JFrog Vendor DPA

Last updated: August 21, 2025


This Data Processing Addendum (“DPA”) is hereby incorporated by reference into and becomes a binding part of the [Agreement Name] (“Agreement”) between ________________________________________ (“Vendor”) and [JFrog, Inc./JFrog Ltd.] (“JFrog”) for the provision of the services by Vendor (“Services”) to reflect the Parties’ agreement with regards to the Processing of Personal Data by Vendor on behalf of JFrog. Both Parties will be referred to as the “Parties”. All capitalized terms not defined herein will have the meaning set forth in the Agreement.

 

  1. DEFINITIONS
  2. DETAILS OF PROCESSING
  3. PROCESSING OF PERSONAL DATA
  4. COOPERATION AND DATA SUBJECT RIGHTS
  5. VENDOR PERSONNEL
  6. SECURITY RESPONSIBILITIES
  7. SECURITY BREACH
  8. SUB-PROCESSORS
  9. RESTRICTED TRANSFERS
  10. AUDITS
  11. GOVERNMENT REQUESTS
  12. RETURN AND DELETION OF PERSONAL DATA
  13. CONFLICT
  14. GOVERNING LAW AND JURISDICTION
  15. MISCELLANEOUS

 

APPENDIX 1: DETAILS OF PROCESSING
APPENDIX 2: STANDARD CONTRACTUAL CLAUSES
APPENDIX 3: TECHNICAL AND ORGANIZATIONAL MEASURES
APPENDIX 4: SUB-PROCESSORS LIST

 

