Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ScrumJam ("Processor") and the customer ("Controller") using ScrumJam's services.

1. DEFINITIONS

"Personal Data" means any information relating to an identified or identifiable natural person processed by ScrumJam on behalf of the customer.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" means any third party engaged by ScrumJam to process Personal Data.

2. SCOPE AND PURPOSE

ScrumJam processes Personal Data only to provide the services described in the Terms of Service — specifically:

  • Running planning poker and sprint retrospective sessions
  • Importing and displaying Jira issues within sessions
  • Storing session content (tasks, votes, retro cards, action items)
  • Managing user authentication and team membership

ScrumJam processes Personal Data solely on the documented instructions of the Controller and for no other purpose.

3. DATA TYPES PROCESSED

ScrumJam processes the following categories of Personal Data on behalf of the Controller:

  • Email addresses
  • User identifiers (Firebase UID)
  • Jira OAuth access and refresh tokens
  • Jira issue keys and summaries
  • Planning poker session content (tasks, votes)
  • Retrospective session content (cards, action items)
  • User preferences (selected Jira project, board, sprint)

4. SUB-PROCESSORS

ScrumJam uses the following sub-processors to deliver its services:

Sub-processor     Purpose                            Location
Google Firebase   Authentication and data storage    United States
Google Firestore  Database                           United States
PostHog           Product analytics                  United States / EU
Stripe            Payment processing                 United States

ScrumJam will notify the Controller of any intended changes to sub-processors by updating this page.

All sub-processors maintain Standard Contractual Clauses (SCCs) for EEA data transfers.

5. DATA TRANSFERS

Personal Data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). All such transfers are governed by Standard Contractual Clauses (SCCs) under GDPR Article 46, implemented through ScrumJam's agreements with its sub-processors.

6. SECURITY

ScrumJam implements the following technical and organisational measures to protect Personal Data:

  • Encryption at rest: AES-256 via Google Cloud / Firebase defaults
  • Encryption in transit: TLS 1.2 or above for all communications
  • Access control: Firebase Authentication with role-based access
  • OAuth security: Cryptographically random state parameter with server-side validation and one-time use enforcement
  • Dependency vulnerability scanning via GitHub Dependabot
  • Multi-factor authentication on all developer accounts

For full details see our Security page.


7. DATA RETENTION

ScrumJam retains Personal Data as follows:

  • Public session data: deleted after 24 hours of inactivity
  • Team session data: retained for the duration of the subscription
  • Jira OAuth tokens: deleted immediately upon Jira disconnection
  • User account data: retained until deletion is requested

Controllers may request deletion of their organisation's data by contacting info@scrumjam.app. ScrumJam will make reasonable efforts to fulfil deletion requests in a timely manner.

8. DATA SUBJECT RIGHTS

Where technically possible, ScrumJam will assist the Controller in responding to data subject requests (access, rectification, erasure). Requests should be submitted to info@scrumjam.app.

9. BREACH NOTIFICATION

In the event of a confirmed Personal Data breach, ScrumJam will make reasonable efforts to notify affected Controllers without undue delay, providing sufficient information to support the Controller's own obligations under applicable law.

10. CONTACT

For any questions regarding this DPA or data processing:

Email: info@scrumjam.app

Website: scrumjam.app