
Data Processing Addendum

| Field | Detail |
| --- | --- |
| Document ID | BB-PRI-001 |
| Version | 3.0 |
| Created | 13 Mar 2026 |
| Last Updated | 23 Mar 2026 |
| Last Reviewed | 23 Mar 2026 |
| Next Review | Mar 2027 |
| Document Owner | BluBees LLC |
| Classification | Public |
| Contact | privacy@blubees.ai |

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between BluBees LLC ("BluBees") and a customer using BluBees services ("Customer") where personal data may be processed.

Because the Terms of Service already incorporate this DPA, you do not need to sign a separate copy.

1. Scope of Processing

BluBees provides an AI-powered workflow automation application operating within the Atlassian Jira Cloud platform and distributed through the Atlassian Marketplace. BluBees also operates service infrastructure hosted on Amazon Web Services (AWS) in the United States.

The Service enables Customer to connect to and integrate with virtually any third-party application, AI provider, or other service ("Third-Party Service"). In providing the Service, BluBees may process: (a) limited business contact information related to Customer personnel; (b) limited Jira platform metadata necessary for application functionality; and (c) Integration Credentials (API tokens, OAuth credentials, account identifiers, and domain access information) required to maintain Customer's configured integrations with Third-Party Services, stored in encrypted form.

BluBees does not store or persist data that flows between Customer's Third-Party Services during workflow execution ("Pass-Through Data"). Pass-Through Data is transmitted transiently through the Service and is not retained.

2. Definitions

Applicable Data Protection Law: Applicable law governing the use, access, deletion, or processing of Personal Information, including U.S. Data Protection Laws and European Data Protection Laws.

Configuration Data: Customer's workflow definitions, automation rules, field mappings, integration settings, and other account-level configurations and preferences stored within the Service.

European Data Protection Laws: (a) GDPR (Regulation 2016/679); (b) UK GDPR (Data Protection Act 2018); (c) Swiss Federal Data Protection Act; in each case as amended, superseded, or replaced from time to time.

Integration Credentials: API tokens, OAuth tokens and secrets, access keys, account identifiers, domain names, and other authentication or access information that Customer provides to the Service to enable connections with Third-Party Services.

Pass-Through Data: Data that flows between Customer's Third-Party Services through the Service during workflow execution, which is transmitted transiently and is not stored or persisted by BluBees.

Personal Information: Personal data or personal information as defined under Applicable Data Protection Law that is subject to such law and contained within Customer Content.

Security Incident: A confirmed breach of security leading to unauthorized destruction, loss, alteration, disclosure of, or access to Personal Information.

Sensitive Information: Personal Information revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership; genetic data; biometric data; health data; sexual orientation data; criminal convictions data; or other data affording enhanced protection under Applicable Data Protection Law.

Subprocessor: A third party engaged by BluBees to process Personal Information in connection with the provision of the Service.

U.S. Data Protection Laws: All state laws in effect in the United States applicable to the processing of Personal Information, including the California Consumer Privacy Act/CPRA, Virginia CDPA, Colorado Privacy Act, Connecticut DPA, and Utah CPA.

3. Categories of Data Stored by BluBees

Business Contact Information

  • name

  • business email address

  • business telephone number

  • company name

  • company address

  • Jira user identifier

Integration Credentials (Encrypted)

  • API tokens and keys for Third-Party Services

  • OAuth tokens and secrets

  • Account identifiers and domain names

  • Other authentication information required for Third-Party Service connections

Configuration Data

  • Workflow definitions and automation rules

  • Field mappings and integration settings

  • Account-level configurations and preferences

Data NOT Stored by BluBees

  • Pass-Through Data (data flowing between Third-Party Services during workflow execution)

  • User passwords or authentication credentials (managed by Atlassian)

  • Payment or financial information (managed by Atlassian Marketplace)

  • IP addresses, geolocation data, or browser/device tracking information

  • Behavioral analytics or advertising tracking data

BluBees does not intentionally collect or process Sensitive Information. Customer is prohibited from using the Service to process Sensitive Information.

