ProductLog

Legal Data Processing Agreement

Data Processing Agreement

Updated 27 May 2026

This DPA forms part of the Terms of Service between JJ Online GmbH and you (the Customer) and is incorporated into the Terms of Service under § 18.2. Where this DPA and the Terms of Service diverge in respect of Personal Data processing on the Customer's behalf, this DPA controls.

Last updated: 27 May 2026 — Version 1.1

Preamble

Parties

The Processor:

JJ Online GmbH Schönhauser Allee 163, 10435 Berlin, Germany HRB 235074 B (Amtsgericht Berlin-Charlottenburg) USt-IdNr. DE351060880 Represented by: Andrius Gecius, Geschäftsführer (Managing Director) Phone: +49 151 12032902 Email: [email protected] (hereinafter "JJ Online", "we", "us", or "the Processor")

The Controller:

You — the natural or legal person identified as the Workspace Operator on the ProductLog Subscription, processing Personal Data through the ProductLog Service operated by JJ Online. (hereinafter "you", "the Customer", "the Workspace Operator", or "the Controller")

JJ Online and the Controller are collectively referred to as the "Parties" and individually as a "Party".

Recitals

(A) JJ Online operates ProductLog, a hosted SaaS workspace for changelog publishing, roadmap and feedback boards, surveys, knowledge-base hosting, broadcast email to End-Subscribers, and public-board rendering under custom domains (the "Service", as further defined in the Terms of Service at https://productlog.dev/legal/tos).

(B) In the course of using the Service, the Controller causes JJ Online to process certain Personal Data on the Controller's behalf within the meaning of Art. 4 (8) and Art. 28 GDPR and, where applicable, the UK General Data Protection Regulation (the "UK GDPR") and the Swiss Federal Act on Data Protection (the "FADP").

(C) The Parties wish to establish their respective rights and obligations under Art. 28 GDPR (and equivalent provisions of the UK GDPR and the FADP) in respect of this processing.

(D) This DPA is incorporated by reference into the Terms of Service and applies automatically upon Controller's acceptance of the Terms of Service. No separate signature is required; in the event the Controller requires a counter-signed version, the Controller may request one at [email protected].

Definitions

Unless otherwise defined in this DPA, terms used in this DPA have the meaning given to them in the GDPR. In addition:

  • "Data Protection Laws" means the GDPR, the UK GDPR, the FADP, the German Federal Data Protection Act (Bundesdatenschutzgesetz — BDSG), the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), and any other applicable data protection or privacy law as in force from time to time. (The German Digitale-Dienste-Gesetz (DDG), which implements the EU Digital Services Act, is platform-regulation law and is not part of this Data Protection Laws definition; any DDG obligation referenced in this DPA is referenced specifically by section where it applies.)
  • "Customer Personal Data" means Personal Data processed by JJ Online on the Controller's behalf in connection with the Service — namely the End-Subscriber records (subscriber email and name, locale, status, double-opt-in tokens), the End-Feedback-User records (author name and optional email, comment / post body, vote and reaction records, fingerprint hash), the public-board visitor analytics events (IP, User-Agent, session ID, subject reference, timestamp), the broadcast-email tracking (open / click events), and the outbound webhook delivery payloads insofar as they replay Personal Data of the foregoing categories. The Controller's Workspace Operator account data is not Customer Personal Data within the meaning of this DPA; JJ Online is the Controller of that data and processes it under the Privacy Policy.
  • "Sub-processor" means a third party that JJ Online engages to process Customer Personal Data on the Controller's behalf within the meaning of Art. 28 (4) GDPR. The current list of Sub-processors is set out in Annex C of this DPA; the Annex is the canonical source.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "EU-US Data Privacy Framework" or "DPF" means the data protection framework certified pursuant to Commission Implementing Decision (EU) 2023/1795 of 10 July 2023.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office and laid before Parliament on 2 February 2022.
  • "IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner's Office and laid before Parliament on 2 February 2022, in standalone form (i.e., not as the Addendum to the Commission SCCs).
  • "End-Subscriber" and "End-Feedback-User" have the meanings given in the Terms of Service.

1. Subject matter and scope

1.1. This DPA governs JJ Online's processing of Customer Personal Data on the Controller's behalf in connection with the Service. The detailed subject matter, nature, purpose, duration, types of Customer Personal Data and categories of Data Subjects are set out in Annex A.

1.2. The Controller is the controller and JJ Online is the processor of Customer Personal Data within the meaning of Art. 4 GDPR. JJ Online remains an independent controller for Personal Data it processes for its own purposes (Workspace Operator account management, billing, security, product analytics) — that processing is governed by the ProductLog Privacy Policy at privacy.en.md, not by this DPA.

1.3. This DPA does not apply to:

(a) JJ Online's processing of the Controller's own Workspace Operator account-holder data (name, email, billing details), for which JJ Online is the controller;

(b) Personal Data the Controller chooses to transmit to third-party services through the Service — specifically, where the Controller activates a customer-enabled outbound integration (Slack, Jira, Linear, or a generic outbound webhook to a destination of the Controller's choosing) and event payloads are relayed to the destination the Controller selected. For those onward transmissions JJ Online acts on the Controller's documented instruction, and the Controller is the controller of the resulting onward transfer — see § 10.5 below.

Customer freedom of choice — outbound integrations. The Controller is free to connect any of the outbound integrations offered in Annex C.2. The act of connecting an integration in the Controller's Workspace, supplying the relevant credentials, and selecting which events to relay constitutes the Controller's documented instruction under Art. 28 (3)(a) GDPR for the routing of event payloads to that destination. The Controller bears the Art. 6 and Art. 44–49 GDPR lawfulness analysis for the resulting transfer, including, where the destination is outside the EEA, the Art. 46 / 49 transfer-mechanism analysis applicable to that destination. JJ Online's role is limited to (i) offering the integration as an option in the Service, (ii) executing the configured relay on the Controller's instruction, and (iii) disclosing in Annex C.2 the fact of the integration and the destination category, so the Controller can compose its own Chapter V transfer analysis. JJ Online does not pre-vet a particular legitimate-interest / consent / contract-necessity basis for the Controller's choice of destination.

2. Duration

This DPA enters into force on the date the Controller accepts the Terms of Service and continues for the duration of the Controller's Subscription to the Service plus, where applicable, the residual retention periods set out in § 15 (End-of-contract treatment of data).

3. Nature and purpose of processing

JJ Online processes Customer Personal Data on the Controller's behalf solely for the purpose of providing the Service and the related operational functions (changelog rendering, broadcast-email delivery, public-board hosting, comment / vote / reaction acceptance and rendering, survey hosting, knowledge-base hosting, dashboards, exports, support). The detailed list of processing activities is set out in Annex A.

4. Type of Personal Data and categories of Data Subjects

The types of Customer Personal Data and the categories of Data Subjects are set out in Annex A. The Controller acknowledges that JJ Online cannot independently verify the categories of data that may appear in End-Feedback-User comments or feedback-post bodies, nor in the broadcast email content the Controller composes — the Controller is responsible for the lawfulness of the data it causes to be captured and processed by the Service, including the lawfulness of moderating or removing End-Feedback-User content that the Controller is not entitled to host.

5. Roles and responsibilities

5.1. Controller responsibilities. The Controller:

(a) is solely responsible for the lawfulness of the processing under Art. 6 GDPR and, where consent is required, for obtaining valid consent under Art. 7 GDPR — including the double-opt-in consent of each End-Subscriber for the dispatch of broadcast emails, and any cookie / terminal-storage consent required from End-Feedback-Users and other visitors of the Controller's public boards. The Controller further warrants that, where the Controller's public board (whether served from a ProductLog URL or under the Controller's custom domain) stores information on, or accesses information already stored on, the terminal equipment of a visitor located in the European Economic Area, the United Kingdom, or any other jurisdiction with an analogous rule — including any storage written by the embedded HelpCanvas chat widget that loads on every ProductLog-rendered page — the Controller has obtained the consent required by § 25 Abs. 1 TDDDG (Germany), Art. 5 (3) of Directive 2002/58/EC (ePrivacy Directive) as transposed by the relevant Member State, and any equivalent national rule applicable to the visitor (such as the UK PECR for UK visitors), in addition to any GDPR Art. 6 lawful basis required for the underlying processing. JJ Online is not the controller in respect of those § 25 TDDDG / ePrivacy / PECR consents and has no operational visibility into the Controller's consent-management system; the parties' Art. 28 GDPR allocation in this DPA is concluded on the basis of this warranty;

(b) is solely responsible for providing transparent information to Data Subjects under Arts. 13 and 14 GDPR in respect of the processing carried out through the Service — including, in the Art. 13 information presented to visitors of the Controller's public board, disclosure of the JJ Online HelpCanvas chat widget loaded on that surface (the relevant facts are set out in Annex C.3 so the Controller can copy them into its own visitor-facing notice);

(c) is responsible for ensuring that the Service is used in accordance with all applicable Data Protection Laws and that any onward transfer of Personal Data through the Service (in particular through a customer-enabled outbound integration under § 1.3 (b)) is itself lawful;

(d) warrants that the Controller has the legal right to provide JJ Online with the Customer Personal Data and to instruct JJ Online to process it as set out in this DPA — including, for the End-Subscriber list, the Controller's demonstrable double-opt-in consent record for each subscriber.

5.2. Processor responsibilities. JJ Online:

(a) processes Customer Personal Data only on documented instructions from the Controller as set out in § 6;

(b) implements the technical and organisational measures set out in Annex B;

(c) engages Sub-processors only in accordance with § 10;

(d) assists the Controller as set out in § 8, § 9, § 11, and § 12;

(e) returns or deletes Customer Personal Data as set out in § 15.

6. Processing on documented instructions

6.1. JJ Online processes Customer Personal Data only on documented instructions from the Controller. The Controller's instructions are set out in:

(a) this DPA, including its Annexes;

(b) the Terms of Service;

(c) the configuration settings the Controller selects in the Service — including, but not limited to, the publication of a public board, the configuration of subscriber double opt-in and unsubscribe behaviour, the moderation rules applied to End-Feedback-User submissions, the activation of broadcast email, the connection of outbound integrations (Slack, Jira, Linear, generic webhooks), and the Service plan tier selected by the Controller (which, together with § 15 and Annex A.9, determines the retention periods applicable within the per-category ceilings set out there);

(d) any subsequent written instructions issued by the Controller to [email protected] that JJ Online expressly accepts in writing; and

(e) the Processing Instructions Summary the Controller may request at any time from [email protected]. The Summary is generated by JJ Online from the Controller's account state at the time of the request and sets out, for the Controller's specific account: the active projects and public boards, the subscriber-list scope (number of active End-Subscribers per project, double-opt-in status), the broadcast-email pipeline configuration, the active outbound integrations (and therefore the destinations on the Controller's instruction under § 1.3 (b)), the Service plan tier selected (and the retention periods applicable to the Controller under Annex A.9 of this DPA as a result), the EU storage region applicable to the Controller's data, and any subsequent written instructions accepted under (d). JJ Online returns the Summary within five (5) business days of receipt. The Summary, read together with this DPA, constitutes the Controller's documented instructions under Art. 28 (3)(a) GDPR for the purposes of demonstrating compliance under Art. 5 (2). The structure of the Summary is set out in Annex A.8.

