Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Threadmaker Terms of Service and the Privacy Policy. Where the Customer acts as a Controller and Threadmaker processes Personal Data on its behalf, this DPA governs. In the event of conflict between this DPA and the Terms or Privacy Policy as to the processing of Personal Data, this DPA prevails.
1. Parties and roles
- Processor: CT Core (trading name of Viktar Martavitski, Polish sole proprietorship; NIP 9512543228; REGON 522272970; ul. Hoza 86/410, 00-682 Warsaw, Poland).
- Controller: the legal entity that installs and uses the Service.
Definitions follow GDPR (Regulation (EU) 2016/679) Art. 4. "SCCs" means the Standard Contractual Clauses annexed to EU Commission Implementing Decision 2021/914; "UK Addendum" means the UK ICO International Data Transfer Addendum to the EU SCCs; "DPF" means the EU-US Data Privacy Framework certified under European Commission Decision C(2023) 4745.
2. Subject matter, duration, nature, purpose
| Item | Description |
|---|---|
| Subject matter | Bidirectional synchronization of comments and messages between the Controller's Slack workspace(s) and Atlassian Jira site(s) via the Service. |
| Duration | From the Effective Date until termination of the Main Agreement, plus the retention period in §6. |
| Nature | Automated transmission, temporary storage for queueing / retry / idempotency, delivery to the counterpart platform, and audit logging. No secondary analysis. |
| Purpose | To provide the Service for which the Controller has contracted. |
3. Categories of Personal Data and Data Subjects
Categories of data: identifiers (Slack user / team IDs, Jira account IDs, email addresses exposed by OAuth); content data (text, rich-text, emoji, mentions, file attachments in synced comments); technical metadata (timestamps, thread IDs, issue keys, message IDs); authentication artefacts (Slack bot OAuth tokens, encrypted at rest, accessible only to authorised Processor personnel).
Data subjects: the Controller's employees, contractors, and collaborators using the Slack workspace or Jira site; third parties mentioned within synced messages or comments.
Special categories (GDPR Art. 9): the Processor does not intentionally process special categories. The Controller shall not instruct the Processor to process special categories through the Service without first agreeing additional safeguards in writing.
4. Sub-processors and host platforms
The Controller grants general authorization to engage Sub-processors provided each is bound by data-protection obligations substantively equivalent to this DPA. The Processor remains fully liable to the Controller for the performance of Sub-processors' obligations.
The table below distinguishes parties engaged by the Processor as Sub-processors (the Processor contracts them, instructs them, and pays them) from host platforms with which the Controller has independently contracted; the latter are listed for transparency and to disclose the data flow, but the Processor does not engage them as Sub-processors within the meaning of GDPR Art. 28, and the Controller's primary contract with each platform governs.
| Party | Engagement | Activity | Region |
|---|---|---|---|
| Cloudflare, Inc. (USA) — Workers | Engaged as Sub-processor | Edge compute | US — wnam |
| Cloudflare, Inc. (USA) — D1 | Engaged as Sub-processor | Primary tenant database; platform AES-256 at rest | US — wnam |
| Cloudflare, Inc. (USA) — KV (TENANT_SHARDS) | Engaged as Sub-processor | Shard-routing lookup cache (no message content) | US (replicated edge cache) |
| Cloudflare, Inc. (USA) — R2 | Engaged as Sub-processor | Daily AES-256-GCM-encrypted full-database snapshot under a Processor-controlled application-layer key (90-day rolling retention production / 30-day staging) | US — wnam |
| Cloudflare, Inc. (USA) — Cloudflare Access | Engaged as Sub-processor | Operator-only admin-portal SSO; not a Customer-facing surface | US |
| Functional Software, Inc. (Sentry, USA) | Engaged as Sub-processor | Error reporting (scrubbed payloads only; no message bodies, no comment text) | US |
| Atlassian, Inc. — Marketplace billing | Engaged narrowly | Atlassian collects subscription fees and remits to Processor net of revenue share | Atlassian-managed |
| Atlassian, Inc. — Forge plugin runtime | Host platform (Controller's Atlassian Cloud Terms / DPA govern) | Hosts the Threadmaker Jira plugin inside the Controller's licensed Atlassian tenant; Jira data does not leave Atlassian | Atlassian-managed |
| Slack Technologies LLC (Salesforce) | Host platform (Controller's Slack Customer Terms / DPA govern) | Source / sink for synced message data via the OAuth grant the Controller's workspace administrator provided | Salesforce-managed |
The current list is published at Threadmaker.dev/privacy/subprocessors.
Change notification: the Processor will give the Controller at least 30 days' advance notice before adding or replacing a Sub-processor that materially affects the processing of Personal Data. Notice is given by (i) updating the Sub-processor list with the proposed change and effective date, AND (ii) at least one of the following, in order: the procurement-contact email registered at /dpa-contact, OR the email address associated with the Atlassian Marketplace billing account. The Processor may additionally display the change in the Slack App Home tab or the Forge plugin admin page in Jira; such in-product notices are operational fallbacks only and do not substitute for written notice. The Controller may object on reasonable data-protection grounds during the 30-day window; an unresolved objection is grounds for terminating the affected portion of the Service with a pro-rata refund of pre-paid Marketplace fees.
5. International transfers
Personal Data is transferred to and processed in the United States by Cloudflare, Inc., Atlassian, Inc., Slack Technologies LLC, and Functional Software, Inc. (Sentry). The parties rely on the following layered transfer mechanisms:
- Primary — EU-US Data Privacy Framework. All four US-based Sub-processors named above (Cloudflare, Atlassian, Slack, Sentry) self-certify under the DPF (Commission Decision C(2023) 4745 of 10 July 2023). This constitutes an adequacy decision under GDPR Art. 45. Current participation status is verifiable at dataprivacyframework.gov.
