Data Processing Agreement

Last updated: April 20, 2026 · SaMD Risk Assessment · Cahill Consulting Group LLC

1. Overview

This Data Processing Agreement ("DPA") forms part of the terms of use between Cahill Consulting Group LLC ("Processor") and the organization installing or using the SaMD Risk Assessment app ("Controller"). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the app.

This DPA supplements the Privacy & Security Policy and Terms of Service. In the event of a conflict, this DPA takes precedence with respect to data protection obligations.

2. Definitions

  • Controller — the organization that installs and configures the App and determines the purposes for which Jira issue data is processed.
  • Processor — Cahill Consulting Group LLC, which processes personal data on behalf of the Controller to provide the risk assessment service.
  • Sub-processor — a third party engaged by the Processor to process personal data, specifically Anthropic, PBC.
  • Personal Data — any data processed by the App that relates to an identified or identifiable natural person, including Jira issue content and user display names.
  • GDPR — the General Data Protection Regulation (EU) 2016/679.

3. Subject matter and duration

The Processor processes personal data solely to provide AI-assisted complaint triage and risk scoring functionality within the Controller's Jira environment. Processing continues for as long as the Controller has the App installed.

4. Nature and purpose of processing

The App processes Jira issue data to:

  • Classify whether a Jira issue represents a product defect
  • Assess the probability and severity of potential harm
  • Generate an ISO 14971-aligned risk level
  • Optionally post a structured risk assessment comment on the Jira issue

5. Types of personal data processed

  • Jira issue summary (title)
  • Jira issue description
  • Jira issue comments (text and dates)
  • User display names (issue reporter and comment authors)
  • Jira issue fields (status, priority, issue type, components, labels)

The App does not process special categories of personal data as defined under Article 9 GDPR.

6. Processor obligations

  • Process personal data only on documented instructions from the Controller (i.e., as described in this DPA and the Privacy Policy).
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect personal data.
  • Not engage sub-processors without informing the Controller and ensuring equivalent data protection obligations are in place.
  • Assist the Controller in responding to data subject rights requests to the extent technically feasible.
  • Notify the Controller without undue delay upon becoming aware of a personal data breach affecting data processed under this DPA.
  • Delete or return personal data to the Controller upon termination of the service, at the Controller's election.

7. Sub-processors

The Processor uses the following sub-processor to deliver the service:

Sub-processor Purpose Location
Anthropic, PBC AI model inference (defect classification and risk scoring) United States

Anthropic processes data under its own Privacy Policy and Data Processing Agreement, which incorporates Standard Contractual Clauses (SCCs) under Article 46 GDPR for transfers outside the EEA.

The Controller's own Anthropic API key is used for all inference requests. Cahill Consulting Group LLC does not have access to the Controller's API key or to any issue content transmitted through it.

8. International data transfers

Issue content transmitted to Anthropic's API is processed in the United States. This transfer is governed by Standard Contractual Clauses (SCCs) incorporated into Anthropic's commercial terms, in accordance with Article 46 GDPR.

9. Data retention

The Processor does not retain personal data after an inference request completes. Issue content is transmitted to Anthropic's API and the result is returned to the Controller's Jira session — no issue content is stored by the Processor at any point.

Configuration data (product requirements, risk matrix, API key) is stored in Atlassian Forge Storage and is subject to Atlassian's Privacy Policy.

10. Data subject rights

The Controller is responsible for handling data subject rights requests (access, erasure, portability, etc.) from its own users. To the extent the Processor holds relevant data, it will assist the Controller upon written request. Given that the Processor does not store personal data beyond the duration of an API call, most requests will need to be directed to Atlassian or Anthropic directly.

11. Security

The Processor implements appropriate technical and organizational measures consistent with the nature of the data processed, including reliance on Atlassian Forge's security controls for stored configuration data and HTTPS encryption for all data in transit to Anthropic's API.

12. Contact

For data protection inquiries or to request a signed copy of this DPA, contact:

Cahill Consulting Group LLC
Contact form