Data Processing Agreement (DPA)
Effective Date: January 5, 2026
PREAMBLE
This Data Processing Agreement ("DPA") forms an integral part of the GitScrum Terms and Conditions ("Main Agreement") between GitScrum ("Processor," "we," "us," "our") and the customer subscribing to GitScrum services ("Controller," "you," "your," "Customer").
This DPA governs the processing of Personal Data by GitScrum as a Processor on behalf of the Controller in accordance with the European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR"), applicable national data protection laws, and other relevant data protection regulations.
By accepting the Main Agreement or using GitScrum's services, you agree to the terms of this DPA.
This DPA takes precedence over any conflicting provisions in the Main Agreement regarding data processing activities covered by GDPR.
1. DEFINITIONS
For the purposes of this DPA, the following terms have the meanings set forth below:
- 1.1 "Controller" means the entity that determines the purposes and means of processing Personal Data. In the context of GitScrum services, the Controller is the Customer who subscribes to and uses GitScrum to manage projects, tasks, and team collaboration, and who enters or causes to be entered Personal Data about their employees, contractors, clients, or other individuals.
- 1.2 "Processor" means GitScrum, the entity that processes Personal Data on behalf of the Controller in accordance with the Controller's documented instructions and this DPA.
- 1.3 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by GitScrum as a Processor on behalf of the Controller. This includes, but is not limited to, names, email addresses, job titles, contact information, project data, task assignments, comments, and any other data entered by the Controller or its Authorized Users into the GitScrum platform.
- 1.4 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- 1.5 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including but not limited to the Controller's employees, contractors, clients, customers, or other individuals whose Personal Data is processed through the GitScrum platform.
- 1.6 "Subprocessor" means any third-party service provider engaged by GitScrum to process Personal Data on behalf of the Controller in connection with the provision of GitScrum services.
- 1.7 "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to GDPR Article 51 to monitor and enforce GDPR compliance.
- 1.8 "Data Breach" or "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- 1.9 "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- 1.10 "Authorized User" means any individual authorized by the Controller to access and use the GitScrum platform under the Controller's account.
- 1.11 "Services" means the GitScrum project management and collaboration platform, including web application, mobile applications, APIs, and all related services provided by GitScrum to the Controller.
2. SCOPE AND APPLICABILITY
2.1 Scope of Processing
This DPA applies to all processing of Personal Data by GitScrum as a Processor on behalf of the Controller in connection with the provision of the Services, including but not limited to:
- Storage and management of Personal Data uploaded by the Controller or its Authorized Users
- Processing necessary to provide platform functionality (user management, project tracking, collaboration tools)
- Data backup and disaster recovery operations
- Technical support and troubleshooting
- Security monitoring and incident response
2.2 Controller-Processor Relationship
The parties acknowledge and agree that:
- Controller determines the purposes and means of processing Personal Data through the GitScrum platform
- Processor (GitScrum) processes Personal Data only on behalf of and according to the documented instructions of the Controller
- Controller is responsible for ensuring that its use of the Services and instructions to GitScrum comply with all applicable data protection laws
- Controller is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquires Personal Data
2.3 Applicability
This DPA is automatically incorporated into and forms part of the Main Agreement when the Controller processes Personal Data through the Services. No separate signature or execution is required.
3. DETAILS OF PROCESSING
3.1 Subject Matter and Duration
Subject Matter: Provision of cloud-based project management and team collaboration services as described in the Main Agreement.
Duration: The duration of processing is from the Effective Date of the Main Agreement until termination or expiration of the Main Agreement, plus any additional period necessary to fulfill post-termination obligations under this DPA (the 30-day data retrieval window and the deletion timelines set out in Section 10).
3.2 Nature and Purpose of Processing
Nature of Processing: GitScrum processes Personal Data by providing cloud-based software services including storage, organization, retrieval, transmission, and display of data through the GitScrum platform.
Purpose of Processing: The sole purpose of processing is to provide the Services to the Controller as described in the Main Agreement, including:
- User authentication and access management
- Project and task management functionality
- Team collaboration and communication features
- Data storage, backup, and retrieval
- Platform analytics and performance optimization
- Technical support and troubleshooting
- Security monitoring and incident response
GitScrum shall not process Personal Data for any other purpose unless specifically instructed by the Controller in writing or required by applicable law.
