Atlassian FastShift Data Processing Addendum
Effective starting: October 7, 2025
This FastShift Data Processing Addendum ("DPA") supplements the FastShift Terms, or other agreement in place between Customer and Atlassian covering Customer's use of the FastShift Support Services (the "Agreement"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Scope and Term.
1.1 Scope. This DPA governs Atlassian's Processing of Customer Personal Data for the FastShift Support Services provided under the Agreement.
1.2 Roles of the Parties. For the purposes of this DPA, the parties agree that:
(a) Customer is either a Controller, or a Processor of Customer Personal Data acting on another Controller's behalf while passing down relevant processing instructions to Atlassian. Processing details are stated in Schedule 1 (Description of Processing).
(b) Atlassian is a Processor (or respectively, a Sub-processor) of Customer Personal Data. Processing details are stated in Schedule 1 (Description of Processing).
1.3 Term of the DPA. The term of this DPA coincides with the term of the FastShift Support Services and terminates upon expiration or earlier termination of the FastShift Support Services.
1.4 Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence is: (1) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions); (2) the main body of this DPA; and (3) the Agreement.
2. Processing of Personal Data.
2.1 Customer Instructions.
(a) This DPA, the Agreement and Customer's use of the FastShift Support Services constitute Customer's documented instructions regarding Atlassian's Processing of Customer Personal Data ("Documented Instructions").
(b) Atlassian must Process Customer Personal Data in accordance with the Documented Instructions of Customer as further stated in Section 6.1 of Schedule 1 (Description of Processing). Customer:
(i) must ensure its Documented Instructions comply with Applicable Data Protection Law. Atlassian is not responsible for monitoring Customer's compliance with Applicable Data Protection Law; and
(ii) is responsible for determining whether the FastShift Support Services are appropriate for the Processing of Customer Personal Data under Applicable Data Protection Law.
2.2 Confidentiality. Atlassian must treat Customer Personal Data as Customer’s Confidential Information under the Agreement. Atlassian must ensure FastShift Personnel are bound by written or statutory obligations of confidentiality.
3. Security.
3.1 Security Measures. To the extent Atlassian Processes Customer Personal Data in Atlassian environments, Atlassian has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Personal Data and protect against Security Incidents, as described here (the “FastShift Security Measures”). Customer acknowledges that the FastShift Security Measures are subject to technical progress and development and that Atlassian may update or modify the FastShift Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the FastShift Support Services. To the extent Customer Personal Data is only made available to Atlassian within Customer's own environment, Atlassian will ensure that FastShift Personnel follow any security policies applicable to Customer's environment provided by Customer to Atlassian in writing from time to time.
3.2 Security Incidents. Atlassian must notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Atlassian must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Atlassian’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to Atlassian, Atlassian must assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Atlassian’s notification of a Security Incident is not an acknowledgment by Atlassian of its fault or liability.
4. Sub-processing.
Atlassian will not subcontract any processing of Customer Personal Data to a Sub-processor without Customer’s specific prior written authorization. By entering into this DPA, Customer authorizes Atlassian’s use of the Sub-processors listed here. Atlassian will submit any request for specific authorization of new Sub-processors to the email address that is listed as a technical contact on Customer’s account at least fourteen (14) days prior to the engagement of the Sub-processor. Atlassian must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; and (ii) remain liable to Customer if such Sub-processor fails to fulfil its data protection obligations with regard to the relevant Processing activities under the Agreement.
5. Assistance and Cooperation Obligations.
5.1 Data Subject Rights. Taking into account the nature of the Processing, Atlassian must provide reasonable and timely assistance to Customer to enable Customer to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Customer Personal Data.
5.2 Cooperation Obligations. Upon Customer’s reasonable request, and taking into account the nature of the Processing, Atlassian will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities).
5.3 Third Party Requests. Unless prohibited by Law, Atlassian will promptly notify Customer of any valid legal process or governmental request compelling Atlassian to disclose Customer Personal Data. Atlassian will follow its law enforcement guidelines in responding to such requests. In the event that Atlassian receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Atlassian will redirect such inquiries to Customer, and will not provide any information unless required to do so under Law.
6. Deletion of Customer Personal Data.
Following termination of the FastShift Support Services or upon earlier request by Customer, Atlassian will delete all Customer Personal Data from systems used to provide the FastShift Support Services in accordance with its standard deletion practices.
7. Audit.
Upon Customer’s reasonable request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Atlassian, Atlassian will supply a summary copy of relevant report(s) to Customer, so Customer can verify Atlassian’s compliance with this DPA.
8. International Provisions.
To the extent Atlassian Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
9. Definitions.
“Applicable Data Protection Law” means all Laws applicable to the Processing of Personal Data under the Agreement.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
"FastShift Customer Data" means any data, content or materials provided or made available to Atlassian by or at the direction of Customer in connection with the provision of the FastShift Support Services.
“Customer Personal Data” means any Personal Data contained in the FastShift Customer Data Processed in connection with the provision of the FastShift Support Services under the Agreement by Atlassian solely on behalf of Customer.
“Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
“Processing” (and “Process” and "Processed") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Atlassian and/or its Sub-processors, and for the purposes of this definition, “Processing” includes Personal Data and FastShift Customer Data.
“Sub-processor” means any third party (inc. Atlassian Affiliates) engaged by Atlassian to Process Customer Personal Data.
Schedule 1 Description of Processing
Categories of data subjects whose Personal Data is Processed: Customer and its Users.
Categories of Personal Data Processed: Customer Personal Data.
Sensitive data transferred: Subject to Section 1.3 (Out of Scope) of the FastShift Terms, Customer may provide Customer Personal Data to the FastShift Support Services which may include: (i) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) data relating to criminal convictions and offences, which is determined and controlled solely by Customer.
