Data Processing Agreement v1.0

Effective as of: September 1, 2023

This Data Processing Agreement (“Agreement”, “DPA”) forms part of the Contract for Services (“Principal Agreement”) between you (either an individual or a single legal entity and its affiliates using Bloompeak Services, the “Customer”) and Mehmet Aydogdu, a sole proprietorship with legal address at Mimar Sinan Mah. Yesil Kayalar Cad. No:11E B2-14 Cekmekoy/Istanbul Türkiye, operating under the registered trademark Bloompeak (hereinafter referred to as “Bloompeak”) (together, the “Parties”).

WHEREAS

(A) The Customer acts as a Data Controller.
(B) The Customer subcontracts Services, which imply the processing of personal data by Bloompeak.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1. “Customer Personal Data” means any data, including Personal Data, provided by Customer that are processed pursuant to or in connection with the Principal Agreement;
1.1.2. “Contracted Processor” or a “Sub-processor” means any person appointed by or on behalf of Bloompeak to process Personal Data on behalf of the Customer in connection with the Agreement;
1.1.3. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable or to the extent specified as applicable by the Principal Agreement, the data protection or privacy laws of another country;
1.1.4. “EEA” means the European Economic Area;
1.1.5. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.6. “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.7. “Data Transfer” means:
- transfer of Customer Personal Data from the Customer to Bloompeak; or
- an onward transfer of Customer Personal Data from Bloompeak to a Contracted Processor, in each case, where such transfer would be permitted by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.8. “Services” means using the Bloompeak website (bloompeak.io) or any Bloompeak Atlassian app sold through Bloompeak’s partners.

1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Customer Personal Data

2.1. Bloompeak shall:

2.1.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
2.1.2. process Customer Personal Data only for the purposes described in this Agreement and only in accordance with the Customer’s documented lawful instructions.

2.2. The Parties agree that this Agreement and the Principal Agreement set out the Customer’s complete and final instructions to Bloompeak in relation to the processing of Customer Personal Data, and processing outside the scope of these instructions (if any) shall require a prior written agreement between Customer and Bloompeak.

2.3. In the event Bloompeak processes Customer Personal Data outside of the scope of Services, Bloompeak becomes an independent personal data controller with respect to such personal data processing.

2.4. The Customer Personal Data processed using the Services for each Bloompeak Cloud product is set out per individual app listing, under the "Privacy & Security" tab in the Atlassian Marketplace.

3. Security

3.1. Bloompeak, to the extent required under the Agreement, will implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law (e.g., Art. 32 GDPR) to protect Customer Personal Data from Security Incidents and to preserve the security of Customer Personal Data appropriate to the risks related to its processing, and to avoid alteration, loss or unauthorized processing thereof or access thereto, taking into account the current state of technology, the nature of the stored data and the risks to which it is exposed, as well as the confidentiality of the Customer Personal Data.

3.2. Bloompeak’s current technical and organizational measures are described in Annex II (“Security Measures”).

3.3. Parties acknowledge that the Security Measures are subject to technical progress and development and that Bloompeak may unilaterally update or modify the Security Measures from time to time, provided that such updates and modifications upgrade and further develop the overall security of the Services. In the event such amendments to Security Measures take place, Bloompeak notifies the Customer about implemented changes without undue delay.

3.4. Bloompeak ensures that the persons authorized to process Customer Personal Data as described in this Agreement are bound by appropriate confidentiality requirements.

4. Sub-processing

4.1. Customer agrees that Bloompeak may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by Bloompeak and authorized by Customer are listed at Annex I.

4.2. Bloompeak shall:

4.2.1. enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and, in substance, to the same standard provided by this Agreement; and
4.2.2. remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under Data Protection Laws or this Agreement.

4.3. Bloompeak must:

4.3.1. make available an up-to-date list of the Sub-processors it has appointed upon written request from the Customer; and
4.3.2. notify Customer if it adds any new Sub-processors at least fourteen (14) days prior to allowing such Sub-processor to process Customer Personal Data. Customer may object in writing to Bloompeak’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the Parties will discuss such concerns in good faith with a view to achieving a resolution. If the Parties are not able to achieve a resolution, Customer, as its sole and exclusive remedy, may terminate the Agreement (including this DPA) for convenience.