  1. DEFINITIONS
    In this DPA, the following terms will have the meanings set out below:

    1. “Controller”, “Member State”, “Process/Processing”, “Processor”, “Special Categories of Personal Data”, “Business”, “Sell”, “Share”, “Service Provider”, and “Supervisory Authority” will have the same meaning as defined in Data Protection Laws.
    2. “Data Protection Laws” means any and all laws and regulations applicable to the processing of Personal Data under this DPA, including, but not limited to: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council, and any laws of Member States of the European Economic Area implementing or supplementing it (“GDPR”); (ii) UK Data Protection Laws means the Data Protection Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”); (iii) California Data Protection Laws which means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq. (“CCPA”) as amended by the California Privacy Rights Act, and any regulations made under it; (iv) applicable US state laws as they may come into effect from time to time; and (v) – where applicable – the local data protection law of the Controller.
    3. “Data Subject” means an identified or identifiable natural person. For clarity, Data Subject includes any “consumer” as defined under Data Protection Laws.
    4. “Personal Data” means any information relating to, directly or indirectly, an identified or identifiable person that is collected, accessed, used, disclosed, or otherwise Processed by Vendor in its provision of Services pursuant to the Agreement, and includes “personal information” as defined in Data Protection Laws.
    5. “Restricted Transfer” means a transfer of Personal Data from Controller to Processor, to a jurisdiction outside of the European Economic Area (“EEA”) and/or the United Kingdom of Great Britain and Northern Ireland (“UK”), unless such transfer is made to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant authorities of the EEA and/or the UK as relevant (“Adequacy Decision”).
    6. “Security Breach” means any unauthorized, accidental or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data.
    7. “Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of Personal Data to third countries which do not ensure an adequate level of protection as set out by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 under the GDPR as updated, amended, replaced or superseded from time to time by the European Commission (“EU SCCs”); and (ii) Standard Data Protection Clauses issued by the UK Information Commissioner’s Office (“ICO”) under S119A(1) of Data Protection Act 2018, to the SCCs, for parties making Restricted Transfers (“UK Addendum”), collectively “SCCs”.
  2. DETAILS OF PROCESSING
    In the course of providing the Services to JFrog, Vendor will Process Personal Data on behalf of JFrog pursuant to the Agreement. Vendor agrees to comply with the provisions set out in this DPA and Data Protection Laws. The nature and purpose of the Processing, as well as the duration of the Processing, the types of Personal Data, and categories of Data Subjects whose Personal Data will be Processed under this DPA, are detailed in Appendix 1. Such Personal Data is disclosed and transferred for the Permitted Purposes as set forth in this DPA.
  3. PROCESSING OF PERSONAL DATA
    1. Vendor will only Process the types of Personal Data relating to the categories of Data Subjects for the purposes of the Agreement and for the specific purposes in each case as set forth in Appendix 1 to this DPA, in accordance with JFrog instructions (“Permitted Purpose”). In no event will Vendor Process, retain, use or disclose Personal Data: (i) for any of its own purposes or those of any third party; (ii) outside of the direct business relationship between the Parties as defined in the Agreement; (iii) Sell or Share Personal Data; or (iv) as otherwise prohibited by Data Protection Laws. 
    2. Vendor will not: collect, retain, use, transfer, modify, disclose, amend, or alter Personal Data or otherwise Process Personal Data for any purpose (including a commercial purpose) other than for the specific business purpose of performing the obligations under the Agreement and this DPA. 
    3. The Parties acknowledge and agree that with regard to the Processing of Personal Information under CCPA, Vendor is the Service Provider and JFrog is the Business.
    4. Vendor will not combine Personal Data that Vendor receives from, or on behalf of, JFrog with Personal Data received from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, except where both (i) expressly required to perform the Service; and (ii) as permitted by applicable Data Protection Laws.
    5. Vendor will notify JFrog within five (5) days if it determines that it can no longer meet its obligations under applicable Data Protection Laws and allow JFrog to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.
  4. COOPERATION AND DATA SUBJECT RIGHTS
    1. Vendor will provide reasonable and timely assistance to JFrog in: (i) responding to requests to exercise Data Subject rights under applicable Data Protection Laws; (ii) responding to any correspondence, inquiry or complaint received from a Data Subject, Supervisory Authority, regulator, or third party in connection with the Processing of Personal Data, and (iii) carrying out a data privacy impact assessment. 
    2. Vendor will promptly notify JFrog at privacy@jfrog.com if it receives any such request, will cooperate, and assist JFrog in responding to it and will maintain a record of the request.
    3. Vendor will ensure that: (i) it does not respond to such request without JFrog’s approval, except to acknowledge receipt and to confirm that the request is related to JFrog; (ii) the Services provided by Processor as well as Processor’s internal systems, are designed to locate the Personal Data relating to a specific individual, to rectify it, to delete it, or to perform any other operation necessary under Data Protection Laws. 
  5. VENDOR PERSONNEL
    1. Vendor will ensure that its personnel:
      1. are contractually bound to written confidentiality requirements;
      2. will Process Personal Data only as necessary for the Permitted Purpose;
      3. are provided with annual privacy and security trainings; and
      4. are familiarized with the Processor obligations under this DPA and fully comply with the provisions hereof in Processing Personal Data.
    2. Vendor will conduct an appropriate background investigation of its employees or contractors who may have access to JFrog Personal Data, prior to allowing them such access, to the extent permissible under applicable law.
    3. Vendor will ensure that access is strictly limited to those individuals who need to receive access to the relevant Personal Data, as strictly necessary for providing the Services.
  6. SECURITY RESPONSIBILITIES
    1. Vendor has implemented and will maintain appropriate Technical and Organizational Measures (“TOMs”) for protection of the security, confidentiality and integrity of the Personal Data as described in Appendix 3 in accordance with industry best practices.
    2. Vendor will regularly monitor compliance with the TOMs and will ensure a level of security appropriate to the risks of Processing Personal Data, including appropriate measures referred to in Data Protection Laws. 
    3. The TOMs may be updated from time to time to reflect process improvements or changing practices, provided that the modifications will not materially decrease the overall security of the Services during the term of the Agreement.
    4. In assessing the appropriate level of security, Vendor will take into account the nature, scope, context, and Permitted Purpose of the Processing as well as the risk and severity for the rights and freedoms of the Data Subjects presented by Processing, in particular with regards to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed.
  7. SECURITY BREACH

