Atlassian Business Associate Agreement
Last updated: September 19, 2023
This Data Transfer Impact Assessment (the "DTIA") is intended to support Atlassian customers and Forge developers in carrying out a risk assessment of personal data transfers, in light of the Court of Justice of the European Union's "Schrems II" judgment and the subsequent recommendations of the European Data Protection Board, in connection with the provision of Atlassian's cloud products, support and services (collectively, the "Services") and the Forge platform ("Forge"), and the subsequent processing of that personal data by Atlassian, its affiliates and sub-processors. The DTIA supplements the information needed to comply with the data transfer provisions under European Data Protection Law as defined in the Atlassian Data Processing Addendum (the Atlassian DPA) and the Forge Data Processing Addendum (the Forge DPA).
As a provider of global services, Atlassian operates its services on the basis of operational practices and functions common across multiple jurisdictions. Accordingly, as detailed in our data residency documentation, we store personal data in data centers located in the US, EMEA and APAC, and process personal data in other locations around the world for the purposes of providing products and features and of delivering customer and technical support.
Under European Data Protection Law, personal data may not be transferred outside Europe unless (i) the relevant governmental body has deemed the importing country to provide an adequate level of protection, or (ii) the data exporter has put in place appropriate safeguards that ensure an adequate level of protection for the personal data being transferred. These safeguards are referred to as "transfer mechanisms".
The Atlassian DPA incorporates the Standard Contractual Clauses (as defined in the DPA) as a transfer mechanism, as follows:
- Where personal data protected by the GDPR is transferred to Atlassian outside Europe, Atlassian provides appropriate safeguards for the transfer under the EU Standard Contractual Clauses (SCCs). Under the SCCs, our customer acts as the "data exporter" and Atlassian as the "data importer".
- Where personal data is protected by UK data protection law, Atlassian relies on the UK Addendum to the DPA, in accordance with the 2022 ICO guidance.
- Where personal data protected by the Swiss Federal Act on Data Protection is transferred to Atlassian outside Europe, Atlassian relies on the EU SCCs together with specific interpretive provisions so that the SCCs also function under the Swiss legal system.
2. Applicability of this BAA
2.1 Applicability. This BAA is applicable only to the extent that Customer has an active Subscription Term for a HIPAA-Qualified Cloud Product and has configured such HIPAA-Qualified Cloud Product in accordance with the specifications provided in Section 5 of this BAA. Customer must not provide PHI to any Cloud Product that is not a HIPAA-Qualified Cloud Product to which this BAA applies. For avoidance of doubt, Customer acknowledges and agrees that this BAA does not apply to (a) any Cloud Products or Support and Services provided by Atlassian or its Affiliates other than the HIPAA-Qualified Cloud Products, (b) any Third-Party Product, including any Third Party Apps, that Customer elects to integrate or enable for use with the HIPAA-Qualified Cloud Products, or (c) Customer’s own products and services used with any HIPAA-Qualified Cloud Products.
2.2 Term. The term of this BAA commences on the Effective Date and will terminate automatically upon expiration or earlier termination of the Agreement, unless earlier terminated pursuant to the terms of this BAA.
2.3 Execution. To the extent this BAA has been pre-signed on behalf of Business Associate, for the BAA to be enforceable, Customer must:
a) complete the signature block below by completing all required fields and counter-signing;
b) submit the completed and signed BAA to Business Associate as instructed; and
c) have only a signatory who possesses legal authority to bind Customer into legally enforceable contracts execute this BAA.
Where Customer makes any deletions or other revisions to this BAA, this BAA will be null and void.
3. Responsibilities of business associate
3.1 Use and Disclosure. With regard to its use or disclosure of PHI, Business Associate agrees to:
(a) not use or disclose PHI except as permitted or required by this BAA or as otherwise Required by Law and, to the extent that Business Associate is to carry out any of Customer’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Customer in the performance of those obligations;
(b) implement and use appropriate technical, physical and administrative safeguards to prevent use or disclosure of ePHI other than as permitted or required by this BAA and comply with the Security Rule provisions applicable to business associates with respect to ePHI;
(c) report without unreasonable delay to Customer: (i) any use or disclosure of PHI of which it becomes aware that is not permitted by this BAA; or (ii) any Security Incident of which Business Associate becomes aware. Notwithstanding the foregoing, Customer acknowledges that Business Associate routinely experiences unsuccessful Security Incidents that do not result in a Breach of Unsecured PHI, such as pings, port scans, phishing attempts, log-on attempts, and other unsuccessful Security Incidents. Business Associate hereby notifies Customer of such unsuccessful Security Incidents, and the Parties acknowledge and agree that no further notice will be required of such unsuccessful Security Incidents;
(d) without unreasonable delay and in no case later than five (5) calendar days after discovery, Business Associate must notify Customer of a Breach of any Unsecured PHI, all in accordance with 45 C.F.R. § 164.410;
(e) in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in writing, to restrictions and conditions on the use or disclosure of PHI that are no less restrictive than those that apply to Business Associate; including, to the extent that Business Associate provides ePHI to a subcontractor, that it must require the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that ePHI;
(f) make available its internal practices, books, and records relating to the use or disclosure of PHI to the Secretary of the Department of Health and Human Services (“HHS”) for purposes of determining Customer’s compliance with the Privacy Rule;
(g) within thirty (30) days after receiving a written request from Customer, make available information necessary for Customer to make an accounting of disclosures of PHI about an Individual as provided in 45 C.F.R. § 164.528 and when directed by Customer, make that accounting directly to the Individual;
(h) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA;
(i) if Business Associate maintains a Designated Record Set, make available Customer PHI as required to enable Customer to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524 and 164.526, subject to the implementation guide as defined in Section 5.1;
(j) request, use or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure;
(k) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and
(l) not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3).
