DATA PROCESSING ADDENDUM

Effective Date: January 1, | Last Updated: January 1,

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between Cowboy MSP ("CowboyMSP," "we," "our," or "us") and the customer ("Customer," "you") governing the use of CowboyMSP applications distributed through the Atlassian Marketplace, including but not limited to Credential Vault for Confluence (each, an "App"). This DPA sets out the terms under which CowboyMSP processes personal data on behalf of the Customer in connection with the App.

This DPA is designed to satisfy the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), where applicable.

2. Definitions

Capitalized terms not defined in this DPA have the meaning given to them in the GDPR or CCPA, as applicable. For purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person processed by CowboyMSP on behalf of the Customer in connection with the App.
• "End-User Data" means data processed by the App on behalf of the Customer or the Customer's end users.
• "Data Controller" means the entity that determines the purposes and means of the processing of Personal Data. The Customer is the Data Controller.
• "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. CowboyMSP is the Data Processor.
• "Sub-processor" means any third party engaged by CowboyMSP to process Personal Data on behalf of the Customer.

3. Roles of the Parties

For the purposes of GDPR, the Customer is the Data Controller and CowboyMSP is the Data Processor. For the purposes of the CCPA/CPRA, the Customer is the Business and CowboyMSP is the Service Provider. CowboyMSP processes Personal Data solely for the purpose of providing the App and in accordance with the Customer's documented instructions and this DPA.

4. Subject Matter, Duration, Nature, and Purpose of Processing

Subject matter: Provision of the App and related support services to the Customer.

Duration: For the duration of the Customer's subscription to the App, plus any retention period required by applicable law.

Nature of processing: Storage of AES-GCM-256 encrypted credential ciphertext within Atlassian Forge Key-Value Storage, together with associated metadata required for App functionality.

Purpose of processing: Credential management within Confluence, including secure storage, retrieval, and audit of user-supplied credentials and related entries.

5. Categories of Data Subjects and Types of Personal Data

Categories of data subjects: The Customer's authorized end users of the App, which may include employees, contractors, and agents of the Customer.

Types of Personal Data processed:

• Atlassian account identifiers (used to scope vault ownership, audit log entries, and per-user preferences).
• Encrypted credential entries (AES-GCM-256 ciphertext containing user-supplied usernames, passwords, MFA secrets, URLs, notes, and tags — CowboyMSP cannot access this data in plaintext).
• Audit log events (timestamp, action type, and Atlassian account identifier of the actor).
• User preferences (theme selection, password generator defaults, sort orders, dismissed-warning flags).

CowboyMSP does not process special categories of Personal Data (as defined in Article 9 GDPR) and instructs Customers not to use the App for such data.

6. Obligations of CowboyMSP

CowboyMSP shall:

• Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country.
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement the technical and organizational measures set out in Section 9 of this DPA.
• Respect the conditions for engaging Sub-processors as set out in Section 8.
• Assist the Customer in fulfilling its obligations to respond to requests from data subjects to exercise their rights under GDPR Chapter III.
• Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, taking into account the nature of the processing and the information available to CowboyMSP.
• At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
• Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

7. Obligations of the Customer

The Customer shall:

• Comply with its obligations as a Data Controller under applicable data protection laws.
• Have a lawful basis for processing Personal Data and provide all required notices to and obtain all required consents from data subjects.
• Provide CowboyMSP with documented and lawful instructions regarding the processing of Personal Data.
• Ensure that no special categories of Personal Data are entered into the App.
• Safeguard the vault PIN(s) used to derive encryption keys; loss of a PIN renders the associated encrypted data permanently unrecoverable, including by CowboyMSP.

8. Sub-processors

The Customer authorizes CowboyMSP to engage the following Sub-processors in connection with the App:

• Atlassian Pty Ltd — provides the Forge runtime, Forge Key-Value Storage, authentication, and hosting infrastructure on which the App operates. All Personal Data processed by the App is stored within Atlassian-operated infrastructure and inherits Atlassian's data residency settings.
• Have I Been Pwned (HIBP) — used only when a Customer end user voluntarily triggers the optional password breach check. Only the first 5 hexadecimal characters of a SHA-1 hash of the password are transmitted via the HIBP k-anonymity API. No Personal Data and no plaintext credential is transmitted. CowboyMSP does not receive or store this request.

CowboyMSP will provide the Customer with at least 30 days' prior written notice (which may be by posting an updated DPA at this URL) before adding or replacing any Sub-processor. The Customer may object to such change on reasonable data protection grounds within 30 days of notice. If the Customer objects, CowboyMSP will use commercially reasonable efforts to provide an alternative; if no alternative is reasonably available, either party may terminate the relevant App subscription.

