Skip to main content
SmartRuns

Data Processing Agreement

GDPR Article 28 · Processor terms for SmartRuns customers

Last updated: July 7, 2026

Preamble

This Data Processing Agreement ("DPA") forms part of, and is governed by, the Terms of Service and any order form or subscription agreement (together, the "Agreement") between the customer identified in the Agreement ("Customer", "you") and Kalinka Tech SL, a Spanish limited liability company (Sociedad Limitada) with tax ID (CIF/NIF) B72371446 and registered office at Federico Chueca 6, Bajo 2, El Puerto de Santa María, Cádiz, Spain ("SmartRuns", "we", "us"), operating the SmartRuns test management platform from Spain.

It governs the Processing of Personal Data by SmartRuns on the Customer's behalf in connection with the SmartRuns platform (smartruns.io and api.smartruns.io) and the SmartRuns for Jira app distributed via the Atlassian Marketplace. It reflects the parties' obligations under Article 28 of the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR. Where this DPA conflicts with the rest of the Agreement in respect of the Processing of Personal Data, this DPA prevails.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. In this DPA:

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data contained within the Customer content that SmartRuns Processes on the Customer's behalf under the Agreement.
  • "Data Protection Law" means the GDPR, the UK GDPR, and any other applicable data protection or privacy law, in each case as amended or superseded.
  • "Sub-processor" means any third party engaged by SmartRuns to Process Customer Personal Data.
  • "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries approved by European Commission Implementing Decision (EU) 2021/914, and, for UK transfers, the UK International Data Transfer Addendum.

2. Roles of the parties

For Customer Personal Data Processed under the Agreement, the Customer is the Controller and SmartRuns is the Processor. Where the Customer itself acts as a processor on behalf of a third-party controller, SmartRuns acts as a sub-processor; the Customer warrants that it has the authority and instructions required for SmartRuns to Process the Customer Personal Data as described in this DPA.

Separately, SmartRuns acts as an independent Controller for the limited account, billing, security, and product-analytics data described in our Privacy Policy; that Processing is governed by the Privacy Policy and not by this DPA.

3. Scope and Customer instructions

SmartRuns shall Process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law (in which case SmartRuns will inform the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest).

The Agreement, this DPA, the configuration options the Customer selects within the platform, and the Customer's use of the platform's documented features constitute the Customer's complete and final documented instructions. SmartRuns shall inform the Customer if, in its opinion, an instruction infringes Data Protection Law.

4. Subject-matter, nature, purpose, and duration of Processing

Subject-matter and nature. Hosting, storage, transmission, display, organisation, retrieval, and deletion of Customer content within a cloud-based QA test management platform, together with the optional integrations the Customer enables (including Jira, GitHub, AI-assisted test generation, and the SmartRuns for Jira app).

Purpose. To provide, maintain, secure, and support the SmartRuns platform for the Customer in accordance with the Agreement.

Duration. For the term of the Agreement, plus the post-termination return/deletion period described in Section 11.

Categories of Data Subjects

  • The Customer's authorised users of the platform (employees, contractors, and other members of the Customer's organisation).
  • Any individuals whose Personal Data the Customer or its users choose to include within Customer content — for example, people named in test cases, test runs, defects, comments, attachments, or in Jira issues that the Customer links to SmartRuns.

Categories of Customer Personal Data (platform level)

The Customer determines what Personal Data it submits. Processed categories typically include:

  • Authorised-user identity and account data — name, work email, role, and authentication context of the Customer's users.
  • Customer content — test cases, test plans, test runs, results, defects, comments, and attachments, which may contain Personal Data the Customer or its users choose to include (free-text, screenshots, logs).
  • Jira integration content — where the Customer configures the SmartRuns platform's own Jira integration, the issue data the Customer elects to fetch and link (which may include issue summaries, descriptions, comments, and associated identities) is Processed as Customer content under the Customer's control.
  • Integration credentials — OAuth tokens and API keys the Customer supplies for Jira, GitHub, and OpenAI, stored encrypted and used only to execute requests the Customer initiates.

The Customer must not submit special categories of Personal Data (GDPR Art. 9) or other high-risk data unless expressly agreed in writing with SmartRuns, consistent with Section 5 of the Terms of Service.