3.3 Types of Personal Data
The types of Personal Data processed may include, but are not limited to:
- Identity Data: First name, last name, username, title, job position
- Contact Data: Email address, telephone number, business address
- Account Data: Account ID, password (encrypted), login credentials, user preferences
- Usage Data: IP address, browser type, device identifiers, access logs, activity timestamps
- Content Data: Project data, task descriptions, comments, file uploads, documents, communications within the platform
- Team Data: Organizational structure, team memberships, role assignments, permissions
- Performance Data: Task completion data, project timelines, productivity metrics (if enabled by Controller)
Note: The Controller determines which types of Personal Data are processed. GitScrum does not control or determine the specific Personal Data uploaded by the Controller.
3.4 Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be processed include:
- Employees and personnel of the Controller
- Contractors, consultants, and temporary workers engaged by the Controller
- Clients, customers, and business partners of the Controller (if their data is entered by the Controller)
- Authorized Users of the Controller's GitScrum account
- Any other individuals whose Personal Data is uploaded by the Controller or its Authorized Users
4. CONTROLLER'S INSTRUCTIONS AND OBLIGATIONS
4.1 Processing Instructions
GitScrum shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case GitScrum shall inform the Controller of such legal requirement before processing, unless prohibited by law).
Documented Instructions: The Controller's instructions for processing Personal Data are documented in and limited to:
- This DPA and the Main Agreement
- The Controller's use of the Services through the GitScrum platform (including configuration settings, user permissions, and feature usage)
- Additional written instructions provided by the Controller to GitScrum via email to legal[at]gitscrum.com or through the designated support channels, provided such instructions are consistent with the terms of this DPA and the Main Agreement
Out-of-Scope Instructions: If GitScrum believes that any instruction from the Controller violates GDPR or other applicable data protection laws, GitScrum will promptly inform the Controller and may suspend execution of the instruction until the Controller confirms or modifies the instruction.
4.2 Controller's Responsibilities
The Controller represents, warrants, and undertakes that:
- It has all necessary rights, consents, and legal bases to process and disclose Personal Data to GitScrum for processing in accordance with this DPA
- It has provided all necessary privacy notices to Data Subjects and obtained all required consents under applicable data protection laws
- Its instructions to GitScrum comply with all applicable data protection laws, including GDPR
- It will not request GitScrum to process Personal Data in a manner that would cause GitScrum to violate applicable laws
- It is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquires Personal Data
- It will maintain appropriate technical and organizational measures on its own systems and devices used to access the Services
4.3 Controller's Instruction to Delete Data
The Controller may instruct GitScrum to delete specific Personal Data at any time during the term of the Main Agreement by using the deletion functionality within the GitScrum platform or by contacting GitScrum support.
5. PROCESSOR'S OBLIGATIONS
5.1 Compliance with Instructions
GitScrum shall:
- Process Personal Data only in accordance with the Controller's documented instructions as set forth in Section 4.1
- Immediately inform the Controller if, in GitScrum's opinion, an instruction infringes GDPR or other applicable data protection laws
- Not transfer, disclose, or otherwise process Personal Data for purposes other than those specified in this DPA without the Controller's prior written consent, except as required by applicable law
5.2 Confidentiality
GitScrum shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
All GitScrum employees, contractors, and agents with access to Personal Data:
- Are bound by written confidentiality agreements
- Receive regular training on data protection principles and GDPR requirements
- Process Personal Data only as necessary to perform their job functions
- Are subject to disciplinary action for unauthorized disclosure or misuse of Personal Data
5.3 Security Measures
GitScrum implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
Technical and Organizational Measures include:
A. Encryption:
- Data in transit: TLS 1.2 or higher encryption for all data transmitted over public networks
- Data at rest: AES-256 encryption for all Personal Data stored on GitScrum servers
- Encryption key management: Keys stored in dedicated key management systems or Hardware Security Modules (HSMs) with regular rotation
B. Access Controls:
- Role-based access control (RBAC) limiting access to Personal Data based on job function
