1. Overview
This Data Processing Agreement (“DPA”) describes ProdOps HQ's obligations when processing personal data on behalf of our customers. This DPA forms part of your service agreement with ProdOps HQ (the Terms of Service). By accepting the Terms of Service, you agree to the data processing terms set out in this DPA.
2. Roles and Responsibilities
When you connect ProdOps HQ to your organisation's third-party platforms (such as GitHub or Jira), you are the data controller and ProdOps HQ is the data processor. You determine the purposes for which your team's data is collected and analysed through ProdOps HQ; we process that data solely to provide the service.
ProdOps HQ is also a data controller in its own right for certain data, including account registration details, authentication credentials, and platform usage information necessary to operate the service.
ProdOps HQ processes personal data on behalf of the Controller as necessary to perform the service under the parties' agreement. The Controller determines the lawful basis for collecting personal data from data subjects.
For details on what data we collect and how we use it, see our Privacy Policy.
3. Processing on Instructions
ProdOps HQ processes personal data only on the Controller's documented instructions. The Controller's instructions are defined by the service agreement and by how the Controller configures and uses the platform. ProdOps HQ will not process personal data for any other purpose.
If ProdOps HQ is required by applicable law to process personal data other than on the Controller's instructions, ProdOps HQ will inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
4. Sub-Processors
ProdOps HQ engages third-party sub-processors to deliver and operate the platform. These sub-processors may process personal data on our behalf as part of normal service delivery. We maintain an up-to-date list of all sub-processors, including their purposes and data processing locations, on our Sub-Processors page.
We will update the Sub-Processors page before engaging any new sub-processor. If you object to a new sub-processor, you may terminate your account in accordance with your service agreement.
5. International Data Transfers
ProdOps HQ's primary infrastructure is hosted in Australia. Some sub-processors operate in other jurisdictions, including the United States.
For customers subject to the EU General Data Protection Regulation (GDPR), the parties agree to the European Commission's 2021 Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), which are hereby incorporated by reference into this DPA. The information required by the SCC Annexes is provided as follows:
- Annex I (Description of transfer): The Controller is the customer; the Processor is ProdOps HQ. Categories of data subjects and personal data are described in our Privacy Policy. Processing is carried out for the purpose of providing the ProdOps HQ service.
- Annex II (Technical and organisational measures): As described on our Security page.
- Annex III (Sub-processors): As described on our Sub-Processors page.
6. Data Breach Notification
In the event of a personal data breach, ProdOps HQ will notify the affected customer without undue delay and no later than 72 hours after becoming aware of a confirmed breach, except where law enforcement authorities request a delay. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach. ProdOps HQ will also assist the Controller in meeting its own breach notification obligations to supervisory authorities and, where applicable, to affected data subjects.
For more on our security practices, see our Security page.
7. Data Retention and Deletion
ProdOps HQ retains personal data for as long as your account is active. When you disconnect a third-party integration, connection credentials are revoked. Upon request before account termination, ProdOps HQ will provide the Controller with a copy of their personal data in a commonly used, machine-readable format. Upon termination of your account, all associated personal data is permanently deleted within 30 days. ProdOps HQ will not retain copies of personal data after deletion except where required by applicable law.
For full details on our data retention practices, see our Privacy Policy.
8. Security Measures
ProdOps HQ implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration. These measures are described on our Security page and include encryption at rest and in transit, network isolation, role-based access control, and regular security reviews.
All ProdOps HQ personnel authorised to process personal data are bound by appropriate confidentiality obligations.
9. Data Subject Rights
ProdOps HQ will assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, portability, restriction of processing, and objection, by providing relevant platform features and reasonable technical support.
10. Audit Rights
ProdOps HQ will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including the practices described on our Security and Sub-Processors pages.
ProdOps HQ will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice, scope limitations, and confidentiality obligations.
11. Contact
If you have questions about this DPA, contact us at: