JFrog Cloud Data Processing Addendum

Last Updated: January 1, 2023

icon downloadDownload DPA

On June 4 2021, the European Commission issued a new set of Standard Contractual Clauses (“SCCs”). In case you and JFrog have entered into an agreement which references the previous SCCs, they will be replaced by the new SCCs available below under Appendix 2. All other commercial and privacy provisions will remain the same. If you have further questions please contact compliance@jfrog.com.

This JFrog Cloud Data Processing Addendum (“DPA”) forms part of JFrog Cloud Terms and Conditions available at https://jfrog.com/cloud-terms-and-conditions/ or entered by and between JFrog and Customer (the “Agreement”). Both Parties shall be referred to as “Parties”. Any capitalized terms which are not defined herein, shall have the meaning ascribed to them in the Agreement. To the extent JFrog (“JFrog”, “Processor” or “Service Provider”) Processes any Personal Data on behalf of the Customer (“Customer”, “Controller” or “Business”) in connection with the JFrog Platform, the provisions of this DPA shall apply.

 

  1. DEFINITIONS
  2. DETAILS OF PROCESSING
  3. DISCLOSING OF PERSONAL DATA
  4. PROCESSING OF PERSONAL DATA
  5. CALIFORNIA-RELATED PROCESSING OF PERSONAL DATA
  6. RESTRICTED TRANSFERS
  7. SECURITY RESPONSIBILITIES
  8. SECURITY BREACH
  9. SUB-PROCESSORS
  10. DATA PROTECTION IMPACT ASSESSMENT
  11. GOVERNMENT REQUESTS
  12. DELETION OF PERSONAL DATA
  13. AUDIT REPORTS
  14. CONFLICT
  15. GOVERNING LAW AND JURISDICTION

APPENDIX 1: DETAILS OF PROCESSING

APPENDIX 2: STANDARD CONTRACTUAL CLAUSES

APPENDIX 3: UK INTERNATIONAL DATA TRANSFER ADDENDUM

 

  1. DEFINITIONS
    In this DPA, the following terms will have the meanings set out below:

    1. Controller”, “Member State”, “Process/Processing”, “Processor”, “Special Categories of Personal Data”, “Business”, “Consumer”, “Personal Information”, “Sell”, “Share” and “Service Provider” shall have the same meaning as defined in Data Protection Laws;
    2. Data Protection Laws” means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR“); (ii) UK Data Protection Laws which means the Data Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR“); (iii) California Data Protection Laws which means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq. (“CCPA”) including as modified by the California Privacy Rights Act of 2020 and its implementing regulations (“CPRA”), as amended, or superseded from time to time, and as applicable to the Processing of Personal Data under this DPA;
    3. Data Subject Request” means a request from a Data Subject to exercise applicable rights under Data Protection Laws;
    4. International Data Transfer Addendum” means Standard Data Protection Clauses issued by the UK Information Commissioner’s Office (“ICO”) under S119A(1) of Data Protection Act 2018, to the SCCs, for parties making Restricted Transfers (“UK Addendum”);
    5. Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), to the extent such information is related to residents of the EEA, or the disclosure of such information is otherwise subject to Data Protection Laws;
    6. Restricted Transfer” means a transfer of Personal Data from Controller to Processor, to a jurisdiction outside of the European Economic Area (“EEA”) and/or the United Kingdom of Great Britain and Northern Ireland (“UK”);
    7. Security Breach” means a breach of security leading to any unauthorized, accidental or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data which has been validated by JFrog;
    8. Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries which do not ensure an adequate level of protection as set out by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 under the GDPR as updated, amended, replaced or superseded from time to time by the European Commission (“SCC”); and
    9. Supervisory Authority” means, as applicable, an appointed government entity with the authority to enforce Data Protection Laws, including, but not limited to (i) an independent public authority which is established by a Member State pursuant to the GDPR; and (ii) the ICO in the UK.
  2. DETAILS OF PROCESSING
    The Parties acknowledge that the Processing of Personal Data by JFrog is for the provision of the JFrog Platform pursuant to the Agreement. The nature and purpose of the Processing, as well as the duration of the Processing, the types of Personal Data, and categories of Data Subjects whose Personal Data shall be Processed under this DPA, are detailed in Appendix 1. The Personal Data is disclosed and transferred for the Permitted Purposes as set forth in this DPA.
  3. DISCLOSING OF PERSONAL DATA
    Controller will:

    1. only have Processor Process Personal Data in accordance with the requirements of the applicable Data Protection Laws;
    2. only disclose Personal Data to the Processor for one or more defined purposes which are consistent with the terms of the Agreement (“Permitted Purposes”);
    3. have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data;
    4. where required under Data Protection Laws, ensure that a notice has been made available and will continue to be accessible to the relevant Data Subjects informing them that their Personal Data will be disclosed to the Processor or to a category of third party describing the Processor; and
    5. not disclose any Special Categories of Personal Data to the Processor.
  4. PROCESSING OF PERSONAL DATA

    In its capacity as a Processor, JFrog will:

    1. only Process Personal Data on behalf of and in accordance with Controller’s reasonable instructions as detailed in this DPA;
    2. not Process Personal Data in a way that is incompatible with, or for longer than is necessary to carry out, the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject);
    3. ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements;
    4. will implement appropriate Technical and Organizational Measures (“TOMs”) to protect Personal Data against a Security Breach as detailed in Section 7 below (Security Responsibilities); and
    5. reasonably assists Controller to facilitate the fulfillment of Controller’s obligation to comply with any exercise of Data Subject Requests set forth in the applicable Data Protection Laws by a Data Subject or a Supervisory Authority, to the extent Controller does not have the ability to fulfill such a request.
  5. RESTRICTED TRANSFERS

    With respect to Restricted Transfers of Personal Data from Controller to JFrog, the Parties hereby enter into module II (Controller to Processor) of the SCCs, which is incorporated into this DPA as Appendix 2; for Restricted Transfer from the UK, the UK Addendum is incorporated as Appendix 3. Both Parties have the authority to enter into the SCCs and the UK Addendum for themselves and their respective relevant Affiliates. If the mechanism for Restricted Transfers of Personal Data outside of the EEA and/or the UK will change or require an update, JFrog will put in place alternative arrangements for such Restricted Transfers, as required by applicable Data Protection Laws.