    1. Vendor will:
      1. notify JFrog promptly and without any undue delay (but in any event no later than forty-eight (48) hours), after becoming aware of any actual or suspected Security Breach;
      2. provide a detailed description, including the nature of the Security Breach, the categories and approximate number of affected Data Subjects and data records, and the likely consequences and risks;
      3. take all necessary steps to identify, remediate and/or mitigate the cause of such Security Breach as quickly as possible and to prevent its recurrence, including all actions as may be required under Data Protection Laws; and
      4. fully cooperate with JFrog in:
        1. investigation, mitigation, and remediation of such Personal Data Breach; and
        2. notification to Supervisory Authorities and/or to affected Data Subjects (if required).
    2. Vendor will not:
      1. inform any third party of the Security Breach without first obtaining JFrog’s prior written consent, unless such notification is required by applicable Data Protection Laws, in which case Vendor will inform JFrog and provide a copy of the proposed notification; and
      2. communicate any finding or admission of liability concerning any Security Breach which directly or indirectly identifies JFrog without JFrog’s prior written approval.
    3. Vendor must maintain cyber-liability or breach insurance at the minimum level of three million dollars ($3,000,000).
  8. SUB-PROCESSORS
    1. Vendor will not engage third-party service providers to Process Personal Data on behalf of JFrog (“Sub-Processors”) without prior written consent of JFrog. JFrog authorizes Vendor to engage the Sub-Processors listed under Appendix 4 below, provided that:
      1. such Sub-Processor is only engaged in Processing Personal Data as strictly necessary for the fulfillment of Vendor’s obligations under the Agreement and this DPA;
      2. Vendor has conducted the level of due diligence necessary to ensure that such Sub-Processor is capable of meeting the requirements of this DPA and Data Protection Laws; and
      3. Vendor and the Sub-Processor have entered a written agreement binding the Sub-Processor, containing data protection and security standards substantially equivalent to the obligations under this DPA. Vendor will be responsible for its Sub-Processors’ compliance with the obligations of this DPA.
    2. Vendor will provide JFrog at least thirty (30) days prior written notice of its intention to engage or replace a Sub-Processor. Such notice will be sent to privacy@jfrog.com. JFrog may object to Vendor’s use of a new Sub-Processor for reasonable and explained grounds. In the event JFrog objects to a new Sub-Processor, Vendor will make available to JFrog a change in the Services to avoid Processing of Personal Data by the objected new Sub-Processor without unreasonably burdening JFrog. If within thirty (30) days from JFrog’s reasonable objection, Vendor is not able to provide a commercially reasonable alternative, JFrog may terminate the Agreement and this DPA without penalty, and Vendor will issue a prorated refund of any prepaid and unused portion of the fees for the terminated Services within thirty (30) days from the termination effective date.
  9. RESTRICTED TRANSFERS
    With respect to Restricted Transfers of Personal Data that is protected under applicable Data Protection Laws, the Parties hereby enter into the EU SCCs, completed as set out below in Appendix 2 of this DPA, which will also be deemed amended as specified by the UK Addendum. Both Parties have the authority to enter into the SCCs for themselves and their respective relevant Affiliates.
  10. AUDITS
    JFrog will be permitted to monitor Vendor’s compliance with this DPA by performing an annual audit, including inspection. Vendor will provide JFrog or an independent third-party representative designated by JFrog with all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by them. Vendor will cooperate and assist JFrog in fulfilling JFrog’s obligations under applicable Data Protection Laws to carry out data protection assessments and/or consult the relevant supervisory authority regarding such assessments related to JFrog’s use of the Services.
  11. GOVERNMENT REQUESTS
    Upon receipt of any request or demand for disclosure of Personal Data by any government, including governmental bodies and law enforcement agencies (“Authority”) Processed in connection with the Agreement, Vendor will:

