Data Protection by design and by default in Hipchat Server
Article 25 of the GDPR sets forth the principle of data protection by design and by default. This is a broad principle with varying meaning and application depending on the context and type of personal data being processed. This principle is unique to each organization, and should always be evaluated with the assistance of legal counsel to determine all efforts required to comply. These efforts may include ensuring certain third party applications you use to process personal data are configured to default to the most privacy-friendly settings available whenever personal data is input. Below is a summary of relevant settings and configurations available through certain Atlassian products, and a discussion of any limitations.
The following document describes how user personal data may be accessible via Hipchat by the individual, Hipchat Administrators, Authenticated Users and others, if the data is publicly accessible.
- Hipchat Administrator - an authenticated user with a valid Hipchat account who has administrator privileges for the Hipchat instance.
- Authenticated User - an authenticated user with a valid Hipchat account other than the individual or the Hipchat Administrator.
- Public Access - any person without a valid Hipchat account.
Personal Data access policies
|What is it?||Data Subject||Hipchat Administrator||Authenticated User||Public Access|
|Full name||View and Change||View and Change||View||None|
|Mention name||View and Change||View and Change||View||None|
|Job title||View and Change||View and Change||View||None|
|Timezone||View and Change||View||View||None|
|Avatar||View and Change ||View||View||None|
|View and Change||View and Change||View||None|
|Mobile Device Identifiers||Remove||None ||None||None|
- To remove any or all of the user's personal data, or to prevent further processing, see either Hipchat Data Center: Right to erasure or Hipchat Server: Right to erasure depending on the specific Hipchat product you use.
- To update any or all of the user's personal data, see Hipchat Data Center Right to Rectification or Hipchat Server Right to Rectification depending on the specific Hipchat product you use.
- To review the full list of users who have Hipchat Administrator and Authenticated User roles on your Hipchat instance, see either Hipchat Data Center: Administrators and authenticated users or Hipchat Server: Administrators and Authenticated Users depending on which Hipchat product you use.
- Third party add-ons may store user data in their own data stores, and this document does not cover those cases.
- Some of the chat messages and file attachments may contain personal data. After identifying the problematic message or file, you can follow Hipchat Data Center Right to Erasure: Deleting Message or File Attachment or Hipchat Server Right to Erasure: Deleting Message or File Attachment depending on the specific Hipchat product you use.
- The personal data in the Audit Log is not modifiable and cannot be erased by anyone. The goal of Audit Log is to make sure any changes to personal data are accounted for, and to assist in detecting fraudulent or malicious activities such as impersonation. The Audit Log is ONLY accessible to Hipchat Administrators.
There may be limitations based on your product version.
Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.