Legal

Data Processing Agreement

For customers requiring a signed DPA under Article 28 GDPR.

Last updated: May 28, 2026

Available on request

3T Apps offers a Data Processing Agreement (DPA) to customers who require one for their use of TechDesk, DispatchDesk, or Assets to SQL. To request a copy, email privacy@3t-apps.com with your organisation name, Atlassian site URL, and the apps in scope. We aim to return a countersignable draft within 5 business days.

What the DPA covers

The agreement addresses the categories required by Article 28 of the EU General Data Protection Regulation (GDPR):

• Subject matter and duration of processing — limited to the period during which the app is installed and licensed on the customer's Atlassian instance.
• Nature and purpose of processing — providing the app functionality the customer has installed (ticket management, dispatch, asset export, as applicable).
• Types of personal data processed — Atlassian-provided user identifiers (account IDs), user-entered availability statuses, admin-pinned technician starting locations (DispatchDesk only), ticket job-site GPS coordinates (read from Jira), and user-submitted feedback. See the Privacy Policy for the full list.
• Categories of data subjects — primarily technicians and dispatchers (users of the app within the customer's Atlassian instance), and any Jira users whose account identifiers appear in tickets the app reads.
• Customer rights and 3T Apps obligations — including processing only on documented instructions, confidentiality, security measures, sub-processor engagement, data subject rights assistance, breach notification, and return/deletion of personal data at the end of the engagement.

Sub-processors

3T Apps engages the following sub-processors. The list is reviewed when sub-processor relationships change and republished here.

Sub-processor	Role	Location
Atlassian Pty Ltd	Platform host. All app code, configuration, and customer data is stored in Atlassian Forge KVS within the customer's Atlassian data residency region.	Per customer's Atlassian data residency configuration
OpenRouteService (HeiGIT gGmbH) — DispatchDesk only, customer-elected	Routing provider. Engaged only when a DispatchDesk admin configures OpenRouteService in Settings → Routing using the customer's own API key. Receives ordered GPS coordinate pairs to compute routes; receives no other personal data.	Germany (EU)
Mapbox (Mapbox, Inc.) — DispatchDesk only, customer-elected	Routing provider. Engaged only when a DispatchDesk admin configures Mapbox in Settings → Routing using the customer's own API key. Receives ordered GPS coordinate pairs to compute routes; receives no other personal data.	United States

OpenRouteService and Mapbox are customer-elected sub-processors: they are only engaged if the customer chooses to configure routing and supplies their own API key. The customer's contractual and billing relationship is directly with the routing provider. DispatchDesk does not hold a shared routing account on customers' behalf. If a customer leaves Settings → Routing unconfigured, neither sub-processor is engaged.

Standard terms

The DPA we provide is based on standard Article 28 GDPR processor terms and incorporates, where relevant, the European Commission's Standard Contractual Clauses for transfers to third countries (Decision 2021/914). Customers with specific clause requirements can propose redlines via privacy@3t-apps.com; we will accommodate reasonable modifications.

Notification of sub-processor changes

If 3T Apps engages or replaces a sub-processor that processes personal data on a customer's behalf, the change is published on this page at least 30 days before it takes effect. Customers who object to a sub-processor change in writing within that window may terminate the affected app subscription.

Contact

DPA requests, sub-processor questions, and Article 28-related correspondence: privacy@3t-apps.com.