4. Purpose of Processing

Personal data and Integration Credentials are processed solely for:

  • operation of the BluBees software application and maintenance of configured integrations

  • authenticating and connecting with Customer's Third-Party Services

  • providing technical support

  • communicating product updates or service notifications

  • communicating service notices, renewal notifications, and account-related information

  • compliance with applicable law

5. Processing Requirements

BluBees will process Personal Information as processor to provide and support the Service in accordance with the Agreement, any documented lawful instructions from Customer, and as required by applicable law.

BluBees shall not retain, use, or disclose Personal Information other than as provided for in the Agreement; sell or share Personal Information (as defined under CCPA/CPRA); or combine Personal Information with data from other sources except as permitted under applicable law.

Customer is solely responsible for the accuracy, quality, and legality of Personal Information, Integration Credentials, and Pass-Through Data; compliance with transparency and lawfulness requirements; ensuring that Customer's instructions comply with applicable laws; and ensuring that Customer has all necessary rights and authorizations for its configured integrations with Third-Party Services.

6. Roles of the Parties

For purposes of applicable data protection laws:

  • Customer acts as the data controller of personal data relating to its users.

  • BluBees LLC acts as a data processor, processing personal data only as necessary to provide its services.

  • For Pass-Through Data, BluBees acts as a conduit only; the data controller/processor relationships for Pass-Through Data are between Customer and the applicable Third-Party Service providers.

For platform accounts, authentication, and billing:

  • Atlassian acts as the primary platform provider and data controller for those data elements.

7. Subprocessors

BluBees uses trusted service providers to operate its services:

| Provider | Role | Location |
| --- | --- | --- |
| Atlassian | Platform environment, identity, authentication, and licensing | Global (Australia-based) |
| Amazon Web Services (AWS) | Cloud infrastructure hosting and compute | United States |
| Chatlio | Real-time customer support chat (ephemeral, session-only) | United States |

These providers maintain their own security and compliance programs.

Note: Third-Party Services that Customer connects to via the Service are not Subprocessors of BluBees. Customer's relationship with such Third-Party Services is governed solely by Customer's agreements with those providers.

BluBees will provide at least fourteen (14) days' advance written notice before engaging a new Subprocessor. Customer may object to a new Subprocessor within fourteen (14) days of such notice by written notice to privacy@blubees.ai. If BluBees cannot reasonably accommodate Customer's objection, Customer's sole remedy is to terminate the affected Service for a prorated refund of prepaid fees covering the remainder of the Subscription Term.

BluBees enters into agreements with Subprocessors imposing substantially the same data processing obligations as set forth in this DPA.

8. Security Measures

BluBees maintains reasonable administrative, technical, and organizational safeguards designed to protect Personal Information and Integration Credentials against unauthorized access, disclosure, alteration, or destruction.

Integration Credentials are stored in encrypted form using industry-standard encryption. Specific technical and organizational measures are described in Schedule 2 attached hereto.

9. Security Incident Notification

If BluBees becomes aware of a Security Incident, BluBees will notify Customer without undue delay and not later than forty-eight (48) hours after discovery, and make reasonable efforts to identify the cause, mitigate effects, and remediate. Such notification is not an acknowledgment of fault or liability by BluBees.

10. Confidentiality

BluBees personnel authorized to process Personal Information or access Integration Credentials are subject to appropriate confidentiality undertakings or professional or statutory obligations of confidentiality.

11. Data Subject Requests

Customer is responsible for handling requests from data subjects exercising rights under Applicable Data Protection Law. If BluBees receives a data subject request, BluBees will notify Customer and advise the data subject to submit the request to Customer.

BluBees will reasonably assist Customer in responding to such requests where Customer is required to do so under Applicable Data Protection Law.

Requests may be directed to: privacy@blubees.ai

12. International Data Transfers

BluBees service infrastructure is hosted using Amazon Web Services (AWS) located in the United States, and the Service operates within the Atlassian Jira Cloud platform.

Customer authorizes BluBees to transfer Personal Information internationally, including to the United States. Where Personal Information originating from the European Union is transferred outside the EU, BluBees relies on appropriate safeguards including:

  • EU-US Data Privacy Framework (DPF)

  • Standard Contractual Clauses (SCCs)

where applicable.

13. Audits

Customer may conduct a reasonable audit pursuant to a mutually agreed-upon audit plan, at Customer's sole expense, no more than once annually, where third-party audit reports (e.g., SOC 2) do not provide sufficient information or as required by Applicable Data Protection Law. BluBees shall make available its privacy and security policies and other information reasonably necessary to demonstrate compliance with this DPA.