    1. promptly forward and notify JFrog of receipt of such request (unless legally prohibited from doing so);
    2. inform the Authority that Vendor is a Processor of such Personal Data and that JFrog has not authorized Vendor to disclose such Personal Data to the Authority;
    3. inform the Authority that any and all requests or demands for access to such Personal Data should be notified to or served upon JFrog (as the Controller) in writing;
    4. not provide the Authority with access to such Personal Data unless and until authorized in writing by JFrog;
    5. make reasonable efforts to oppose the request if possible; and
    6. limit the scope of any disclosure to what is strictly legally required to respond to the request in accordance with applicable lawful process. Vendor will not knowingly disclose Personal Data in a bulk or indiscriminate manner that goes beyond what is necessary and proportionate. 
  12. RETURN AND DELETION OF PERSONAL DATA
    Upon the earlier of:

    1. JFrog’s written request;
    2. termination of Services; or
    3. cessation of the requirement to Process the Personal Data,

    Vendor will, and will cause its Sub-Processors to, promptly and in any event within thirty (30) days, return or delete, at the choice of JFrog, all relevant Personal Data Processed by Vendor. Upon JFrog’s request, Vendor will provide written certification that Vendor has fully complied with this section.
  13. CONFLICT
    In the event of any conflict or inconsistency between provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will govern. Any data protection agreements that may already exist between the Parties as of the last signature date of this DPA as well as any earlier version of data security terms to which the Parties may have agreed to are superseded and replaced by this DPA in their entirety. In the event of any conflict between certain provisions of this DPA and any of its Schedules and the SCCs, the latter will prevail.
  14. GOVERNING LAW AND JURISDICTION
    Without prejudice to clauses 17 and 18 of the SCCs, this DPA and all other obligations arising out of or in connection with it, are governed by the laws and subject to the exclusive jurisdiction of the courts set out in the Agreement.
  15. MISCELLANEOUS
    1. Vendor will indemnify and hold harmless JFrog against all losses, fines, damages, liabilities, costs, harm, and expenses arising from any claim by a third party or Supervisory Authority arising from any breach of this DPA by Vendor or Vendor’s Sub-Processors; Vendor’s liability is subject to the ‘Limitation of Liability’ section of the Agreement. This DPA, along with the Agreement, will not be construed as limiting the liability of either Party with respect to claims brought by data subjects or under the SCCs.
    2. This DPA will remain in effect for as long as Vendor Processes Personal Data. Any obligation imposed on Vendor under this DPA in relation to the Processing of Personal Data will survive any termination or expiration of this DPA.
    3. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
    4. Where any replacement of, or amendment to, the SCCs is approved by the competent authority/ies or government body/ies (including, without limitation, a supervisory authority or the European Commission or a UK Government Department) (“New SCCs”), the New SCCs will be deemed incorporated into this DPA and Agreement and take effect and be binding on the Parties from the date of such approval by the applicable competent authority or governmental body or, if later, the end of any grace period applicable to the New SCCs. In the event reasonably required by either Party or where required by applicable Data Protection Laws, the Parties will enter into signed copies of the New SCCs with details of processing as set out in, or substantially similar to, those set out in the SCCs.

IN WITNESS WHEREOF, the Parties below have executed this legally binding DPA, executed by their duly authorized representatives as of the last date of execution below (“Effective Date”).

 

JFrog
Name:
Title:
Date:
By:
Privacy Contact Email: privacy@jfrog.com

Vendor
Name:
Title:
Date:
By:
Privacy Contact Email:

APPENDIX 1: DETAILS OF PROCESSING

Data Exporter: [JFrog Inc./JFrog Ltd.]
Address: Attn: The Privacy Office-Legal, 270 E Caribbean Dr, Sunnyvale, California 94089, United States
Contact details (Name, title, email): privacy@jfrog.com

Data Importer: The entity identified as Vendor in the Agreement.
Address: Vendor’s address as set out in the Agreement.
Contact details (Name, title, email): The contact details set out in the signature block in the DPA.

