Data Processing Agreement - WikiTraccs
WikiTraccs is a console application that runs on a customer-controlled machine and connects only to the customer’s Atlassian Confluence and Microsoft SharePoint Online.
Product network interactions for transparency:
- If your Confluence pages reference third-party resources (for example external images), your environment may contact those external hosts to fetch them. Those hosts receive your egress IP address and act as independent controllers. You control these calls through your configuration and network policies. (Privacy Policy)
If you choose to send support artifacts such as log excerpts or screenshots, I act as a processor only for those materials under your instructions. Artifacts are handled in Exchange Online with data stored in Germany and are deleted within 30 days after issue resolution.
If you require a support-only DPA for this narrow scope, see the template below.
Support Data Processing Addendum (support artifacts only) [Template]
Parties
- Customer (Controller): [Customer legal name], [Customer address]
- Service Provider (Processor): Wiki Transformation Project - Heinrich Ulbricht (sole proprietor)
Definition
“Support Matter” means a discrete, customer-initiated request for assistance submitted via email or similar channel.
1. Subject Matter and Duration
1.1 Processing is limited to support artifacts that the Customer voluntarily provides (e.g., log excerpts, screenshots, redacted sample pages) for the sole purpose of diagnosing and resolving WikiTraccs support requests. Processing lasts only for the Support Matter.
1.2 Where such processing occurs, the Customer is the Data Controller and the Service Provider is the Data Processor of such Personal Data, except where the Customer acts as a Data Processor of Personal Data, in which case the Service Provider is a Data Sub-Processor.
1.3 The Service Provider deletes all artifacts within 30 days after Support Matter resolution unless law requires longer retention.
2. Nature and Purpose of Processing
Viewing, storing, analyzing, and communicating about the artifacts to provide support for WikiTraccs. There is neither operation of hosted services nor access to the Customer’s production systems.
3. Categories of Personal Data and Data Subjects
3.1 Categories of personal data may include business contact data and any personal data incidentally contained in artifacts.
3.2 Categories of data subjects may include the Customer’s employees or users. Special categories are not expected. The Customer will avoid sending secrets, credentials, or special-category data to the Service Provider.
4. Documented Instructions
The Service Provider acts only on the Customer’s documented instructions in tickets or email. If an instruction appears unlawful under the GDPR, the Service Provider will promptly inform the Customer.
5. Confidentiality
The Service Provider ensures that all persons authorized to process the data have committed themselves to confidentiality.
6. Security Measures (Art. 32 GDPR)
The Service Provider maintains appropriate measures for this limited scope, including access controls, malware-protected workstations, encrypted storage at rest, encrypted transmission, least-privilege access, and secure deletion.
7. Sub-Processors
7.1 The Service Provider uses the following sub-processor solely for email handling of support artifacts:
- Name: Microsoft Ireland Operations Limited
- Service: Exchange Online (Microsoft 365)
- Processing: receipt, storage, and transmission of support emails and attachments containing support artifacts
- Primary data location: Germany (tenant setting)
- Safeguards: encryption in transit and at rest; EU Standard Contractual Clauses and Microsoft data protection terms
7.2 The Customer consents to this sub-processor. The Service Provider will notify the Customer of intended changes to sub-processors with 30 days’ notice, and the Customer may object for justified reasons. No other sub-processors will be appointed without the Customer’s prior written consent.
8. International Data Transfers
No transfers of personal data outside the European Economic Area (EEA) are intended by the Service Provider. To the extent Microsoft, as sub-processor, accesses personal data from outside the EEA for service operations, such access is covered by appropriate safeguards, including the EU Standard Contractual Clauses.
9. Assistance
The Service Provider will reasonably assist the Customer with data subject requests, Data Protection Impact Assessments (DPIAs), and consultations, considering the limited scope and information available to the Service Provider.
10. Notification of Personal Data Breaches
The Service Provider will notify the Customer without undue delay after becoming aware of a personal data breach affecting artifacts.
11. Deletion and Return
At Support Matter resolution, the Service Provider will delete all artifacts, including any copies in Exchange Online mailboxes, within 30 days and, on request, confirm deletion in writing. The Service Provider cannot delete data on the Customer’s systems.
Dormant threads: If the Customer does not respond to a Service Provider request for 30 days, the Support Matter will be deemed resolved for deletion timing.
12. Audit and Information
The Service Provider will make available information necessary to demonstrate compliance with this Addendum and will allow one reasonable, document-based audit per year with 30 days’ notice. No on-site audits. No access to systems unrelated to support artifacts.
13. Precedence
This Addendum governs the processing of support artifacts. If it conflicts with other terms, this Addendum prevails for that processing.
Effective date: The date of the later signature below.
Accepted by:
Customer
Name: ______________________ Title: ___________ Date: ___________
Signature: __________________________
Service Provider
Name: Heinrich Ulbricht Title: Sole proprietor Date: ___________
Signature: __________________________