Additional Terms
Last updated: 2026-05-31
These Additional Terms work alongside the Atlassian Marketplace Standard End User Agreement (Bonterms v1.0) — together they form your complete agreement with Attestsys for use of our apps. Capitalized terms from the Standard Agreement have the same meaning here.
Where these Additional Terms conflict with the Standard Agreement, these Additional Terms take precedence (per §1.4 of the Standard Agreement).
1. Governing law
If you're in the UK or EU: German law applies. Disputes go to the courts of Ulm, Germany. The California default in the Standard Agreement doesn't apply to you.
Everywhere else: California law applies per the Standard Agreement.
2. Data processing (GDPR)
If you're in the EEA or UK, you're the data controller and we're your data processor under Regulation (EU) 2016/679 (GDPR). Our Data Processing Agreement (DPA) applies and is incorporated into this agreement by reference. It covers what we process, why, how long we keep it, and what your rights are.
Read it before you start using the apps with real data.
3. Security
Here's what we actually do:
- All cryptographic signing uses ECDSA P-256
- Data at rest is encrypted with AES-256-GCM
- Signing keys are stored with AES-256-GCM envelope encryption (the key-encryption key, or KEK, is held separately from the wrapped key material)
- All connections use TLS 1.2 or higher
Per-event RFC 3161 timestamps are issued by independent, non-qualified public timestamp authorities (such as FreeTSA or DigiCert). Qualified RFC 3161 timestamps (the daily checkpoint over the audit chain on paid tiers, and per-event timestamps on Enterprise) are provided by qualified trust service providers (QTSPs) from the EU Trusted List, such as QuoVadis Trustlink B.V. (Netherlands) and GlobalSign nv-sa (Belgium). We are a relying party, not a QTSP.
Full details are in our Security Statement.
4. Service availability
We run the service on a best-efforts basis. Status and incident history: status.attestsys.com.
Free tier: no uptime guarantee.
Paid tiers: any availability commitments are in your Marketplace order or Enterprise contract.
We're not responsible for outages caused by Atlassian platform issues, GitHub API problems (for the GitHub Evidence Pack), or things genuinely outside our control.
5. What you can't use Attestsys for
Use it to record what actually happened. Don't use it to:
- Create, back-date, alter, or fabricate audit records or approvals
- Generate records intended to mislead auditors, customers, regulators, or anyone else about what actually happened
- Do anything that violates the Standard Agreement's acceptable use provisions
If we see clear evidence of this kind of abuse, we'll suspend access. We won't apologize for that.
6. Signing key continuity
Your signed records need to stay verifiable even if Attestsys shuts down or changes infrastructure years from now. We commit to:
- Keeping the public key material for all signing keys available for verification for at least 10 years after last use
- Providing you with all public keys used to sign your data, on request
- Giving you at least 90 days' notice before any signing key rotation that would affect verification of past records
If we ever wind down the service, we'll publish all public keys to a permanent public location before going dark.
7. Data retention
Free tier: 30-day retention. Records older than 30 days are automatically deleted.
Paid tiers: retention period is configurable in your account settings.
When you cancel or your subscription ends, we'll keep your data for 60 days so you can export it. After that, it's gone. Export your records before you leave — we can't recover them after deletion.
You're responsible for knowing your own retention obligations. We don't track regulatory retention requirements on your behalf.
8. GitHub Evidence Pack
The GitHub Evidence Pack connects to the GitHub API. If GitHub has an outage, rate-limits your access, changes their API, or revokes access for any reason, that will affect the app's functionality. That's outside our control and not our liability.
If GitHub notifies us in advance of a material API change that affects the app, we'll pass that on to you.
9. Sensitive personal data
Attestsys captures Jira event metadata — issue titles, user actions, comment snippets. You're responsible for making sure sensitive personal data (health information, payment card details, government IDs, and anything else covered by §7.2 of the Standard Agreement) doesn't end up in Jira issues or comments that get captured.
The Standard Agreement's prohibition on Sensitive Data applies fully here. We're not liable for sensitive data you route through the app.
Questions?
Email: legal@attestsys.com
Postal: Ilgiz Khusnullin, Berblingerstr. 3, 89073 Ulm, Germany