Technical and organisational measures

Version: November 2025

The Provider is obliged to comply with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR), and shall ensure that Order Data is not disclosed or exposed to unauthorised third parties. All documents and data are secured against unauthorised access, taking into account the current state of the art.

Within its area of responsibility, the Provider shall design its internal organisation in such a way that it meets the special requirements of data protection and information security. The Provider shall take all technical and organisational measures necessary for appropriate protection of the Order Data in accordance with Article 32 GDPR, including at least the measures described in Annex 1.

The technical and organisational measures are subject to continuous improvement and technical progress. The Provider may implement alternative, equivalent measures, provided that the overall level of data protection is not reduced.

The Provider develops and distributes software applications for the Atlassian Forge and Microsoft Azure Managed Applications platforms.
These applications are deployed within the respective customer’s Atlassian or Azure tenant environment. The Provider does not maintain or operate independent data-processing infrastructure outside these platforms.

As such, personal data processed through the apps remains primarily under the control of the customer and is handled within the security, compliance, and data protection frameworks of Atlassian and Microsoft.

The Provider ensures that its applications are designed and maintained in compliance with:

• GDPR Article 25 (“data protection by design and by default”), and

• GDPR Article 32 (“security of processing”).

The Provider reviews and updates these measures periodically to reflect the current state of technology and best practices.

Physical and digital access to systems and facilities where personal or confidential data may be processed is restricted to authorised persons only.
Measures include:

• Controlled access to office premises via keycard or physical key management

• Visitor access permitted only under supervision

• Secure workstation policy (automatic screen lock, device encryption)

• Laptops protected by full-disk encryption and password/PIN access

• Office locked outside working hours

(Note: The Provider’s office serves primarily as a development workspace; no customer data or production systems are hosted on-site.)

• Access to development and management systems is restricted to authorised team members.

• Authentication via Microsoft Entra ID (Azure AD) with MFA.

• Code repositories managed in Bitbucket with role-based permissions.

• Secrets (API keys, tokens) managed securely using Bitwarden and Azure Key Vault.

• No direct access to customer production environments or data.

• Each team member uses individual accounts — no shared credentials.

• Access to development systems reviewed at least annually.

• Forge and Azure environments enforce RBAC and MFA by default.

• All network communication uses TLS (HTTPS).

• Customer data, if ever processed, is limited to what is necessary for the app’s functionality.

• Each customer’s app runs within their own Atlassian/Azure tenant, ensuring complete logical separation.

• No shared databases or storage exist across customers.

• Separate Forge environments for development, staging, and production.

• Personal data (if any) is pseudonymised or minimised where possible.

• Apps store only non-identifying technical data unless customer consent is obtained (e.g. configuration).

• UUIDs or hashed identifiers used for internal references instead of direct user IDs.

• All data transmitted between the app and Atlassian/Azure APIs is encrypted via HTTPS/TLS 1.2+.

• No unencrypted storage or transmission of data occurs.

• Changes to application code are reviewed via pull requests and approval workflows in Bitbucket.

• Strict change management via Git workflows and CI/CD pipelines.

• Code reviews required before deployment to Forge or Azure environments.

• Logging and version control maintained for all releases.

• Customer data is never manually altered or manipulated.

• High availability and redundancy provided by Atlassian and Microsoft infrastructures.

• No dependency on Provider-operated physical infrastructure.

• Incident notifications are monitored via platform dashboards (Forge and Azure).

• Data recovery and backups are handled natively by the respective platforms.

• The Provider maintains source code and configuration backups (Bitbucket + cloud storage).

• Restore testing performed regularly as part of CI/CD workflows.

• Dependency management and vulnerability scanning integrated into build pipelines.

• Continuous patching of libraries and dependencies.

• Secure development lifecycle aligned with OWASP and CWE recommendations.

• Annual review of security measures and risk assessments.

• Internal audits of access control and development procedures.

• All developers receive annual GDPR and secure coding training.

• External platforms’ (Atlassian, Microsoft) compliance certificates (ISO 27001, SOC 2, etc.) are reviewed and referenced.

• Confidentiality agreements for all personnel.

• Clear onboarding/offboarding processes with immediate access revocation.

• Documentation of sub-processors (Atlassian, Microsoft, Bitwarden).

• Secure handling of credentials and API keys.

• Security incident response plan consistent with GDPR Articles 33–34.

• Apps process only the minimum data required for functionality.

• No personal data is stored persistently outside customer environments.

• The Provider publishes detailed Data Protection and Privacy Notices for each app, specifying data categories and retention periods.