A counter-signed counterpart of this DPA with the Summary attached as Annex A.8 is available on request at no fee for any Controller whose procurement, audit, or regulatory process requires it. Request the counterpart at [email protected].

6.2. Essential / non-essential means split (EDPB Guidelines 07/2020 ¶ 38). The Controller determines the essential means of processing — the categories of data, the categories of Data Subjects, the duration of retention, and the recipients of the data — through the instructions enumerated at § 6.1 (a)–(d). JJ Online determines, in its capacity as Processor, the non-essential (technical) means — including the choice of EU-located storage infrastructure (OVH France for the application database, AWS SES eu-central-1 Frankfurt for broadcast email delivery), the rich-text rendering pipeline, the server-side SHA-256(IP | User-Agent) fingerprint computation for the one-vote / one-reaction / one-survey-response enforcement on public boards, the self-hosted Altcha proof-of-work challenge on signup and public-form submissions, the broadcast-pipeline architecture, and the application-layer rate-limiting configuration. The non-essential means JJ Online determines constitute Art. 32 GDPR technical and organisational measures and do not displace the Controller's authority over the essential means.

6.3. JJ Online informs the Controller without undue delay if it believes that an instruction infringes Data Protection Laws.

6.4. No use of Customer Personal Data for JJ Online's own purposes or third-party commercial purposes. JJ Online does not process Customer Personal Data for any purpose other than the performance of the Service for the Controller. Without limiting the foregoing, JJ Online:

(a) does not use Customer Personal Data — whether in identified, pseudonymised, hashed, or aggregated form — to train, fine-tune, evaluate, benchmark, or otherwise develop any artificial-intelligence, machine-learning, or large-language model, including the construction of model weights, embeddings, retrieval-augmented-generation indexes, evaluation datasets, or any other derived dataset;

(b) does not use Customer Personal Data for advertising, profiling, look-alike audience-building, ad targeting, or audience-segment enrichment;

(c) does not sell, sub-license, syndicate, or otherwise make Customer Personal Data available to data brokers, analytics networks, advertising networks, or any other third party for that third party's own purposes;

(d) does not reuse Customer Personal Data for any other secondary purpose that is not strictly necessary to deliver the Service to the Controller.

JJ Online's Sub-processors are bound to equivalent prohibitions under their respective Art. 28 (4) GDPR contracts (see § 9 and Annex C); the prohibitions in this § 6.4 form part of those flow-down obligations.

6.5. JJ Online may process Customer Personal Data outside the scope of § 6.4 only where required to do so by Union or Member State law to which JJ Online is subject. In that case, JJ Online informs the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

6.6. AI-assisted features — EU AI Act forward-looking commitment. The Service does not currently include AI-assisted features within the meaning of Regulation (EU) 2024/1689 (the "EU AI Act"); the § 6.4 (a) prohibition on training, fine-tuning, evaluating, benchmarking, or otherwise developing artificial-intelligence or machine-learning models with Customer Personal Data continues to apply. The AI-translated public-board content feature documented in the ProductLog product vision is not yet built in code and is documented in Annex C.6 as a planned feature. Where JJ Online introduces an AI-assisted feature into the Service in the future, JJ Online will, in addition to the § 6.4 (a) prohibition continuing to apply:

(a) classify the feature under the EU AI Act risk-classification framework (prohibited practice / high-risk / limited-risk / minimal-risk) and disclose the classification to the Controller as part of the § 20.4 update;

(b) provide the transparency information required by Art. 50 EU AI Act for limited-risk systems (and any corresponding higher-risk regime where applicable), in a form that the Controller can pass through to its own Data Subjects where relevant;

(c) disclose any provider / deployer split between JJ Online and the Controller for the feature, taking into account that JJ Online is the deployer of any model embedded in the Service while the Controller is the deployer of any feature it activates in respect of its own Data Subjects; and

(d) update this DPA under § 20.4 to reflect any AI-Act-driven changes to the processing, including (where applicable) updates to Annex A, Annex B, Annex C, and the § 20.4 (i)–(xi) presumptive-materiality list.

This § 6.6 is forward-looking and does not authorise JJ Online to introduce AI-assisted features without the § 20.4 update process; it sets out the substance of that update so the Controller can anticipate the disclosures that will follow.

7. Confidentiality

7.1. JJ Online ensures that persons authorised to process Customer Personal Data are bound by an obligation of confidentiality, whether by contract or other appropriate means. The binding rests on the contractual obligations in their employment or contractor agreements, supplemented by training.

7.2. JJ Online restricts access to Customer Personal Data to personnel who require such access to perform their duties under the Service.

7.3. Personnel instruction binding (Art. 32 (4) GDPR). JJ Online takes steps to ensure that any natural person acting under JJ Online's authority who has access to Customer Personal Data does not process that data except on documented instructions from the Controller (as set out in § 6.1), unless that person is required to process the data otherwise by Union or Member State law. Where Union or Member State law requires such processing otherwise than on the Controller's instructions, JJ Online informs the person concerned of the obligation and, in the same circumstances, informs the Controller as set out at § 6.5, unless that law prohibits such notification on important grounds of public interest. The steps JJ Online takes to give effect to this § 7.3 include, without limitation, (a) the confidentiality binding at § 7.1, (b) the least-privilege access restriction at § 7.2 and Annex B.1, (c) the personnel measures at Annex B.7 (confidentiality obligations and background screening), and (d) ongoing data-protection training. This § 7.3 is set out separately from § 7.1 and § 7.2 in order to give explicit effect to Art. 32 (4) GDPR alongside the Art. 28 (3)(b) GDPR confidentiality duty at § 7.1.

8. Security of processing (Art. 32 GDPR)

8.1. JJ Online implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex B. These measures include, in particular:

(a) pseudonymisation and encryption of Customer Personal Data where appropriate;

(b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of those measures.

8.2. JJ Online assesses the appropriate level of security taking account of the risks presented by processing — in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

8.3. JJ Online may update Annex B from time to time to reflect changes in the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, or new identified risks. JJ Online notifies the Controller of any material reduction in the measures set out in Annex B before the change takes effect.

8.4. Known TOM gaps disclosed under Art. 5 (1)(a) GDPR transparency. The current TOM posture set out in Annex B includes a small number of items below the protection level JJ Online would want to claim. These are disclosed here so the Controller can take them into account in its Art. 32 GDPR assessment and in any DPIA the Controller may carry out under Art. 35 GDPR:

(a) Plaintext customer-supplied outbound-integration credentials at rest — the Slack webhook URL, Jira API token, and Linear API key supplied by the Workspace Operator are stored as plaintext in the application database. Column-level (envelope) encryption is a pending product item; today, operational staff with database access could in principle read these credentials. See Annex B.1 for the live measures and Annex B.5 (pending TOMs) for the remediation status;

(b) Plaintext IP and User-Agent on public-board analytics events — hashing at the storage layer is under consideration; today these fields are stored in plaintext within the active retention window;

(c) Indefinite retention of outbound webhook delivery payloads — TTL + purge job (target 30 calendar days) is a pending product item;

(d) No hard-delete job today — across the affected records (operator accounts, organisations, projects, changelog entries, feedback posts), deletion is soft-delete only. Art. 17 GDPR erasure is technically incomplete until the hard-delete job is built;

(e) No per-tenant audit log of Workspace Operator actions (role changes, integration-credential updates, deletions, exports) — accountability under Art. 5 (2) GDPR is therefore limited until per-tenant audit logging ships;

(f) JWT access token in localStorage — the access token is readable by any JavaScript on productlog.dev, including the embedded HelpCanvas widget. Migration to an HttpOnly + Secure cookie is a pending product item.

These items are concrete remediation targets, not aspirational generalisations; their remediation status is reportable on audit-information request under § 14.1 (d). Their persistence beyond the next material § 20.4 update would trigger a presumptive § 20.4 (v) TOM-reduction notification.

9. Sub-processor engagement (Art. 28 (2) GDPR)

9.1. General authorisation. The Controller grants JJ Online general written authorisation to engage Sub-processors for the processing of Customer Personal Data, subject to the conditions set out in this § 9.

9.2. Current Sub-processors. The current list of Sub-processors engaged by JJ Online is set out in Annex C, which is the canonical list maintained as part of this DPA. Updates to Annex C are republished as part of an updated version of this DPA and are notified to the Controller as set out at § 9.3.

9.3. Notification of changes. JJ Online notifies the Controller at least 30 calendar days in advance of any intended addition or replacement of a Sub-processor. The notification is delivered through two parallel channels:

(a) Primary channel — email to the address registered to the Controller's ProductLog account; and

(b) Secondary channel — in-product notification displayed in the Controller's ProductLog dashboard (e.g. a persistent banner, notification-centre entry, or equivalent in-product surface) which remains visible to administrator users of the Controller's account until acknowledged.

Both channels carry the same notification content and the same effective date. The 30 calendar day objection period under § 9.4 starts to run on the later of (i) the date the email was sent under (a) and (ii) the date the in-product notification first became visible to an administrator user of the Controller's account; if email delivery to the registered address fails (e.g. hard bounce, mailbox-full reject) and JJ Online cannot reach the Controller through a known alternative contact, the in-product surface controls. Annex C of the then-current version of this DPA is updated in parallel to reflect the change.

The notification obligation extends to changes in a Sub-processor's sub-sub-processing chain that introduce a new processing location (e.g. a new third country) or a new category of recipient (e.g. a new corporate group outside the existing Sub-processor's group); it does not extend to purely internal reassignments of processing within a Sub-processor's corporate group that do not introduce a new processing location or a new category of recipient and that do not materially change the lawful-transfer mechanism applied.