Categories of Data Subjects: […]
Types of Personal Data: […]
Sensitive Data (if applicable): […]
Duration of Processing: […]
Frequency of transfer (one-off or Continuous): […]
Nature of Processing: […]
Purpose of Processing: […]
For transfers to Sub-Processors: […]

APPENDIX 2: STANDARD CONTRACTUAL CLAUSES

The Parties agree that the terms of Module II – Controller to Processor of the EU SCCs (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), together with the UK Addendum (available at: http://ico.org.uk/media2/migrated/2620398/draft-ico-addendum-to-com-scc-20210805.pdf) are hereby incorporated by reference and will apply to a Restricted Transfer, as follows: 

Clause 7 (Docking Clause): Will not apply.

Clause 9(a) (Use of Sub-Processors): Option 1: specific prior authorization will apply; the method for appointing and time period for prior notice of Sub-Processor changes will be as set forth in Section 9 of the DPA.

Clause 11 (Redress): The optional language will not apply.

Clause 17 (Governing law): Option 1 will apply; the Parties agree that the EU SCCs will be governed by the laws of the Republic of Ireland; the UK Addendum will be governed by the laws of England and Wales.

Clause 18(b) (Jurisdiction): Disputes will be resolved in the EU before the courts of the Republic of Ireland, and in the UK before the courts of England and Wales.

Annex I.A (List of Parties):
JFrog / data exporter: Controller; Use of the Services.
Vendor / data importer: Processor; Provision of the Services.
Name, address and contact details are detailed in the Agreement.
By entering into the Agreement and/or DPA, data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Annex I.B (Description of Transfer): As detailed in Appendix 1 of this DPA.

Annex I.C (Supervisory Authority):
EEA – CNIL
UK – ICO

Annex II (TOMs): As detailed in Appendix 3 of this DPA.

Annex III (Sub-Processors List): As detailed in Appendix 4 of this DPA.

APPENDIX 3: TECHNICAL AND ORGANIZATIONAL MEASURES

This Appendix 3 describes the minimum technical, organizational, and physical security measures Vendor will take to protect JFrog Data.

 

  1. Information Security Program
    Vendor will maintain and comply with a comprehensive written information security program that complies with applicable laws, regulations, and industry best practices. This program will include administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of JFrog Data and JFrog systems.
  2. Information Security Program
    Vendor will implement and maintain safeguards to protect JFrog’s Confidential Information, personal, third party and other data uploaded to, collected, stored, processed, or otherwise accessed by Vendor in connection with its software and services, where such data is provided by, on behalf of, or at the direction of JFrog (“JFrog Data”) from unauthorized access, disclosure, alteration, and destruction. 
  3. Compliance Standards

    1. Vendor will comply with and maintain certifications of industry accepted security frameworks throughout the duration of the Agreement, including ISO/IEC 27001, ISO/IEC 27017, SOC 2 Type 2, and any standards applicable to the scope of provided services including as applicable, HIPAA, PCI DSS, and any other standards mutually agreed upon by JFrog and Vendor in writing. 
    2. Upon JFrog’s request, Vendor will promptly provide JFrog the most recent security certification and audit reports prepared by a qualified independent third party. 
  4. Compliance Standards

    1. Vendor must have documented information Security Incident procedures, enabling effective and orderly management of Security Incidents. The procedures must cover the detection, reporting, analysis, monitoring and resolution of Security Incidents.
    2. Vendor will notify JFrog immediately upon becoming aware of any actual or suspected security incident involving the unauthorized access, use, disclosure, alteration, or destruction of the JFrog Data (“Security Incident”) and in any event no later than twenty-four (24) hours thereafter.
    3. Vendor will provide a written incident report detailing the nature, scope, root cause, and remediation efforts. Notwithstanding the above, Vendor will cooperate fully to contain, mitigate, and resolve the incident.
    4. Unless otherwise required by applicable law, Vendor may not inform any third party of a Security Incident without first obtaining JFrog’s prior written consent. 
  5. Audits and Assessment

