Search Results

This article is a guest contribution from Julie Starling, ActionableAgile customer, and was originally posted on her blog. Jump down to read more about Julie. We're all familiar with Schrodinger's cat right? The cat in a box which has the state of both dead and alive whilst the box is closed … when the box is opened it is one or the other. I can't help but see the parallels to work items in our system. Schrodinger's Work Item An active item in our system represents both potential value and waste ...until we deliver it, we do not know which it is. Potentially Valuable – In most instances, we engage with our customers to understand what is valuable to them. Even in cases where direct customer communication is limited, we often hold a genuine belief in the value of what we're delivering. However, complete certainty about its value remains elusive until we actually deliver the item and receive feedback. Only when our work item is in the hands of our customers can we truly determine whether the time invested has indeed been valuable. Waste - Until we deliver the item, the time we are spending on it can also be considered waste, as until it's delivered there is always a risk it won't be delivered and the time spent up until now will have been for nothing… these situations happen all the time and can be for a number of reasons, be it a change in strategy due to a global pandemic or change of requirement from our customers and everything else in between. It can also have been waste if we deliver it an no one uses it, it doesn't deliver the expected outcome or if we don't get any valuable feedback. Let The Cat Out The Box Whilst we understand that work in our system is potentially not valuable, we shouldn't be using this as a reason to not be experimental with what we deliver! Instead, we should think about getting work items out of our system as efficiently as we can. This way we can find out if it was actually valuable as quickly as possible, learn from this answer and move on with this new knowledge. Compromising quality is also not the answer! Two ways to get the cat out of the box... 1. Don’t Start! If you haven’t started working on an item then you haven’t started potentially wasting time. You can then put your efforts on keeping work that has started active and flowing. 2. Finish It! If you’ve started...then finish! One way to get an item out of a system is to finish it. On their own they may seem like two obvious and probably unhelpful points. However if we look at the bigger picture, we shouldn’t start items until we know they have the best chance of flowing through our system. When we do start, we should be managing that work in progress always with a goal of finishing. We want to keep our work flowing and keep the work as busy and active as possible. If we start items before they can flow there can be a lot of sitting around in the system. The longer the item is in the system the possibility of the item being waste just increases as the world around us changes or items become stale. Don’t Put the Cat in The Box, But If You Do, Don’t Keep It In There Longer Than Necessary In essence we shouldn’t start work until it’s the right time for our system, and when we do start it, we should be managing the work in progress with the goal of finishing. There are a number of ways in which we can manage work in progress, including... 1. Limit the amount of Work In Progress By not having too much in our system we are able to focus on what is active, less context switching and spend our efforts on keeping our work busy (keep work busy before people). If you are in a situation where you have a team of busy people and a number of work items that aren’t actively being worked on, then you probably need to start controlling your WIP. 2. Make items small The smaller work items are the easier they are going to flow through your system. We need to make sure our items are right-sized and represent the smallest possible chunk of potential value. This will help flow but it will also help us get the necessary feedback we need to know if we need to pivot in the quest for value. With this approach if the world around us changes and what we were delivering is no longer relevant, we’ve also minimized the amount of waste. 3. Take action on items that are unnecessarily aging Any item that is staying in the system unnecessarily long needs action taken on it. This could range from splitting the work item down, resolving blockers or even kicking it out of the system! But how do we know if an item is unnecessarily aging? ...I’ll be covering that in my next post. Similar to the state of Schrodinger's Cat being unknown until perceived, our work items exist in a superposition of potential value and waste. That is, until they are delivered and observed by our customers. Actively managing the work in the system shortens the time to understand its fate! TLDR; We can’t assume all work will be as valuable as we expect when we decide to do it. Work not finished has a dual nature of both potentially valuable or waste until we deliver and get feedback. To get the answer to ‘was it valuable?’ as quickly as possible we should be focusing on flow. Keep items in our system for a short of a time as possible. Keep inactive time to a minimum. Whilst work is in our system, we should be actively managing it with a goal to getting it out (at a high quality) as soon as we can. Techniques such as managing WIP, right sizing items and taking action on aging items help us to do this. About Julie Starling, Guest Writer Julie is passionate about the efficient delivery of value to customers and avoiding the illusion of certainty. In recent years she has specialized in how data can be used to drive the right conversations to do this. She encourages teams to use data in actionable ways and adjust ways of working to maximize their potential. She has spent over 15 years working in and alongside software delivery teams. In her spare time, she loves to travel, snowboard, and is obsessed with houseplants!