- Multi-factor authentication (MFA) for administrative access to production systems
- Principle of least privilege enforced for all personnel
- Regular access reviews and immediate revocation upon termination of employment
C. Network Security:
- Firewall protection and intrusion detection/prevention systems (IDS/IPS)
- Network segmentation isolating production environments
- DDoS mitigation and rate limiting
- Regular vulnerability scanning and penetration testing
D. Data Protection:
- Pseudonymization and anonymization where feasible and appropriate
- Data backup and disaster recovery procedures with encrypted backups stored in geographically distributed locations
- Secure data disposal procedures using industry-standard deletion methods
E. Incident Response:
- 24/7 security monitoring using Security Information and Event Management (SIEM) systems
- Documented incident response plan with defined roles and escalation procedures
- Regular incident response drills and tabletop exercises
F. Personnel Security:
- Background checks for personnel with access to Personal Data (where legally permitted)
- Mandatory security awareness training upon hire and annually thereafter
- Confidentiality agreements for all personnel
G. Physical Security:
- Data centers operated by certified third-party infrastructure providers
- Physical access controls including biometric authentication, 24/7 surveillance, and security personnel
- Environmental controls for fire suppression, power redundancy, and climate control
H. Application Security:
- Secure software development lifecycle (SDLC) practices
- Regular code reviews and static/dynamic application security testing (SAST/DAST)
- Input validation, output encoding, and protection against OWASP Top 10 vulnerabilities
- Dependency scanning and vulnerability management
I. Business Continuity:
- Documented business continuity and disaster recovery plans
- Regular backups with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Redundant infrastructure across multiple availability zones/regions
J. Audit and Compliance:
- Regular internal security audits and third-party penetration testing
- Comprehensive logging of access to Personal Data and security-relevant events
- Log retention for security investigation and compliance purposes
Detailed Security Documentation: For more comprehensive information about GitScrum's security practices, please refer to our Security Policy.
Updates to Security Measures: GitScrum may update or modify security measures from time to time, provided that such updates do not result in a material degradation of the overall security posture.
6. SUBPROCESSORS
6.1 General Authorization
The Controller provides general written authorization for GitScrum to engage Subprocessors to process Personal Data on behalf of the Controller, subject to the conditions set forth in this Section 6.
6.2 Current Subprocessors
GitScrum currently engages the following Subprocessors:
| Subprocessor | Service Provided | Data Location | Purpose |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | Global (multiple regions: US-East, EU-Frankfurt, EU-Ireland, São Paulo, etc.) | Platform hosting, data storage, compute resources, database services |
| Amazon Simple Email Service (AWS SES) | Transactional email delivery | Global (operates in multiple AWS regions) | Sending platform notifications, alerts, password resets, system emails |
| Stripe, Inc. | Payment processing | United States and Ireland (EU-U.S. Data Privacy Framework certified) | Processing subscription payments, billing management, payment gateway services |
| Google LLC | Analytics and advertising services | United States (with IP anonymization enabled for GDPR compliance) | Platform usage analytics, user behavior tracking, marketing optimization |
| Meta Platforms, Inc. (Facebook) | Analytics and advertising tracking | United States | Marketing analytics, advertising conversion tracking, audience insights |
| GitScrum (Internal) | Customer support platform | Same infrastructure as main platform (AWS Global) | Technical support ticket management, user assistance, help desk |
6.3 Subprocessor Obligations
GitScrum shall:
- Impose data protection obligations on Subprocessors that are substantially equivalent to those set out in this DPA, particularly requiring Subprocessors to implement appropriate technical and organizational security measures
- Enter into written agreements with each Subprocessor that include terms substantially similar to those in this DPA (including confidentiality, security, data breach notification, and data deletion obligations)
- Ensure that Subprocessors process Personal Data only in accordance with the Controller's instructions as documented in this DPA
- Remain fully liable to the Controller for the performance of any Subprocessor's obligations, as if GitScrum were performing the services directly
6.4 New Subprocessors - Notification and Objection
Notification: GitScrum will provide the Controller with at least 30 days' prior written notice before adding any new Subprocessor or replacing an existing Subprocessor.