  6. SECURITY RESPONSIBILITIES
    JFrog shall ensure an appropriate level of security, considering the state of the art, the costs of implementation, the nature, scope, context, and the Permitted Purpose of the Processing, as well as the severity of the risk, and industry best practices, when implementing and maintaining the TOMs described in Annex II, designed to help secure Personal Data against a Security Breach. JFrog shall regularly monitor compliance with the TOMs and shall not materially decrease the overall security of the JFrog Platform during the term of the Agreement.
  7. SECURITY BREACH
    1. JFrog will promptly, within 72 hours from JFrog’s validation, notify Controller of a Security Breach involving Personal Data Processed by JFrog on behalf of the Controller, unless such notification is delayed or prohibited by an act or order of Supervising Authority. JFrog will provide the Controller with a description of (i) the nature of the Security Breach; (ii) likely consequences of the Security Breach; and (iii) mitigation measures taken to address the Security Breach.
    2. JFrog shall take all necessary steps consistent with industry best practices, considering the severity of the risk, to resolve such Security Breach as quickly as possible and to prevent its recurrence. JFrog will reasonably assist Controller with conducting investigations and analysis regarding the Security Breach.
    3. JFrog will cooperate with Controller, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to affected Data Subjects which are required following a Security Breach, insofar as it relates to JFrog’s Processing of Personal Data under this DPA.
    4. Controller will not communicate any findings or admission of liability concerning any Security Breach which directly or indirectly identifies JFrog without JFrog’s prior written approval.
  8. SUB-PROCESSORS
    1. JFrog may engage third-party service providers to Process Personal Data on behalf of Controller (“Sub-Processors”) for the duration of the Agreement. Controller provides JFrog with a general authorization to engage the Sub-Processors listed at Annex III below. JFrog may engage with a new Sub-Processor to Process Personal Data on Controller’s behalf. JFrog shall maintain a list of Sub-Processors available online, and Controller shall subscribe to notifications of new Sub-Processors at https://jfrog.com/trust/privacy/sub-processors/. When Controller subscribes, JFrog will provide notification of a new Sub-Processor thirty (30) days before permitting them to Process Personal Data in connection with the provision of the JFrog Platform. All Sub-Processors are required to abide by substantially equivalent obligations as JFrog under this DPA as applicable to their performance of the related service. JFrog shall be responsible for its Sub-Processors’ compliance with the obligations of this DPA.
    2. Controller may object to JFrog’s use of a new Sub-Processor for reasonable and explained grounds, relating to the protection of Personal Data intended to be Processed by such Sub-Processor, by notifying JFrog in writing to privacy@jfrog.com within ten (10) days following JFrog’s notification. If no objection is received, it is deemed the Controller has authorized the intended changes. In the event Controller objects to such new Sub-Processor, JFrog will use reasonable efforts to make available and/or recommend a commercially reasonable change to the configuration or use of the JFrog Platform by the Controller to avoid Processing of Personal Data by the objected new Sub-Processor without unreasonably burdening the Controller. If within ninety (90) days from Controller’s reasonable objection, JFrog is not able to provide a commercially reasonable alternative, Controller, as its sole and exclusive remedy in connection therewith, may terminate the affected Processing of Personal Data on thirty (30) days prior written notice to JFrog.
  9. DATA PROTECTION IMPACT ASSESSMENT
    Considering the nature of the Processing and the information available to JFrog, JFrog will, when required by Data Protection Laws, assist Controller with its obligations related to data protection impact assessments, and prior consultation with Supervisory Authorities, only to the extent that Controller does not otherwise have access to the relevant information, including by providing the information outlined in Section 13 below (Audit Reports).
  10. GOVERNMENT REQUESTS
    Upon receipt of any request for disclosure of Personal Data by any government, including governmental bodies and law enforcement agencies, JFrog shall, to the extent allowed by law, (i) promptly forward and notify the Controller of receipt of such request; (ii) make reasonable efforts to oppose the request if possible; and (iii) limit the scope of any disclosure to what is strictly necessary to respond to the request.
  11. DELETION OF PERSONAL DATA
    Upon termination or expiration of the Agreement, JFrog shall delete Personal Data provided by the Controller pursuant to the Agreement, within sixty (60) days. JFrog will not have any obligation to retain such Personal Data following the termination of the Agreement. This requirement shall not apply (i) to the extent JFrog is required by applicable law to which JFrog is subject, to retain some or all Personal Data; and (ii) as part of JFrog standard archival or backup systems, provided that such Personal Data shall continue to be subject to the provisions of this DPA. In such case the relevant Personal Data shall be securely isolated and protected from any further Processing, except to the extent required by applicable law.
  12. AUDIT REPORTS
    Controller may assess JFrog compliance with this DPA subject to the following conditions: (i) prior written request of at least thirty (30) days; (ii) once a year, and (iii) subject to the confidentiality provisions of the Agreement. JFrog will provide Controller and any mutually authorized third-party representative with applicable documentation relating to the protection of Personal Data in the form of (a) data protection and information security questionnaires; and (b) copies or extracts from JFrog’s relevant audits, reviews, tests, or certifications, including an annual SOC2 Type II Report, ISO 27001, ISO 27701, and ISO 27017 certifications. JFrog shall not be required to provide information that may cause JFrog to compromise its own internal, legal, or regulatory compliance obligations or that is commercially sensitive.
  13. CONFLICT

    In the event of any conflict or inconsistency between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data. In the event of any conflict between certain provisions of this DPA and any of its Schedules and the SCCs, the latter shall prevail.

  14. GOVERNING LAW AND JURISDICTION

    Without prejudice to clauses 17 and 18 of the SCCs and the UK Addendum, this DPA and all non-contractual or other obligations arising out of or in connection with it, are governed by the laws and subject to the exclusive jurisdiction of the courts set out in the Agreement.



    APPENDIX 1: DETAILS OF PROCESSING

    Nature and Purpose of Processing Providing the JFrog Platform to the Customer.
    Categories of Data Subjects Controllers’ employees authorized to use the JFrog Platform.
    Types of Personal Data Username, email address and IP address.
    Special Categories of Personal Data transferred Not applicable.
    Duration of Processing For the duration of the Agreement, and subject to local legal requirements.
    Frequency of transfer Continuous basis for the duration of the Agreement.
    For transfers to Sub-Processors As described above.



    APPENDIX 2: STANDARD CONTRACTUAL CLAUSES

    The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to a Restricted Transfer, as follows:


    Module II – Controller to Processor

    Clause 7 – Docking Clause

    		 Shall not apply.