SmartRuns for Jira app — minimal data footprint

The Atlassian Forge app SmartRuns for Jira has a deliberately minimal footprint that is narrower than the platform's own Jira integration. The Forge app Processes only the Jira issue key, the acting user's Jira identity and authentication context, and Jira project and issue-type identifiers used to populate pickers, together with the SmartRuns tenant domain and API token held in Atlassian Forge app storage (encrypted at rest). The Forge app is used to link Jira issues to SmartRuns records and to display SmartRuns data inside Jira. Fetching of broader Jira issue data (summaries, descriptions, comments, attachments) is performed by the platform's separate, Customer-configured Jira integration, not by the Forge app, and is governed as Customer content above.

5. SmartRuns' obligations as Processor

SmartRuns shall:

  • Process Customer Personal Data only on the Customer's documented instructions (Section 3);
  • ensure that persons authorised to Process Customer Personal Data are bound by an appropriate obligation of confidentiality and are limited to those who need access to provide the service;
  • implement the technical and organisational security measures described in Section 6 (GDPR Art. 32);
  • respect the conditions for engaging Sub-processors set out in Section 7;
  • assist the Customer with Data Subject requests and with the Customer's own compliance obligations as set out in Sections 8 and 9;
  • at the Customer's choice, return or delete Customer Personal Data on termination as set out in Section 11;
  • make available to the Customer the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, as set out in Section 12.

SmartRuns will not sell Customer Personal Data and will not use Customer content or the Customer's team test data to train machine-learning models.

6. Security of Processing (GDPR Art. 32)

Taking into account the state of the art and the risks of the Processing, SmartRuns implements appropriate technical and organisational measures, including:

  • Encryption in transit — TLS 1.2+ for all data transmitted between clients, the platform, and integrated services;
  • Encryption at rest — Customer content, databases, object storage, and integration credentials encrypted at rest;
  • Access controls and least privilege — role-based internal access, restricted to personnel who require it, with access logging;
  • Tenant isolation — account-scoped data isolation in a multi-tenant architecture so that one Customer cannot access another's data;
  • Secure hosting — infrastructure hosted on Amazon Web Services European (EEA) regions;
  • Resilience and recovery — backups and a documented incident response procedure supporting the confidentiality, integrity, availability, and resilience of Processing systems;
  • Testing — a process for regularly reviewing the effectiveness of these measures.

SmartRuns may update these measures over time provided the level of protection is not materially reduced.

7. Sub-processors

The Customer provides a general authorisation for SmartRuns to engage Sub-processors to Process Customer Personal Data, subject to the conditions in this Section. SmartRuns shall:

  • impose on each Sub-processor, by written contract, data-protection obligations that are materially equivalent to those in this DPA (flow-down), including appropriate security and international-transfer safeguards;
  • remain fully liable to the Customer for the performance of each Sub-processor's obligations.

The Customer authorises the following Sub-processors as at the date of this DPA:

Sub-processorPurposeLocation
AtlassianForge app platform hosting and app configuration storage for the SmartRuns for Jira appGlobal / EU (SCC in place for non-EU processing)
Amazon Web Services (AWS)Cloud infrastructure, database, object storage, and email deliveryEU (SCC in place for US services)
StripePayment processingUnited States (SCC in place)
OpenAIAI test generation (prompt and response only, when explicitly invoked)United States (SCC in place)
SendGrid (Twilio)Transactional email deliveryUnited States (SCC in place)
CloudinaryFile and attachment storageUnited States (SCC in place)
Google CloudData analytics and warehouse (Data Connector feature)EU / United States (SCC in place)
New RelicApplication performance monitoringUnited States (SCC in place)

SmartRuns will give the Customer at least 14 days' prior notice (by email to the Customer's administrative contact) of any intended addition or replacement of a Sub-processor. The Customer may object on reasonable data-protection grounds within that notice period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the service as its exclusive remedy. The current list is also published in our Privacy Policy.

8. Assistance with Data Subject rights

Taking into account the nature of the Processing, SmartRuns shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). The platform's self-service export and deletion features are the primary means of such assistance; where those features are insufficient, SmartRuns will provide reasonable additional assistance.

If SmartRuns receives a request directly from a Data Subject relating to Customer Personal Data, it will, unless legally prohibited, promptly inform the Customer and will not respond to the request itself except on the Customer's documented instructions.