Notification Method: Notice will be provided via:
- Email to the Controller's registered account email address
- Update to the public Subprocessor List at gitscrum.com/legal/subprocessors with date of update
- In-platform notification (if applicable)
Objection Rights: If the Controller has legitimate grounds related to data protection for objecting to GitScrum's appointment of a new Subprocessor, the Controller must notify GitScrum in writing within 30 days of receiving notice, clearly stating the grounds for objection.
Resolution Process:
- GitScrum will use reasonable efforts to address the Controller's concerns or provide an alternative solution (e.g., not using the Subprocessor for the Controller's data, migrating to a different Subprocessor)
- If GitScrum cannot provide a reasonable alternative within 60 days and the Controller maintains a legitimate objection, the Controller may terminate the affected portion of the Services (or the entire Main Agreement if the Subprocessor is essential to the Services) without penalty or fees for the remainder of the prepaid term
No Objection: If the Controller does not object within 30 days of notice, the Controller is deemed to have accepted the new Subprocessor.
6.5 Subprocessor Audits
Upon the Controller's written request (no more than once per year, unless required by a Supervisory Authority or applicable law), GitScrum will provide:
- Copies of standard subprocessing agreements (with commercially sensitive information redacted)
- Evidence of Subprocessor security certifications (e.g., ISO 27001, SOC 2 Type II)
- Summary of due diligence conducted on Subprocessors
7. DATA SUBJECT RIGHTS
7.1 Assistance with Data Subject Requests
Taking into account the nature of the processing, GitScrum shall provide reasonable assistance to the Controller to enable the Controller to respond to requests from Data Subjects exercising their rights under GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure / "right to be forgotten" (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
7.2 Controller's Primary Responsibility
The Controller is primarily responsible for responding to Data Subject requests. GitScrum's obligation is limited to providing reasonable assistance as described in this Section 7.
7.3 Assistance Mechanism
Direct Requests to GitScrum: If a Data Subject submits a request directly to GitScrum (rather than to the Controller), GitScrum will:
- Notify the Controller of the request within 5 business days
- Not respond to the Data Subject directly unless legally required to do so
- Redirect the Data Subject to submit the request to the Controller (if appropriate and legally permissible)
Controller Requests for Assistance: If the Controller requests GitScrum's assistance in responding to a Data Subject request:
1. Request Process: The Controller must submit a written request to GitScrum at privacy[at]gitscrum.com or dpo[at]gitscrum.com, including:
- Identification of the Data Subject
- Nature of the request (access, deletion, rectification, etc.)
- Specific assistance needed from GitScrum
- Reasonable deadline for response (minimum 10 business days unless legally required sooner)
2. GitScrum's Response: GitScrum will provide assistance by:
- Access Requests: Providing tools within the platform for the Controller to export Personal Data, or assisting with data retrieval if necessary
- Deletion Requests: Providing tools for the Controller to delete Personal Data, or deleting data upon Controller's instruction
- Rectification Requests: Enabling the Controller to update inaccurate data through the platform interface
- Restriction/Objection Requests: Providing functionality to restrict processing or assisting with account suspension as directed by the Controller
- Portability Requests: Providing Personal Data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) upon request
3. Response Timeline: GitScrum will respond to Controller's requests for assistance within 10 business days, or sooner if required by law or the urgency of the request.
7.4 Fees for Extraordinary Assistance
GitScrum's reasonable assistance under this Section 7 is provided at no additional cost. However, if the Controller's request requires extraordinary effort, resources, or technical work beyond standard assistance (e.g., extensive manual data retrieval, custom data exports, multiple complex requests), GitScrum may charge a reasonable fee based on GitScrum's standard professional services rates, notified to the Controller in advance.
