned by the Services is processed but not stored.
2.3 Categories of Data Subjects
Users of Customer's Atlassian Cloud instance (Confluence and/or Jira)
2.4 Duration of Processing
Processing continues for the term of the Agreement. Upon termination or uninstallation, stored End-User Data (metadata) is retained for a minimum of 35 days and a maximum of 90 days post-uninstall, after which it is deleted.
3. Obligations of Soteri as Processor
3.1 Instructions
Soteri shall process Personal Data only in accordance with Customer's documented instructions as set out in this DPA and the Agreement, unless required to do so by applicable law. If Soteri becomes aware that an instruction infringes Data Protection Laws, it shall promptly notify Customer.
3.2 Confidentiality
Soteri ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Soteri requires employees to sign confidentiality agreements during onboarding, as described in Section 5.1 of the SOC 2 report.
3.3 Security Measures
Soteri implements appropriate technical and organizational measures to protect Personal Data. These measures are described in Soteri's SOC 2 Type II report, available upon approval from the Soteri Trust Center. Key measures include:
Encryption of data at rest and in transit
Role-based access controls with least-privilege principles
Multi-factor authentication for production systems
Regular vulnerability scanning
Formal incident response procedures
Full-disk encryption on all employee devices, enforced via mobile device management (MDM)
Network segmentation to prevent unauthorized access to customer data
For full details, refer to the SOC 2 Type II report (Section 3: System Description).
3.4 Security Incidents
Soteri shall notify Customer without undue delay upon becoming aware of a Security Incident. Notification shall include, to the extent available, the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the incident.
3.5 Data Subject Requests
Soteri shall assist Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, to the extent Soteri is able to do so given the nature of the Processing.
3.6 Deletion and Return of Data
Upon termination of the Agreement or upon Customer's written request, Soteri shall delete Personal Data in accordance with the retention periods described in Section 2.4 and the Data Management Policy, unless retention is required by applicable law.
4. Sub-processors
4.1 Authorized Sub-processors
Customer grants Soteri general authorization to engage Sub-processors. A current list of Sub-processors engaged by Soteri in providing the Services, including their function and location, is maintained at Soteri's Cloud App Data Sub-processors. That list is incorporated by reference into this DPA.
4.2 Changes to Sub-processors
Soteri will provide notice of material changes to its Sub-processors through the Soteri Trust Center. Customers are encouraged to subscribe to Trust Center updates to receive such notifications. Customer may object to a new Sub-processor by notifying Soteri at hello@soteri.io within 30 days of being informed of the change. If Soteri is unable to reasonably accommodate the objection, Customer may terminate the affected Services.
4.3 Sub-processor Obligations
Soteri imposes data protection obligations on each Sub-processor no less protective than those in this DPA. Soteri reviews Sub-processor compliance attestation reports at least annually, as described in the SOC 2 report (Section 3.5.1 and DC 7).
5. International Data Transfers
Personal Data is processed and stored in the United States. For transfers of Personal Data from the European Economic Area, the United Kingdom, and Switzerland to the United States, Soteri relies on its certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as administered by the U.S. Department of Commerce. Soteri has certified that it adheres to the DPF Principles with respect to Personal Data received from the EU, UK, and Switzerland. For more information, see Soteri's Privacy Policy and the DPF program website at www.dataprivacyframework.gov.
Soteri additionally maintains a SOC 2 Type II attestation, which provides independent assurance that appropriate security controls are in place and operating effectively. Google Cloud Platform, Soteri's hosting Sub-processor, also maintains its own independent SOC 2 reports and ISO 27001 certification.
6. Audits
Soteri shall make available to Customer, upon request, the SOC 2 Type II report and other information reasonably necessary to demonstrate compliance with this DPA. The SOC 2 report is available upon approval from the Soteri Trust Center. The parties agree that the SOC 2 report shall satisfy any audit rights granted to Customer under Data Protection Laws.
7. Compliance Certifications
Soteri holds the following certifications and attestations and participates in the following programs:
SOC 2 Type II — annual attestation by an independent auditor
EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework — self-certified with the U.S. Department of Commerce (www.dataprivacyframework.gov)
Atlassian Cloud Fortified — meeting the highest Marketplace standards for security, reliability, and support
Atlassian Marketplace Security Bug Bounty Program participant
CAIQ Lite respondent
Current certifications and attestations are available at the Soteri Trust Center.
8. Liability
Liability under this DPA is subject to the limitations set forth in the Agreement (EULA, Section 15).
9. General
9.1 Governing Law
This DPA shall be governed by the laws of the State of California, consistent with Section 19(a) of Soteri's EULA.
9.2 Contact
For data protection inquiries: hello@soteri.io
For security issues: security@soteri.io
9.3 Updates
Soteri may update this DPA from time to time. The current version will always be available on Soteri's public-facing documentation website.
9.4 Precedence
This DPA is incorporated into and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall control.
Reference Documents
| Document | Location |
|---|---|
| End User License Agreement (EULA) | |
| Privacy Policy | |
| Sub-processor List | |
| SOC 2 Type II Report | Available upon approval from Soteri Trust Center |
| Data Privacy Framework Participation List | |
| Secure Development Policy | |
| Data Management Policy | |
| Security for Jira — Marketplace Privacy & Security | |
| Security for Confluence — Marketplace Privacy & Security | |