Digia's Jira Cloud privacy statement
Processing of Customer Data in the Change and Project Management Service (Jira Cloud Service)
This Privacy Statement (“Statement”) describes how Digia Plc and its group companies (together “Digia” or “we”) process personal data in connection with the use of the Jira Cloud (“Jira”) service. This Statement also applies to the processing of personal data of contact persons and users of Digia’s cooperation partners (such as service providers, subcontractors, and customers).
The Statement also outlines the general data protection principles followed by Digia in its operations and explains the rights you have as a data subject regarding your personal data.
This Statement is available on Digia’s website. The Statement was last updated on 30 September 2025. We may update the Statement from time to time, so we recommend reviewing it regularly. If we make material changes to the Statement, such as adding new purposes for processing, we will notify you separately in advance.
1. Controller's Contact Information
Digia Plc
Business ID: FI-08313124
Address: Atomitie 2 B, 00370 Helsinki, FINLAND
Tel.: Exchange, +358 (0)19 313 3000 (mobile call charge/local network charge)
Contact person for questions regarding the processing of personal data described in this Privacy Statement:
Digia Service Center +358 9 3158 6378
2. Data Protection Officer's Contact Information
Data Protection Officer Digia Plc
dpo(at)digia.com
3. Purposes of Processing and Legal Bases
The purpose and legal basis for the processing of personal data are recorded in the table below.
| Processing Purpose | Legal Basis for Processing |
|---|---|
| For the creation of user data to enable the use of the service | Legitimate interest: establishing user data for the use of tools employed within the service |
| Management of project access rights | Legitimate interest: maintaining access rights is based on an active customer relationship |
4. Categories of Data Subjects
Jira users of Digia’s customers.
5. Processed Personal Data
The following personal data is processed in connection with the purposes of processing mentioned above:
- Email address
- Usernames (first name, last name)
- Customer company
- Viewing and log data
The email address, name, and customer company information (Entra ID data) are provided by Digia’s customer contact person during the service activation order process, which is created based on the personal data submitted in the order.
6. Data Retention Periods
Personal data is retained for the duration of the customer relationship.
When an external (guest) user no longer requires access to Jira:
- Access rights are removed from Entra ID groups. Once the user is removed from the groups, they no longer have access to Jira.
- Inactive accounts are deleted from Digia’s Jira environment twice a year.
7. Regular Data Sources
Entra ID (Azure) is located within the EU.
Data is collected from information provided by external users, which is required for service onboarding.
Regular disclosures and transfers of data outside the EU or European Economic Area (EEA)
- Digia’s service provider Atlassian processes and stores the personal data described in this Privacy Statement primarily in the United States (Atlassian account).
- Jira project data is stored within the EU (Frankfurt and Ireland).
All data transfers are subject to separate assessments before execution. Digia always complies with the applicable national and international regulations when transferring personal data. This includes implementing necessary contractual safeguards, typically using the European Commission’s Standard Contractual Clauses or other appropriate transfer protection mechanisms.
Additional information is available on Atlassian’s security pages at the Atlassian Trust Center.
8. Description of Technical and Organizational Security Measures
Digia has implemented appropriate technical and organizational security measures required by law to protect the personal data it processes from unauthorized access, processing, loss, alteration, and other security risks. User data is stored in the controller's system, which is protected by operating system security software and functions. Access to the system requires a user-specific identifier.
The system is also protected by firewalls and other technical means. Only certain pre-defined employees of the controller and their invited communication counterparts have access to and are authorized to use the data stored in the system. The information in the register is located in locked and guarded premises.
9. Rights of Data Subjects
Applicable legislation guarantees several rights to data subjects regarding their processed personal data. Digia respects these rights and is committed to implementing them. The rights of data subjects are listed below:
- The right to request access to personal data concerning the data subject and the right to receive a copy of such data;
- The right to data portability when processing is based on consent and is carried out by automated means;
- The right to request correction, completion, or erasure of inaccurate, incomplete, or outdated personal data processed about the data subject;
- Data subjects have the right to request the restriction of processing in certain situations, for example, if the company no longer needs the data but the data subject does not want it to be erased and instead requests the restriction of processing.
- Data subjects have the right to object to the processing of their personal data in certain situations based on their particular circumstances, for example, when the processing is based on the legitimate interests of the data controller and there are no overriding legitimate grounds for the processing.
- Data subjects have the right to have the data controller erase their personal data under certain conditions (the "right to be forgotten"), for example, when the personal data is no longer necessary for the purposes for which it was collected, or when the processing is based on consent and the consent has been withdrawn.
- Data subjects have the right to withdraw their consent to the processing at any time.
- Data subjects have the right to lodge a complaint with the competent supervisory authority, which in Finland is the Office of the Data Protection Ombudsman (see tietosuoja.fi).
Requests regarding the exercise of these rights should be sent to the address PrivacyQuery(at)digia.com. Please note that the exercise of certain rights may be subject to additional requirements under applicable law. Additionally, the company may need to request some additional information in order to verify the identity of the requester.
Please include the following information in your request:
- Information that allows your identification (such as full name, email address, or equivalent)
- Information about the role in which you are contacting us (former employee/employee/customer/partner)
- Information regarding the specific right based on the above-mentioned legal grounds that you wish to exercise.