4. Other permitted uses and disclosures of PHI
4.1 Other Permitted Uses and Disclosures. Unless otherwise limited in this BAA, in addition to any other uses or disclosures permitted or required by this BAA, Business Associate may:
(a) use and disclose to subcontractors, the PHI in its possession as necessary to provide the HIPAA-Qualified Cloud Products to Customer pursuant to the Agreement;
(b) use and disclose the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate, provided that any such disclosures are Required by Law or any third party to which Business Associate discloses PHI for those purposes provides written assurances that:
(i) such PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party; and
(ii) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.
5. Obligations of customer
5.1. Product Configuration. Customer is solely responsible for configuring all HIPAA-Qualified Cloud Products according to the implementation guide found here (or successor hyperlink), as may be updated from time to time:
Customer must configure all HIPAA-Qualified Cloud Products in accordance with the implementation guide prior to entering any PHI into the applicable product.
5.2 Authorizations and Consents. Customer must obtain and maintain any and all authorizations and consents by individuals or other parties required for Business Associate’s use or disclosure of PHI contemplated by this BAA.
5.3 Permissible Requests by Customer. Customer must not request Business Associate to access, use, or disclose PHI, nor act in any manner, that would not be permissible under HIPAA if done by Business Associate. Without limiting the foregoing, Customer must not provide to the HIPAA-Qualified Cloud Products any PHI that is subject to a restriction on the use or disclosure of PHI requested by the Individual pursuant to 45 C.F.R. § 164.522 and that may affect Business Associate’s use or disclosure of such PHI.
6.1 Termination. If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of this BAA then the non-breaching Party must provide notice of such breach or violation to breaching Party. Such notice shall clearly specify the nature of the breach or violation. If, after a reasonable time period, which shall not be less than 30 days, following the notice to breaching Party, the breaching Party has not cured the breach or ended the violation, the non-breaching Party may terminate this BAA.
6.2 Effect of Expiration or Earlier Termination. Within sixty (60) days after the expiration or earlier termination of this BAA, Business Associate must return or destroy all PHI, if feasible to do so, including all PHI in possession of Business Associate’s subcontractors. If return or destruction of the PHI is not feasible, Business Associate shall extend any and all protections, limitations and restrictions contained in this BAA to Business Associate’s use or disclosure of any PHI retained after the termination or expiration of this BAA, and limit any further uses or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
7.1 Construction of Terms. To the extent they are not clear, the terms of this BAA shall be construed to allow for compliance by the Parties with HIPAA implementing regulations as applicable and as promulgated and amended from time to time.
7.2 No Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
7.3 Survival. Sections 3.1(d), 3.1(g), 6.2, and 7.1 through 7.7 shall survive the termination for any reason or expiration of this BAA.
7.4 Notice. Notices to Customer as required under this BAA shall be made in writing via email in accordance with the applicable provisions in the Agreement. Notices to Atlassian as required under this BAA shall be in writing to the addresses set forth below:
Atlassian Pty Ltd, c/o Atlassian, Inc.
350 Bush Street, Floor 13
San Francisco, CA 94104
Attn: Privacy Officer
With copy to:
7.5. Relationship to the Agreement.
(a) Except for the changes made by this BAA, the Agreement remains unchanged and in full force and effect. If there is any conflict between the provisions of this BAA and the provisions of the Agreement (including the Atlassian Data Processing Addendum (if applicable)), the provisions of this BAA prevail over the provisions of the Agreement only to the extent of that conflict in connection with the use or disclosure of PHI to the HIPAA-Qualified Cloud Product; in all other cases, the provisions of the Agreement prevail over the provisions of this BAA.
(b) Notwithstanding anything to the contrary in the Agreement or this BAA, the liability of each Party and each Party’s Affiliates under this BAA is subject to the exclusions and limitations of liability set out in the Agreement.
7.6 Claims. Any claims against Atlassian or its Affiliates under this BAA may only be brought by the Customer entity that is a party to the Agreement against the Atlassian entity that is a party to the Agreement.
7.7 Governing Law. This BAA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Federal Laws.