    Clause 9(a) – Use of Sub-Processors

    		 Option 2: general written authorization shall apply; prior notification, the method for appointing and objecting to such changes shall be as set forth in Section 9 of this DPA.

    Clause 11 – Redress

    		 The optional language shall not apply.

    Clause 17 – Governing law

    		 Option 1 shall apply; the Parties agree that the SCCs shall be governed by the laws of the Republic of Ireland.

    Clause 18(b) – Jurisdiction

    		 Disputes will be resolved before the courts of the Republic of Ireland.


    Annex I.A – List of Parties

    Customer / data exporter JFrog / data importer
    Role Controller Processor
    Relevant activities Use of the JFrog Platform Provision of the JFrog Platform
    Name, address, and contact details As detailed in the Agreement.
    Signature and date By entering into the Agreement and/or DPA, data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.


    Annex I.B – Description of Transfer    , as detailed in Appendix 1 of this DPA.

    Annex I.C – Competent Supervisory Authority (in accordance with Clause 13):

    The data exporter’s competent Supervisory Authority will be determined in accordance with the GDPR.

Annex II – JFrog Cloud Services Technical and Organizational Measures, as further detailed here.

Annex III – JFrog List of Subsidiaries and Sub-Processors, as stipulated in Section 9.1 of the DPA.



APPENDIX 3: UK INTERNATIONAL DATA TRANSFER ADDENDUM

  1. Parties.
    As listed in Annex I.A.
  2. Effective Date.
    This UK Addendum is effective from the same date as the SCCs.
  3. Background.
    This UK Addendum is a summarized version of the International Data Transfer Addendum issued by the Information Commissioner’s Office and is intended to provide the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR (“Appropriate Safeguards”) for the purposes of Restricted Transfers, when it is entered into as a legally binding contract.
  4. Interpretation.
    1. Where this UK Addendum uses terms that are defined in the SCCs, those terms shall have the same meaning as in the SCCs.
    2. If the provisions included in Appendix 1 and Appendix 2 above amend the SCCs in any way which is not permitted under the SCCs or the UK Addendum, such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the SCCs will take their place.
    3. If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws applies.
    4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this UK Addendum has been entered into.
  5. Hierarchy.
    Where there is any inconsistency or conflict between the UK Addendum and the SCCs, the UK Addendum overrides the SCCs, except where (and in so far as) the inconsistent or conflicting terms of the SCCs provides greater protection for data subjects, in which case those terms will override the UK Addendum.
  6. Incorporation of the Clauses.
    1. This UK Addendum incorporates the SCCs which are deemed to be amended to the extent necessary, so that together they operate for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and to provide Appropriate Safeguards for those transfers;
    2. The following amendments to the SCCs are made:
    “Clauses” UK Addendum as it incorporates the SCCs.
    “Regulation (EU) 2016/679” and “that Regulation” Replaced: “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
    “Regulation (EU) 2018/1725” Removed.
    “Union”, “EU” and “EU Member State” Replaced: UK.
    Clause 2 – Effect and invariability of the Clauses Removed: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”
    Clause 6 – Description of the transfer(s) Replaced: “The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Appendix A (B) where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
    Clause 8.8(i) – Onward Transfers Replaced: “the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    Clause 13(a) – Supervision Not used, the “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”.
    Clause 16(e) – Non-compliance with the Clauses and termination Replaced: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”
    Clause 17 – Governing law Replaced: “These Clauses are governed by the laws of England and Wales.”
    Clause 18(b) – Jurisdiction Replaced: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
    Footnotes Do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.
  7. Amendments to this UK Addendum.
    1. The Parties may amend this UK Addendum by agreeing to the changes in writing, provided they maintain the Appropriate Safeguards.
    2. From time to time, the ICO may issue a revised UK Addendum which will specify the start date from which the changes to the UK Addendum are effective, and whether the Parties need to review it, such revision will be automatically amended from the start date specified.
  8. Executing this UK Addendum.
    1. The Parties may enter into this UK Addendum (incorporating the SCCs) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the SCCs.
    2. Entering into this UK Addendum will have the same effect as signing the SCCs and any part of the SCCs.
    3. By entering into the Agreement and/or this DPA, data exporter is deemed to have signed this UK Addendum incorporated herein, as of the Effective Date of the Agreement.