9.4. Right to object. The Controller has the right to object to the intended change on reasonable grounds related to the protection of Customer Personal Data within 14 days of receiving the notification under § 9.3 (with the 14-day clock anchored as set out in § 9.3). If the Controller raises a reasoned objection, the Parties cooperate in good faith to identify a solution. The Controller may, at its option, elect any of the following remedies:

(a) Termination with pro-rata refund. The Controller may terminate the affected portion of the Service in accordance with the Terms of Service § 22 before the change takes effect, with pro-rata refund of any pre-paid fees attributable to the unused portion of the affected period;

(b) Alternative Sub-processor. The Controller may require JJ Online to engage a different Sub-processor in place of the proposed Sub-processor. JJ Online will not refuse such a request where an alternative is available within the same functional category of service (Annex C category) at no more than 25 % incremental cost to JJ Online relative to the proposed Sub-processor and the swap can be completed within 90 calendar days of the request, taking into account reasonable engineering and migration effort on JJ Online's side. Refusal is permitted only where (i) no alternative meeting the 25 % incremental-cost ceiling is available within the same functional category, or (ii) the swap cannot be completed within 90 calendar days (or such longer period as the Parties agree in writing), or (iii) the alternative would itself give rise to a separate protection-of-Customer-Personal-Data concern reasonably comparable to the one underlying the Controller's objection. Where JJ Online refuses, JJ Online provides the Controller with a written reasoned statement identifying which of (i), (ii), or (iii) is engaged and the specific facts JJ Online relies on; the Controller may then elect remedy (a) or remedy (c). Any disagreement on whether the 25 % or 90-day thresholds are met is resolved in the Controller's favour where there is reasonable doubt; or

(c) Accept the change. The Controller may withdraw the objection and accept the change.

The Controller's failure to elect a remedy under (a), (b), or (c) within 30 calendar days of the Parties acknowledging in writing that no good-faith solution under the second sentence of this § 9.4 has been reached is treated as election of remedy (c). The choice of remedies in this § 9.4 is without prejudice to any data-subject rights under Art. 77 or Art. 79 GDPR, and without prejudice to any supervisory-authority action under Art. 58 GDPR.

9.5. Sub-processor obligations. JJ Online imposes data protection obligations on each Sub-processor that are no less protective than those imposed on JJ Online under this DPA, by way of a written contract. JJ Online remains fully liable to the Controller for any failure of a Sub-processor to fulfil its data protection obligations, except where the Sub-processor's failure is caused by the Controller's instructions or the Controller's own breach.

10. International data transfers (Art. 44–49 GDPR)

10.1. Primary processing location. Customer Personal Data is primarily processed within the European Economic Area:

(a) The main application infrastructure (dashboard, API, primary database, image-upload storage for changelog rich-text content) is hosted on OVH SAS infrastructure in France (Roubaix / Gravelines / Strasbourg).

(b) Broadcast email and transactional email to End-Subscribers and Workspace Operators is dispatched through AWS SES, eu-central-1 (Frankfurt) (Amazon Web Services EMEA SARL, Luxembourg, as the contracting entity). The mail-dispatch layer does not route to non-EU SES endpoints; all outbound email from the Service is dispatched from the Frankfurt region.

(c) Public boards and the marketing website are fronted by Cloudflare (Cloudflare, Inc., US-headquartered, with global edge nodes including in the EU). Cloudflare terminates TLS at the edge and forwards requests to the EU backend; Cloudflare also serves the CF-IPCountry geolocation header used for country-level routing decisions on public boards.

(d) Image uploads for changelog and feedback rich-text content are stored on the OVH France local filesystem. There is no S3, R2, or Spaces object-store Sub-processor for image uploads.

10.2. Necessary transfers outside the EEA. Notwithstanding § 10.1, JJ Online transfers Customer Personal Data outside the EEA in the following narrow flows:

(a) Cloudflare, Inc. (United States HQ) holds the contracting and operational backbone for the Cloudflare edge network. While requests from EEA visitors are typically served from EU edge nodes, the contracting entity and a subset of the operational and support functions are in the US;

(b) AWS EMEA SARL corporate-group access by Amazon Web Services, Inc. (United States) for parent-company support and infrastructure operations, although the actual SES processing region is eu-central-1 (Frankfurt);

(c) Customer-enabled outbound integrations that route event payloads to non-EEA destinations (Slack Technologies LLC in the United States; Atlassian Pty Ltd in Australia, with US sub-processing; Linear Orbit, Inc. in the United States; generic outbound webhooks where the Controller's chosen destination is outside the EEA) — these onward transfers are made on the Controller's instruction under § 1.3 (b) and § 10.5, and the Controller is responsible for the lawfulness of the onward transfer.

10.3. Transfer mechanism. For each transfer outside the EEA, JJ Online relies on one of the following mechanisms, layered as required by EDPB Recommendations 01/2020:

(a) EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) for Sub-processors that are self-certified under the DPF;

(b) Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor-to-processor), for any transfer where the DPF does not apply, supplemented by technical and organisational measures appropriate to the destination country, including in particular the encryption-in-transit and encryption-at-rest measures in Annex B and the Sub-processor government-access-notification commitments at § 10.6;

(c) For transfers under UK GDPR, the UK Addendum to the SCCs as the default mechanism, or — at the Controller's election — the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office and laid before Parliament on 2 February 2022, in standalone form. The default election is the UK Addendum (which preserves the Commission SCCs as the underlying instrument and reduces drafting fragmentation across the EEA and UK transfer chains); a Controller who prefers the standalone IDTA may notify JJ Online in writing at [email protected], in which case the Parties incorporate the IDTA in place of the UK Addendum for transfers under UK GDPR;

(d) For transfers under the Swiss FADP, the SCCs read with the Swiss-specific amendments published by the Federal Data Protection and Information Commissioner.

10.4. Sub-processor list — canonical source. The canonical Sub-processor list is Annex C of the then-current version of this DPA. Changes to the list are notified to the Controller under § 9.3 and reflected in an updated version of this DPA published at https://productlog.dev/legal/dpa.

10.5. Onward transfers by Customer-instructed integrations. Where the Controller connects a customer-enabled outbound integration that itself transfers data outside the EEA (Slack in the US, Atlassian Jira in Australia + US sub-processing, Linear in the US, or a generic webhook to a non-EEA destination chosen by the Controller), JJ Online is acting on the Controller's instruction under § 1.3 (b). The Controller is the controller of the resulting onward transfer and is solely responsible for ensuring that the chosen destination is lawful under Arts. 44–49 GDPR for the Controller's particular use case, including for any Art. 46 transfer mechanism the Controller must put in place with its chosen integration provider. JJ Online identifies in Annex C.2 which integrations are non-EEA destinations, to assist the Controller's assessment; JJ Online does not itself enter into an Art. 28 GDPR contract with the integration provider for the Controller's onward transfer.

10.6. Government-access transparency. JJ Online publishes, where any government-access request affecting Customer Personal Data has been received, an annual transparency report at the next material policy revision. As at the version date of this DPA, no government-access request affecting Customer Personal Data has been received. JJ Online's Sub-processors are contractually required (through their own DPAs or terms) to notify JJ Online of any government-access request, except where prohibited by applicable law; JJ Online's own commitment to challenge prohibitions on notification through legally available channels is recorded at § 14.4 (c).

11. Assistance with Data Subject requests (Art. 12–22 GDPR)

11.1. JJ Online provides reasonable assistance to the Controller, by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests from Data Subjects exercising their rights under the GDPR, including the rights of access, rectification, restriction, erasure, portability, and objection.

11.2. Direct Data Subject contacts. If a Data Subject (typically an End-Subscriber or End-Feedback-User) contacts JJ Online directly with a request relating to Customer Personal Data, JJ Online forwards the request to the Controller without undue delay and does not otherwise respond to the Data Subject, except to acknowledge receipt and inform the Data Subject that the request has been forwarded to the Controller.

11.3. In-product self-service. Where the Service provides built-in tooling for the Controller to satisfy Data Subject requests directly — for example, per-project subscriber-list export (CSV / JSON), feedback-post and comment moderation, End-Subscriber one-click unsubscribe via the unsubscribe link in every broadcast, deletion of a feedback post or comment from the Workspace Operator's moderation queue — the Controller is expected to use those tools as the first-line response. JJ Online's manual assistance is available where the in-product tooling is insufficient.

11.4. Cost. Manual assistance beyond what is reasonably available through the in-product tooling may be charged at JJ Online's reasonable cost, except where the Service's documented capabilities should have been sufficient to satisfy the request.

12. Personal Data breaches (Art. 33–34 GDPR)

12.1. JJ Online notifies the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting Customer Personal Data. This processor-side window is deliberately set inside the Controller's own Art. 33 (1) GDPR 72-hour notification window so that the Controller has meaningful time to assess and to notify the competent supervisory authority on the Controller's own clock. JJ Online treats this 24-hour ceiling as a firm operational commitment, not a target.

12.2. The notification at least:

(a) describes the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and data records concerned;

(b) communicates the name and contact details of JJ Online's point of contact for the breach (the email [email protected] is the default; for severe incidents JJ Online may direct the Controller to a specific incident contact);

(c) describes the likely consequences of the breach;

(d) describes the measures JJ Online has taken or proposes to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

12.3. Where the information cannot be provided at the same time, the information may be provided in phases without undue further delay.

12.4. JJ Online does not notify supervisory authorities or Data Subjects on behalf of the Controller — that obligation under Arts. 33 (1) and 34 GDPR rests with the Controller. JJ Online provides the Controller with the information needed to make those notifications.

13. DPIA and prior consultation (Art. 35–36 GDPR)

JJ Online does not charge for assistance under Art. 28 (3)(f) GDPR. JJ Online provides reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required under Arts. 35 and 36 GDPR. The Art. 28 (3)(f) GDPR duty to provide such assistance — taking into account the nature of processing and the information available to JJ Online — is treated as a mandatory and unqualified processor obligation and is performed at no charge to the Controller. This no-charge rule applies to the full scope of Art. 28 (3)(f) assistance, regardless of how the Controller's request is framed or how many iterations of clarification it requires.

Standard documentary assistance (no charge). JJ Online provides as standard, on Controller request: (a) this DPA, (b) Annex B (TOMs), (c) Annex C (Sub-processor list), (d) the ProductLog Privacy Policy and Cookie Policy, (e) the per-account Processing Instructions Summary under § 6.1 (e) and Annex A.8, and (f) the per-recipient transfer-mechanism summaries referenced in § 10. These documents together are designed to cover the typical Art. 35 (7) DPIA elements (description of processing, necessity-and-proportionality assessment inputs, risk assessment inputs, safeguards).

Reasonable additional assistance (no charge). Where the Controller's DPIA or Art. 36 prior-consultation reasonably requires assistance specifically directed at the Controller's deployment of the Service that goes beyond the standard documentation — for example, written responses to a finite set of clarification questions, a walk-through of a specific TOM, or a written confirmation of a specific configuration fact — JJ Online provides that assistance at no charge, as part of its Art. 28 (3)(f) GDPR obligation.

Engagements outside the scope of Art. 28 (3)(f). Charges may be applied only for engagements that are not Art. 28 (3)(f) GDPR assistance — that is, for work the Controller commissions from JJ Online that goes beyond the processor's statutory DPIA-assistance duty.

