Data Processing Agreement

Last updated 12 March 2024

This DPA supplements the Terms of Service (the “Terms”), entered into by and between

(a) the customer that is a party to the Terms (“Customer”), and

(b) Conelike LLC a company incorporated under the laws of the State of Wyoming, having its principal place of business at 1309 Coffeen Ave #1200, Sheridan, WY, United States of America (collectively "Conelike").

Together the “Parties” and each a “Party”.

The Parties agree as follows:

1. Subject matter of this DPA

1.1. This DPA applies to the Processing of Personal Data that is subject to the EU General Data Protection Regulation (“GDPR”) (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

1.2. This DPA supplements the terms of the End User License Agreement (“EULA”) ( a “Service Agreement”), under which Conelike provides certain services (“Services”).

1.3. To the extent Conelike processes Personal Data subject to the GDPR on behalf of Customer in the course of the performance of a Service Agreement, the terms of this DPA shall apply.

1.4. This DPA shall be effective starting on June 1, 2022. 

2. Definitions

2.1. The terms “Processing”, “Personal Data”, “Controller”, “Processor”, “Personal Data Breach” and “Supervisory Authority”, “Commission”, “Member State” shall have meanings given in the GDPR, and their cognate terms shall be construed accordingly.

2.2. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

2.3. “Customer Data” means all Personal Data which is provided to Conelike (or to any sub-processor) by the Customer in connection with the Service Agreement.

3. Customer and Conelike

3.1. Customer

3.1.1. Customer is the Data Controller. Customer will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 24). Customer will not instruct Conelike to process any Customer Data in a manner that would constitute a breach of the GDPR.

3.1.2. Customer warrants that Customer has all the necessary rights to provide the Customer Data to Conelike for the Processing to be performed in relation to the Services. To the extent required by the GDPR, Customer is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should a consent be revoked by the data subject, Customer is responsible for communicating the fact of such revocation to Conelike, and Conelike remains responsible for implementing any Customer instruction with respect to the further processing of that Customer Data.

3.2. Conelike

3.2.1. Conelike is the Data Processor. Conelike will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 28).

4. Processing Instructions

4.1. Conelike will process the Customer Data only as set forth in Customer’s written instructions as set forth in the EULA and in this DPA, or as agreed upon in writing by the parties and to the extent that the processing is appropriate for the provision of the Services, unless Conelike is required to comply with a legal obligation to which Conelike is subject (Art 28(3)(a)). In such a case, the Conelike shall notify the Customer of that legal obligation before processing unless that legal obligation explicitly prohibits the furnishing of such information to the Customer.

4.2. The Parties have entered into a EULA in order to benefit from the expertise of the Conelike in processing the Customer Data for the purposes set out in Exhibit 2. Exhibit 2 describes the processing of Customer Data as required by GDPR, Article 28(3). Customer may make reasonable amendments to Exhibit 2 by written notice to Conelike to meet the GDPR requirements. Nothing in Exhibit 2 (included as amended pursuant to this Section) confers any right or imposes any obligation on any Party to this DPA. Conelike shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this DPA.

5. Confidentiality (Art 28(3)(b))

Without prejudice to any existing contractual arrangements between the Parties, Conelike shall treat all Customer Data with an obligation of confidentiality and shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Customer Data. Conelike shall ensure that all such persons or parties are under an appropriate obligation of confidentiality.

6. Security (Art 28(3)(c))

6.1. Conelike will take all measures required by Article 32 (Security of Processing) of the GDPR.

6.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Conelike shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Customer Data appropriate to the risk (Art 32(1)).

6.3. In assessing the appropriate level of security, Conelike shall take into account the particular risks that are presented by processing, for example, from accidental or unlawful destruction, loss, alteration, unauthorized or unlawful storage, processing, or access or disclosure of Customer Data (i.e. Personal Data Breach) (Art 32(2)).

7. Sub processing (Art 28(3)(d)

7.1. Customer authorizes the engagement of Conelike's Affiliates as subprocessors (Art 28(2)).

7.2. Customer agrees that Conelike may continue to use those subprocessors already engaged by Conelike as of the date of this DPA (Art 28(2)).

7.3. Customer generally authorizes the engagement of any other third-parties as subprocessors (Art 28(2)).

7.4. Information about subprocessors, including their functions and locations, is available at support@assetmanagementforjira.com

7.5. Requirements for subprocessor engagement (Art 28(4)) With respect to each subprocessor, Conelike shall:

7.5.1. Before the subprocessor first processes any Personal Data, carry out adequate due diligence to ensure that the subprocessor is capable of providing the level of protection for Personal Data required by the Service Agreement;

7.5.2. Ensure that the arrangement is governed by a written contract including terms that offer at least the same level of protection for Personal Data as those set out in this DPA and meet the requirements of GDPR Article 28(3);

7.5.3. Remain fully liable for all obligations subcontracted to, and all acts and omissions of the subprocessor.

8. International Data Transfers (Art 28(6)-(8), Art 44 - 46)

8.1. Customer instructs Conelike to transfer Customer Data to any country or territory as is reasonably necessary for the provision of the Services.