8. DATA BREACH NOTIFICATION
8.1 Notification to Controller
GitScrum shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
8.2 Breach Notification Contents
The notification shall include, to the extent known at the time of notification:
- Description of the breach: Nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected
- GitScrum contact: Name and contact details of GitScrum's Data Protection Officer or other contact point for obtaining more information
- Likely consequences: Description of the likely consequences and potential risks to Data Subjects
- Mitigation measures: Description of measures taken or proposed by GitScrum to address the breach, mitigate its adverse effects, and prevent future breaches
- Recommended actions: Recommendations for the Controller to mitigate potential adverse effects on Data Subjects
8.3 Breach Investigation and Remediation
Upon becoming aware of a Personal Data Breach, GitScrum shall:
- Immediately take steps to contain and investigate the breach
- Preserve evidence and forensic information related to the breach
- Implement remediation measures to prevent recurrence
- Cooperate with the Controller in breach investigation and response activities
- Provide reasonable updates to the Controller on the status of remediation efforts
8.4 Controller's Notification Obligations
The Controller acknowledges that it is solely responsible for:
- Determining whether notification to Data Subjects and/or Supervisory Authorities is required under applicable law
- Providing such notifications in accordance with GDPR Articles 33 and 34 and applicable data protection laws
- Determining the content and timing of such notifications
8.5 No Acknowledgement of Fault
GitScrum's notification of a breach under this Section 8 shall not constitute an acknowledgment by GitScrum of any fault or liability with respect to the breach.
9. DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION
9.1 Assistance with DPIAs
Where the Controller is required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35 or prior consultation with a Supervisory Authority under GDPR Article 36, GitScrum shall provide reasonable assistance to the Controller, taking into account the nature of processing and information available to GitScrum.
9.2 Controller Responsibility
The Controller is solely responsible for:
- Determining whether a DPIA (Data Protection Impact Assessment) is required
- Conducting the DPIA
- Determining whether prior consultation with a Supervisory Authority is required
- Conducting such prior consultation
9.3 Request Process
Requests for assistance with DPIAs or prior consultation should be submitted to privacy[at]gitscrum.com or dpo[at]gitscrum.com, with reasonable advance notice (minimum 30 days) and sufficient information to enable GitScrum to provide meaningful assistance.
10. DELETION AND RETURN OF PERSONAL DATA
10.1 Data Deletion Upon Termination
Upon termination of the Main Agreement, GitScrum will, at the Controller's election:
Option 1: Return of Data
- Export all Personal Data in a commonly used, machine-readable format
- Provide access to data export tools for a period of 30 days following termination
- Assist with data migration to a successor service upon reasonable request
Option 2: Deletion of Data
- Securely delete all Personal Data from active systems within 90 days
- Purge backup copies within 180 days following the standard backup rotation cycle
- Provide written certification of deletion upon request
Election Process:
Controller must notify GitScrum in writing of their preference at least 14 days before the termination effective date. If no election is made, deletion will be the default action.
10.2 Data Retention Period Post-Termination
GitScrum will retain Personal Data for 30 days following termination of the Main Agreement to allow the Controller to retrieve or export data. After this period, Personal Data will be securely deleted on the timelines set out in Section 10.1 (active systems within 90 days, backup copies within 180 days), unless the Controller requests earlier deletion.
10.3 Exceptions
Notwithstanding the above, GitScrum may retain Personal Data where required by applicable law, provided that GitScrum:
- Retains only the minimum data necessary to comply with the legal obligation
- Continues to protect the retained data in accordance with this DPA
- Deletes the data promptly once the legal obligation expires
10.4 Certification of Deletion
Upon written request from the Controller, GitScrum will provide written certification that Personal Data has been deleted in accordance with this Section 10, except where retention is required by law.
11. AUDITS AND COMPLIANCE
11.1 Audit Rights
GitScrum shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
11.2 Audit Process
GitScrum will support Controller's audit requirements through the following mechanisms:
Standard Compliance Documentation:
Upon Controller's written request, GitScrum will provide copies of current third-party audit reports and certifications at no additional cost.
On-Site Audits:
Controller may conduct or commission on-site audits subject to the following conditions:
- Advance Notice: Minimum 30 days' written notice, including proposed scope and duration
- Timing: Audits must be scheduled during normal business hours and may not exceed 3 business days
- Frequency: No more than one audit per calendar year, unless required by regulatory authority
- Confidentiality: Auditors must execute GitScrum's standard confidentiality agreement before access is granted
- Scope Limitation: Audits are limited to systems, processes, and facilities directly involved in processing Controller's Personal Data
- Cost Allocation: Controller bears all costs associated with on-site audits, including GitScrum's reasonable personnel costs at standard professional service rates
- Remediation: If audit findings identify material non-compliance, GitScrum will prepare a remediation plan within 30 days and implement corrections within a mutually agreed timeframe
11.3 Alternative Compliance Verification
GitScrum may satisfy audit obligations by providing third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certification) in lieu of on-site audits, at GitScrum's discretion.