5. Data Subject Rights

5.1. Taking into account the nature of the Processing, Bloompeak shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

5.2. Bloompeak shall:

5.2.1. promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
5.2.2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Bloompeak is subject, in which case Bloompeak shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before responding to the request.

5.3. If the requests of the Data Subject are manifestly unfounded or excessive or have a repetitive character, Bloompeak, as the Data Processor, shall have the right to request remuneration for performing the requests.

6. Personal Data Breach

6.1. Bloompeak shall notify Customer without undue delay, and in any case no later than 48 hours after Bloompeak becomes aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

6.2. Bloompeak shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7. Deletion or return of Customer Personal Data

7.1. Customer acknowledges that all Customer Personal Data can be deleted by Customer using the Services. If Customer deletes the data using Services, Bloompeak acknowledges that all copies of Customer Personal Data will be deleted within 10 (ten) business days.

7.2. If Customer does not delete Customer Personal Data before the cessation of any Services involving the Processing of Customer Personal Data, Bloompeak shall retain the data according to the retention period set out per individual app listing, under the "Privacy & Security" tab in the Atlassian Marketplace.

7.3. Upon request, Bloompeak shall provide written certification to Customer that it has fully complied with this section 7 within 10 business days of the cessation of any Services involving the Processing of Customer Personal Data.

8. Audit

8.1. Customer acknowledges that Bloompeak is regularly audited by independent third-party auditors and/or internal auditors, including as may be described from time to time in Annex II. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Bloompeak, Bloompeak shall:

8.1.1. supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer so that the Customer can verify Bloompeak’s compliance with the audit standards against which it has been assessed and this Agreement; and
8.1.2. provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm Bloompeak’s compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year.

8.2. Only to the extent Customer cannot reasonably satisfy Bloompeak’s compliance with this DPA through the exercise of its rights under Section 8.1 above, where required by Applicable Data Protection Law or the Standard Contractual Clauses, Customer and its authorized representatives may conduct audits (including inspections) during the term of the Agreement to establish Bloompeak’s compliance with the terms of this DPA, on the condition that Customer and its authorized representatives have entered into an applicable non-disclosure agreement with Bloompeak. Notwithstanding the foregoing, any audit (or inspection) must be conducted during Bloompeak’s regular business hours, with reasonable advance notice (which may not be less than 45 calendar days), and subject to reasonable confidentiality procedures. Such audit (or inspection) may not require Bloompeak to disclose to the Customer or its authorized representatives or to allow the Customer or its authorized representatives to access the following:

8.2.1. any data or information of any other Bloompeak customer (or such customer’s End Users);
8.2.2. any of Bloompeak’s internal accounting or financial information;
8.2.3. any of Bloompeak’s trade secrets;
8.2.4. any information that, in Bloompeak’s reasonable opinion, could: (1) compromise the security of Bloompeak systems or premises; or (2) cause Bloompeak to breach its obligations under Applicable Data Protection Law or its security, confidentiality and/or privacy obligations to any other Bloompeak customer or any third party; or
8.2.5. any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer’s obligations under the Applicable Data Protection Law and Bloompeak’s compliance with the terms of this Agreement.

8.3. An audit or inspection permitted in compliance with Section 8.2 will be limited to once per calendar year unless (1) Bloompeak has experienced a Security Incident within the prior twelve (12) months that has impacted Customer Personal Data; or (2) Customer is able to provide trustworthy allegations of Bloompeak’s material noncompliance with this Agreement. The Customer bears the costs and expenses of conducting an audit pursuant to Section 8.2.

