Records of processing activities in Hipchat Server

Article 30 of the GDPR requires that data controllers and data processors (as defined under the regulation) keep detailed records of what personal data elements they process, why they process the data, where the data is stored, transferred, shared and with whom, how the data is secured and any limitations that may apply to an individual's request to have personal data erased.  When you use Atlassian server of data center products, our products may be an application within the scope of your records of processing activities.  Whether or not you need to document records of processing activities associated with personal data stored within the product is a determination you should always make with the assistance of legal counsel.  

Please note, when you store personal data in Atlassian server or data center products, the personal data stays on systems within your own environment.  Atlassian does not access, store, or otherwise process the personal data you choose to store within the products and is neither a data controller or processor for that data. 

Below is a list of related articles you may find helpful in compiling the information required for your own records of processing activities:

Description

Any changes to the user account personal data are recorded in the Hipchat internal Audit Log. Every Audit Log entry specifies the who made the change (for example the Data Subject who can change their own account, or the Hipchat Administrator), the date of the change, the changed values, and the client IP address of the user-agent used to make the changes.

Version compatibility

Hipchat Data Center 3.0.1 and later

Hipchat Server 2.0 and later 

Workaround

To review the internal Audit Log entries:

in Hipchat Serverin Hipchat Data Center
  1. Log in to your Hipchat instance using administrator credentials.
  2. Click the Group Admin tab in the top navigation bar.
  3. Click the Audit log tab.
  4. Choose one of the User editedUser account createdUser Joined groupUser destroyedConfirmed accountDeactivated account event types in the Filter by event drop-down field.
  5. Optionally, filter the log entries by the agent using Filter by acting user drop-down field.
  6. Provide the user with the copy of log entries related to their account 
  1. Log in to your Hipchat instance using administrator credentials.
  2. Click System in the left navigation bar.
  3. Click the Audit log tab.
  4. Choose one of the User editedUser account createdUser Joined groupUser destroyedConfirmed accountDeactivated account event types in the Filter by event drop-down field.
  5. Optionally, filter the log entries by the agent using Filter by acting user drop-down field.
  6. Provide the user with the copy of log entries related to their account 


Limitations

  • The audit log data is accessible to Hipchat Administrators only. If you are a regular user, you need to request the audit data from the Hipchat Data Center Administrator or Hipchat Server Administrator for your Hipchat instance. 
  • Audit log data is not modifiable and can not be erased by anyone. The goal of Audit Log is to make sure sure any changes to personal data are accounted for, and to assist in detecting malicious activities such as impersonation.
  • The Audit Log does not contain a record of when the data was accessed. Only modification events are recorded in the Audit Log.
  • In some cases, your user data may be provided to Hipchat by an external user management system, such as Active Directory. In these cases, you'll need to review the changes from the user management system as they cannot be modified from within Hipchat.

Additional notes

There may be limitations based on your product version.

Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on Dec 10, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.