11.4 Confidentiality of Audit Information
All information, reports, and materials obtained during audits are Confidential Information of GitScrum and shall be treated as such by the Controller and its auditors.
12. INTERNATIONAL DATA TRANSFERS
12.1 Data Transfer Locations
GitScrum operates infrastructure in the following regions:
- Primary Data Centers: European Union (Germany, Ireland)
- Backup Facilities: European Economic Area
- Content Delivery: Global edge locations that hold only transient cached copies, with no persistent storage
Supplementary Measures
Where Personal Data is transferred to countries outside the EEA that do not benefit from an adequacy decision, GitScrum implements the following supplementary measures:
- Technical Measures: Encryption in transit (TLS 1.2 or higher, as set out in Section 5.3) and at rest (AES-256), pseudonymization where feasible, access controls and logging
- Organizational Measures: Data handling policies, regular security training, vendor risk assessments, incident response procedures
- Contractual Measures: Standard Contractual Clauses, data processing agreements with all subprocessors, binding corporate rules where applicable
12.2 Transfers to Third Countries
If Personal Data is transferred from the European Economic Area (EEA) to countries outside the EEA that have not been subject to an adequacy decision by the European Commission ("Third Countries"), GitScrum shall ensure that appropriate safeguards are in place as required by GDPR Chapter V.
12.3 Standard Contractual Clauses (SCCs)
To the extent that GitScrum processes Personal Data in, or transfers Personal Data to, Third Countries, the parties agree to enter into and comply with the Standard Contractual Clauses (SCCs) for international data transfers approved by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), which are incorporated into this DPA by reference.
12.4 Transfer Impact Assessments (TIAs)
GitScrum conducts Transfer Impact Assessments (TIAs) for transfers to Third Countries to evaluate the legal framework in destination countries and ensure that adequate safeguards exist to protect Personal Data.
12.5 International Data Transfer Mechanisms
For transfers of Personal Data from the EU/EEA to the United States, GitScrum relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
12.6 Adequacy Decisions
GitScrum may also transfer Personal Data to Third Countries that have been subject to an adequacy decision by the European Commission, in which case the safeguards described in Sections 12.3 and 12.4 are not required.
12.7 Alternative Transfer Mechanisms
If the SCCs are invalidated, modified, or replaced by a supervisory authority or court decision (as the Schrems II decision did for the EU-U.S. Privacy Shield), the parties agree to cooperate in good faith to implement alternative transfer mechanisms that comply with applicable data protection laws.
13. TERM AND TERMINATION OF DPA
13.1 Term
This DPA is effective as of the Effective Date of the Main Agreement and shall continue in full force and effect until the termination or expiration of the Main Agreement.
13.2 Termination
This DPA terminates:
- Automatically upon termination or expiration of the Main Agreement
- By either party for material breach of this DPA, if such breach is not cured within 30 days of written notice
- Where termination is required by applicable data protection law
Surviving Sections:
The following sections survive termination: Confidentiality (Section 5), Data Deletion (Section 10), Liability (Section 14), and any other provisions that by their nature should survive.
13.3 Effect of Termination
Upon termination of this Agreement:
- GitScrum will cease all processing of Personal Data except as required to fulfill remaining obligations
- The data deletion provisions of Section 10 will apply
- Each party will return or destroy all Confidential Information of the other party
- Any accrued rights or obligations of either party will remain in effect
14. LIABILITY AND INDEMNIFICATION
14.1 Liability Under GDPR
Each party shall be liable for damages caused by processing that infringes the GDPR:
- Controller Liability: The Controller is liable for the entire damage caused by processing not in compliance with the GDPR
- Processor Liability: GitScrum is liable for damage caused by processing only where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside or contrary to Controller's lawful instructions
- Joint Liability: Where both parties are responsible for any damage caused by processing, each party shall be held liable for the entire damage to ensure effective compensation of the data subject
Right of Recourse:
Where one party has paid full compensation for the damage suffered, that party is entitled to claim back from the other party that part of the compensation corresponding to their part of responsibility for the damage.