8.2. Customer agrees that Conelike and its subprocessors may store and process Customer Data in a country outside of the European Economic Area provided that the European Commission has determined that the country provides an adequate level of protection, or the Commission has determined that a regulatory framework provides an adequate level of protection.  For the purposes of this DPA, the parties agree to rely on Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91 (“Standard Contractual Clauses (EU/EEA)”) and adopted by the Switzerland Federal Data Protection and Information Commissioner (“Swiss FDPIC”) as well as the International Data Transfer Addendum to the Standard Contractual Clauses (EU/EEA) as adopted by the United Kingdom Information Commissioner’s Office (“UK ICO”) for use in connection with data transfers from the United Kingdom (“Standard Contractual Clauses (UK)”). The Standard Contractual Clauses (UK).

8.3. To the extent that a Party relies on a basis for international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to terminate promptly the transfer and to pursue an alternate mechanism that can lawfully support the transfer.

9. Data Subject Rights (Art 28(3)(e))

9.1 Conelike shall use reasonable endeavors to assist the Customer in responding to their Data Subject requests. Conelike shall have at least 30 days, from the time the Customer asks for assistance, to respond to the Customer’s request. The performance and cost of such requests shall be in accordance to the EULA and Conelike's price list at any giving time.

9.2 Conelike must not disclose the Personal Data to any Data Subject or to a third party and responsibility for responding to requests from Data Subjects shall remain with the Customer.

10. Cooperation (Art 28(3)(f) and (3)(h))

10.1 If requested, Conelike will provide reasonable assistance to the Customer to comply with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Conelike.

10.2 Conelike shall make available to Customer upon request any reasonable information to demonstrate compliance with Conelike's obligations under this DPA. Conelike shall reply to any requests for information under this Section within 60 days of receiving the request.

10.3 Conelike will perform audits of its Personal Data Processing practices and the information technology and information security controls for its facilities and systems used in complying with its obligations under this Agreement.

11. Incident Management (Art 33 - 34)

11.1. Conelike shall notify Customer without undue delay upon Conelike (or any subprocessor) becoming aware of a Personal Data Breach affecting Customer Data, and provide Customer with sufficient information to allow each it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the GDPR.

11.2. Conelike shall cooperate with Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

11.3. Any notifications made to the Customer pursuant to this Section shall be addressed to the employee of the Customer whose contact details are provided in Exhibit 1 of this DPA, and shall contain:

11.3.1. a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

11.3.2. the name and contact details of the Conelike’s data protection officer or another contact point where more information can be obtained;

11.3.3. a description of the likely consequences of the incident; and

11.3.4. a description of the measures taken or proposed to be taken by the Conelike to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

12. Return or Destruction of Personal Data (Art 28(3)(g))

12.1. Upon termination of this DPA, upon Customer’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, Conelike shall, at the discretion of Customer and within reasonable business efforts, either delete, or destroy Customer’s data.

12.2. Conelike shall notify all subprocessors of the termination of the Data Processing Agreement and shall notify that all such subprocessors either delete or destroy the Personal Data, at the discretion of Customer.

12.3. Conelike and its subprocessors may retain Customer Personal Data to the extent required by a legal obligation and only to the extent and for such period as required by the legal obligation.

13. Limitation of Liability

Conelike's liability to Customer for any kind of loss or damage arising out of or in connection with breach of this DPA (including breach of contract, tort, misrepresentation or restitution) will: (a) be subject to the exclusions of liability applicable to Conelike in the Service Agreement; and (b) be subject to, and will in no event exceed, the limitation on Conelike’s liability in the Service Agreement. Any liability incurred under this DPA, such as regulatory fines, will be included in the calculation of Conelike’s liability in the Service Agreement.

14. Termination

This DPA will remain in effect until the later of: (a) the termination or expiry of the Service Agreement, and (b) Conelike ceasing to process the Customer Data.

15. General Terms

15.1. The terms of the Service Agreement shall apply to this DPA.

15.2. Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Service Agreement, the DPA shall prevail.

Exhibit 1

The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.

1. The Parties

Data exporter(s):

Name: Customer

Address: As designated by Customer under my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).

Contact person’s name, position and contact details: As designated by Customer under my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).

Signature and date: By signing up for the Services and accepting the Terms, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Terms.

Data importer(s):

Name: Conelike LLC

Address: 1309 Coffeen Ave Ste 1200, Sheridan, WY 822801, USA

Contact details:

Via email: support@assetmanagementforjira.com

Signature and date: By entering into the Terms, Data Importer is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Terms.

Exhibit 2

Nature and Purpose of Processing: Company will process Customer’s Personal Data as necessary to provide the Services under the Terms, for the purposes specified in the Terms and this DPA, and in accordance with Customer’s instructions as set forth in this DPA. The nature of the processing shall include, without limitation: Receiving, holding, using, updating, protecting, returning, erasing data.

Duration of Processing: Company will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Terms; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Company Account Data and Company Usage Data will be processed and stored as set forth in Company’s privacy policy.

Categories of Data Subjects: Personal Data of any other individuals provided by Customer in connection with the Services (including Customer’s employees and end users)

Categories of Personal Data: Company processes Personal Data contained in Company Account Data, Company Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Company in order to provide the Services or as otherwise set forth in the Terms or this DPA.

Categories of Personal Data may include real name (as provided by Customer), internet protocol address, email address, job function, work or personal address, account name, or any other Personal Data inputted by Customer on behalf of Customer’s employees or end-users.

Sensitive Data or Special Categories of Data: Company’s Terms forbid Customer from processing any data containing passwords, credit card information, Patient Health Information, personal identification numbers or other similar types of sensitive personal information.