The Art. 28 (3)(f) duty is anchored on the underlying factual disclosure, not on the output framework. The factual disclosure of what Customer Personal Data JJ Online processes, where, under what TOMs, through which Sub-processors, and with which transfer mechanisms is the same disclosure whether the Controller is producing the output for a GDPR DPIA, a UK GDPR DPIA, a Swiss FADP impact assessment, an ISO 27001 control narrative, a SOC 2 / HITRUST attestation, or a non-GDPR regime such as HIPAA, CCPA, LGPD, or PIPL. JJ Online does not charge for that underlying factual disclosure, regardless of the regulatory frame the Controller intends to use it in — to the extent the substance of the assistance is the § 14.1 (a)–(e) audit-information set, the Annex A / Annex B / Annex C content of this DPA, the § 10 transfer analysis, the § 6.1 (e) Processing Instructions Summary, or any reasonable clarification of those, it is Art. 28 (3)(f) assistance and is provided at no charge.

Charges may be applied only for the incremental value-add that is genuinely outside the § 14.1 (a)–(e) factual-disclosure surface — namely:

(a) bespoke security audits commissioned by the Controller that go beyond the § 14.2 audit cooperation already provided at no incremental charge;

(b) custom written attestation / control narrative work that JJ Online produces for the Controller's framework filing (for example, ghost-writing a SOC 2 sub-processor control narrative or an ISO 27001 Annex A.15 control statement), as opposed to the underlying factual disclosure;

(c) legal-regime mapping work that goes beyond stating the factual position — e.g., a written legal opinion that the JJ Online TOMs satisfy a specific HIPAA Security Rule administrative safeguard, a CCPA "service provider" warranty, an LGPD "operator" warranty, or a PIPL "entrusted processing" warranty, as opposed to merely disclosing the underlying TOM facts.

Whether a particular request falls inside or outside Art. 28 (3)(f) is decided in the Controller's favour where there is reasonable doubt — in particular, where a Controller is itself subject to a regulatory regime outside the GDPR / UK GDPR / FADP scope and the request can be satisfied by the factual disclosure surface above, it is Art. 28 (3)(f) assistance and is provided at no charge regardless of the framework the Controller is producing the output for. Any chargeable outside-scope engagement is quoted in writing before work begins, is at JJ Online's reasonable cost, and the Controller has the option to decline. Declining a chargeable outside-scope engagement does not waive or reduce JJ Online's Art. 28 (3)(f) obligation in respect of the underlying DPIA, prior consultation, or factual disclosure.

14. Audit rights (Art. 28 (3)(h) GDPR)

14.1. Audit information. JJ Online makes available to the Controller, upon written request, the information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR and in this DPA. The standard form of audit information is:

(a) this DPA, including its current Annexes;

(b) the ProductLog Privacy Policy and Cookie Policy;

(c) the current Sub-processor list (Annex C);

(d) summaries of any independent third-party audit reports JJ Online holds in respect of the Service infrastructure (where available — the Service is not currently SOC 2 / ISO 27001 certified; JJ Online provides equivalent self-assessment summaries on request, including the remediation-status reports for the § 8.4 TOM gaps);

(e) Art. 28 (3)(a) instruction record — for the Controller's account, the timestamped record of the Processing Instructions Summary versions previously issued under § 6.1 (e) and Annex A.8. JJ Online produces this record on Controller or supervisory-authority request as the Art. 5 (2) accountability evidence for the Controller's documented instructions.

14.2. On-site audit. Where the standard audit information set out in § 14.1 is insufficient to demonstrate compliance, the Controller (or an independent auditor mandated by the Controller and acceptable to JJ Online, acting reasonably) may carry out audits, including inspections, at JJ Online's premises, on the following conditions:

(a) audits take place no more than once in any rolling twelve-month period as a default (this default does not curtail the Controller's Art. 28 (3)(h) GDPR right and is subject to (i)–(iii) below). Additional audits within the same rolling twelve months may be conducted where the Controller demonstrates a reasoned need related to the protection of Customer Personal Data — without limitation, where (i) a material personal data breach affecting Customer Personal Data has occurred, (ii) a competent supervisory authority has issued an instruction, request, or order to the Controller or to JJ Online that reasonably requires a further audit, or (iii) the Controller has identified a specific finding (whether from a prior audit, from the standard audit information under § 14.1, from a sub-processor disclosure, from a supervisory-authority action against JJ Online or another customer, or from an external source) the verification of which reasonably requires a recurrent audit. JJ Online will not refuse a recurrent audit request supported by such a reasoned need, and any disagreement on whether the threshold is met is resolved in the Controller's favour where there is reasonable doubt;

(b) the Controller gives at least 30 calendar days' written notice of the audit;

(c) audits are conducted during JJ Online's normal business hours and in a manner that does not unreasonably interfere with JJ Online's business operations;

(d) the auditor is bound by appropriate confidentiality obligations covering the audit process and findings;

(e) the Controller bears its own audit costs; JJ Online bears its own internal costs of cooperating with the audit;

(f) the audit does not extend to information concerning other JJ Online customers, infrastructure or commercial information not relevant to the audit's stated purpose, or any data not relating to the Controller. Where JJ Online proposes to withhold a particular piece of information on the basis of this paragraph, JJ Online identifies the withheld item with sufficient specificity for the Controller to assess the withholding, and any disagreement on whether the item is relevant to the audit's stated purpose is resolved in the Controller's favour where there is reasonable doubt.

14.3. Sub-processor audits. Where the Controller's audit right reasonably extends to a Sub-processor, JJ Online either (a) provides the relevant Sub-processor audit information from its own records, or (b) on reasonable request assists the Controller in exercising any audit rights the Sub-processor's own DPA with JJ Online provides.

14.4. Cooperation with supervisory authorities — including the Controller's lead authority under Art. 56 GDPR. JJ Online cooperates, on request, with any competent supervisory authority in relation to JJ Online's processing of Customer Personal Data under this DPA. The competent supervisory authority is not limited to the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) as JJ Online's own lead under Art. 56 (1) GDPR (and as designated for Annex I to the SCCs at Annex D.2). In particular, where the Controller has cross-border processing within the meaning of Art. 4 (23) GDPR and a lead supervisory authority of its own designated under Art. 56 (1) GDPR, JJ Online:

(a) cooperates with that Controller-lead authority, and with any concerned supervisory authority within the meaning of Art. 4 (22) GDPR acting through the Art. 60 GDPR one-stop-shop mechanism, on requests reasonably related to JJ Online's processing of that Controller's Customer Personal Data — without requiring the request to be routed first through BlnBDI;

(b) provides to that authority, on reasonable request and subject to applicable confidentiality obligations, the same categories of audit information set out in § 14.1 (a)–(e), and the same on-site-audit cooperation as at § 14.2, that would be available to the Controller itself; and

(c) notifies the Controller in writing without undue delay of any direct contact, request, instruction, or order that JJ Online receives from a supervisory authority concerning the processing of that Controller's Customer Personal Data, unless the authority's instruction or applicable law prohibits such notification on important grounds of public interest. Where JJ Online is so prohibited, JJ Online challenges the prohibition through legally available channels and notifies the Controller as soon as the prohibition is lifted.

This § 14.4 does not displace BlnBDI's role as JJ Online's lead supervisory authority for SCC-Annex-I purposes under Annex D.2, and does not displace the Controller's own duty to engage directly with its lead authority. It is a parallel cooperation channel intended to give effect to the one-stop-shop mechanism of Arts. 56 and 60 GDPR in respect of JJ Online's processor-side cooperation duty under Art. 28 GDPR.

15. End-of-contract treatment of data (Art. 28 (3)(g) GDPR)

15.1. Upon termination of the Controller's Subscription, JJ Online, at the Controller's choice exercised within 30 calendar days of termination:

(a) returns Customer Personal Data to the Controller in a structured, commonly used and machine-readable format through the Service's export tooling (per-project content APIs deliver changelog entries, subscriber lists, and survey responses in CSV / JSON form). The Controller exercises the return option by initiating, and completing, the export via the Service's export tooling within the 30-calendar-day window. After the 30-calendar-day window has elapsed, the return option is extinguished and JJ Online proceeds with deletion under (b); or

(b) deletes Customer Personal Data in the production systems.

Extension on reasoned request. Where the Controller has notified JJ Online in writing within the 30-calendar-day window that the Controller has elected the return option but reasonably requires additional time to complete the export, JJ Online and the Controller agree in good faith on a reasonable extension, not exceeding a further 30 calendar days save in exceptional circumstances. Until the extension expires, the return option is not extinguished and deletion under (b) is suspended.

15.2. Default behaviour and 30-day grace. If the Controller does not exercise the return option within the 30-calendar-day window in § 15.1 (or within any extension agreed under § 15.1), Workspace Content is retained for the 30-day grace period set out in the Terms of Service § 22.4 to allow re-Subscription, then JJ Online proceeds with deletion under § 15.1 (b) without further notice or instruction from the Controller. Where the Controller has expressly indicated a wish to abandon the data and proceed immediately to deletion, JJ Online honours that instruction and skips the grace period.

15.3. Backups. Customer Personal Data may remain in JJ Online's encrypted backups for the residual period of the backup-rotation policy adopted under § 15.3 (a) below before being overwritten by the rotation cycle. During that residual period, the data is not actively processed and exists only as a frozen disaster-recovery snapshot. The combination of a short rolling window, the absence of active processing during that window, and the re-erasure-on-restore step described at § 15.3 (b) is consistent with established supervisory-authority practice on backups under Art. 17 (1) / (3) GDPR.

(a) Backup-rotation policy. A documented backup-rotation policy with a target rolling 14-calendar-day window — matching the policy applied across other JJ Online products — is a pending product item; until it is documented and put in place, this DPA's commitment is to apply the rotation window that the policy specifies once adopted, and to notify the Controller under § 20.4 (v) of the rotation parameters at adoption.

(b) Re-erasure-on-restore. If JJ Online restores from a backup that pre-dates an erasure request received from the Controller or a Data Subject, the original erasure is re-applied to the restored data within 72 hours of the restore completing — and, where the restore brings the system back online for active processing, before the restored system is opened to user or Controller traffic — so that erased Customer Personal Data is not reintroduced into active processing. The 72-hour ceiling is the outer audit commitment; in normal operation the re-erasure replay runs as the first scripted step after the restore. The erasure log lives outside the backup chain so it survives the restore.

(c) Backup register. JJ Online maintains an internal backup register documenting the in-scope systems (application database and image-upload local filesystem, both on OVH France), the rotation policy, the storage location, the access controls, and the re-erasure runbook. The re-erasure runbook itself, the backup register, and the per-restore records (timestamp restore completed; timestamp erasure-log replay completed; confirmation that no user or Controller traffic was admitted to the restored system between the two) are subject to the audit right under § 14 and are produced on Controller or supervisory-authority request as part of the standard audit-information set under § 14.1.