    1. Vendor will complete a mandatory annual security assessment to evaluate compliance with the security measures set forth in this Addendum (“Security Risk Assessment”). Notwithstanding the foregoing, JFrog reserves the right to conduct security audits on the Vendor’s operations, facilities, systems, and procedures that process, store or otherwise handle JFrog Data. These audits may be conducted: (a) once annually with thirty (30) days’ prior written notice, (b) upon reasonable suspicion of a breach by Vendor of its obligations under this Addendum with at least five (5) days’ notice, and (c) immediately following a Security Incident. Vendor will cooperate fully, providing necessary access, assistance and information to facilitate the audit.
    2. Any gaps identified during this Security Risk Assessment or audit by JFrog that present a security risk to JFrog or JFrog Data will be remediated by Vendor at its sole expense within thirty (30) days.
  6. Business Continuity and Disaster Recovery
    Vendor represents and warrants that: (i) it maintains a Business Continuity Plan (“BCP”) and a Disaster Recovery Plan (“DRP”) to ensure continuity of critical services during disruptions such as natural disasters or cyber incidents; and (ii) the BCP and DRP include recovery processes with a Recovery Time Objective (“RTO”) not exceeding 24 hours and a Recovery Point Objective (“RPO”) of 1 hour, including regular backups and testing. Vendor will annually review and update these plans, conduct regular tests, and provide JFrog with test summaries upon request. In the event of a disruption impacting JFrog or JFrog Data, Vendor will notify JFrog at vendorcompliance@jfrog.com immediately and provide regular updates. Upon request, Vendor will furnish a summary of the BCP and DRP.
  7. Personnel/Human Resources Security

    1. Vendor must perform background checks on all personnel, consistent with local laws and regulations and proportional to role-based risk.
    2. Vendor will ensure all personnel agree in writing to comply with Vendor’s security requirements and organizational policies and maintain formal disciplinary processes for violations based on their nature and gravity.
    3. Vendor’s employees and subcontractors must undergo regular security and privacy awareness training and specialized training upon employee onboarding and at least annually thereafter. All of Vendor’s personnel involved in the development, testing, deployment, and maintenance of applications must undergo training covering secure coding practices, common vulnerabilities (e.g., those listed in the OWASP Top Ten), and emerging security threats upon employee onboarding and at least annually thereafter.
    4. Upon termination of any personnel, Vendor must promptly revoke access to its information systems, networks, applications, and JFrog Data.
  8. Application Development

    1. Vendor will have a comprehensive secure development lifecycle system in place consistent with industry standard best practices (such as OWASP), including policies, training, audits, testing, emergency updates, proactive management, and regular updates to the secure development lifecycle system itself.
    2. Vendor will conduct threat modeling, perform code reviews and static code analysis (SAST), conduct dynamic application security testing (DAST), and implement Software Composition Analysis (SCA) tools to identify and address security vulnerabilities in the development process, including open-source and third-party components, ensuring regular scans, updates, and thorough analysis using both automated tools and manual reviews.
    3. Vendor will maintain and execute a vulnerability management process that includes identifying, prioritizing, and remediating vulnerabilities prior to deployment.
    4. Vendor will manage third-party components and libraries, ensuring that they are up-to-date and free from known vulnerabilities. Regular security reviews and updates are required for all third-party components used in the application.
  9. Penetration Testing

    1. Vendor must at its sole expense engage a qualified independent third party at least annually to assess the practical security of Vendor’s systems, including penetration tests from the perspective of an external attacker and an internal user with common and administrative privileges. The penetration tests must include Application, API, Networks, all systems exposed to the internet and any systems, internal or external, that handle JFrog’s Confidential Information or JFrog Data.
    2. Vendor will share the full report with a remediation plan upon JFrog’s request.
    3. Vendor will provide a re-test report and will certify that all findings were remediated in accordance with the remediation plan.
  10. System Configuration & Maintenance

