Data Processing Agreement

Effective Date: April 5, 2026
Last Updated: April 5, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Yamuno Software ("Yamuno", "we", "us") and the customer entity that has accepted Yamuno's Terms of Service ("Customer", "you"). This DPA applies to Yamuno's processing of personal data on behalf of the Customer in connection with the Yamuno apps available on the Atlassian Marketplace.

To request a countersigned copy of this DPA, email [email protected] with subject line "DPA Request".


1. Definitions

  • "Controller" means the Customer, who determines the purposes and means of processing personal data.
  • "Processor" means Yamuno, acting on the Customer's instructions.
  • "Personal Data" has the meaning given in applicable data protection laws, including GDPR.
  • "Processing" means any operation performed on personal data.
  • "Services" means the Yamuno apps accessed via the Atlassian Marketplace.
  • "Atlassian Platform" means the Atlassian Forge infrastructure on which all Yamuno apps run.

2. Scope and Role of the Parties

2.1 The Customer is the Controller of any personal data processed in connection with the Services.

2.2 Yamuno acts as a Processor, processing personal data only on the documented instructions of the Customer and solely to the extent necessary to deliver the Services.

2.3 Importantly: Yamuno's apps are built exclusively on the Atlassian Forge platform. All app execution, data storage, and processing occur within Atlassian's infrastructure. Yamuno does not operate external servers, databases, or storage. As a result, Yamuno's role as a data processor is highly limited — substantially all data processing responsibilities are governed by the Customer's existing agreement with Atlassian.


3. Nature and Purpose of Processing

Purpose: Delivery of Yamuno's Atlassian Marketplace apps, including but not limited to:

  • Markdown Importer & Exporter for Confluence
  • Markdown Renderer for Confluence
  • LaTeX Math for Confluence
  • Advanced Attachment Manager for Confluence
  • Charts - Reports and Graphs for Jira Dashboard
  • HTML Macro for Confluence
  • PDF Exporter for Confluence

Nature: Processing occurs entirely within the Atlassian Forge sandbox. Yamuno does not access, copy, or transmit Customer data to external systems.

Duration: Processing continues for the duration of the Customer's use of the Services and ceases upon termination or uninstall of the relevant app.


4. Types of Personal Data Processed

The following categories of personal data may be processed incidentally as part of app functionality:

Category | Example | How Used
Atlassian user identifiers | Account ID, display name | Displaying ownership of imported pages or attachments
Usage metadata | Timestamps of macro creation | Shown in admin usage analytics dashboards
Content metadata | Page titles, attachment filenames | Required to perform import, export, or attachment operations

Yamuno does not process: financial data, health data, government IDs, biometric data, or sensitive personal data of any kind.


5. Data Subjects

Personal data processed under this DPA relates to:

  • The Customer's Confluence or Jira users who interact with Yamuno apps
  • The Customer's Confluence or Jira administrators who configure Yamuno apps

6. Yamuno's Obligations as Processor

Yamuno commits to:

6.1 Process only on instructions. Process personal data solely in accordance with the Customer's documented instructions, unless required to do so by applicable law.

6.2 Confidentiality. Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.

6.3 Security. Implement appropriate technical and organizational measures to protect personal data. See our Security Policy for details.

6.4 Sub-processors. Engage sub-processors only as described in Section 8 of this DPA, and impose equivalent data protection obligations on them.

6.5 Data subject rights. Assist the Customer in fulfilling data subject requests (access, rectification, erasure, portability) to the extent technically feasible given the Forge platform constraints.

6.6 Breach notification. Notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting Customer data.

6.7 Deletion. Upon termination of Services, personal data processed by Yamuno (if any exists outside Atlassian's infrastructure) will be deleted within 60 days, unless longer retention is required by law.

6.8 Audits. Upon reasonable written request, provide information necessary to demonstrate compliance with this DPA.


7. Customer's Obligations as Controller

The Customer is responsible for:

7.1 Ensuring it has a lawful basis for processing personal data under applicable law.

7.2 Providing any required notices to and obtaining any required consents from data subjects.

7.3 Ensuring that instructions given to Yamuno are lawful.

7.4 Complying with its own obligations under applicable data protection law, including GDPR.


8. Sub-Processors

Given the Forge-native architecture of Yamuno's apps, the primary sub-processor is Atlassian:

Sub-Processor | Purpose | Location | Privacy Policy
Atlassian Pty Ltd | App execution, data storage, and all runtime processing via Atlassian Forge | Global (per your Atlassian data residency settings) | atlassian.com/legal/privacy-policy
Google LLC (Google Analytics) | Anonymized website analytics (yamuno.com only — not inside apps) | United States | policies.google.com/privacy

Yamuno will notify the Customer of any intended changes to sub-processors by updating this DPA and, where material, by direct email notification. The Customer has the right to object to new sub-processors within 14 days of notification.


9. International Data Transfers

9.1 Yamuno's apps run on Atlassian Forge. Data residency follows the Customer's Atlassian Cloud instance configuration.

9.2 Where Yamuno transfers personal data outside the EEA, UK, or Switzerland, it does so on the basis of:

  • Atlassian's Standard Contractual Clauses (SCCs) under the Customer's Atlassian agreement, or
  • The EU-U.S. Data Privacy Framework where applicable.

9.3 For yamuno.com analytics data processed by Google, Yamuno relies on Google's SCCs.


10. Security Measures

Yamuno implements the following technical and organizational measures:

Technical:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256 (managed by Atlassian Forge)
  • Yamuno apps operate within Atlassian's Forge sandbox with least-privilege permissions
  • No external databases or servers are used

Organizational:

  • Mandatory peer code review for all production changes
  • Automated dependency scanning for known CVEs
  • Periodic internal security reviews and penetration testing
  • Incident response process with 72-hour breach notification

Full details are available in our Security Policy.


11. Data Protection Impact Assessments

Yamuno will provide reasonable assistance to the Customer where a Data Protection Impact Assessment (DPIA) is required under Article 35 GDPR. Given the Forge-native architecture, the privacy risk profile of Yamuno apps is low — no data leaves Atlassian's infrastructure.


12. Term and Termination

12.1 This DPA is effective for the duration of the Customer's use of the Services.

12.2 Upon termination, Yamuno will delete or return any personal data it holds, within 60 days, unless required by law to retain it longer.


13. Governing Law

This DPA is governed by the laws of the State of California, United States, consistent with Yamuno's Terms of Service.


14. Contact and Countersigning

To execute a countersigned version of this DPA for your records, email:

[email protected]
Subject: DPA Request — [Your Company Name]

We will respond within 2 business days.


Yamuno Software · 75 E 3rd St Ste 7, Sheridan, WY 82801, United States
Last Updated: April 5, 2026