15.4. Statutory retention. Notwithstanding § 15.1–15.3, JJ Online may retain Customer Personal Data where retention is required by Union or Member State law, in particular under German tax and accounting law (§ 147 AO and § 257 HGB, each as amended from time to time, and the corresponding VAT-invoice retention rules under § 14b UStG). The retention periods applicable under those provisions at the version date of this DPA are eight years for invoices and accounting documents (§ 147 Abs. 3 AO; § 257 Abs. 4 HGB, post-Bürokratieentlastungsgesetz IV in force 1 January 2025) and ten years for books, annual statements and consolidated accounts (anchored at the end of the calendar year). Such retained data is not actively processed beyond what is necessary for the statutory retention purpose.

16. Records of processing (Art. 30 (2) GDPR)

JJ Online maintains a written record of all categories of processing activities carried out on the Controller's behalf and makes that record available to the Controller and to supervisory authorities on request, as required by Art. 30 (2) GDPR. The record contains the Art. 30 (2)(a)–(d) elements as follows:

(a) Name and contact details of the processor and of each controller on whose behalf the processor is acting, and where applicable of any processor's representative and the data protection officer — JJ Online's identity and contact are in the Preamble and Annex E; the Controller is identified by the account record held on the Controller's behalf; JJ Online has no representative under Art. 27 GDPR (controller and processor both established in the EEA); JJ Online has not appointed a DPO under § 38 Abs. 1 BDSG (see Annex E).

(b) Categories of processing carried out on behalf of each controller — set out in Annex A (in particular Annex A.3 nature/purpose and Annex A.4 data categories).

(c) Where applicable, transfers of personal data to a third country or international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Art. 49 (1), the documentation of suitable safeguards — set out in § 10 and Annex C (Sub-processor location and transfer mechanism per Sub-processor) and Annex D (SCC incorporation and supplementary measures).

(d) Where possible, a general description of the technical and organisational security measures referred to in Art. 32 (1) — set out in Annex B.

The Annexes A, B, C and D are therefore the constitutive content of the Art. 30 (2) record for the Service.

17. Liability

17.1. The liability of each Party under this DPA is subject to the liability provisions of the Terms of Service §§ 19 and 20.

17.2. Mandatory non-excludable liability. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law. This includes, without limitation:

(a) Art. 82 GDPR (right to compensation of the Data Subject) — the cap and any limitation in this § 17 does not apply to JJ Online's liability under Art. 82 GDPR for damage caused to Data Subjects by JJ Online's own processing in breach of the GDPR, to the extent the cap would impair the effet utile of Art. 82;

(b) § 309 Nr. 7 BGB and the Kardinalpflichten line of case law — under the standards of § 309 Nr. 7 Buchst. a und b BGB read with § 307 Abs. 1 und Abs. 2 Nr. 1 und Nr. 2 BGB (which the BGH applies to B2B AGB through the Indizwirkung of §§ 308 / 309 BGB), the cap and any limitation in this § 17 does not apply to (i) injury to life, body or health (Körper- und Gesundheitsschäden), (ii) damage caused by intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit) on the part of JJ Online or its legal representatives or vicarious agents (Erfüllungsgehilfen), or (iii) breach of a cardinal contractual duty (Kardinalpflicht / vertragswesentliche Pflicht — a duty whose fulfilment is essential to the proper performance of this DPA and on whose fulfilment the Controller may regularly rely); in the cardinal-duty case where the breach is by simple negligence, JJ Online's liability is not unlimited but is capped at the foreseeable damage typical for this type of contract (der vorhersehbare, vertragstypische Schaden) under the standard BGH formulation;

(c) German Product Liability Act (Produkthaftungsgesetz) — mandatory product-liability claims; and

(d) any other liability that cannot be limited or excluded under mandatory Union or Member State law applicable to the Parties or to the processing.

17.3. Liability cap (subject to § 17.2). To the extent permitted by applicable law and subject to the carve-outs in § 17.2, JJ Online's aggregate liability under this DPA in any rolling twelve-month period is limited to the fees actually paid by the Controller to JJ Online for the Service in that rolling twelve-month period. This cap is set out in this DPA on a self-contained basis and does not depend on the existence, content, or continued effectiveness of any provision of the Terms of Service. To the extent the Terms of Service § 20.1 contains a parallel liability cap, the cap in this § 17.3 applies independently to claims under this DPA; in the unlikely event of any divergence between the two, the cap in this § 17.3 (i.e., fees actually paid in the relevant rolling twelve-month period) applies to claims under this DPA.

Reference period when no full twelve months of fees have accrued. Where the Controller's Subscription has been in force for less than twelve months at the time of the claim, the reference period for the cap is the period between the start of the Subscription and the date of the claim, and the cap is the fees actually paid by the Controller in that shorter period. Where no fees have been paid (e.g. during a free trial or on the Free plan), the cap is set at the fees that would have accrued under the Controller's then-prevailing plan tier over a twelve-month period at the list price applicable on the date of the claim, so that the cap remains a determinate figure under § 17.2's close-case scrutiny rather than collapsing to zero.

Cap survival. This § 17.3 survives any termination, amendment, or invalidity of the Terms of Service to the extent § 18.2 of this DPA preserves the operation of § 17.

Carve-out re-statement. Where, in respect of a particular claim, the cap as so applied would be invalid under § 17.2 (a) (Art. 82 GDPR effet utile) or § 17.2 (b) (Körper-/Gesundheitsschäden / Vorsatz / grobe Fahrlässigkeit / Kardinalpflichten), the cap does not apply to that claim and JJ Online's liability for that claim is determined under the applicable statutory regime (Art. 82 GDPR, §§ 280, 241, 249 ff. BGB, ProdHaftG, or other applicable mandatory rule), subject — in the cardinal-duty / simple-negligence case under § 17.2 (b)(iii) — to the foreseeable-typical-damage ceiling stated there.

18. Term and termination

18.1. This DPA enters into force on the date the Controller accepts the Terms of Service and continues for the duration of the Controller's ProductLog Subscription, plus the residual periods set out in § 15.

18.2. Sections 14 (Audit rights), 15 (End-of-contract treatment of data), 16 (Records of processing) and 17 (Liability) survive termination for as long as is necessary to give effect to the obligations they contain.

19. Order of precedence

In the event of any conflict between this DPA, the Terms of Service, and any other document referenced from either, the order of precedence (highest to lowest) is:

  1. Any data-protection-specific term required by a supervisory authority order or by Data Protection Laws;
  2. The Standard Contractual Clauses, where incorporated by reference under § 10.3 and Annex D, in respect of any transfer governed by them;
  3. This DPA, including its Annexes;
  4. The Terms of Service;
  5. The ProductLog Privacy Policy.

For the avoidance of doubt, the precedence rule above reflects Clause 5 of the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), under which the SCCs prevail over conflicting provisions of related agreements as between the Parties to that SCC transfer. To the extent any provision of this DPA conflicts with the SCCs in respect of an SCC-governed transfer, the SCCs prevail.

20. Miscellaneous

20.1. Governing law and jurisdiction. This DPA is governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods (UN-Kaufrecht). Disputes are subject to the jurisdiction provisions of the Terms of Service § 26, with the proviso that, for matters falling under the GDPR / UK GDPR / FADP, the Data Subject's mandatory statutory venue under Art. 79 GDPR is preserved.

20.2. Controlling language. This DPA is published in English as the controlling language. Translations are informational; in case of conflict the English version controls.

20.3. Severability. If any provision of this DPA is held to be invalid, illegal or unenforceable, the remaining provisions remain in full force, and the Parties replace the invalid provision with one that achieves the same purpose to the extent permitted.

20.4. Updates. JJ Online may update this DPA to reflect (a) changes in Data Protection Laws, (b) changes in the Service infrastructure or Sub-processor list, (c) supervisory authority guidance, or (d) operational requirements that do not materially reduce the protections afforded to the Controller. Material changes are notified to the Controller at least 30 calendar days in advance.

Presumptively material changes. The following categories of change are presumptively material under this § 20.4 — i.e., JJ Online does not retain discretion to classify them as non-material, and the 30-day notice, the 14-day objection window, and the objection-and-termination remedy below apply automatically:

(i) change in Sub-processor location — any change in the country or region from which a Sub-processor (Annex C) processes Customer Personal Data, including a change in the sub-sub-processing chain that introduces a new third country or new processing region as set out at § 9.3;

(ii) change in the lawful-transfer mechanism applied to any transfer of Customer Personal Data outside the EEA (e.g. transition from EU-US DPF to SCC + supplementary measures, addition of an Art. 49 GDPR derogation as the operative mechanism for any category of transfer, restructuring of an SCC Module assignment under Annex D);

(iii) change in the categories of Sub-processor engaged (e.g. introduction of a new functional category in Annex C, or addition of a Sub-processor in a country or under a corporate group not previously represented in Annex C);

(iv) addition or replacement of a Sub-processor, as already provided for at § 9.3 (this § 20.4 (iv) is for the avoidance of doubt — the § 9.3 dedicated mechanism applies, with the § 9.4 three-remedy menu);

(v) reduction in the technical and organisational measures set out in Annex B — including a downgrade of any encryption-at-rest or in-transit posture, a reduction in the access-control regime, a relaxation of the § 10.1 EU primary-processing-location property, a loosening of any other TOM relied on in the Annex B description, or the regression of any remediation status reported under § 8.4;

(vi) change in the retention period for any category of Customer Personal Data set out in Annex A.9 that lengthens the period, expands the categories subject to retention, or changes the storage location (parallel to § 20.5);

(vii) change in the breach-notification window under § 12 from the 24-hour commitment, or any equivalent loosening of the § 12 assistance regime;

(viii) change in the categories of Customer Personal Data processed beyond what is set out in Annex A.4, or change in the categories of Data Subjects beyond what is set out in Annex A.5;

(ix) restriction of any Controller right under this DPA — including any narrowing of the audit right under § 14, the DPIA-assistance regime under § 13, the data-subject-rights-assistance regime under § 11, or the deletion-on-termination regime under § 15;

(x) change in JJ Online's controller of record under Art. 4 (7) GDPR (e.g. a corporate restructuring within the JJ Online group that changes the contracting entity for Customer Personal Data); and

(xi) any other category of change that a competent supervisory authority indicates should be treated as material for the purposes of Art. 28 GDPR.

This list is presumptively material but non-exhaustive — other changes may also be material on the general standard set out below.

Controller right of objection and termination for material changes. Where a notified change is presumptively material under (i)–(xi) above, or is otherwise material — that is, where it reasonably affects the protection of Customer Personal Data, the rights of Data Subjects, the location of processing, the categories of Sub-processors, the lawful-transfer mechanism applied, or the technical or organisational measures relied on — the Controller may object on reasonable grounds related to the protection of Customer Personal Data within 14 calendar days of receiving the notification. If the Controller raises a reasoned objection, the Parties cooperate in good faith to identify a solution. Where no solution acceptable to both Parties can be reached, the Controller may terminate the affected portion of the Service in accordance with the Terms of Service § 22, with pro-rata refund of any pre-paid fees attributable to the unused portion of the affected period, before the change takes effect. Non-material updates — for example, drafting corrections, restatements of existing law, or changes that strictly improve the protections — do not give rise to a termination right.