    1. All operating systems, servers, software and network devices that are included in the scope must be kept hardened and patched.
    2. Vendor must maintain configuration guidelines reflecting technical security best practices for all such systems and update them at least annually.
    3. All security-related patches must be installed on systems within the timeframe defined in this Addendum.
  11. Vulnerability Management Process

    1. Vendor will: (a) maintain and execute a vulnerability management process that includes identifying, prioritizing, and remediating vulnerabilities in a timely manner; (b) track and report vulnerabilities and their remediation status to JFrog; and (c) conduct vulnerability assessments continuously and after any significant changes to the environment.
    2. Vulnerability classification will follow an industry standard classification process (i.e., CVSS).
    3. Vulnerability Remediation will be completed within the following timeline: Critical Vulnerability – 7 days, High Vulnerability – 30 days, Medium Vulnerability – 90 days, Low Vulnerability – 180 days.
    4. Vendor will notify JFrog of any critical or high vulnerabilities immediately upon detection.
  12. Patch Management

    1. Vendor will establish and maintain a patch management process to ensure timely application of security patches and updates.
    2. Vendor will prioritize critical patches within 48 hours of release. Non-critical patches should be assessed and implemented based on the risk and impact analysis.
    3. Vendor will test patches in a non-production environment to ensure they do not adversely affect system functionality and establish and maintain rollback procedures to quickly revert to previous versions if issues arise.
  13. Data Backup

    1. Vendor will implement automated and secure backup procedures for all critical data and systems. These procedures must ensure that data integrity and confidentiality are maintained at all times.
    2. Vendor will ensure that backups are performed regularly. Data backups must include all critical data and system configurations required for full restoration.
    3. Vendor will maintain a data backup policy including a backup schedule that includes regular full backups (a complete copy of all data) and more frequent incremental or differential backups (capturing data that has changed since the last backup) that meets agreed-upon Recovery Point Objectives (RPO) of one hour and Recovery Time Objectives (RTO) of twenty-four hours, ensuring that data can be restored to a point in time that minimizes data loss to the extent possible. All backups will be securely retained for a minimum period of 30 days on a rolling basis.
    4. Vendor will conduct restoration tests at least semi-annually to verify the integrity of the backup data and ensure that RTO and RPO are met. These tests must be documented, and the results, including any identified issues and corrective actions taken, must be reported to Client upon request.
    5. Vendor will protect backup data through encryption both in transit and at rest, using industry-standard, strong cryptographic protocols (e.g., AES-256 or greater). Encryption keys must be securely managed and protected against unauthorized access.
    6. Vendor will store backups in geographically diverse locations to mitigate the risks associated with localized disasters. Backup locations must be selected to ensure compliance with applicable data protection laws and regulations. Access to backup media and systems will be strictly controlled based on the principle of least privilege.
    7. In the event of any data loss or corruption for which Vendor is responsible, Vendor will, at its own expense, promptly restore the affected JFrog Data from the most recent, viable backup.
    8. Vendor will not use removable media (e.g., USB drives, external hard drives) for storing JFrog Data under any circumstances.
  14. Malware Detection and Response

    1. Vendor must implement enterprise-grade anti-malware solutions across all endpoints, servers, and network devices. The solution will meet at minimum the following:
      1. Updates: Ensure anti-malware definitions are updated automatically and frequently, at least daily.
      2. Real-Time Protection: Enable real-time scanning for all files and emails to detect and block malware threats proactively.
      3. Conduct full system malware scans on all critical systems weekly.
      4. Threat Intelligence: Integrate threat intelligence feeds to stay updated on emerging malware threats and adjust defenses accordingly.
  15. Access Control Policy