9. Technical and Organizational Measures

CowboyMSP implements the following technical and organizational measures to ensure a level of security appropriate to the risk:

• Encryption at rest: All sensitive credential fields (passwords, MFA secrets, URLs, usernames, notes, tags) are encrypted client-side using AES-GCM-256 with a session key derived via PBKDF2 (200,000 iterations) from a user-supplied PIN before any data leaves the end user's browser.
• Encryption in transit: All communication between the App, the Customer's browser, and Atlassian infrastructure uses HTTPS/TLS 1.2 or higher, enforced by the Atlassian Forge platform.
• Authentication: User identity is authenticated via Atlassian's existing OAuth flow. The vault PIN is an additional factor known only to the end user and is never transmitted to CowboyMSP.
• Access control: Per-page vault scoping prevents cross-vault data access. Owner-only authorization gates permanent deletion, ownership transfer, PIN changes, template and category management, and vault-wide settings. Each vault has a unique salted PIN hash.
• Auditing: A capped 2,000-event audit log per vault records every credential add, edit, delete, PIN change, ownership transfer, and CSV export, including timestamp and Atlassian account identifier.
• Data minimization: Only the minimum data required for App function is stored. No IP addresses, device fingerprints, plaintext passwords, or unencrypted user-supplied data are persisted.
• Confidentiality: CowboyMSP personnel with administrative access are bound by confidentiality obligations. Access is granted on a least-privilege, need-to-know basis.
• Resilience: The App runs on Atlassian Forge, which provides redundancy, automated backups, and disaster-recovery capabilities operated by Atlassian.
• Regular testing: CowboyMSP performs ongoing code review, static analysis, dependency vulnerability scanning, and unit testing as part of its development lifecycle.

10. International Data Transfers

All Personal Data processed by the App is stored within Atlassian Forge Key-Value Storage. Data residency is determined by the Customer's Atlassian Cloud site configuration. CowboyMSP itself does not transfer Personal Data outside of Atlassian-controlled infrastructure.

To the extent any onward transfer occurs, such transfer shall be governed by an appropriate transfer mechanism recognized under GDPR Article 46, including the European Commission's Standard Contractual Clauses (SCCs) where applicable. The parties agree to incorporate the SCCs by reference into this DPA when required.

11. Personal Data Breach Notification

CowboyMSP shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer data processed by the App. Such notification shall, to the extent then known, include:

• The nature of the breach, including categories and approximate number of data subjects and records concerned;
• The likely consequences of the breach;
• The measures taken or proposed to address the breach and mitigate its possible adverse effects;
• The contact point at CowboyMSP from whom more information can be obtained.

Notification may be made by email to the Customer's designated contact on file with Atlassian Marketplace or, if no such contact is on file, to the primary administrator account associated with the App installation.

12. Data Subject Rights

Taking into account the nature of the processing, CowboyMSP shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising the data subject's rights under GDPR Chapter III and analogous rights under other applicable laws.

End users may exercise the following rights directly from within the App without CowboyMSP intervention:

• Right of Access: Decrypt and view all stored credential entries.
• Right to Rectification: Edit any stored entry.
• Right to Erasure: Permanently delete entries or the entire vault.
• Right to Data Portability: Export decrypted credential data to CSV.

13. Return or Deletion of Personal Data

Upon termination of the Customer's subscription to the App, CowboyMSP shall, at the Customer's choice, return or delete all Personal Data processed on behalf of the Customer. Because all Personal Data is stored in Atlassian Forge Key-Value Storage scoped to the Customer's Confluence site, uninstalling the App through the Atlassian Marketplace administration interface initiates deletion of all associated data by Atlassian according to Atlassian's published retention policies.

14. Audit Rights

CowboyMSP shall make available to the Customer, upon reasonable written request and no more than once per calendar year, information reasonably necessary to demonstrate compliance with this DPA. Given the architecture of the App (where all credential data is encrypted client-side and CowboyMSP holds no decryption keys), such information will typically consist of documentation of CowboyMSP's technical and organizational measures, sub-processor list, and incident response history.

15. CCPA / CPRA Service Provider Terms

To the extent CowboyMSP processes Personal Information (as defined under CCPA/CPRA) on behalf of a Customer that is a Business under CCPA/CPRA, CowboyMSP acts as a Service Provider and:

• Will not sell or share Personal Information.
• Will not retain, use, or disclose Personal Information for any purpose other than the specific purpose of performing the services specified in the agreement between the parties.
• Will not retain, use, or disclose Personal Information outside the direct business relationship between the parties.
• Will not combine Personal Information received from the Customer with Personal Information received from any other source, except as permitted by CCPA/CPRA.
• Certifies that it understands the restrictions in this Section 15 and will comply with them.

16. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the underlying agreement between the parties, including any Marketplace agreement with Atlassian governing the Customer's use of the App.

17. Conflict

In the event of a conflict between this DPA and any other agreement between the parties relating to the processing of Personal Data, the terms of this DPA shall prevail with respect to the subject matter addressed herein.

18. Changes to This DPA

CowboyMSP may update this DPA from time to time to reflect changes in applicable law, regulatory guidance, or App functionality. Material changes will be notified to Customers with at least 30 days' notice by posting an updated version at this URL. Continued use of the App after the effective date of an updated DPA constitutes acceptance of the updated terms.

19. Governing Law

This DPA is governed by the laws applicable to the underlying agreement between the parties. Where the Customer is established in the European Economic Area or the United Kingdom, the data protection provisions of this DPA shall be interpreted in accordance with the GDPR or UK GDPR as applicable.

20. Contact

For data protection inquiries, sub-processor notifications, breach notifications, or any other matter relating to this DPA, contact:

Data Protection Contact: Cowboy MSP
Email: [email protected]
Website: cowboymsp.com

This DPA should be read together with the CowboyMSP Privacy Policy and the CowboyMSP End User License Agreement.