9. Data Transfer

9.1. Bloompeak may not transfer or authorize the transfer of Customer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

10. Rights and obligations of the Customer

10.1. Customer warrants that as the Data Controller, it has fulfilled all of the obligations of the personal data controller referred to in the GDPR and applicable laws to ensure that Bloompeak, as the Data Processor, has the right to process the Customer Personal Data in accordance with the Agreement before the Customer Personal Data has become available to Bloompeak. This shall include but is not limited to ensuring the legal basis for the Customer Personal Data processing, the Customer Personal Data processing purpose limitation, informing the Customer Personal Data subjects on the processing of their Personal Data, complying with lawful retention terms of the Customer Personal Data and ensuring proper safeguards for the Customer Personal Data transfers.

10.2. Customer confirms that the Personal Data protection measures referred to in Annex II of the Agreement are sufficient to comply with this Agreement and the requirements of the GDPR, provided that Bloompeak, as the Data Processor, adopts those measures.

11. General Terms

11.1. Confidentiality. Each Party must keep the information it receives about the other Party and its business, including Customer Personal Data in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

11.1.1. disclosure is required by law;
11.1.2. the relevant information is already in the public domain.

11.2. Notices. All notices by Bloompeak shall be given by sending an email to the Customer’s technical contact or by publishing a message in the Latest News section. All notices by Customer shall be given by sending an email to Bloompeak’s support email address: support@bloompeak.io.

12. Term and termination of the Agreement

12.1. This Agreement is valid until the termination of the Agreement by the Parties or fulfillment of all obligations of the Parties under the Principal Agreement, including the period of data retention.

12.2. The Parties shall be entitled to terminate the Agreement unilaterally by notifying the other Party thereof at least 3 (three) calendar months in advance.

12.3. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions, or regulations regarding the application of the GDPR during the term of this Agreement, with the result that this Agreement does not meet the requirements for a data processing agreement, Bloompeak shall change this Agreement to meet the requirements.

12.4. If any provision of this Agreement is or becomes invalid or void, this shall not affect the effectiveness of the remaining provisions under the Agreement. In such cases, the Parties shall make all efforts to replace the invalid provision with a new one, reflecting the intention and content of the replaced provision. If such a remedy is not possible, the Parties agree on the addition of a new provision to the Agreement, which, to the extent possible, shall govern the same relations and/or issues.

13. Governing Law and Jurisdiction

13.1. This Agreement is governed by the laws of Türkiye.

13.2. Any dispute arising in connection with this Agreement which the Parties are not able to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Türkiye.

Annex I. List of Bloompeak Subprocessors

Processor: Amazon Web Services Inc, USA
Purpose: Cloud hosting
Entity country: USA
Website: aws.amazon.com
Privacy policy: aws.amazon.com/privacy

Annex II - Security Measures

This Annex describes Bloompeak’s security program, security certifications, and technical, organizational and administrative controls and measures to protect Customer Data from unauthorized access, destruction, use, modification or disclosure (the “Security Measures”). The Security Measures are in line with the commonly accepted standards of similarly situated software-as-a-service providers.

Compliance and Certifications

Bloompeak information security practices, policies, procedures, and operations meet the ISO27K standards for security.

Secure Personnel

Confidentiality or Non-Disclosure Agreements (NDAs) are signed by all employees and contractors who have a need to access sensitive or internal information. Security training and testing are regularly conducted for Bloompeak employees and contractors.

The Bloompeak support team accesses Customer Personal Data only for the purposes of application health monitoring, performing system or application maintenance, and, upon customer request, providing support. Only authorized Bloompeak employees have access to application data.

Secure Software Development

All software development projects follow secure development lifecycle principles. All development undergoes design review to ensure security requirements are incorporated within Software. All software development team members undergo regular secure development training. Software development is conducted in line with OWASP Top 10 recommendations for web application security.

Secure Testing

Bloompeak participates in bug bounty programs that continuously test our products for vulnerabilities. We perform static and dynamic application security testing of all code, including open-source libraries, as part of our software development process.

Cloud Security

Bloompeak Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture. Bloompeak Cloud is hosted on AWS (US-East-1 data center in N. Virginia, USA).

- Each incoming web request is authenticated and authorized before access to Customer data is allowed.
- All data is encrypted at rest and in transit to prevent unauthorized access and data breaches.
- Full backups of the Bloompeak application database are performed once per day and are retained for 20 days. All backup data is encrypted. Backups are stored in AWS.