It is inevitable that there are ways that the software creator intends a feature to be used and there are ways that it ends up being used. 🤓 Sometimes these unintended uses can be even better than the initial idea, but other times they can end up causing harm. In a recent chat with Daniel Vacanti, we discussed this very thing about ActionableAgile™️ Analytics. I can say I was more than mildly surprised when one of my favorite features came up: the pace percentile feature on ActionableAgile's Work Item Aging chart. I love this feature because it helps you get early signals of slow work. However, after talking to and training many people, Dan saw that people very often misinterpret what this particular signal really tells us. How did he come to that conclusion? He talked to them about the decisions they would make because of the signals and saw that they weren't necessarily picking up what was intended. Instead, the decisions people were likely to make could lead to even worse outcomes than currently presented on the chart. What do you think? Are you interpreting the signals correctly? Watch this short video from Dan to find out. As always, feel free to leave your (appropriate) comments and questions on our YouTube channel!

This is post 9 of 9 in our Little's Law series. I personally can't fathom how someone could call themselves a flow practitioner without a concerted effort to study Little's Law. However, the truth is that some of the posts in this series have gone into way more detail about LL than most people would ever need to practically know. Having said that, without an understanding of what makes Little's Law work, teams are making decisions every day that are in direct contravention of established mathematical facts (and paying the consequences). To that end, for those who want to learn more, here is my suggested reading list for anyone interested in learning more about Little's Law (in this particular order): 1. http://web.eng.ucsd.edu/~massimo/ECE158A/Handouts_files/Little.pdf Frank Vega and I call this "Little's Law Chapter 5" as it is a chapter taken from a textbook that Little contributed to. For me, this is hands down the best introduction to the law in its various forms. I am not lying when I say that I've read this paper 50 times (and probably closer to 100 times) and get something new from it with each sitting. 2. https://people.cs.umass.edu/~emery/classes/cmpsci691st/readings/OS/Littles-Law-50-Years-Later.pdf This is a paper Little wrote on the 50th anniversary of the law. It builds on the concepts of Chapter 5 and goes into more detail about the history of L=λW since its first publication in 1961. This paper, along with Chapter 5, should tell you 95% of what you need to know about LL. 3. http://fisherp.scripts.mit.edu/wordpress/wp-content/uploads/2015/11/ContentServer.pdf Speaking of the first publication of the proof of L=λW, there's no better teacher than going right to the source. This article would be my 3rd recommendation as it is a bit mathy, but its publication is one of the seminal moments in the history of queuing theory and any buff should be familiar with this proof. For extra credit: 4. http://www.columbia.edu/~ww2040/ReviewLlamW91.pdf This article is not for the faint of heart. I recommend it not only for its comprehensive review of L=λW but also (and mostly) for its exhaustive reference list. Work your way through all of the articles listed at the end of this paper, and you can truly call yourself an expert on Little's Law. If you read all of these, then you can pretty much ignore any other blog or LinkedIn post (or Wikipedia article, for that matter) that references Little's Law. Regardless of the effort that you put in, however, expertise in LL is not the end goal. No, the end goal is altogether different. Why You Really Should Care If you are studying Little's Law, it is probably because you care about process improvement. Chances are the area of process improvement that you care most about is predictability. Remember that being predictable is not completely about making forecasts. The bigger part of predictability is operating a system that behaves in a way that we expect it to. By designing and operating a system that follows the assumptions set forth by Little's Law, we will get just that: a process that behaves the way we expect it to. That means we will have controlled the things that we can control and that the interventions that we take to make things better will result in outcomes more closely aligned with our expectations. That is to say, if you know how Little's Law works, then you know how flow works. And if you know how flow works, then you know how value delivery works. I hope you have enjoyed this series and would welcome any comments or feedback you may have. Thanks for going on this learning journey with me! Explore all entries in this series When an Equation Isn't Equal A (Very) Brief History of Little's Law The Two Faces of Little's Law One Law. Two Equations It's Always the Assumptions The Most Important Metric of Little's Law Isn't In the Equation How NOT to use Little's Law Other Myths About Little's Law Little's Law - Why You Should Care (this article) About Daniel Vacanti, Guest Writer Daniel Vacanti is the author of the highly-praised books "When will it be done?" and "Actionable Agile Metrics for Predictability" and the original mind behind the ActionableAgile™️ Analytics Tool. Recently, he co-founded ProKanban.org, an inclusive community where everyone can learn about Professional Kanban, and he co-authored their Kanban Guide. When he is not playing tennis in the Florida sunshine or whisky tasting in Scotland, Daniel can be found speaking on the international conference circuit, teaching classes, and creating amazing content for people like us.