    1. Vendor will develop and enforce a formal access control policy outlining procedures for granting, reviewing, and revoking access rights to its systems and JFrog Data. The policy will consist of the following elements:
      1. Implement role-based access control (RBAC) to ensure users are granted access based on their job responsibilities, adhering to the principle of least privilege.
      2. Periodic access reviews (at least quarterly) to validate user access rights, ensuring appropriateness and alignment with current roles.
      3. Establish a Joiners, Movers, and Leavers (JML) process to manage user access lifecycle: Joiners: Ensure new users are provisioned with appropriate access promptly; Movers: Adjust access rights for users changing roles or departments; Leavers: Revoke all access immediately upon termination of employment.
    2. Vendor will implement a Privileged Access Management (PAM) policy and deploy a PAM solution to monitor and control privileged accounts. The policy must ensure that administrative access is restricted to authorized personnel only, with multi-factor authentication (MFA) enabled for all such access.
  16. Password Management

    1. Vendor will enforce a robust password policy requiring strong, complex passwords (minimum 12 characters, mix of uppercase, lowercase, numbers, and special characters) and regular password changes, prohibiting reuse of previous passwords.
    2. Vendor will implement MFA for all administrative and privileged access, as well as for accessing systems storing or processing sensitive data.
    3. Vendor will implement account lockout mechanisms after multiple unsuccessful login attempts and monitor all authentication attempts, logging and alerting for suspicious activity.
    4. Vendor will securely store all authentication credentials using strong encryption, ensuring passwords are hashed and salted before storage.
  17. Logging and Monitoring

    1. Vendor will ensure continuous visibility into system activities to promptly detect security incidents and support forensic investigations through robust logging and real-time monitoring practices.
    2. Vendor will capture logs for all critical systems, applications, databases, and network devices, including user authentication and access attempts, changes to user privileges, administrative actions, system configuration changes, security events, and data access activities.
    3. Logs must include relevant details such as timestamps, source IP addresses, user IDs, system processes, event types, and indicate the success or failure of actions.
    4. Vendor will store logs in a centralized log management system, protect them from unauthorized access and tampering, and maintain them for a minimum of 12 months or as required by regulatory obligations. Logs should be archived securely for long-term storage.
    5. Vendor will deploy a Security Information and Event Management (SIEM) solution to aggregate, analyze, and correlate log data, generating alerts for predefined security incidents and anomalies.
    6. Vendor will implement an escalation process for critical alerts ensuring prompt investigation and response, and use automated tools for event correlation and anomaly detection.
  18. Third Party Security

    1. Vendor must implement a documented policy for managing fourth-party risks and maintain an up-to-date list of subcontractors.
    2. Vendor must conduct pre-engagement due diligence and regular security assessments of fourth-party vendors, implement continuous monitoring, and share findings as needed.
    3. Vendor will ensure that any subcontractors or third parties processing JFrog Data: (a) are contractually required to implement and maintain security measures that are at least as protective as those set forth herein, and (b) have adequate continuity and recovery measures in place.
  19. Data Encryption Requirements

    1. Vendor will ensure that all data transmitted between the client’s systems, end users, and the SaaS application is encrypted using industry-standard encryption protocols, such as TLS (Transport Layer Security), with a minimum of TLS 1.2.
    2. Vendor must ensure that all data at rest, including databases, file storage, and backups, is encrypted using strong encryption algorithms such as AES (Advanced Encryption Standard) with a minimum key length of 256 bits.
    3. Vendor will implement key management practices to ensure the secure generation, distribution, storage, and rotation of encryption keys. Keys should never be hard-coded into the application or stored in plaintext.
    4. Vendor must ensure that JFrog’s Confidential Information, sensitive data, including personally identifiable information, financial data, and health information, as applicable, is encrypted both in transit and at rest in accordance with applicable data protection regulations and industry best practices.

APPENDIX 4: SUB-PROCESSORS LIST

Processor may engage with the following Sub-Processors to provide the Services:

 

Name Services and Duration Location Data Transfer Mechanism
© 2025 JFrog Ltd. All rights reserved.