- Secondary — Standard Contractual Clauses. SCCs Module Two (controller-to-processor) is incorporated by reference where the DPF is unavailable or challenged.
- UK data. The UK Addendum to the EU SCCs applies where the Controller is subject to UK GDPR.
- Swiss data. The Swiss FDPIC Addendum applies where the Controller is subject to Swiss FADP.
6. Retention and deletion
| Data | Retention |
|---|---|
| message_origins (echo-prevention flags) | Purged every 10 minutes |
| retry_queue completed entries | 7 days |
| retry_queue failed entries | 30 days |
| retry_queue abandoned pending entries | 7 days |
| audit_log | 90 days |
| admin_audit_log (internal staff access) | 2 years (calibrated to GDPR Art. 28(3)(h) Sub-processor accountability and the typical 12–18 month claim-emergence window for commercial disputes) |
| metric_events | 30 days |
| slack_users_cache (email→accountId mapping for cross-system @mentions) | Cache value refreshed on demand every 24 hours; row deleted 30 days after last refresh, OR immediately on workspace uninstall via FK CASCADE |
| rate_limits (per-tenant + per-IP counters) | Rolling 1-hour window (auto-reset) |
| comment_attachment_map, reaction_sync_map, project_settings (per-tenant integration state) | Duration of install; deleted on uninstall via FK CASCADE on workspaces_local(id) |
| Workspace, channel, issue, comment-mapping records (workspaces, channel_project_map, issue_threads, comment_map) | Deleted on uninstall (typically within minutes of the app_uninstalled event); SLA upper bound 30 days for DSR erasure under Article 17 |
| workspace_deletions (compliance tombstone: workspace ID + deletion timestamp + DSR ticket reference, no content or PII beyond the operator's email) | Indefinite retention as audit trail that the Article 17 erasure was performed |
| Billing records | 7 years — Ustawa o rachunkowości Art. 74 § 2 pkt 1 (księgi rachunkowe) and Ordynacja podatkowa Art. 86 § 1 (ewidencja podatkowa). Retained solely for that purpose. |
| D1 backup snapshots in Cloudflare R2 | 90-day rolling retention production / 30-day staging. Daily AES-256-GCM-encrypted snapshot. Article 17 erasure requests are satisfied within the rolling window per GDPR Recital 65. |
Upon termination, the Processor shall delete or, at the Controller's written choice, return all Personal Data within 30 days, save for copies required to be retained by applicable law (billing records only).
7. Security and breach notification
Technical and organizational measures: TLS 1.3 in transit; AES-256 at rest in Cloudflare D1; HMAC-SHA256 with constant-time comparison for authenticating all inter-component traffic; no Jira API tokens stored (Forge proxy via api.asApp()); least-privilege internal access logged in admin_audit_log.
Breach notification: upon becoming aware of a Personal Data breach affecting Controller data, the Processor shall (i) notify the Controller without undue delay, and in any event within 72 hours of awareness, via the procurement-contact email registered under §4 (or, in its absence, the Atlassian Marketplace billing-account email), with dpo@cinderlab.io copied; (ii) provide information sufficient for the Controller to meet its obligations under GDPR Arts. 33 and 34; (iii) cooperate in investigating and mitigating the breach; and (iv) maintain its own internal record of all breaches in accordance with GDPR Art. 33(5).
8. Data Subject rights
The Processor will assist the Controller in fulfilling Data Subject rights requests under GDPR Chapter III:
- JSON export of mapping and configuration data within 15 business days on Controller request.
- Deletion of identified Data Subject records within the retry queue, audit log, and mapping tables within 30 calendar days on Controller request.
- Uninstallation triggers automated deletion per the §6 schedule.
If the Processor receives a request directly from a Data Subject, the Processor will forward it to the Controller without undue delay and will not respond except to acknowledge receipt and direct the Data Subject to the Controller.
9. Audit rights
The Controller (or an independent third-party auditor bound to confidentiality and selected by the Controller and reasonably acceptable to the Processor) may audit the Processor's compliance with this DPA on reasonable prior written notice (no less than 30 days), during business hours, no more frequently than once per calendar year — except where there is reasonable suspicion of a Personal Data breach affecting the Controller, a documented regulatory requirement compelling earlier audit, or a material change to processing activities, in which case audit may proceed on shorter notice. The Controller bears its own audit costs. In lieu of an on-site audit, the Processor may satisfy the obligation by providing SOC 2 Type II reports (when available), ISO 27001 certificates (when available), Sub-processor audit artefacts, and documented responses to the Controller's reasonable written questionnaires.
For 2026, as Threadmaker is a pre-certification vendor, audit cooperation takes the form of documented questionnaire responses plus the Sub-processor audit artefacts above.
10. Governing law and conflict
Polish law governs this DPA. The SCCs, where relied on, are governed by their own terms (Polish law). In case of conflict, the following order of precedence applies: (1) applicable data-protection law, (2) SCCs (cross-border transfers only), (3) this DPA, (4) the Terms of Service, (5) any other document.
11. Signed copy on request
This DPA is incorporated by reference into the Terms of Service and is binding without a separate signed counterpart. Where the Controller's procurement, legal, or DPO function requires a counter-signed paper or PDF counterpart, Threadmaker will provide one on request to dpo@cinderlab.io, prepared on the same terms as the version published at Threadmaker.dev/dpa, with both parties' details filled in and signed by the Processor's authorised signatory. Response within 5 business days.
12. Contact
Privacy / DSR / DPA / breach notification: dpo@cinderlab.io.
Postal address: CT Core, ul. Hoza 86/410, 00-682 Warsaw, Poland.