Legal Customer Agreements Cloud Subscriptions On-Prem Subscriptions On-Prem Perpetual Privacy Statement & Policies Community Terms of Use Website Terms of Use Archives Privacy Policy If you receive our surveys, newsletters, or other marketing We at 55 Degrees AB (" 55 Degrees ", "we "," our ", and" us ") care about your privacy and want you to feel safe when we process your personal data. In this privacy policy, we want to inform you about how we process your personal data when you receive our surveys, newsletters, or other marketing and what rights you have regarding this data processing. ​ Our goal is to be as transparent as possible regarding our processing of your personal data – do not hesitate to contact us with any questions you have! In short When you subscribe to our newsletters, we process your personal data as necessary to: - send surveys, newsletters, and other marketing to existing customers/attendees , - send newsletters to you, - send newsletters and other marketing to potential customers , and - analyze how you use our newsletters (e.g., what you click on) to improve and develop the newsletters we send. ​ If you unsubscribe from receiving our newsletters, we keep track of your wish in an “unsubscribe list ” to avoid sending you any marketing material. Below you will find information about the processing and storage time of your personal data that we at 55 Degrees are responsible for when you subscribe to our newsletters. Here you can find all our privacy policies which describe how we process personal data in other situations, e.g., if you work for a company that is a customer of 55 Degrees, if you visit our website, or if you are otherwise in contact with us. ​ Your rights Below you will find a detailed description of your rights and how to exercise them. In summary, you have the following rights: ​ the right to lodge a complaint with a supervisory authority, the right to withdraw your consent to our processing , the right to access what personal data we process about you, the right to object to our processing, the right to erasure of the personal data we process, the right to rectification of any personal data that is inaccurate, the right to restrict our processing, and the right to data portability . ​ If you have any questions about your rights or want to exercise any of your rights, you are more than welcome to contact us. ​ Below you can read more about: By pressing the selected heading, you will be moved to the relevant paragraph. ​ Who is responsible and how to contact us? A detailed description of how we process your personal data Who can gain access to your personal data and why? What are your rights when we process your personal data? Detailed description Balancing of interests assessments when processing personal data based on the legal basis of “legitimate interests” When we refer to "your company" in this privacy policy, we refer to your employer or the organization or public body that you represent. ​ Who is responsible, and how to contact us? We at 55 Degrees are generally processing personal data on the instructions of our customers, i.e., as processors. When you receive our surveys, newsletters, or other marketing, it is 55 Degrees AB that is responsible for the processing of your personal data. ​ If you have any questions or if you wish to exercise any of your rights, we are available at: Full name of legal entity: 55 Degrees AB (organization number 559201-6843) E-mail address: privacy@55degrees.se Mailing address: Lilla Nygatan 7, 211 38 Malmö, Sweden ​ ​ A detailed description of how we process your personal data Below you will find a detailed description of how we process your personal data. We gather your personal data directly from you and provide some personal data ourselves by analyzing how you use our newsletters. To send surveys, newsletters and other marketing to existing customers/attendees What processing we perform ​​ Send information about news and marketing so you can keep up with updates on services and workshops ("newsletters"). ​ Send follow-up e-mails and evaluation requests regarding our services/workshop ("surveys"). ​ Administer survey answers. ​ In our privacy policy for customers , you will find more information about how we process your personal data when your company uses our services and when you attend a workshop. What personal data we process Your name ​ E-mail address Our legal basis for the processing: Legitimate interest (Article 6.1.f GDPR) ​ Your personal data will be processed based on our legitimate interest to contact and send newsletters and surveys to representatives of customers ​ Storage period: If you have attended a workshop, we may contact you for up to 12 months after the completion of the workshop. Otherwise, you continue to receive e-mails for as long as you are a customer. If you unsubscribe or object from receiving our e-mails, we keep track of this in our “unsubscribe-list” to avoid sending you any further marketing material. ​ If you answer a survey, we will store the result for 12 months after you answer it. We will delete your personal data if you ask us to and stop sending you evaluations if you object to receiving them. To send newsletters to subscribers What processing we perform ​​ Send information about news and marketing for you to keep up with updates on produ​ cts, services, and community events (“newsletters”). We send newsletters to those who have chosen to subscribe to our newsletters. What personal data we process Your name if you have chosen to provide it to us ​ E-mail address ​ The list of subscriptions you have chosen Our legal basis for the processing: Consent (Article 6.1.a GDPR) ​ We collect your consent to send newsletters to you. You can withdraw your consent and