Skip to main content

Data Processing Addendum (DPA)

Effective Date: 31 Mar 2026
Last Updated: 31 Mar 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between AOBRAIN SYSTEMS SL (“Processor”, “Service Provider”, “we”) and the customer organization using EpicStory (“Customer”, “Controller”, “Business”).

Processor details
AOBRAIN SYSTEMS SL
NIF: B24833048
Avenida de Rius i Taulet, 13
Sant Cugat del Vallés, 08172
Barcelona, Spain

1. Purpose and scope

This DPA governs processing of personal data in connection with EpicStory for Jira Cloud.

This DPA applies to customer Jira data processed by EpicStory as processor/service provider and does not apply to direct support/contact interactions where AOBRAIN acts as controller under the Privacy Policy.

2. Roles

  • Customer is the controller/business for personal data contained in its Jira data.
  • AOBRAIN acts as processor/service provider when processing that data to provide EpicStory.

3. Processing instructions

We process personal data only:

  • on documented customer instructions through normal app use,
  • as required to provide EpicStory functionality,
  • or as required by applicable law.

4. Categories of data and processing

4.1 Data categories

Depending on customer Jira content and app usage, processing may include:

  • Jira issue content used for generation workflows (for example epic descriptions/prompts and generated output content)
  • technical tenant identifier (cloudId) used for per-tenant token limits/metering
  • Atlassian accountId used only for internal per-user token limits/access control

4.2 Data minimization commitments

  • Epic/issue content, including LLM input prompts and output content, is processed as transient runtime data in EpicStory frontend/backend execution and is not intentionally printed to app logs.
  • Epic/issue content, including LLM input prompts and output content, is not intentionally sent as telemetry.
  • cloudId is stored in Jira Forge KVS and sent to New Relic with token usage statistics and technical operation metadata.
  • accountId is stored only in Jira Forge KVS for per-user limits, is not intentionally printed to app logs, and is not intentionally sent outside the app.

5. Sub-processors and third parties

Current processing stack may include:

  • Atlassian (Jira Cloud/Forge platform)
  • AWS Bedrock (AI inference, when enabled by app configuration)
  • New Relic (observability/telemetry)

We require appropriate contractual and security commitments from sub-processors.

6. International transfers

Where personal data is transferred across borders, we apply legally required transfer safeguards.

This can become relevant where configured AI endpoints, telemetry infrastructure, or support/access workflows involve non-EEA locations.

7. Security measures

We maintain technical and organizational security measures appropriate to the nature of processing, including access controls, encryption in transit, and operational monitoring.

8. Retention and deletion

We retain personal data only as long as needed for service delivery, usage accounting, security operations, and legal obligations.

Upon termination, we delete or return personal data as required by the main agreement and applicable law, subject to legal retention requirements.

9. Data subject rights and assistance

To the extent required by law, we provide reasonable assistance so Customer can respond to data subject requests related to EpicStory processing.

10. Incident notification

We will notify Customer without undue delay after becoming aware of a confirmed personal data incident affecting EpicStory processing, consistent with legal and contractual requirements.

We will provide the information reasonably available to us at the time so Customer can assess notification and response obligations.

11. Contact

For DPA/privacy matters:

AOBRAIN SYSTEMS SL
NIF: B24833048
Avenida de Rius i Taulet, 13
Sant Cugat del Vallés, 08172
Barcelona, Spain
privacy@aobrain.com