9. Assistance with security, breach, DPIAs, and consultation (Art. 32–36)

Taking into account the nature of Processing and the information available to it, SmartRuns shall provide reasonable assistance to the Customer in ensuring compliance with the Customer's obligations under GDPR Articles 32 to 36, including with data protection impact assessments (DPIAs) and any prior consultation with a Supervisory Authority.

10. Personal Data Breach notification

SmartRuns shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event in a manner that enables the Customer to meet its own notification obligations to the competent Supervisory Authority within 72 hours (GDPR Art. 33). The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it, with further information provided in phases as it becomes available. This aligns with the breach-notification commitment in our Privacy Policy (Art. 33–34).

11. Return and deletion of Customer Personal Data

On termination or expiry of the Agreement, and at the Customer's choice, SmartRuns shall return or delete Customer Personal Data. The Customer may export its data at any time during the term, and content data is deleted within 30 days of account deletion; integration credentials and OAuth tokens are revoked and deleted on disconnection or account deletion.

SmartRuns may retain Customer Personal Data to the extent, and for as long as, required by EU or Member State law (for example, billing records retained for 7 years under Spanish and EU tax law), in which case it will continue to protect that data and Process it only for the purpose and duration of that legal requirement. Anonymised, non-re-identifiable data is not Customer Personal Data and may be retained.

12. Audit and information rights

SmartRuns shall make available to the Customer all information reasonably necessary to demonstrate compliance with GDPR Art. 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.

To limit disruption and protect the confidentiality and security of other customers, the parties agree that: (a) SmartRuns may satisfy audit requests by providing relevant certifications, third-party audit reports, or written responses to a security questionnaire; (b) any on-site inspection will occur on reasonable prior notice, no more than once per year (save where required by a Supervisory Authority or following a Personal Data Breach), during business hours, and subject to confidentiality; and (c) the Customer bears its own costs and any reasonable costs SmartRuns incurs for inspections beyond providing the standard documentation above.

13. International data transfers

SmartRuns' primary infrastructure is located within the EEA. Where Processing of Customer Personal Data involves a transfer to a country outside the EEA that is not the subject of a European Commission adequacy decision — including transfers to certain US-based Sub-processors listed in Section 7 — such transfers are made under the EU Standard Contractual Clauses (SCCs) approved by European Commission Implementing Decision (EU) 2021/914, together with any supplementary measures required by Data Protection Law.

For equivalent transfers of Personal Data protected by the UK GDPR to third countries without a UK adequacy decision, SmartRuns relies on the UK International Data Transfer Addendum to the EU SCCs (UK IDTA). Transfers of Personal Data between the EEA and the United Kingdom rely on the respective adequacy decisions in force between the EU and the UK.

The relevant SCC and UK IDTA modules are incorporated into this DPA by reference; a copy is available on request from legal@smartruns.io.

14. Liability and order of precedence

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement (see Section 9 of the Terms of Service), and any reference in the Agreement to a party's liability means the aggregate liability of that party under the Agreement and this DPA together.

In the event of a conflict between this DPA and the rest of the Agreement, this DPA prevails with respect to the Processing of Customer Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.

15. Governing law and jurisdiction

This DPA is governed by the laws of Spain, without regard to conflict-of-law rules, and the courts of El Puerto de Santa María (Cádiz), Spain have exclusive jurisdiction, save where Data Protection Law requires otherwise. The competent lead Supervisory Authority is the Spanish Data Protection Authority (AEPD), www.aepd.es.

Data Protection Officer: SmartRuns has not appointed a Data Protection Officer, as it is not required to do so under GDPR Art. 37. Data-protection enquiries should be directed to legal@smartruns.io.

EU representative: Not required. SmartRuns (Kalinka Tech SL) is established in the European Union (Spain), so the appointment of a representative under GDPR Art. 27 does not apply.

16. Acceptance and incorporation

This DPA is incorporated into and forms part of the SmartRuns Terms of Service. By accepting the Terms of Service and/or using the Service, the Customer (as Controller) agrees to this DPA on behalf of itself and its authorised users. No signature is required for this DPA to take effect; it applies automatically as part of the Agreement.

Customers who require a counter-signed copy of this DPA for their own records may request one by contacting legal@smartruns.io. Data-protection queries and requests under this DPA should be directed to the same address.