14.2 Relationship to Main Agreement
Subject to Section 15 (Limitation of Liability), each party's liability under this DPA is in addition to, and not in lieu of, any liability under the Main Agreement.
14.3 Indemnification by GitScrum
GitScrum agrees to indemnify, defend, and hold harmless the Controller from and against any claims, damages, losses, and expenses (including reasonable attorney's fees) arising from:
- GitScrum's breach of this Agreement
- GitScrum's violation of applicable data protection laws
- GitScrum's negligence or willful misconduct in processing Personal Data
- Any unauthorized disclosure or access to Personal Data caused by GitScrum's failure to implement appropriate security measures
14.4 Indemnification by Controller
The Controller agrees to indemnify, defend, and hold harmless GitScrum from and against any claims, damages, losses, and expenses (including reasonable attorney's fees) arising from:
- Controller's breach of this Agreement
- Controller's violation of applicable data protection laws
- Processing instructions given by Controller that infringe data protection laws
- Any claims by data subjects arising from Controller's failure to fulfill transparency obligations or respond to data subject requests
15. LIMITATION OF LIABILITY
15.1 Cap on Liability
Except as provided in Section 15.2 (Exceptions), and notwithstanding any provision in the Main Agreement, the total aggregate liability of either party arising out of or related to this DPA (whether in contract, tort, negligence, or otherwise) shall not exceed the greater of:
- The total fees paid by the Controller to GitScrum under the Main Agreement in the 12 months immediately preceding the event giving rise to liability, or
- €50,000 (for accounts paying less than €500/month), €100,000 (for accounts paying €500 to €2,000/month), or €250,000 (for enterprise accounts paying more than €2,000/month)
15.2 Exceptions to Limitation
The limitations in Section 15.1 do not apply to:
- Liability for death or personal injury caused by a party's gross negligence or willful misconduct
- Liability for fraud or fraudulent misrepresentation
- Liability that cannot be excluded or limited under applicable law
- Indemnification obligations under Sections 14.3 and 14.4 (subject to any caps specified therein)
- Fines or penalties imposed directly by Supervisory Authorities (which are not subject to contractual limitation)
15.3 Indirect Damages
Neither party shall be liable for any indirect, incidental, consequential, special, or punitive damages, including lost profits, loss of data, or business interruption, arising out of or related to this DPA, even if advised of the possibility of such damages, except to the extent such damages constitute direct damages that are not subject to limitation under Section 15.2.
15.4 Proportional Liability
Where both parties are liable for the same damage under GDPR Article 82, liability shall be apportioned according to each party's degree of fault.
16. CHANGES AND UPDATES TO THIS DPA
16.1 Material Changes
GitScrum may update this Agreement from time to time to reflect changes in:
- Applicable data protection laws and regulations
- Guidance from data protection authorities
- Our processing operations or security measures
- Industry best practices
Notification Process:
For material changes, GitScrum will provide at least 30 days' advance notice via:
- Email to the Controller's designated contact
- Prominent notice within the GitScrum platform
- Publication on our legal updates page
Objection Right:
If Controller objects to any material changes, Controller may terminate the affected services within 30 days of the notice. Continued use of GitScrum services after the effective date constitutes acceptance of the updated Agreement.
16.2 Non-Material Changes
GitScrum may make non-material changes to this DPA (e.g., clarifications, formatting, corrections of typographical errors) without advance notice, provided that such changes do not reduce the Controller's rights or increase the Controller's obligations under this DPA.
16.3 Legal Requirement
If GitScrum is required by law to make changes to this DPA, GitScrum may implement such changes immediately and will notify the Controller as soon as reasonably practicable.
17. PRECEDENCE AND CONFLICTS
17.1 Order of Precedence
In the event of any conflict or inconsistency between documents, the following order of precedence shall apply (highest to lowest):
- Applicable data protection laws (GDPR, LGPD, etc.)
