Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between IssueCapture and the Customer for the provision of the IssueCapture service.

Effective: April 8, 2026

1. Definitions

"Controller" means the Customer, who determines the purposes and means of Processing Personal Data via the IssueCapture service.

"Processor" means IssueCapture, which Processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by IssueCapture in connection with the service.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.

"Sub-processor" means a third party engaged by IssueCapture to Process Personal Data on behalf of the Controller.

"Data Protection Laws" means the GDPR (Regulation (EU) 2016/679), the UK GDPR, and any other applicable data protection legislation.

2. Scope and Purpose of Processing

IssueCapture Processes Personal Data solely to provide the bug reporting and feedback collection service as described in the service agreement. The nature and purpose of Processing include:

  • Receiving issue submissions from the Customer's website visitors via the widget
  • Processing and enriching issue data (AI categorization, triage, duplicate detection) when enabled
  • Creating issues in the Customer's Jira or Jira Service Management instance
  • Storing screenshots, attachments, and metadata for issue processing

Categories of Data Subjects

End users of the Customer's website or application who submit issue reports via the IssueCapture widget.

Types of Personal Data

  • Name and email address (if provided by the reporter)
  • Issue content (summaries, descriptions, labels, priority, custom fields)
  • Screenshots and file attachments
  • Technical metadata (page URL, user agent, console errors, network requests)
  • Atlassian Account IDs (for Jira integration)

3. Obligations of the Processor

IssueCapture shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to Process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Not engage another Processor without prior written authorization from the Controller (see Section 5)
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach
  • Delete or return all Personal Data upon termination of the service, at the Controller's choice, unless storage is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations

4. Security Measures

IssueCapture implements the following technical and organizational measures:

Encryption

TLS/HTTPS for all data in transit. AES-256 encryption for sensitive stored credentials (OAuth tokens). Encryption at rest via managed infrastructure.

Access Control

Row Level Security (RLS) on all database tables for multi-tenant isolation. Role-based access controls in the application layer.

Infrastructure

Hosted on SOC 2 Type II certified providers (Supabase, Vercel). Primary data storage in EU (Stockholm, Sweden).

Monitoring

Comprehensive audit logging. Error monitoring with PII scrubbing. Abuse detection and rate limiting.

5. Sub-processors

The Controller provides general authorization for IssueCapture to engage Sub-processors. IssueCapture maintains an up-to-date list of Sub-processors at issuecapture.com/subprocessors.

IssueCapture shall notify the Controller of any intended changes to Sub-processors by updating the Sub-processor list. The Controller may object to a new Sub-processor by contacting security@issuecapture.com within 30 days of notification. If the objection cannot be resolved, the Controller may terminate the affected service.

IssueCapture shall impose data protection obligations on each Sub-processor no less protective than those in this DPA and shall remain liable for the acts and omissions of its Sub-processors.

6. International Data Transfers

Primary data storage is in the European Union (Stockholm, Sweden). Where Personal Data is transferred outside the EEA (for example, to US-based Sub-processors), IssueCapture ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • EU-US Data Privacy Framework certification of Sub-processors, where applicable
  • Supplementary measures as needed based on transfer impact assessments

7. Data Retention and Deletion

IssueCapture retains Personal Data only for as long as necessary to provide the service:

  • Issue submissions, attachments, and embeddings: 90 days by default (configurable on Business plans)
  • Account data: retained while the account is active
  • Audit logs: retained per applicable legal requirements

Upon termination of the service or at the Controller's request, IssueCapture shall delete Personal Data within 30 days, except where retention is required by applicable law. The Controller may delete their account and data directly from the dashboard Settings page.

8. Data Subject Rights

IssueCapture shall assist the Controller in fulfilling data subject requests under Data Protection Laws, including requests for access, rectification, erasure, restriction of Processing, data portability, and objection.

If IssueCapture receives a request directly from a data subject, it shall promptly redirect the request to the Controller unless legally required to respond directly.

9. Data Breach Notification

In the event of a Personal Data breach, IssueCapture shall notify the Controller without undue delay and in any event within 72 hours. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

10. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, IssueCapture shall comply with the data deletion obligations in Section 7.

The obligations in this DPA that by their nature should survive termination (including confidentiality, data deletion, and breach notification) shall survive.

11. Governing Law

This DPA shall be governed by the laws applicable to the main service agreement. Where the Controller is established in the EEA, this DPA shall be governed by the laws of Ireland. Where the Controller is established in the UK, this DPA shall be governed by the laws of England and Wales.

Questions about this DPA?

If you need a countersigned copy of this DPA or have questions about our data processing practices, contact our security team.