object to our marketing at any time. ​ Storage period: You continue to receive e-mails until you choose to unsubscribe. If you unsubscribe or object from receiving our e-mails, we keep track of this in our “unsubscribe-list” to avoid sending you any further marketing material. To send newsletters to potential customers What processing we perform ​​ Contact and send marketing about our services and workshops to you who are working at a company which is a potential customer to us. What personal data we process Your name ​ E-mail address ​ Position and information about the company that you work for ​ Information about you e.g. from the website of your company ​ Information from you, e.g. via e-mail Our legal basis for the processing: Legitimate interest (Article 6.1.f GDPR) ​ Your personal data will be processed based on our legitimate interest to contact and send marketing to representatives of potential customers ​ Storage period: If you are a potential customer with no previous contact with us, we process your personal data for 6 months from when we collected the personal data if we do not have any continued contact with you. ​ If you unsubscribe or object from receiving our e-mails, we keep track of this in our “unsubscribe-list” to avoid sending you any further marketing material. To improve and develop the e-mails we send What processing we perform ​​ Improve and develop the newsletters we send by analyzing how you open them and what you click on in the newsletter. We do this with the help of our service provider Sendinblue.​ Do you want to know more about this type of analysis? Please contact us. What personal data we process Information about how you open our newsletters and what you click on ​ Information about your device ​ IP-address ​ Information about when and where you started subscribing to our newsletters Our legal basis for the processing: Legitimate interest (Article 6.1.f GDPR) ​ Your personal data will be processed based on our legitimate interest to improve and develop our newsletters and marketing ​ Storage period: We continue to improve and develop our newsletters for as long as you receive them. Thereafter we anonymize the information we have gathered If you object to receiving marketing from us We will store information about you if you choose to object to receiving marketing from us. We have received the information from you. To comply with marketing legislation What processing we perform ​​ If you have stated that you do not wish to receive marketing from us, we will store such information in an “unsubscribe list” to make sure we do not send any marketing to you. What personal data we process Name ​ E-mail address Our legal basis for the processing: Legal obligation (Article 6.1.c GDPR) The processing is necessary to comply with legal obligations which we are subject to, i.e., marketing law, which requires us not to send marketing material to individuals who have objected to receiving such marketing. ​ We cannot make sure you will not receive marketing from us without processing your personal data for this purpose, and you are therefore required to provide your personal data to us. ​ Storage period: You will be listed in our “unsubscribe list” until further notice. Who can gain access to your personal data and why? We do not sell your personal data or share it with other parties unless necessary. This means that your personal data will be handled by our employees but only by the personnel needing such access to conduct their work. We need to work with third parties to conduct our business. To be able to send surveys, newsletters, and other marketing in an efficient way, we use the newsletter provider Sendinblue which will process your personal data on our behalf and follow our instructions. This means that we are responsible for any sharing of your personal data with such suppliers and to ensure that your personal data is safe when shared with third parties. ​ We do not transfer your personal data outside of the EU/EEA. ​ ​ What are your rights when we process your personal data? Detailed description You have certain rights that you can exercise to affect how we process your personal data. You can read a more detailed description of what those rights are below. ​ If you want to know more about your rights or if you want to exercise any of your rights, please contact us, and we will help you. ​ Right to lodge a complaint with a supervisory authority (Article 77 GDPR) You have the right to lodge a complaint with a supervisory authority. The supervisory authority in Sweden is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, the IMY). ​ In detail: Your right to complain exists without prejudice to any other administrative or judicial remedy. You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place where the alleged infringement of applicable data protection laws has allegedly occurred. ​ The supervisory authority has an obligation of informing you of the progress and the outcome of the complaint, including the possibility of a judicial remedy. ​ Right to withdraw consent (Article 7.3 GDPR) You have the right to withdraw your consent at any time by contacting us. ​ In detail: The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. ​ Right to access (Article 15 GDPR) You have the right to obtain confirmation as to whether we are processing personal data concerning you or not. You can make a request by contacting us. If we do process your personal data, you also have a right to obtain a copy of the personal data processed by us as well as information about our processing of your personal data. ​ In detail. The information we provide includes the following: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period, the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing, the