Close-case rule on materiality. Where there is reasonable doubt about whether a particular change is material, the change is treated as material and the § 20.4 notice, objection, and termination remedy apply. The Controller may at any time, on notification of a change JJ Online has classified as non-material, request that JJ Online reconsider the classification on stated grounds; JJ Online responds to such a request in writing within ten (10) business days, and any disagreement on materiality is resolved in the Controller's favour where reasonable doubt remains.

20.5. Retention schedule — flow-through of privacy-policy changes. A change to § 11 of the ProductLog Privacy Policy (privacy.en.md) that, in respect of any category of Customer Personal Data within the meaning of this DPA, lengthens the retention period, expands the categories subject to retention, or changes the storage location, is treated as a material change to this DPA under § 20.4 and is notified to active Controllers on the § 20.4 timeline with the § 20.4 objection and termination remedy. JJ Online will, in the same notification, publish the corresponding Annex A.9 amendment. Privacy-policy changes that strictly shorten retention or strictly improve the protections for the categories listed in Annex A.9 are non-material under § 20.4 and may take effect on publication; they are nevertheless reflected in the next revision of this DPA and Annex A.9 for transparency.

Annex A — Subject matter, nature, purpose, data categories, Data Subjects

A.1 Subject matter of processing

The processing of Personal Data by JJ Online on the Controller's behalf in the course of providing the ProductLog Service — namely the hosting of the Controller's changelog, roadmap, feedback, survey, and knowledge-base content; the maintenance of the Controller's End-Subscriber list under the Controller's double-opt-in mechanism; the dispatch of broadcast emails to those End-Subscribers on the Controller's behalf; and the acceptance, rendering, and operator-side moderation of End-Feedback-User submissions on the Controller's public boards.

A.2 Duration of processing

The duration of the Controller's Subscription to the Service plus the residual periods set out in § 15.

A.3 Nature and purpose of processing

Processing activity Purpose
Storage, versioning, and rendering of Workspace Content (changelog entries, feedback posts, surveys, knowledge-base articles, brand assets) Operation of the Controller's product communication and feedback channel
Acceptance and storage of End-Subscriber records (email, name, locale, double-opt-in tokens) Maintenance of the Controller's subscriber list for changelog notifications
Dispatch of broadcast emails to End-Subscribers, including unsubscribe links and open / click tracking Delivery of the Controller's changelog notifications under End-Subscriber double-opt-in consent
Acceptance, storage, and rendering of End-Feedback-User posts, comments, votes, reactions, and survey responses on public boards Operation of the Controller's public roadmap, feedback, and survey channels
Server-side computation of the SHA-256(IP | User-Agent) fingerprint for the one-vote / one-reaction / one-survey-response enforcement Anti-double-vote / anti-double-reaction enforcement (§ 25 Abs. 2 Nr. 2 TDDDG strictly-necessary processing)
Storage of public-board visitor analytics events (IP, User-Agent, session ID, subject reference, timestamp) Operator-facing engagement analytics for the Controller's own public boards
Relay of event payloads to customer-enabled outbound integrations (Slack / Jira / Linear / generic webhooks) on the Controller's instruction Extension of the Controller's workflow to the Controller's chosen integration destination
Custom-domain hosting of public boards (TLS termination at Cloudflare edge; rendering on OVH France backend) Publication of the Controller's boards under the Controller's own domain
Hosted dashboards, exports (CSV / JSON of changelog entries, subscriber lists, survey responses), and APIs Operator-side access and portability

A.4 Types of Customer Personal Data

The following categories of Customer Personal Data may be processed, depending on the Controller's use of the Service:

(a) End-Subscriber records. Email (indexed against the project), optional name, status (Pending / Active / Unsubscribed / Bounced), source (organic / api / import), per-subscriber attributes (locale, segments, custom fields), unsubscribe token, double-opt-in confirmation token.

(b) End-Feedback-User submissions. Author name, optional author email (not validated), comment / post body, vote and reaction records, server-side SHA-256(IP | User-Agent) fingerprint hash associated with each vote / reaction / comment / survey response.

(c) Public-board visitor analytics events. Event type (page view, entry view, vote, comment, etc.), subject reference, occurrence timestamp, session ID (client-generated UUID), IP address (currently stored in plaintext within the active retention window — see § 8.4 (b)), User-Agent (currently stored in plaintext within the active retention window — see § 8.4 (b)).

(d) Broadcast email tracking. Open events (1×1 pixel load triggers an analytics-event record), click events (the redirector triggers an analytics-event record), per-broadcast counters (recipient count, open count, click count, failed count).

(e) Outbound integration credentials (Controller-supplied, plaintext at rest today). Slack webhook URL, Jira API token, Linear API key, generic-webhook signing secret. These are not Personal Data of End-Subscribers or End-Feedback-Users; they are operational credentials the Controller supplies to JJ Online so the Service can relay event payloads to the Controller's chosen destination. See § 8.4 (a).

(f) Outbound webhook delivery payloads. The full event payload that the Service relays to the Controller's chosen webhook destination — which may replay End-Subscriber or End-Feedback-User Personal Data from categories (a) and (b). See § 8.4 (c) on the indefinite-retention gap pending the TTL + purge job.

The Controller acknowledges that JJ Online cannot independently determine whether an End-Feedback-User comment, a feedback-post body, a survey response, or the content the Controller publishes for broadcast contains Personal Data, Special Categories of Personal Data (Art. 9 GDPR), or data of children (Art. 8 GDPR). The Controller is responsible for the lawfulness of what it causes to be captured, accepted on its boards, or transmitted by broadcast.

A.5 Categories of Data Subjects

(a) The Controller's End-Subscribers — natural persons who have subscribed via double opt-in to receive the Controller's changelog notifications.

(b) The Controller's End-Feedback-Users — natural persons who post, vote, comment, react, or respond to surveys on the Controller's public boards.

(c) The Controller's public-board visitors — natural persons who view the Controller's public boards (including via the Controller's custom domain), to the extent the public-board analytics-event records capture visit metadata.

(d) Recipients on the Controller's chosen integration destination — where the Controller has connected an outbound integration, the natural persons who would receive the relayed event in the Controller's Slack workspace, Jira project, Linear team, or webhook endpoint. These persons are Data Subjects of the Controller's onward transfer under § 10.5, not Data Subjects of JJ Online's processing.

A.6 Special Categories of Personal Data (Art. 9 GDPR)

JJ Online does not require or solicit Special Categories of Personal Data. The Controller is responsible for not configuring the Service in a way that captures Special Categories of Personal Data (e.g., not publishing a public board where the Controller invites or expects End-Feedback-Users to submit Art. 9 data without appropriate Art. 9 (2) legal basis).

A.7 Data of children (Art. 8 GDPR / national thresholds)

JJ Online does not knowingly process the data of children below the applicable national threshold under Art. 8 (1) GDPR or its UK GDPR / FADP equivalents. The applicable threshold varies by jurisdiction: 16 under Art. 8 (1) GDPR in Germany (the GDPR default; not derogated downward); other EU Member States have exercised the Art. 8 (1) Satz 2 GDPR option to set their threshold in the range 13–16 (e.g. Spain at 14, France at 15, Italy at 14, the Netherlands at 16 like Germany); 13 under section 9 of the UK Data Protection Act 2018; comparable rules under the Swiss FADP. JJ Online applies 16 as the global floor for its own controller-side processing regardless of any lower national threshold. The Controller is responsible for identifying the applicable threshold for the Controller's own Data Subjects (in particular the Controller's own End-Subscribers, End-Feedback-Users, and public-board visitors) and for satisfying Art. 8 (1) / (2) GDPR (or the UK / Swiss equivalent) in respect of them. The Controller's use of public boards or broadcast email on services directed at children below the applicable threshold is the Controller's responsibility and is not contemplated by this DPA.

A.8 Per-account Processing Instructions Summary

This Annex specifies the structure of the Processing Instructions Summary referenced at § 6.1 (e). The Summary is the per-account documented-instructions artifact contemplated by EDPB Guidelines 07/2020 on the concepts of controller and processor ¶ 39 and is generated on Controller request to support the Controller's Art. 5 (2) accountability and Art. 30 (1) records-of-processing obligations.

The Summary is generated by JJ Online from the Controller's account state at the time of the request and contains, at a minimum:

(a) Account identification. The Controller's account identifier, the email address on record, and the date the Summary was generated.

(b) Active projects and public boards. The number and configuration of projects under the account, the public boards published per project (changelog / roadmap / feedback / survey / knowledge-base), whether each board is rendered under a ProductLog URL or under a Controller-controlled custom domain, the public / private flag, and the moderation rules applied.

(c) Subscriber-list scope. The number of active End-Subscribers per project, the double-opt-in status of the list, and the unsubscribe-handling configuration.

(d) Broadcast-email pipeline configuration. Whether broadcasts are enabled, the dispatch region (AWS SES Frankfurt — the only configured region), the open / click tracking configuration, and the sender / branding overrides per organisation.

(e) Service plan tier and retention. The plan tier the Controller has selected at the time of the request, with the corresponding retention period per data category drawn from Annex A.9 of this DPA and § 15 of this DPA.

(f) Active outbound integrations (Controller-controller-of-onward-transfer surface). The Controller-configured outbound integrations currently active on the account (Slack / Jira / Linear / generic webhook), drawn from the list at Annex C.2. Integrations not activated by the Controller are listed as inactive.

(g) Storage region. The EU storage region or regions applicable to the Controller's data (currently OVH France for the application database and image-upload local filesystem; AWS SES Frankfurt for broadcast email; Cloudflare for edge TLS termination and global delivery).

(h) Subsequent written instructions. Any § 6.1 (d) written instructions JJ Online has accepted in writing from the Controller since the last Summary, identified by date and reference.

(i) Sub-processor list. A copy of, or reference to, the current Annex C list at the date of generation.

(j) TOM-gap remediation status. The current remediation status of each of the items disclosed under § 8.4 (a)–(f), so the Controller can incorporate it into its Art. 35 GDPR DPIA where applicable.

(k) Term acknowledgement. A statement that the Summary is documentary in nature, does not vary this DPA, and is read subject to it.

A Controller may request the Summary as often as is reasonably necessary; JJ Online will not unreasonably refuse repeat requests. JJ Online does not currently provide self-service generation of the Summary in the Controller's dashboard — that feature is on the product roadmap. Until self-service is available, the Summary is generated and returned manually within the five-business-day window stated at § 6.1 (e).