Frequency of the transfer: Continuous.
Nature of the Processing: Atlassian will Process Customer Personal Data in order to provide the FastShift Support Services in accordance with the Agreement, including this DPA.
Purpose(s) of the Processing: Atlassian will Process Customer Personal Data as a Processor in accordance with Customer’s Documented Instructions to:
6.1. provide the FastShift Support Services for Customer;
6.2. investigate Security Incidents, and resolve issues, bugs and errors;
6.3. comply with Atlassian's legal obligations.
Duration of Processing: Atlassian will Process Customer Personal Data for the term of the FastShift Support Services as outlined in Section 6 (Deletion and Return of Customer Personal Data).
Transfers to Sub-processors: Atlassian will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).
Schedule 2 – Region Specific Terms
Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this Schedule will have the meanings given to them in Section 4 of this Schedule.
Europe, United Kingdom and Switzerland.
1.1 Customer Instructions. In addition to Section 2.1 (Customer Instructions) of the DPA above, Atlassian will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of such Customer Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Law to which Atlassian is subject; in such a case, Atlassian shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Atlassian will promptly inform Customer if it becomes aware that Customer's Processing instructions infringe Applicable Data Protection Law.
1.2 European Transfers. Where Personal Data protected by the EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of Europe that is not subject to an adequacy decision, the following applies:
(a) The EU SCCs are hereby incorporated into this DPA by reference as follows:
(i) Customer is the “data exporter” and Atlassian is the “data importer”.
(ii) Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Atlassian is Processing Customer Personal Data as a Processor.
(iii) Module Three (Processor to Processor) applies where Customer is a Processor of Customer Personal Data and Atlassian is Processing Customer Personal Data as another Processor.
(iv) By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Agreement.
(b) For each Module, where applicable:
(i) In Clause 7, the optional docking clause does not apply.
(ii) In Clause 9, Option 1 applies, and the time period for prior notice of Sub-processor changes is stated in Section 4 (Sub-processing) of this DPA.
(iii) In Clause 11, the optional language does not apply.
(iv) In Clause 17, Option 1 applies, and the EU SCCs are governed by Irish law.
(v) In Clause 18(b), disputes will be resolved before the courts of Ireland.
(vi) The Appendix of EU SCCs is populated as follows:
The information required for Annex I(A) is located in the Agreement and/or relevant Orders.
The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.
The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law; and
The information required for Annex II is located in Section 3.1 (Security Measures) of this DPA.
1.3 Swiss Transfers. Where Personal Data protected by the Swiss Data Protection Law is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.2 (European Transfers) above with the following modifications:
(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to Swiss Data Protection Law, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of Swiss Data Protection Law; all references to EU Data Protection Law in this DPA will be interpreted as references to the Swiss Data Protection Law.
(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
(c) In Clause 17, the EU SCCs are governed by the laws of Switzerland.
(d) In Clause 18(b), disputes will be resolved before the courts of Switzerland.
(e) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
1.4 United Kingdom Transfers. Where Personal Data protected by UK Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:
(a) The EU SCCs apply as set forth in Section 1.2 (European Transfers) above with the following modifications:
(i) Each party shall be deemed to have signed the UK Addendum.
(ii) For Table 1 of the UK Addendum, the parties’ key contact information is located in the Agreement and/or relevant Orders.
(iii) For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.2 (European Transfers) of this Schedule.
(iv) For Table 3 of the UK Addendum:
The information required for Annex 1A is located in the Agreement and/or relevant Orders.
The information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA.
The information required for Annex II is located in Section 3.1 (Security Measures) of this DPA.
The information required for Annex III is located in Section 4 (Sub-processing) of this DPA.
In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum.
1.5 Data Privacy Framework. Atlassian participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, Atlassian (i) provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) will notify Customer if Atlassian makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
2. United States of America. The following terms apply where Atlassian Processes Personal Data subject to the US State Privacy Laws:
2.1 To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that Atlassian Processes as a Service Provider or Processor, on behalf of Customer, Atlassian will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer's Documented Instructions, as necessary for the limited and specified purposes identified in Section 6 of Schedule 1 (Description of Processing). Atlassian will not:
(a) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Order, or as otherwise permitted under US State Privacy Laws;
(b) "sell" or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
(c) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws.
2.2 Atlassian must inform Customer if it determines that it can no longer meet its obligations under US State Privacy Laws.
2.3 Customer may take reasonable and appropriate steps to stop and remediate any unauthorized Processing of Customer Personal Data.
2.4 To the extent Customer discloses or otherwise makes available Deidentified Data to Atlassian or to the extent Atlassian creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Service Provider, Atlassian will:
(a) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
(b) publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that Atlassian may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and
(c) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.4 (including imposing this requirement on any further Recipients).
3. South Korea
3.1 Customer agrees that it has provided notice and obtained all consents necessary under South Korea Privacy Law for Atlassian to Process Personal Data pursuant to the Agreement, including this DPA.
3.2 To the extent Customer discloses or otherwise makes available Deidentified Data to Atlassian, Atlassian will:
(a) maintain and use such Deidentified Data in a de-identified form and not attempt to re-identify the Deidentified Data; and
(b) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 3.2 (including imposing this requirement on any further Recipients).
4. Definitions.
4.1 “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
4.2 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.
4.3 “Europe” includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.
4.4 "EU Data Protection Law" means (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time.
4.5 "EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.
4.6 “Service Provider” has the same meaning as given in the CCPA.
4.7 "South Korea Privacy Law" means the South Korean Personal Information Protection Act and its Enforcement Decrees.
4.8 "Swiss Data Protection Law" means the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time.
4.9 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time.
4.10 "UK Data Protection Law" means the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time.
4.11 "US State Privacy Laws" means all state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”).