right to lodge a complaint with a supervisory authority, if the personal data are not collected from you, we provide you with available information about the source of the personal data; the existence of automated decision-making, including profiling, referred to in Articles 22.1 and 22.4 GDPR and, in those cases, meaningful information about the logic involved, as well as the significance and the predicted consequences of such processing; and where your personal data are transferred to a third country or to an international organization, you have the right to information regarding the appropriate safeguards, pursuant to Article 46 GDPR, put in place for the transfer. ​ For any further copies of the personal data undergoing processing requested by you, we may charge a reasonable fee based on administrative costs. If you have made the request by electronic means the information will be provided to you in a commonly used electronic form, unless otherwise requested by you. ​ Your right to obtain a copy referred to above shall not adversely affect the rights and freedoms of others. ​ Right to object (Article 21 GDPR) You have the right to object to our processing of your personal data at any time. ​ In detail: Your right to object applies as follows: Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, you have an unconditional right to have the processing of your personal data for such purposes ceased. In the context of the use of information society services, and regardless of Directive 2002/58/EC (ePrivacy Directive, or ePD), you may exercise your right to object by automated means using technical specifications Right to erasure (“the right to be forgotten”) (Article 17 GDPR) You have the right to ask us to erase your personal data. In detail. We are obligated to erase your personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, you withdraw your consent on which the processing is based, and there is no other legal ground for the processing, the personal data have been unlawfully processed, or the personal data have to be erased for compliance with a legal obligation in Union or Member State law that applies to us. We will notify any erasure of personal data carried out in accordance with your rights stated above to each recipient to whom the personal data have been provided to unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us. Please note that our obligation to erase and inform according to the above shall not apply to the extent processing is necessary: for exercising the right of freedom of expression and information, for compliance with a legal obligation that requires processing by Union or Member State law that applies to us, or for the establishment, exercise, or defence of legal claims. Right to rectification of processing (Article 16 GDPR) You have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you. ​ In detail: Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. ​ We will communicate any rectification of personal data to each recipient to whom the personal data have been provided unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us. Right to restriction of processing (Article 18 GDPR) You have the right to obtain from us restrictions on the processing of your personal data. ​ In detail: Your right applies if: the accuracy of the personal data is contested by you, during a period enabling us to verify the accuracy of the personal data, the processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of their use, or you need the personal data for the establishment, exercise, or defence of legal claims even though we no longer need the personal data for the purposes of processing. ​ Where the processing has been restricted according to above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. ​ We will notify each recipient to whom the personal data has been provided about any restriction of processing according to above, if this do not occur to be impossible or entails a disproportionate effort. If you want more information about these recipients, you are welcome to contact us ​ Right to data portability (Article 20 GDPR) You have the right to receive your personal data (that you have provided to us) from us in a structured, commonly used and machine-readable format and, where technically feasible, have your personal data transferred to another data controller (“data portability”). ​ In detail: The right applies if: the processing is based on the lawful basis consent, and the processing is carried out by automated means. ​ The exercise of the right to data portability shall be without prejudice to the right to erasure, i.e. Article 17. ​ Your right to data portability shall not adversely affect the rights and freedoms of others. ​ Balancing of interests assessments when processing personal data based on the legal basis of “legitimate interests” ​ As we state above, for some purposes, we process your personal data based on our “legitimate interest.” By carrying out a balancing of interests assessment concerning our processing of your personal data, we have concluded that our legitimate interest in the processing outweighs your interests or rights, which require the protection of your personal data. ​ If you want more information in relation to our balancing of interests assessments, please do not hesitate to contact us. Our contact information can be found at the beginning of this privacy policy. ​ responsible description access where rights rights-complaint rights-access rights-object rights-erasure rights-rectify rights-restrict rights-withdraw portability send-subscribers improve-emails comply interests send-potential-customers send-existing-customers This privacy policy was adopted on February 16, 2023.