A.9 Retention schedule (Customer Personal Data — DPA scope)

This Annex sets out the retention schedule applicable to Customer Personal Data within the meaning of this DPA — i.e., Personal Data JJ Online processes as processor on the Controller's behalf under Art. 28 GDPR. It is the operative retention reference for the purposes of § 6.1 (c), § 6.1 (e), § 15.3, and Annex A.8 (e). The corresponding schedule published in § 11 of the ProductLog Privacy Policy (privacy.en.md) covers a broader set of data categories (including Personal Data for which JJ Online is the controller, e.g. Workspace Operator account, billing, and security-audit data) and remains the user-facing source of truth for those broader categories; this A.9 snapshot is restricted to the DPA-scoped subset and prevails over the broader privacy-policy schedule in case of conflict for the categories listed below.

Category (Customer Personal Data, DPA-scope) Retention period Legal basis / authority
Workspace Content — changelog entries, feedback posts, surveys, knowledge-base articles Lifetime of the entry; cascade on project delete; soft-deleted entries remain in the database pending a hard-delete job (see § 8.4 (d)) Art. 6 (1)(b) GDPR (Controller's contract with its end-users); customer-utility ceiling under Art. 5 (1)(e) GDPR
End-Subscriber records Retained indefinitely on status flag (Active / Unsubscribed / Bounced) today; target 24 months after last engagement, pending a purge implementation Art. 6 (1)(a) GDPR — consent; § 7 Abs. 3 UWG hygiene
End-Feedback-User submissions (author name, optional email, comment / post body, vote / reaction records, fingerprint hash) Retained indefinitely (soft-delete only) today; author name and author email persist after soft-delete; anonymisation pending Art. 6 (1)(b) GDPR (Processor on the Controller's behalf); Art. 6 (1)(f) GDPR for the fingerprint hash
Public-board visitor analytics events Target 90 calendar days via a scheduled purge — the purge schedule is not yet provisioned on the production host; until provisioned, the 90-day retention is aspirational and the rows accumulate (see § 8.4 (b)) Art. 6 (1)(f) GDPR (Controller's legitimate interest in measuring engagement on its own boards)
Broadcast email tracking (open / click events) Open / click events are analytics-event records and expire under the row above once the purge job runs; per-broadcast counters persist for the lifetime of the broadcast Art. 6 (1)(a) and (f)
Outbound integration credentials Lifetime of the project; encryption at rest is pending — see § 8.4 (a) Art. 6 (1)(b) GDPR
Outbound webhook delivery payloads Currently retained indefinitely — TTL + purge job (target 30 calendar days) is pending — see § 8.4 (c) Art. 6 (1)(b) GDPR
Backups of the above (application database and image-upload local filesystem, both on OVH France) Rolling window per § 15.3 (a) — backup-rotation policy pending; re-erasure-on-restore at § 15.3 (b) applies once the policy is in place Art. 6 (1)(f) GDPR (disaster recovery)

Retention periods for Customer Personal Data are bounded by (i) the Service plan tier the Controller has selected at § 6.1 (c), and (ii) the deletion-on-termination flow at § 15. The Controller may at any time request earlier deletion of Customer Personal Data under Art. 17 GDPR (subject to § 11 and § 15.4); plan-downgrade-driven shortening of retention is applied prospectively to data collected after the downgrade and not retroactively to previously-collected data unless the Controller requests it.

Changes to this A.9 retention schedule that lengthen any retention period, expand the categories of Customer Personal Data subject to retention, or change the storage location for any category are material changes within the meaning of § 20.4 and are notified to active Controllers on the § 20.4 timeline. Changes that strictly shorten retention or strictly improve the protections — for example, the implementation of any of the pending purge crons / TTLs in the table above — are non-material under § 20.4 but are nevertheless notified for transparency in the next DPA revision.

Annex B — Technical and organisational measures (TOMs) per Art. 32 GDPR

The technical and organisational measures listed in this Annex are JJ Online's current measures. They may be updated in accordance with § 8.3. Items disclosed as pending in § 8.4 are reflected in the relevant row below with their remediation status.

B.1 Confidentiality

Measure Implementation
Access control to systems Multi-factor authentication required for all JJ Online operational staff accessing production infrastructure; least-privilege access; access reviewed periodically
Access control to data Per-tenant logical isolation in the application layer (organisation + project IDs on every row); database-level encryption at rest; least-privilege query access for support staff
Pseudonymisation The public-board fingerprint computation (SHA-256(IP | User-Agent), stored against each vote / reaction / comment / survey response) is the only pseudonymisation routinely applied to visitor identifiers in the Service. The IP and User-Agent on public-board analytics-event records are currently stored in plaintext within the active retention window — hashing at the storage layer is under consideration (§ 8.4 (b))
Encryption in transit TLS 1.2+ enforced for all customer-facing interfaces (productlog.dev marketing, dashboard, public boards, broadcast-link redirector) and for all Sub-processor communications; HSTS enforced; certificate management automated
Encryption at rest Full-disk encryption at the OVH hosting layer covers the application database, image-upload local filesystem, and backup volumes; backups encrypted under a separately-managed key
Password and token hashing Workspace Operator passwords stored as bcrypt hashes; refresh tokens stored as SHA-256 hashes (raw token never persisted); password-reset tokens stored as SHA-256 hashes; team-invitation tokens stored as 64-hex random values
Column-level encryption of customer-supplied integration credentials Not yet implemented — the Slack webhook URL, Jira API token, and Linear API key supplied by the Workspace Operator are currently stored as plaintext in the application database. Operational staff with database access could in principle read these values. Column-level encryption (envelope encryption with separately-managed keys) is the planned remediation; status: pending (§ 8.4 (a)). Until implemented, the access-control / least-privilege measures above are the operative protection

B.2 Integrity

Measure Implementation
Input validation Application-layer input validation and parameterised database queries
Anti-malware / anti-abuse Self-hosted Altcha proof-of-work captcha on signup and public-form submissions (10-minute TTL, HMAC-signed); server-side rate-limiting on sign-in (5 failed attempts / 5 minutes / IP), signup (3 / 15 minutes / IP), forgot-password, contact form, and public-board action endpoints
Logging and audit trails Application and access logs retained for at least 30 calendar days; security-relevant log events monitored
Operator-action audit log Not yet implemented — operator actions (role changes, integration-credential updates, deletions, exports) leave no per-tenant audit trail today; per-tenant audit logging is the planned remediation; status: pending (§ 8.4 (e))

B.3 Availability

Measure Implementation
Backup and restore Daily encrypted backups of the application database and image-upload local filesystem; rolling backup-rotation window per § 15.3 (a) (policy pending — target 14 calendar days matching other JJ Online products); backups tested periodically
Geographic redundancy Primary application infrastructure in OVH France (Roubaix / Gravelines / Strasbourg); Cloudflare global edge for public-facing surfaces
DDoS mitigation Cloudflare DDoS protection at the edge
Re-erasure-on-restore runbook Per § 15.3 (b) — re-erasure replay within 72 hours of any production restore; for restores that bring the system back online for active processing, the replay completes before traffic admission. Erasure log lives outside the backup chain

B.4 Resilience and recovery

Measure Implementation
Incident response Defined incident-response procedure with named roles; post-incident review for material incidents; 72-hour personal-data-breach notification under § 12
Disaster recovery Documented disaster-recovery plan; backup restoration tested periodically

B.5 Regular testing, assessing and evaluating

Measure Implementation
Vulnerability scanning Periodic automated scanning of customer-facing surfaces
Dependency monitoring Automated monitoring of third-party library vulnerabilities (composer + npm); critical updates applied within 14 calendar days
Code review All production changes reviewed before merge
Penetration testing Independent third-party penetration testing is not currently part of JJ Online's annual testing cycle for ProductLog. Application-layer testing for the OWASP Top 10 risk classes is performed in-house. Where a Controller's contractual obligations require independent penetration testing of the customer-facing application surface, the Controller may commission that work under § 14.2 on the Controller's own audit-cost basis, or request JJ Online to procure it as a chargeable engagement outside Art. 28 (3)(f) under § 13
TOM-gap remediation tracking Each item disclosed under § 8.4 (a)–(f) is tracked internally with a remediation status; the status is reportable on audit-information request under § 14.1 (d). Persistence of any item beyond the next material § 20.4 update would trigger a presumptive § 20.4 (v) TOM-reduction notification

B.6 Personnel

Measure Implementation
Confidentiality obligations All operational personnel bound by written confidentiality obligations; ongoing training on data protection requirements
Background screening Standard for personnel with production access

B.7 Sub-processor due diligence

Measure Implementation
Sub-processor selection Sub-processors selected with consideration of their data-protection practices, DPF certification status (where relevant), and DPA availability
Sub-processor monitoring Sub-processor list reviewed at least annually; material changes notified per § 9.3

Annex C — Approved Sub-processors

The current list of Sub-processors engaged by JJ Online for the processing of Customer Personal Data on the Controller's behalf in connection with the ProductLog Service is set out below. Annex C is itself the canonical Sub-processor list — updates are notified to the Controller under § 9.3 and reflected in an updated version of this DPA.

Note for the Controller: Sub-processors marked "Required" process Customer Personal Data for every Controller using the Service. Sub-processors marked "Controller-configured" process Customer Personal Data only where the Controller chooses to connect that integration. The customer-enabled outbound integrations at C.2 are not Sub-processors of JJ Online by default — they are recipients on the Controller's own onward transfer (§ 10.5).

C.1 Hosting and core infrastructure

Sub-processor Legal entity Location Function Transfer mechanism
OVH OVH SAS France (Roubaix / Gravelines / Strasbourg) Required — main application hosting (dashboard, API, primary database, image-upload local filesystem, backups) n/a (EU)
Cloudflare Cloudflare, Inc. USA HQ (with EU edge nodes) Required — CDN, DDoS protection, DNS, TLS termination, geolocation (CF-IPCountry) for public boards SCC (Implementing Decision (EU) 2021/914) + Cloudflare EU Data Protection Addendum + supplementary measures (TLS in transit; encryption at rest at OVH backend)
AWS SES Amazon Web Services EMEA SARL Luxembourg (eu-central-1 Frankfurt — the only configured SES region) Required — transactional email (signup, password reset, team invitation, security alerts) and broadcast email delivery (changelog notifications to End-Subscribers, feedback-status change notifications) n/a (Frankfurt EU region); corporate-group access by Amazon Web Services, Inc. (USA) for parent-company support covered by SCC + supplementary measures

C.2 Customer-enabled outbound integrations (not Sub-processors of JJ Online — Controller-controlled onward transfers)

The following are not Sub-processors of JJ Online within the meaning of Art. 28 (4) GDPR. Where the Controller actively connects one of these integrations to its Workspace, the chosen provider becomes a recipient on the Controller's instruction under § 1.3 (b) and § 10.5. The Controller is the controller of the resulting onward transfer and is responsible for its own DPA with the chosen provider, and for its own Chapter V GDPR transfer assessment where the destination is outside the EEA.

