Data Processing Addendum

Last updated: May 19, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Release Cadence ("Processor") and the customer ("Controller"). It applies when the Controller is subject to data protection legislation, including the EU General Data Protection Regulation (GDPR) and UK GDPR.

1. Definitions

  • "Controller" means the Release Cadence customer who determines the purposes and means of processing personal data.
  • "Processor" means Release Cadence, which processes personal data on behalf of the Controller.
  • "Personal Data" has the meaning given in the GDPR: any information relating to an identified or identifiable natural person.
  • "Processing" has the meaning given in the GDPR.
  • "Sub-processor" means any third party engaged by Release Cadence to process personal data in the course of providing the service.
  • "Data Subject" means the natural person whose personal data is processed.
  • "Services" means the Release Cadence platform as described in the Terms of Service.

2. Details of Processing

2.1 Subject Matter

Release Cadence processes personal data to provide the Services as described in the Terms of Service, including product feedback collection, survey management, roadmap management, and Atlassian integration features.

2.2 Duration

Processing continues for the duration of the Controller's subscription to the Services, and for the data retention period thereafter as described in the Privacy Policy (up to 90 days following termination).

2.3 Nature and Purpose of Processing

Release Cadence processes personal data to:

  • Store and display survey responses submitted by the Controller's customers and end users
  • Compute and display analytics derived from survey responses
  • Associate feedback with product features and roadmap items
  • Provide the Atlassian Jira and Confluence integration, linking Atlassian items to Release Cadence projects

2.4 Categories of Personal Data

  • Survey responses (which may include names, opinions, contact details, or other personal data provided by respondents)
  • Email addresses (of Controller's team members using the platform)
  • Account profile information (name, role)
  • Usage and log data

2.5 Categories of Data Subjects

  • The Controller's employees and team members who use Release Cadence
  • The Controller's customers and end users who respond to surveys distributed through Release Cadence

3. Processor Obligations

3.1 Instructions

Release Cadence will process personal data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service. If Release Cadence is required by applicable law to process personal data in a manner not covered by the Controller's instructions, it will inform the Controller before such processing unless prohibited from doing so by law.

3.2 Confidentiality

Release Cadence will ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.

3.3 Security

Release Cadence implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit using TLS and at rest
  • Measures to ensure ongoing confidentiality, integrity, and availability of processing systems
  • A process for regularly testing and evaluating the effectiveness of security measures
  • Access controls limiting personal data access to authorized personnel only

3.4 Sub-processors

The Controller authorizes Release Cadence to engage the sub-processors listed in the Privacy Policy (Section 4.1). Release Cadence will inform the Controller of any intended changes to that list (additions or replacements) with reasonable notice, giving the Controller the opportunity to object. Release Cadence imposes data protection obligations on sub-processors equivalent to those in this DPA.

3.5 Data Subject Rights

Release Cadence will assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection). To submit a data subject rights request on behalf of your organization, contact privacy@releasecadence.dev.

3.6 Security Assistance

Taking into account the nature of processing and the information available, Release Cadence will assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

3.7 Data Breach Notification

Release Cadence will notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data, providing sufficient information to allow the Controller to meet its obligations under applicable data protection law. Notifications will be sent to the Controller's registered account email address.

3.8 Deletion or Return of Data

Upon termination of the Services, Release Cadence will, at the Controller's election, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless applicable law requires storage of the personal data. Data export is available through the platform prior to account termination. Following termination, personal data is deleted within 90 days.

3.9 Audits and Inspections

Release Cadence will make available all information necessary to demonstrate compliance with the obligations in this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor. Audit requests should be submitted to legal@releasecadence.dev.

4. International Data Transfers

Release Cadence's infrastructure is located in the United States. Where personal data is transferred from the European Economic Area (EEA) or the United Kingdom to the United States, such transfers are made under the Standard Contractual Clauses adopted by the European Commission (where applicable), or other lawful transfer mechanisms.

Controllers who require Standard Contractual Clauses as part of this DPA may request the executed SCCs by contacting legal@releasecadence.dev.

5. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis for collecting and processing the personal data it inputs into the Services
  • It has provided appropriate notices and obtained any required consents from data subjects whose data it submits to the Services
  • Its instructions to Release Cadence comply with applicable data protection law
  • It is responsible for the accuracy, quality, and legality of the personal data it submits

6. Governing Law

This DPA is governed by the same law as the Terms of Service between the parties. To the extent required by applicable data protection law, the GDPR or UK GDPR shall take precedence over the governing law of the Terms of Service with respect to data protection matters.

7. Contact

Questions about this DPA, data subject rights requests, or requests for executed Standard Contractual Clauses:

Email: legal@releasecadence.dev

Privacy inquiries: privacy@releasecadence.dev