Version: TP.05122025.01
Effective date: 05/December/2025
This section describes the specific details of the Processing activities performed by Testpoint (“Processor”) on behalf of the Customer (“Controller”) in connection with the Vansah Test Management for Jira and Vansah Intelligence (AI) services.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person as defined under GDPR.
“Processing” means any operation performed on Personal Data (collection, storage, retrieval, transmission, deletion, etc.).
“Controller” means the entity which determines the purposes and means of Processing.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Sub-Processor” means any third party engaged by the Processor to Process Personal Data.
“Data Subject” means the individual whose Personal Data is Processed.
“AI Engine” means the functionality within Vansah that provides automated or assisted content generation, analysis, classification, or similar features based on artificial intelligence models.
“GDPR” means Regulation (EU) 2016/679.
2. Subject Matter, Nature, and Purpose of Processing
Vansah Processes Personal Data solely to:
Provide test management capabilities in Jira
Synchronize and update Jira issues, test cases, executions, and metadata
If enabled, provide AI-assisted functionality (Vansah Intelligence) such as test-case generation, requirement analysis, and content improvement
Maintain, secure, troubleshoot, and improve the technical operation of the Service
Support Customer requests
Vansah acts only on the documented instructions of the Controller and never determines its own purposes for Processing Personal Data.
3. Categories of Personal Data and Data Sources
3.1 Standard Service Data
Vansah may Process the following data categories:
Jira user identifiers (account ID, username, display name)
Issue data (summaries, descriptions, system fields, custom fields)
Attachments, comments, labels, components
Test cases, steps, executions, results, history, and related metadata
Operational logs associated with Service usage (non-sensitive)
3.2 AI Processing (“Vansah Intelligence”)
When the Customer enables and uses Vansah’s AI features, the following data may be sent to the AI Engine:
Jira work item summary
Jira work item description
Acceptance criteria
Mapped custom fields such as labels, components, priority, fix version
User-supplied prompts or overrides
Additional context required for the AI feature used
Explicit Exclusions
The following are not sent to the AI Engine:
Personal Information
Passwords
Secrets, API tokens, or credentials
Execution results
Production logs
Sensitive categories of data
Only fields selected and configured by the Customer are included.
3.3 Data Minimization
Vansah applies strict data minimization:
Only the minimal fields required to fulfill the AI or non-AI feature are processed.
4. Duration of Processing
Processing continues for the duration of the Customer’s use of Vansah and any additional retention period defined in Section 11.
5. Controller Responsibilities
Customer:
Determines the lawful basis for Processing
Controls which fields are mapped to Vansah and to AI engines
Configures Jira permissions and governs user access
Ensures that Personal Data that violates organizational policies is not supplied in fields used for AI
Provides instructions to Vansah for Processing
6. Processor Obligations (Vansah)
6.1 Processing on Documented Instructions
Vansah Processes Personal Data only as instructed by the Customer through:
API calls
Jira permission model
Customer configuration of mapped fields
User-initiated AI requests
Vansah does not repurpose Personal Data.
6.2 Confidentiality
All Vansah personnel with access to Personal Data are bound by confidentiality obligations.
6.3 Security Measures
Vansah implements technical and organizational security measures including:
Encryption in transit (TLS 1.2+)
Encryption at rest (AES-256)
Access control based on the least-privilege principle
HTTPS-only communication
Monitoring, logging, and alerting
Tenant-level data isolation
Vulnerability management
Secure development lifecycle (SDLC) practices
6.4 Assistance with Data Subject Rights
Vansah will assist Customer with responding to:
Access requests
Correction
Erasure
Portability
Objections
Restriction of processing applied to data controlled by Vansah.
6.5 Personal Data Breach Notification
Vansah will notify Customer without undue delay upon becoming aware of a Personal Data Breach.
6.6 Documentation and Compliance Support
Vansah will provide documentation necessary to demonstrate compliance, including details of Sub-Processors, security measures, and data flows.
7. AI-Specific Processing Obligations
7.1 Purpose Limitation
AI Engines Process data solely to fulfill user-requested AI features such as:
Test-case generation
Requirement analysis
Defect analysis
Enhancing or rewriting test content
No independent profiling or analytics occur.
7.2 No Model Training or Secondary Use
The following will never be used to train any AI models:
Customer prompts
AI inputs
AI outputs
Metadata generated during AI use
Feedback provided to AI features
No AI data is shared with third-party model trainers.
7.3 AI Audit Logging
Vansah maintains logs for:
Which user invoked AI
Which Jira issue(s) were used as context
The generated test-case identifiers
Timestamp and action type
Logs do not include sensitive data.
7.4 Customer Control Over AI Inputs
Customers control:
Which fields are included in AI processing
Whether to enable or disable AI features
Sensitivity of content submitted
8. Sub-Processors
Vansah may use Sub-Processors for hosting or operational functions.
Sub-Processor | Purpose of Processing | Data Categories Processed | Location / Region | Safeguards & Compliance
Amazon Web Services (AWS) | Cloud hosting, compute, encrypted storage, infrastructure services for Vansah | Encrypted test management data, metadata, logs, configuration data | Global regions (aligned with Customer data residency regions: US, EU, UK, AU, Singapore, Canada, Germany) | ISO 27001, SOC 1/2/3, GDPR-compliant, SCCs where applicable |
DigitalOcean, LLC | Cloud hosting for certain Vansah regions, database and compute infrastructure | Encrypted test data, metadata, and application data | Regional data centers (aligned with Customer data residency regions: US, EU, UK, AU, Singapore, Canada, Germany) | SOC 2 Type II, ISO 27001, GDPR compliant, SCCs where applicable |
Cloudflare, Inc. | DNS, DDoS protection, firewall, performance optimization | IP addresses, request metadata, routing & security logs (no test content) | Global Anycast network | SOC 2, ISO 27001, GDPR compliant, SCCs for EU→US data |
OpenAI, L.L.C. | When enabled by Jira Admin, AI processing for Vansah Intelligence: test-case generation, requirement analysis | Mapped Jira fields: summary, description, acceptance criteria, custom fields; never secrets, tokens, credentials, execution results | United States | SCCs, TLS encryption, no training on customer data, no data retention beyond request |
New Relic | Application monitoring, metrics, logs | System logs, performance metrics (no customer test content) | US/EU Regions | SOC 2, GDPR compliant, SCCs |
Sub-Processors are required to provide equivalent GDPR protections.
Vansah will notify Customer of new Sub-Processors and allow reasonable objections.
9. International Data Transfers
Vansah does not transfer Personal Data outside the Customer’s selected Jira data residency region.
10. Audit Rights
Customers may:
Request SOC 2, ISO 27001, or equivalent security documentation (if applicable)
Request questionnaires or summaries of Vansah security controls
Request details regarding Sub-Processor security
Conduct audits with reasonable notice
11. Return or Deletion of Personal Data
Upon Customer request or Service termination:
Vansah will return or delete Personal Data
If no instruction is received, data is deleted within 180 days
12. Liability
Vansah’s total liability is limited to three times the amount paid by the Customer in the preceding 12 months.
13. Governing Law
This DPA is governed by the governing law of the primary Agreement.
Where GDPR applies, EU regulations take precedence for data-processing matters.
14. Entire Agreement
This DPA supersedes any prior data protection terms and forms an integral part of the Agreement between the Parties.
15. Contact Information
If you have any questions about this policy, please contact us through our support portal.
