This page contains the Data security and privacy statement for Exply for Jira Cloud

  1. Data security statement
  2. Privacy Statement

Data Security Statement


Exply for Jira Cloud is using one Exply On-Premise version per customer to store imported Jira Cloud data. Exply is provided by the Sandstorm Media GmbH.

Each Exply instance runs on its own virtual machine and imported data is therefore stored in separate databases which are isolated from other customer data. Each incoming web request is authenticated and authorised before access to customer data is allowed.

Exply for Jira Cloud is hosted on our own servers at Hetzner in Germany. The Exply team is responsible for provisioning, monitoring, and managing the servers and virtual machines, and for providing support to Exply for Jira Cloud subscribers.

Data Storage and Facilities

Exply for Jira Cloud uses dedicated servers at Hetzner in Germany for data storage.

Jira Data Storage

Exply for Jira Cloud is using Jira issues search REST API to import issue data from all projects. Exply stores them in own databases per customer. Currently the following fields are being imported: 

issue key, issue summary, project, component, issue type, status, priority, resolution, fix and affects versions, reporter, assignee, label, security level, issue created, due and resolved dates, original and remaining estimated hours, hours logged by user. In addition all available custom fields are stored. Exply does not store detailed issue descriptions, comments, and attachments.

People and Access

Exply support team accesses application data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request for support purposes. Only authorised Exply employees have access to application data.

Exply users are authenticated using Atlassian Connect JWT authentication. Exply will get Jira Cloud current user information which will be used for access control. Customers are responsible for maintaining the security of their own Jira Cloud login information.


Every Exply instance is backed up once per day and are retained for ten days. Backups are stored encrypted using BorgBase 


Please see our Privacy Policy below.

Privacy Policy “Exply” Cloud Service

§ 1 General information

We are pleased that you use our services. The protection of your privacy and personal data is very important to us. According to Art. 4 no. 1 of the General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person. This includes for example information like your first and last name, your address, telephone number or IP address.

This Privacy Policy gives you information about how we are handling your personal data while providing our services and kind, scope and purpose of data processing and the storage duration.

This Privacy Policy applies to all services we provide in connection with the cloud service “Exply” (“Services”). 

Responsible for processing personal data according to Art. 4 No. 7 GDPR within the named scope is Sandstorm Media GmbH, Tatzberg 47, 01307 Dresden, Germany which may be reached under If you have any questions concerning data protection you could also contact our data protection officer Christopher Hutz, SH Beratung & Beteiligung UG (haftungsbeschränkt), under

§ 2 Your rights

As a person concerned according to Art. 4 No. 1 GDPR you have got the following rights.

  • According to Art. 15 GDPR you have got the right to information about your personal data.
  • According to Art. 16 GDPR You are entitled to demand correction and completion of your personal data.
  • According to Art. 17 GDPR you are entitled to demand deletion of your personal data. In addition to this, we are obligated to delete personal data in case of Art. 17 para. 1 lit. a to f GDPR.
  • You are entitled to demand restriction of data processing under the provisions of Art. 18 GDPR.
  • According to Art. 20 GDPR you have got the right to data portability.
  • According to Art. 21 GDPR you are entitled to file an objection against data processing, provided that data processing is based on Art. 6 para. 1 lit. e or f GDPR.
  • In the case that data processing is based on consent you are entitled to recant the consent at any time, according to Art. 7 para 3 GDPR.
  • According to Art. 77 GDPR you have got the right to complain to a supervisory body.

§ 3 Data processing

 a) Type and scope

We will collect and process the following data about you:

  • Information you give us: when you sign up for and use the Services, consult with our customer service team, send us an email, or communicate with us in any way, you are voluntarily giving us information that we store to provide our Services. That information may include your name, physical address, email address, IP address, payment information as well as details including how someone wants to be addressed (pronouns), purchase history, and other demographic information.
  • Information from your use of the Service: We may receive information about how and when you use the Services, store it in log files or other types of files associated with your account, and link it to other information we collect about you. This information may include, for example, your IP address, time, date, browser used, and actions you have taken using the Services.

b) purpose and legal basis

We may process personal data only for the following purposes:

  • To provide, support, and improve the Services we offer. Legal basis is Art. 6 para 1 lit. b and f GDPR.
  • To bill you for the Services provided. This includes sending you emails, invoices and receipts. We use third parties for secure credit card transaction processing, and we send billing information to those third parties to process your orders and credit card payments. Legal basis is Art. 6 para 1 lit. f GDPR and our legitimate interest in a proper handling of payments.
  • To promote use of our Services. If you use any of our Services and we think you might benefit from using another Service we offer, we may send you an email about that. You can stop receiving our promotional emails by following the unsubscribe instructions included in every email we send. Legal basis is Art. 6 para 1 lit. f GDPR.

c) storage duration

Personal data will be deleted by the end of the purpose of data processing. Beyond that, it might be the case that there are retention obligations for example by the German “Handelsgesetzbuch” (HGB) or “Abgabenordnung” (AO). In the framework of these obligations we will delete personal data by the end of the certain obligation.

§ 4 Cookies

We use cookies. Cookies are small data which are sent by us to the browser of your end device while using our website. Some cookies are technically necessary for the use of our Services, some are useful to facilitate or improve the use of our Services. Cookies do not inflict damage to your end device. They cannot be carrier of a virus.

We use the following cookies: 

a) transient cookies

Transient cookies will be deleted automatically when the browser used to access our Services is closed. These include in particular so-called session-cookies which save your session-ID. This makes it possible to recognize your end device while using our Services.

b) persistent cookies

Persistent cookies will be deleted automatically after a certain time. Persistent cookies serve the purpose of configuring Service settings according to your wishes. 

c) tracking cookies

Exply uses Matomo, an open-source software to statistically analyse user accesses. The information about the use of our services which are created by this cookie are saved on our server in Germany. The IP-address is anonymized immediately after processing and before it is saved. You can block the setting of the cookie by configuring your browser to block it. Further details as to Matomo may be found here (

§ 5 Data transfer

When we do have to share personal data with third parties, we take steps to protect your personal data by requiring these third parties to enter into a contract with us that requires them to use the personal data we transfer to them in a manner that is consistent with this policy. 

We only transfer your personal data to third parties in the following cases: 

  • On the basis of an explicit consent according to Art. 6 para 1 lit. a GDPR.
  • If the transfer is legitimate by law and necessary to fulfil a contractual relationship between you and Sandstorm Media GmbH or conduct pre-contractual measures according to Art. 6 para 1 lit. b GDPR.
  • According to Art. 6 para 1 lit. c GDPR, if the transfer is necessary to exercise legal obligations. We are obligated by law to transfer data to state authorities.
  • If the transfer is necessary to preserve Sandstorm Media GmbH’s legitimate interest according to Art. 6 para 1 lit. f GDPR as well as to assert, exercise or defend legal claims. This counts only under the condition that there are no overriding and protection requiring interests by your side.
  • In case we use external service providers according to Art. 28 GDPR.