14. Data Protection Impact Assessments

BluBees will assist Customer in conducting data protection impact assessments upon reasonable notice, where required under Applicable Data Protection Law.

15. U.S. State Privacy Laws

BluBees shall not sell or share Personal Information (as defined under CCPA/CPRA). BluBees shall not retain, use, or disclose Personal Information other than as provided for in the Agreement. This DPA applies to Personal Information subject to U.S. Data Protection Laws, including the California Consumer Privacy Act/CPRA, Virginia CDPA, Colorado Privacy Act, Connecticut DPA, and Utah CPA.

16. Data Retention

BluBees retains Personal Information and Integration Credentials only for as long as necessary to:

  • provide its services and maintain configured integrations

  • comply with legal obligations

  • resolve disputes

17. Data Disposal

Promptly following termination of the Agreement and this DPA, BluBees will delete the Personal Information, Integration Credentials, and Configuration Data it was processing on Customer's behalf, unless Applicable Data Protection Law requires retention.

18. Updates

BluBees may periodically update this DPA as required to comply with Applicable Data Protection Law. Material changes will be communicated to Customer via the mechanisms set forth in the Agreement.

19. Contact

For privacy inquiries related to this DPA: privacy@blubees.ai

Schedule 1 — List of Parties and Description of Transfer

Data Exporter (Customer): Controller or Processor, as applicable. Activities: Use of the Service.

Data Importer (BluBees): Processor. Contact: privacy@blubees.ai. Activities: Provision of the Service.

Categories of Data Subjects: Customer's employees, contractors, representatives, agents, and other individuals permitted to use the Service.

Categories of Personal Information: Name, business email address, business telephone number, company name, company address, Jira user identifier.

Categories of Non-Personal Data Stored: Integration Credentials (encrypted API tokens, OAuth credentials, account identifiers, domain access); Configuration Data (workflow definitions, automation rules, field mappings, integration settings).

Data NOT Stored: Pass-Through Data (data flowing between Third-Party Services during workflow execution is transmitted transiently and not persisted).

Sensitive Data: None. Customer is prohibited from using the Service to process Sensitive Information.

Frequency: Continuous basis for the duration of the Agreement.

Duration: For the term of the Agreement plus any applicable data retention period.

Schedule 2 — Technical and Organizational Measures

1. Security Governance. BluBees maintains an information security program designed to protect customer data, identify risks, and minimize security threats through documented policies, operational procedures, and periodic review.

2. Access Control. BluBees follows the principle of least privilege, granting individuals only the access necessary to perform their job responsibilities. Administrative access to production systems must be approved by authorized personnel and is reviewed periodically. Access rights are revoked when no longer required. User authentication is managed through Atlassian Jira Cloud. BluBees does not store or manage user passwords.

3. Infrastructure Security. BluBees uses Amazon Web Services (AWS) for cloud infrastructure hosting. AWS maintains SOC certifications, ISO 27001, ISO 27017, and ISO 27018. AWS provides physical data center security, network monitoring, redundancy, availability controls, and infrastructure access management.

4. Encryption. Data in transit is encrypted using TLS 1.2 or higher. Data at rest within AWS infrastructure is encrypted using AES-256. Integration Credentials are stored in encrypted form using industry-standard encryption and key management practices.

5. Data Minimization and Pass-Through Architecture. Pass-Through Data is transmitted transiently and is not stored or persisted. BluBees stores only: limited business contact information, Jira platform metadata, Integration Credentials (encrypted), and Configuration Data. BluBees does not collect passwords, payment data, IP addresses, geolocation data, browser/device tracking, or behavioral analytics.

6. Monitoring and Logging. Administrative and operational access to infrastructure is logged and monitored. Anomalous or potentially malicious activities are investigated.

7. Incident Response. BluBees maintains documented security incident response procedures including identification, mitigation, remediation, and notification processes.

8. Business Continuity and Disaster Recovery. BluBees maintains backup and disaster recovery procedures leveraging AWS availability features including redundancy and automated failover. Recovery procedures are periodically reviewed.

9. Personnel Security. BluBees personnel with access to customer data, Integration Credentials, or production systems are subject to confidentiality obligations and complete security awareness practices.
