Last updated 2026-05-24
GDPR, NIS2, DORA — what does MetaFrazo give me?
If your organization operates in the EU and runs Jira at scale, three regulatory regimes likely shape the questions your auditors ask:
- GDPR (General Data Protection Regulation) — especially Article 30 records of processing activities and the broader "show me what data you hold and what you do with it" expectation.
- NIS2 (Network and Information Security Directive 2) — especially the incident-reporting and risk-management obligations for in-scope organizations.
- DORA (Digital Operational Resilience Act) — especially the third-party risk and operational-resilience evidence financial-sector firms have to produce.
US-equivalent regimes (SOX, HIPAA when applicable, sector-specific evidence requests) ask very similar questions in different language.
MetaFrazo doesn't claim to be your end-to-end compliance platform. We produce one specific kind of evidence — what happened in your Jira workspace, when, who did it, and how patterns are trending — and we make that evidence durable, queryable, and exportable. Below is what your auditors are likely to ask for, and what we make easy.
Records of processing — what data we hold and what we do with it
MetaFrazo holds the events your Jira workspace produces from the moment you install the connector onward. We do not reach back into your Jira API to import historical data; the record is forward-only from your install date.
What we hold per organization:
- Jira events as they arrive: who acted, when, on which issue, and the before / after of the change.
- Configuration changes that your Jira admins make over time, in the same event-stream form.
- Membership changes within your MetaFrazo organization itself: invites, role changes, removals, with the actor and timestamp for each.
- Provider settings for AI features (when you change which AI provider is active, with the actor and timestamp).
What we don't hold:
- We don't store anyone's personal Jira credentials. Authentication to your Jira workspace happens through Atlassian's signed app-invocation tokens; there is no Jira password or API token of yours sitting in MetaFrazo.
- We don't store the content of issue comments or attachments. We track that an issue had a comment, who added it, when — but not the comment text.
For the Article 30 record, you can typically describe MetaFrazo as a third-party data processor that receives a derived event stream from your Jira workspace, stores it in European infrastructure, and surfaces it to your authorised personnel via a web dashboard. We're happy to provide a vendor-side data processing agreement and a sub-processor disclosure list on request — see the request route at the bottom of this page.
Incident-pattern evidence for NIS2
NIS2 expects in-scope organizations to demonstrate active risk management on the systems they operate. For Jira-driven workflows, MetaFrazo's Risk & Alerts dashboards directly support this:
- High-risk issues — issues that score high on a composite of staleness, reopen rate, and priority.
- Incident patterns — projects with recurring high-priority incidents over time, with mean-time-between-incident statistics.
- SLA breach and warning zones — current and historical breach counts, with the worst-multiplier marker.
- Risk escalation — projects sliding into "needs board attention" territory, week over week.
These dashboards aren't an alerting system in the real-time sense — they're a pattern-recognition system. The combination of "what has been trending wrong" plus "for how long" is what most NIS2 reviewers actually want to see.
Operational-resilience evidence for DORA
Financial-sector firms in scope of DORA need to evidence the operational resilience of the systems they depend on. MetaFrazo supports this in two ways:
- As an analytics surface for your own work-tracking — the Executive dashboards (portfolio heatmaps, governance composite scores, forecast indicators, team activity) give your DORA evidence pack concrete numbers rather than narrative summaries.
- As a third-party vendor that operates in DORA scope — for the part of your DORA evidence that covers third parties, we can provide our own resilience documentation (service-level commitments, incident-response posture, backup and recovery posture) on request.
The audit trail itself
Underneath every dashboard is an append-only audit trail of every membership change, configuration change, and AI-provider change made inside your MetaFrazo organization. Owners, Admins, and Auditors can read it (see Roles and permissions). It cannot be edited or deleted.
This is the artifact your internal audit team or external auditor will most often ask for. The fact that it's append-only is what makes it useful as evidence — there is no "edit history" question to answer about the audit trail itself.
Exports for external audit
When you need to hand evidence to an external auditor, you have two options today:
- Screenshots and CSV exports from individual dashboards. Every visual supports a "download as CSV" or "export view as PNG" option in its actions menu.
- Bulk evidence requests via support. For sample-based audits or full-quarter exports, contact support (top-right menu → Contact support) and we'll produce the export. We aim to turn around routine evidence requests within two business days.
Outstanding limitations to be aware of
We're honest about where the product hasn't reached its goal state:
- Self-service data-subject-request tooling (GDPR Article 17 erasure) is not in the dashboard yet. If you receive a subject-access or erasure request that touches MetaFrazo data, contact support and we'll process it manually within the GDPR timeline.
- Real-time alerting on individual events is intentionally not a MetaFrazo feature — we focus on patterns over time, not single-event notifications. If you need a real-time alert when a specific Jira event fires, Jira's own automation is the right place for that.
Request a vendor risk packet
If you're starting a vendor risk assessment of MetaFrazo, we publish a standard vendor risk packet that covers the questions most enterprise procurement teams ask: data processing agreement template, sub-processor list, security and resilience overview, incident-response posture, and a list of relevant certifications. Request it via the Contact support menu in the top-right of the dashboard, and we'll send it back within two business days.
Where to go from here
- How is my organization's data isolated from other tenants? — the foundation under everything above.
- Roles and permissions — who in your organization can read the audit trail.
- Choosing an AI provider — the data-egress story for AI features, specifically called out for GDPR / NIS2 reviewers.