Skip to content
Wayflare

Data Processing Agreement — Leaver Cleanup & Owner Reassignment for Jira

Effective date · 8 June, 2026Last updated · 8 June, 2026

This Data Processing Agreement ("DPA") governs Wayflare OÜ's processing of personal data on behalf of an organisation that installs and uses the Leaver Cleanup & Owner Reassignment for Jira app (the "App"). It is written to match exactly what the App does and the data-minimising way it does it. It is incorporated into the App's end-user terms and is entered into when the Customer accepts those terms on installation, satisfying GDPR Article 28 (which requires the processing to be governed by a contract, not merely available on request).

See also the App's privacy notice and security & data handling page.

  • Provider / Processor: Wayflare OÜ, Pärnu mnt 141, 11314 Tallinn, Estonia, registry code 17495514 (Estonia)
  • Contact: info@wayflare.eu
  • App: Leaver Cleanup & Owner Reassignment for Jira

1. Scope and roles

1.1 This DPA applies where Wayflare OÜ ("Wayflare") processes personal data on behalf of the organisation that installs and uses the App (the "Customer"), where that processing is subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") or equivalent law.

1.2 For that processing, the Customer is the controller and Wayflare is a processor acting on the Customer's documented instructions. The Customer administrator's configuration and use of the App constitute those documented instructions.

1.3 The App Runs on Atlassian: it operates only on Atlassian-hosted compute and storage and sends no data to Wayflare or any third party. Atlassian (Atlassian Pty Ltd and its affiliates) provides that hosting and is the only sub-processor Wayflare engages for the App; Atlassian in turn relies on its own sub-processors under the Forge Data Processing Addendum. Atlassian is also the Customer's own processor for the underlying Jira data under the Customer's agreement with Atlassian.

1.4 Sub-processor note (for clarity). Wayflare and Atlassian also have a separate Forge Data Processing Addendum between them. Under it, the App's data — the personal data the App processes about the Customer's Jira users — is processed by Atlassian as a sub-processor on Wayflare's behalf, with Wayflare in turn acting as the Customer's processor. The only data that the Forge DPA treats differently is Wayflare's own account and operational data, for which Atlassian acts as an independent controller and which is unrelated to the Customer's Jira data. None of this changes the relationship described in this DPA, which governs the Wayflare-to-Customer leg: there, the Customer determines the purpose and means of the processing through its use of the App, so the Customer is the controller and Wayflare is its processor.

1.5 This DPA forms part of, and is subject to, the agreement between Wayflare and the Customer for the use of the App (including the end-user terms). On matters of data protection this DPA prevails in case of conflict.

1.6 The Customer, as controller, is responsible for the lawfulness of the personal data and of the instructions it gives, and confirms it has a lawful basis for the processing it requests through the App.

2. Details of the processing (GDPR Art. 28(3))

  • Subject-matter: finding the Jira content a deactivated or departed user owns, reassigning its ownership to an active user on the Customer administrator's instruction, and producing a record of the changes.
  • Duration: for the period the App is installed, plus the limited retention in Section 5; processing ends on uninstall.
  • Nature and purpose: detection, preview (dry run), ownership-reassignment writes, reconciliation reads, and closure-evidence generation — performed on the administrator's instruction to support the Customer's offboarding and administration.
  • Types of personal data: Atlassian account identifiers (accountId) of the departed user, the reassignment target, and the acting administrator; item references (issue, filter, component, and project identifiers, names, and types); the outcome of each reassignment; and timestamps. Display names are fetched live only when needed (to show the candidate list and to label the evidence export) and are not stored. The App does not process Jira issue content, attachments, comments, or worklogs. The Customer, as controller, approves these categories and the retention period in Section 5 by accepting this DPA.
  • Categories of data subjects: the Customer's Jira users — in particular the departed or deactivated user, the active user(s) content is reassigned to, and the administrator who runs the App.
  • The evidence export. The closure-evidence export (a CSV) is generated on demand and is not retained by the App; once the administrator downloads it, the file is outside the App's control and the Customer, as controller, is responsible for storing and disposing of it appropriately.

3. Processor obligations

Wayflare shall:

3.1 Documented instructions (Art. 28(3)(a)). Process the personal data only on the Customer's documented instructions (including this DPA and the Customer's use of the App), and for no other purpose. Wayflare does not transfer the personal data outside the Atlassian platform; the App declares no external network access and the platform rejects any outbound transfer. Wayflare shall inform the Customer if, in its opinion, an instruction infringes applicable data-protection law. Wayflare does not determine the purposes or means of processing for any purpose of its own; if it ever did, GDPR Article 28(10) would treat it as a controller for that processing.

