Data Processing Addendum
This DPA applies where CodeTailor processes Customer Personal Data on a customer's behalf through AI Readiness & Content Hygiene Inspector for Confluence. It is written to fit the current Forge-based operating model rather than a broad generic SaaS stack.
1. Scope
This DPA forms part of the agreement between the customer and CodeTailor for the use of AI Readiness & Content Hygiene Inspector for Confluence when CodeTailor processes Customer Personal Data on the customer's behalf.
This DPA supplements the applicable order, the Atlassian standard end-user agreement adopted for the app, and the provider-specific terms published for the app. If there is a conflict about data protection obligations, this DPA controls for that subject matter.
2. Roles
For Customer Personal Data made available through the customer's use of the app, the customer acts as controller or business, as applicable, and CodeTailor acts as processor or service provider, as applicable.
CodeTailor may separately act as a controller for its own direct business communications, support administration, security reporting, legal compliance, and internal business records. Those controller activities are outside the processor scope of this DPA.
3. Processing Details
4. Customer Instructions
CodeTailor will process Customer Personal Data only on the customer's documented instructions as reflected in the agreement, the app configuration selected by the customer, and the customer's use of Confluence and the app.
If CodeTailor believes an instruction violates applicable data protection law, it may inform the customer before continuing that processing, unless prohibited from doing so by law.
5. Security Measures
The current security measures for the app include:
- runtime hosted on Atlassian Forge
- no external network egress for the current app runtime
- Forge hosted storage only for app state
- least-privilege app scopes aligned to documented functionality
- interactive admin validation in user context and app-user background continuation for queued scan reads
- limited logging that avoids page bodies, credentials, and unnecessary personal data
- vulnerability management and incident handling aligned with Atlassian Marketplace expectations
More specific public details are published in the security statement.
6. Subprocessors And Hosting Position
The app relies on Atlassian Confluence Cloud and Atlassian Forge as the host environment for the current runtime and hosted storage.
CodeTailor does not currently add additional third-party runtime or storage subprocessors outside Atlassian products and services for this app. If that changes materially, CodeTailor will update the public trust documentation accordingly.
7. Assistance
Taking into account the nature of the processing and the information available to CodeTailor, CodeTailor will provide reasonable assistance to the customer with data subject requests, security incidents, and compliance questions relating to the app's processor activities.
This assistance will be subject to reasonable confidentiality, feasibility, and proportionality limits, and may require the customer to provide enough detail to identify the relevant installation or dataset.
8. Deletion And Return
Customer data handled through the app is retained according to the documented app behavior and Atlassian Forge hosted-storage lifecycle.
In the current implementation, scan artifacts and findings use a 30-day TTL in Forge hosted storage, while policy settings and review decisions remain until changed by the customer or removed with installation data. After uninstall, Atlassian Forge retains hosted storage for a limited post-uninstall period documented by Atlassian as up to 28 days.
9. International Transfers
The app's current runtime avoids external network egress and stores app data in Forge hosted storage. Data residency behavior for that storage follows Atlassian Forge capabilities and Atlassian administrative controls.
If the app's architecture changes in a way that introduces additional external data-processing locations for in-scope app data, CodeTailor will update the relevant public trust material and any applicable contractual disclosures.
10. Contact
Questions about this DPA may be sent to support@codetailor.com.
The related agreement materials are published at Atlassian's standard agreement, provider-specific terms, privacy policy, and security statement.