- This Data Processing Agreement
- Any negotiated contractual amendments signed by both parties
- The main Terms of Service / Master Agreement
- GitScrum's Privacy Policy
- Any other referenced policies or documentation
For clarity: mandatory legal requirements always prevail. This Agreement prevails over the Terms of Service for data protection matters only.
17.2 Severability
If any provision of this DPA is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.
18. GOVERNING LAW AND DISPUTE RESOLUTION
18.1 Governing Law
This DPA and any disputes arising out of or relating to this DPA shall be governed by and construed in accordance with the laws of Portugal, without regard to its conflict of law principles.
18.2 Jurisdiction
Any legal action or proceeding arising out of or relating to this DPA shall be brought exclusively in the courts located in Portugal, and the parties consent to the personal jurisdiction and venue of such courts.
18.3 Dispute Resolution
Before initiating formal legal proceedings, the parties agree to attempt to resolve disputes informally by contacting legal[at]gitscrum.com and providing a detailed description of the dispute and proposed resolution. GitScrum will respond within 30 days.
18.4 Supervisory Authority Jurisdiction
Nothing in this Section 18 shall limit the jurisdiction or authority of any Supervisory Authority to investigate complaints or enforce GDPR against either party.
19. GENERAL PROVISIONS
19.1 Entire Agreement
This DPA, together with the Main Agreement (Terms and Conditions) and any Standard Contractual Clauses incorporated by reference, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior or contemporaneous agreements, communications, and understandings, whether written or oral, regarding such subject matter.
19.2 Assignment
Neither party may assign, transfer, or delegate this DPA or any rights or obligations hereunder without the other party's prior written consent, except that GitScrum may assign this DPA in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of this DPA.
19.3 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought. No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of such right.
19.4 Notices
All notices under this Agreement shall be in writing and delivered to:
To GitScrum:
- Email: dpo[at]gitscrum.com
- Address: GitScrum, Inc., Data Protection Office, [Address]
To Controller:
To the email address and physical address associated with the Controller's account, or as otherwise specified in the main Agreement.
Notice Effectiveness:
Notices are effective upon: (a) personal delivery; (b) the second business day after mailing; (c) the second business day after sending by confirmed email.
19.5 Language
This DPA is drafted in English. If this DPA is translated into another language, the English version shall prevail in the event of any conflict or inconsistency.
19.6 Counterparts
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed original signatures for all purposes.
19.7 Survival
Provisions of this DPA that by their nature should survive termination shall continue to apply after termination, including but not limited to: Sections 5.2 (Confidentiality), 10 (Data Deletion), 11.4 (Audit Confidentiality), 14 (Liability), 15 (Limitation of Liability), 18 (Governing Law), and this Section 19.7.
20. CONTACT INFORMATION
For any questions, concerns, or requests regarding this DPA or data processing practices, please contact:
Data Protection Officer (DPO):
dpo[at]gitscrum.com
Response Time: 10 business days
Legal Department:
legal[at]gitscrum.com
Privacy Inquiries:
privacy[at]gitscrum.com
Customer Support:
customer.service[at]gitscrum.com
Supervisory Authority (Portugal):
Comissão Nacional de Proteção de Dados (CNPD)
https://www.cnpd.pt/
geral[at]cnpd.pt
21. ACKNOWLEDGMENT AND ACCEPTANCE
By using GitScrum's Services and processing Personal Data through the platform, the Controller acknowledges and agrees that:
- The Controller has read and understood this Data Processing Agreement in its entirety
- The Controller agrees to be bound by all terms and conditions set forth in this DPA
- The Controller has the authority to enter into this DPA on behalf of the organization it represents
- The Controller will process Personal Data in compliance with all applicable data protection laws, including GDPR
- The Controller will not provide instructions to GitScrum that would cause GitScrum to violate applicable data protection laws
- The Controller acknowledges that this DPA forms an integral part of the Main Agreement (Terms and Conditions)
- The Controller understands its obligations as Data Controller and GitScrum's role as Data Processor
Effective Date of Acceptance: The date the Controller first accepts the Main Agreement or begins using the Services (whichever is earlier).