3.2 Confidentiality (Art. 28(3)(b)). Ensure that persons authorised to process the personal data are bound by confidentiality. Wayflare personnel have no access to a Customer's instance data through the App (there is no egress and no external copy).

3.3 Security (Art. 28(3)(c); Art. 32). Implement appropriate technical and organisational measures, taking into account the state of the art and the risks. For the App these include: running only on Atlassian-hosted infrastructure (encryption in transit and at rest, access control, and physical and network security provided by the Atlassian platform); data minimisation (storing only account identifiers, item references, outcomes, and timestamps — not display names, content, or attachments); least-privilege scoped access to the Customer's Jira; preview-before-write plus reconciliation to avoid unintended changes; and bounded retention with on-demand and on-uninstall deletion.

3.4 Sub-processors (Art. 28(2),(4)). The Customer provides general authorisation for Atlassian as the sole sub-processor (hosting and storage). Wayflare engages no other sub-processor and uses no external service. If Wayflare intends to add or replace a sub-processor, it will give the Customer at least 30 days' prior notice (via the Marketplace listing or info@wayflare.eu) and the opportunity to object; any sub-processor will be bound by data-protection obligations no less protective than those in this DPA.

3.5 Assistance with data-subject rights (Art. 28(3)(e)). Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests to exercise data-subject rights. Because the App holds only minimal identifiers and references and the underlying content remains in the Customer's Jira, the Customer can fulfil most requests at source; the App additionally provides on-demand erasure of a run's records, and erases a closed account's identifiers on Atlassian's personal-data reporting cycle.

3.6 Assistance with security, breach, and DPIA (Art. 28(3)(f); Art. 32–36). Assist the Customer in ensuring compliance with its security, personal-data-breach-notification, and data-protection-impact-assessment obligations, taking into account the nature of the processing and the information available to Wayflare.

3.7 Deletion or return (Art. 28(3)(g)). At the Customer's choice, delete or return the personal data after the end of the provision of the services, and delete existing copies, unless storage is required by law. The App provides: on-demand erasure of a run's records after export; automatic 90-day expiry of per-change records; and, on uninstall, a best-effort erase plus Atlassian's purge of the App's hosted storage.

3.8 Audit and information (Art. 28(3)(h)). Make available to the Customer the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice and subject to confidentiality.

4. Personal data breach

Wayflare shall notify the Customer without undue delay after becoming aware of a personal data breach affecting the personal data processed under this DPA, and provide the information reasonably available to assist the Customer's own notification obligations.

5. Retention and deletion

The App stores per-change records for 90 days (after which they expire automatically), supports on-demand erasure of a run's records after export, erases a closed account's identifiers on Atlassian's reporting cycle (by removing the reassignment-run records in which that account appeared in any role, which may include records concerning other users in the same run), and purges all stored data on uninstall (Wayflare's best-effort erase plus Atlassian's platform purge). The underlying content remains in the Customer's Jira and is controlled by the Customer. The 90-day period is a processor-proposed default that the Customer approves by accepting this DPA; a Customer that requires a different period may contact us.

6. International transfers

The App's processing takes place entirely within the Atlassian platform and matches the Customer's Jira data residency. Wayflare does not itself transfer the personal data to any third country; any transfer inherent in the Customer's own Atlassian/Jira data residency is governed by the Customer's agreement with Atlassian and the Forge Data Processing Addendum (which incorporates the EU Standard Contractual Clauses).

7. Data protection officer and representative

Wayflare has assessed that it is not required to appoint a Data Protection Officer (GDPR Art. 37) — the processing is not large-scale and special-category data is not a core activity — and, being established in the European Union (Estonia), is not required to designate an Article 27 representative. The contact point for data-protection matters is info@wayflare.eu.

8. General

8.1 This DPA is governed by the law of Estonia, except where the principal agreement specifies otherwise, and is subject to the liability provisions of the principal agreement.

8.2 If any provision is held invalid, the remainder continues in effect.

8.3 This DPA takes effect when the Customer accepts the App's end-user terms on installation and continues for the duration of that use.

Wayflare OÜinfo@wayflare.eu