Automated forecasts Always up-to-date Quickly generate up-to-date, automated forecasts on the epics or versions in your Jira projects with Monte Carlo simulations that use your historical data and your tolerance for risk. Minimize the time and effort you spend forecasting! Answer key questions with Portfolio Forecaster How likely is it that it will be finished by the due date? Our Monte Carlo simulations use your historical data to forecast how likely it is that you'll meet your desired due date for each epic or version. How certain are we about this forecast? In Portfolio Forecaster you can control the level of confidence in your forecast. That sets the probability of finishing by the shown forecasted dates. How will our choices impact the forecast? What would happen if we started more epics? Fewer? What if we changed their priority? You can use Portfolio Forecaster for what-if scenarios and have collaborative conversations early and often! Purchasing Options Start your free trial Portfolio Forecaster is exclusively available as an app that embeds directly in your Jira Cloud, Server, or Data Center instance. Every Jira user is automatically licensed! Try Portfolio Forecaster for free for at least 30 days! 55 Degrees is a Platinum Atlassian Marketplace Partner. Portfolio Forecaster for Jira participates in Atlassian's security programs and is Cloud Fortified

Legal Customer Agreements Cloud Subscriptions On-Prem Subscriptions On-Prem Perpetual Privacy Statement & Policies Community Terms of Use Website Terms of Use Archives Download Available Click the icon to download a PDF of this page. Appendix 1 Data Processing Agreement for On-Premise Perpetual Products Effective November 21, 2022 1. Background and Interpretation ​ 1.1. The Supplier will, upon performance of the Agreement when providing its Product, process personal data on behalf of the Customer, in the capacity of the Customer’s processor. The Supplier will process personal data for which the Customer is the controller. ​ 1.2. This Data Processing Agreement (the “DPA ”) forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct, and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement. ​ 1.3. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the European Parliament and the Council Regulation (EU) 2016/679 (the “GDPR “) and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances. ​ 1.4. In light of the above, the Parties have agreed as follows: ​ 2. Instructions and Responsibilities ​ 2.1. The type of personal data and categories of data subjects processed by the Supplier under this DPA and the purpose, nature, duration, and objects of this processing, are described in the instructions on the processing of personal data in Appendix 1A or the written instructions that Customer provides from time to time. The Supplier shall not process additional categories of personal data or personal data in relation to other data subjects than those specified in Appendix 1A . ​ 2.2. Customer is responsible for complying with the GDPR. Customer shall in particular: ​ a) be the point of contact towards data subjects and i.e. respond to their inquiries regarding the processing of personal data; ​ b) ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR, and maintain a record of processing activities under its responsibility; ​ c) provide the Supplier with documented instructions for the Supplier’s processing of personal data, including instructions regarding the subject matter, duration, nature, and purpose of the processing as well as the type of personal data and categories of data subjects; ​ d) immediately inform the Supplier of changes that affect the Supplier’s obligations under this DPA; e) immediately inform the Supplier if a third party takes action or lodges a claim against the Customer as a result of the Supplier’s processing under this DPA; and f) immediately inform the Supplier if anyone else is a joint controller with the Customer of the relevant personal data. ​ 2.3. When processing personal data, the Supplier shall: ​ a) only process personal data in accordance with Customer’s documented instructions, which at the time of the Parties entering into this DPA are set out in Appendix 1A; b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; c) maintain an adequate level of security for personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 3 below; d) respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor; e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR; f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Supplier; g) at the choice of Customer, delete or return all the personal data to Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires the storage of the personal data; and h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor agreed upon by the Parties. ​ 2.4. The Supplier shall notify the Customer without undue delay, if, in the Supplier’s opinion, an instruction infringes the GDPR. In addition, the Supplier is to immediately inform the Customer of any changes affecting the Supplier’s obligations pursuant to this DPA. ​ 3. Security ​ 3.1. The Supplier shall implement technical and organisational security measures in order to protect personal data against destruction, alteration, unauthorised disclosure, and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context, and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The Supplier may amend its technical and organisational measures. 3.2. The Supplier shall notify Customer of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that the Supplier has committed any wrongful act or omission, or that the Supplier shall become liable for the personal data breach. 