Integration Provider Connection method Data that may flow Destination Controller's own transfer analysis
Slack Slack Technologies LLC (Salesforce Group) Customer-supplied incoming-webhook URL Changelog entries, feedback-post titles, status updates, agent names USA Controller's own DPA + Slack's published EU SCCs / DPF posture
Jira Atlassian Pty Ltd OAuth + REST API v3, basic-auth fallback Feedback-post titles + bodies, status changes, link metadata Australia (+ US sub-processing) Controller's own DPA + Atlassian's transfer-mechanism posture
Linear Linear Orbit, Inc. API key + GraphQL at https://api.linear.app/graphql Feedback-post titles + bodies, status changes, link metadata USA (San Francisco) Controller's own DPA + Linear's DPF / SCC posture
Outbound webhooks (Business plan) Variable — Controller-chosen destination Customer-specified URL + HMAC-SHA256 signing secret Configurable event payloads (changelog publish, feedback comment, vote, etc.) Wherever the Controller configures Controller's full responsibility — no third-party processor of JJ Online's choosing

If the Controller connects any of the above, the Controller must obtain its own DPA or equivalent with that provider, must compose its own Art. 13 / 14 GDPR information for affected Data Subjects, and is the controller of the data flow into that provider's platform.

C.3 Internal JJ Online cross-product services (same controller — not Art. 28 Sub-processors)

These are JJ Online GmbH's own products embedded in or invoked by ProductLog. Same controller across all products, so they are not Art. 28 Sub-processors of ProductLog — but their use is documented so the Controller can incorporate the relevant facts into its Art. 13 GDPR information for visitors of its public boards.

Product Loaded / invoked on Role What flows
HelpCanvas chat widget Every ProductLog route (marketing, dashboard, public boards, knowledge base, including under the Controller's custom domain) Live-chat support widget Visitor messages, name, email, conversation history; visitor IP and User-Agent exposed to the HelpCanvas origin on every page load
ErrorHawk SDK Server-side, on the production backend Internal operational error tracking (the ErrorHawk product is retired from external customer scope; the SDK is kept active for internal ops monitoring) Exception stack traces, request context, optionally request body

When the Controller hosts its public board behind its own custom domain (e.g. changelog.theircompany.com) and visitors arrive there, the HelpCanvas widget still loads on that surface. That is a JJ Online → JJ Online data flow on a Controller-presented surface, and it must be disclosed by the Controller in the Art. 13 GDPR information presented to visitors of the public board (§ 5.1 (b)). The relevant facts (loading on every route; the storage the widget may write in the visitor's terminal; the same-controller status) are made available to the Controller here so the Controller can compose its own visitor-facing notice.

C.4 Self-hosted / internal infrastructure (not Sub-processors)

The following appear in the codebase and operations stack but are operated by JJ Online directly, not by a third party:

  • Altcha (self-hosted proof-of-work captcha — runs locally on ProductLog infrastructure; HMAC-signed). No third-party data flow.
  • Image uploads for changelog and feedback rich-text content — stored on the local filesystem at OVH France. No S3, R2, or Spaces — nothing is forwarded to an external object store.

C.5 Stripe and easybill — not in scope for this DPA

Stripe Payments Europe Ltd. and easybill GmbH are JJ Online's own controller-side relationships for Subscription billing (Stripe) and GoBD-compliant invoice generation and archiving (easybill — integration imminent). They process the Controller's billing identity and payment data on JJ Online's instruction as Controller — they do not process Customer Personal Data within the meaning of this DPA (they do not process End-Subscriber records, End-Feedback-User submissions, public-board visitor metadata, or broadcast email content). They are disclosed in the Privacy Policy § 5.1 for completeness.

C.6 Planned features — not yet built

The following is documented in the product vision but not yet built in code. It is listed here so future audits do not re-discover it, and so this DPA does not describe it as if it were already in production.

  • AI translation of public-board content. The plan is to translate Workspace-Operator-authored changelog entries, feedback posts, and roadmap items into the End-Feedback-User's language. The choice of LLM provider is not yet final, and no implementation exists in the production stack today. When the feature ships:
    • the provider must be added to Annex C.1 (primary Sub-processor table) with at least 30 calendar days' prior notice under § 9.3 (presumptively material under § 20.4 (iii));
    • the data flow must be re-classified (is End-Feedback-User author name / email passed to the translator? Is the source-language text transient or stored on the translator's side?);
    • the provider's API DPA + zero-data-retention configuration must be in place before the first translation call;
    • the Privacy Policy § 5.5 must be redrafted to match the actual implementation;
    • the EU AI Act classification under § 6.6 must be performed and disclosed.

Annex D — International data transfers (Module 2 / Module 3 SCCs)

D.1 Module incorporation

For the purposes of Art. 46 (2)(c) GDPR. JJ Online's main establishment is in Berlin (EEA); JJ Online is therefore the data exporter whenever Customer Personal Data is transferred to a non-EEA Sub-processor. Module 3 is the operative module for those onward transfers; Module 2 (Controller-to-Processor) is the operative module only in the narrower case in which the Controller is itself established outside the EEA and the transfer to JJ Online in Berlin is itself the SCC-governed transfer.

(a) Module 3 — JJ Online → non-EEA Sub-processor (the principal case). Where JJ Online's onward transfer to a Sub-processor is to a destination outside the EEA — in particular Cloudflare, Inc. (USA HQ) for the edge / DDoS / DNS / TLS stack, and Amazon Web Services, Inc. (USA) for AWS EMEA SARL corporate-group access — the Parties incorporate by reference Module 3 (Processor-to-Processor) of the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with JJ Online acting as data exporter and the Sub-processor as data importer.

(b) Module 2 — non-EEA Controller → JJ Online (residual case). Where the Controller is itself established outside the EEA and uses the Service such that the Controller's own transfer of Customer Personal Data to JJ Online in Berlin is the SCC-governed transfer, the Parties incorporate by reference Module 2 (Controller-to-Processor), with the Controller acting as data exporter and JJ Online acting as data importer. The Parties recognise that the application of the SCCs to a transfer whose importer is established in the EEA is itself debated; this paragraph (b) is included as a belt-and-braces incorporation for Controllers whose home regime treats the transfer-to-EEA-importer leg as an SCC-eligible transfer.

(c) Each module is read with the Annexes set out below, which incorporate by reference the corresponding content of this DPA's Annexes A, B and C.

D.2 Annex I to the SCCs

List of Parties. As set out in the Preamble to this DPA.

Description of Transfer. As set out in Annex A.

Competent Supervisory Authority. The competent supervisory authority for the purposes of Annex I to the Standard Contractual Clauses is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59-61, 10555 Berlin, Germany — as the lead supervisory authority for JJ Online's main establishment in Berlin under Art. 56 (1) GDPR. This designation is specific to Annex I of the SCCs and is without prejudice to the Controller's own lead supervisory authority under Art. 56 (1) GDPR, to any concerned supervisory authority under Art. 4 (22) GDPR, and to JJ Online's general cooperation duty under § 14.4 of this DPA in respect of the Art. 60 GDPR one-stop-shop mechanism.

D.3 Annex II to the SCCs — Technical and Organisational Measures

As set out in Annex B of this DPA.

D.4 Annex III to the SCCs — List of Sub-processors

As set out in Annex C of this DPA.

D.5 UK transfer mechanism — Addendum (default) or IDTA (alternative)

For transfers subject to the UK GDPR, the Parties incorporate one of two ICO-issued instruments, at the Controller's election under § 10.3 (c):

(a) Default — UK Addendum. The Parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office and laid before Parliament on 2 February 2022. The information required by Table 1 of the Addendum is set out in the Preamble of this DPA; Table 2 selects the appropriate module of the SCCs as per § D.1; Tables 3 and 4 are not relevant. The UK Addendum is the default election because it preserves the Commission SCCs as the underlying instrument and reduces drafting fragmentation across parallel EEA-and-UK transfer chains.

(b) Alternative — standalone IDTA. Where the Controller notifies JJ Online in writing under § 10.3 (c) that the Controller prefers the standalone International Data Transfer Agreement (IDTA) issued by the ICO and laid before Parliament on 2 February 2022, the Parties incorporate the IDTA in place of the UK Addendum for transfers subject to the UK GDPR. The IDTA is a standalone instrument and does not depend on the Commission SCCs; the Parties complete Part 1 (Parties), Part 2 (Transfer Details), and Part 3 (Mandatory Clauses) of the IDTA using the information set out in the Preamble of this DPA and at Annex A.

Both instruments are recognised by the ICO as valid Art. 46 UK GDPR transfer mechanisms. The election is the Controller's; absent a written election, the default at (a) applies.

D.6 Swiss FADP

For transfers subject to the Swiss FADP, the SCCs are read with the Swiss-specific amendments published by the Federal Data Protection and Information Commissioner: references to "Member State" include "Switzerland", references to the GDPR include corresponding FADP provisions, the competent supervisory authority is the Swiss FDPIC, and the term "personal data" includes data of legal persons until that protection is removed from the FADP.

D.7 Supplementary Measures

In line with EDPB Recommendations 01/2020 on supplementary measures, JJ Online assesses for each non-EEA transfer:

(a) whether the destination country provides essentially equivalent protection;

(b) where it does not, whether the technical measures (in particular TLS 1.2+ in transit on every Sub-processor link, full-disk encryption at rest at the OVH France backend, password and token hashing per Annex B.1, and the government-access-notification commitments at § 10.6) and contractual measures (in particular the Module 3 SCCs incorporated under § D.1 and the JJ Online–Sub-processor DPAs that require notification of government-access requests except where prohibited by law) are sufficient;

(c) whether transparency about government access requests is operationally provided (JJ Online publishes a transparency report at the next material policy revision where it has received such requests; as at the version date of this DPA, no such requests have been received).

Annex E — Contact information

For DPA-related notices, sub-processor change notifications, Data Subject request forwarding, and breach notifications:

JJ Online GmbH Attn: Data Protection Schönhauser Allee 163, 10435 Berlin, Germany Phone: +49 151 12032902 Email — general: [email protected] Email — DPA, privacy, data-subject requests: [email protected]

Data Protection Officer: Not appointed. JJ Online is below the threshold for mandatory DPO appointment under § 38 Abs. 1 BDSG (fewer than 20 persons constantly engaged in automated processing; no Art. 35 DPIA-triggering core activity; no processing of Special Categories of Personal Data as core activity). The Controller may direct data-protection enquiries to the contact above; Andrius Gecius (Geschäftsführer) is the responsible point of contact.

Lead Supervisory Authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59-61, 10555 Berlin, Germany — competent for JJ Online's main establishment.