3.3. If the Customer, during the term of this DPA, requires that the Supplier take additional security measures, the Supplier shall as far as possible meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures. ​ 4. Sub-processors and Transform to Third Countries ​ 4.1. ​Customer hereby grants the Supplier with a general authorisation to engage sub-processors. Sub-processors are listed in the list of sub-contractors in Appendix 1B . The Supplier shall enter into a data processing agreement with each sub-processor, according to which, the same data protection obligations as set out in this DPA, are imposed upon the sub-processor. 4.2. The Supplier shall inform Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving Customer the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after the Supplier has informed Customer about the intended changes. If Customer objects to the Supplier engaging a sub-processor and the Parties cannot agree, within a reasonable time, on the new sub-processor’s engagement in the processing of personal data, the Supplier can terminate the Agreement. 4.3. If the Supplier and/or sub-processors transfers personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. The Supplier shall keep Customer informed about the legal grounds for the transfer. ​ 5. Compensation and Limitation of Liability ​ 5.1. The Supplier is not entitled to any additional compensation for the processing of personal data in accordance with this DPA, instead the compensation provided pursuant to the Agreement also encompasses the measures in this DPA. 5.2. Each Party shall be responsible for any damages and administrative fines imposed to it under articles 82 and/or 83 of the GDPR. 5.3. Notwithstanding any limitation of liability in the Agreement, each Party’s liability under this DPA shall be limited to direct damages. In addition, the Supplier's liability shall be limited to an amount corresponding to the fees paid by the Customer to the Supplier under the Agreement for a period of six (6) months before the damage occurred. ​ 6. Term and Termination ​ 6.1. This DPA becomes effective when the Agreement has been entered into. 6.2. Upon termination of the Agreement, the Supplier shall at the choice of Customer, delete all the personal data or return it to Customer, and ensure that each sub-processor does the same. 6.3. This DPA remains in force as long as the Supplier processes personal data on behalf of Customer, including deletion or returning of personal data according to section 6.2 above. This DPA shall thereafter cease to apply. Sections 5 and 6.2 shall continue to apply even after this DPA has been terminated. ​ 7. Changes ​ 7.1. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions or regulations regarding the application of the GDPR during the term of this DPA, with the result that this DPA does not meet the requirements for a data processing agreement, the Parties shall change this DPA to meet the requirements. 7.2. Any other changes to this DPA than following from section 7.1 above or changes in Customer’s documented instructions, shall be made in writing and signed by the Parties’ authorized representatives, to be binding. ​ 8. Miscellaneous ​ 8.1. In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement. 8.2 . This DPA supersedes and replaces all data processing agreements between the Parties potentially existing prior to this DPA. APPENDIX 1A Instructions on Processing of Personal Data Purposes ​ The Supplier processes personal data in order to fulfil the Agreement. This means that the Supplier processes personal data for the following purposes: To handle customer support cases, To work with key End-Users designated by the Customer for purposes of the customer success program. This program is available to opt-in to for certain customer accounts ​ Categories of personal data ​ Categories of personal data that will be processed by the Supplier include: Name, E-mail address, Role in organisation, and Information about how the Product is used provided by the Customer for the purposes of support and customer success. ​ Categories of data subjects ​ End-Users. ​ Retention time ​ The personal data will be processed for as long as the End-User continues to actively use the Service and for twelve (12) months thereafter if the End-User has provided information about which Customer they are associated with. ​ Processing operations ​ The Supplier process the personal data of End-Users in the following ways. ​ The End-User’s name and e-mail address, as well as contextual information provided by the End-User, is collected in order to provide customer support when customers open a support request via e-mail or via the Supplier’s support portal. The name and e-mail address regarding key End-Users designated by the Customer may be stored in the Supplier’ CRM system by Customer Success Specialists to support activities related to the customer success program.. ​ Information Security Measures The Supplier Security Practices Application-specific Data Security and Privacy Statements Security Advisories and related policy APPENDIX 1B Sub-Processors No sub-processors are involved in your regular usage of our On-Premise applications. However, we do rely on sub-processors to support your end-users' ability to get value out of your purchase via our Customer Support and Customer Success functions. In the table below you can see exactly which purposes we utilize sub-processors for end-users of any of our On-Premise applications. Please see our sub-processors page to find links to related documents such as DPAs for the sub-processors above as well as a full list of the subprocessors that process personal data, even those that aren't relevant to this DPA. Appendix2B Appendix2A