JFrog Cloud Data Processing Addendum

Last Updated: June 1, 2022

icon downloadDownload DPA

This Data Processing Addendum (“DPA” or “Addendum”) is hereby incorporated by reference into, and becomes a binding part of the Terms of Service for JFrog’s Cloud Services (the “Cloud Services”) available here, or any other existing agreement between the Customer and JFrog for the provision by JFrog of any of its Cloud Services (the “Agreement”) in which JFrog and its Affiliates (“JFrog” or “Processor”) act as a Processor of Customer’s Personal Data. Both Parties shall be referred to as the “Parties”. All capitalized terms not defined herein will have the meaning set forth in the Agreement.

For the purposes of this DPA, the term “Customer” or “Controller” shall include both the individual using the Cloud Services offered under the applicable Agreement and any legal entity on whose behalf such individual is acting. This DPA sets out the terms that apply with regards to the Processing of Personal Data (as defined below) by JFrog, on behalf of Customer, in the course of providing the Cloud Services to Customer under the Agreement.

  1. Definitions.
    In this Addendum, the following terms will have the meanings set out below:

    1. Controller”, “Member State”, “Process/Processing”, “Processor”, and “Special Categories of Personal Data” will have the same meaning as defined in Data Protection Laws;
    2. Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (GDPR), as well as the UK Data Protection Laws which means the Data Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (UK GDPR), as applicable to the Processing of Personal Data under the Agreement;
    3. Data Subject Request” means a request from a Data Subject to exercise any right under Data Protection Laws;
    4. International Data Transfer Addendum” means Standard Data Protection Clauses issued by the UK Information Commissioner Office (ICO) under S119A(1) of Data Protection Act 2018, to the SCCs, for parties making Restricted Transfers (“UK Addendum”);
    5. Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), that is disclosed by Controller to Processor in the performance of Processor’s rights or obligations under the Agreement, to the extent such information is related to residents of the EEA, or the disclosure of such information is otherwise subject to Data Protection Laws;
    6. Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Processor on behalf of the Controller;
    7. Restricted Transfer” means a transfer of Personal Data from Controller to Processor, to a jurisdiction outside of the European Economic Area (“EEA”) and/or the United Kingdom of Great Britain and Northern Ireland (“UK”);
    8. Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries which do not ensure an adequate level of protection as set out by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 under Regulation (EU) 2016/679 as updated, amended, replaced or superseded from time to time by the European Commission (“SCC”); and 
    9. Supervisory Authority” means (i) an independent public authority which is established by a Member State pursuant to the GDPR; and (ii) the ICO in the UK.
  2. Disclosing of Personal Data.
    Controller will:

    1. only have Processor Process Personal Data in accordance with the requirements of the applicable Data Protection Laws;
    2. only disclose the Personal Data for one or more defined purposes which are consistent with the terms of the Agreement (“Permitted Purposes”);
    3. have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data;
    4. ensure that a notice has been made available and will continue to be accessible to the relevant Data Subjects informing them that their Personal Data will be disclosed to the Processor or to a category of third party describing the Processor;
    5. ensure that it has obtained any necessary consents or authorizations required to permit the Processor to freely Process the Personal Data for the Permitted Purposes;
    6. not disclose any Special Categories of Personal Data to the Processor; and
    7. be responsible for the security of any Personal Data in transmission from Controller to Processor.
  3. Processing of Personal Data.
    In its capacity as a Processor, JFrog will:

    1. only Process Personal Data on behalf of and in accordance with Controller’s reasonable instructions;
    2. not Process Personal Data in a way that is incompatible with the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject);
    3. not Process Personal Data for longer than is necessary to carry out the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject);
    4. ensure that its personnel and Sub-Processors comply with equivalent measures in Processing Controller’s Personal Data;
    5. will make best efforts within industry acceptable standards have in place appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful Processing, or accidental loss or destruction or damage; and
    6. reasonably assist Controller to facilitate the fulfillment of Controller’s obligation to comply with any exercise of rights set forth in the applicable Data Protection Laws by a Data Subject or Supervisory Authority.
  4. Details of Processing.
    The Parties acknowledge that the Processing of Personal Data by JFrog is for the performance of the Cloud Services pursuant to the Agreement. The nature and purpose of the Processing, as well as the duration of the Processing, the types of Personal Data (which shall not include any Special Categories of Personal Data), and categories of Data Subjects Processed under this DPA are detailed in Appendix 1 to this DPA. The Personal Data is disclosed and transferred for the Permitted Purposes as set forth in the DPA.
  5. Restricted Transfers.
    1. With respect to Restricted Transfers of Personal Data from Controller to JFrog, the Parties hereby enter into module II (Controller to Processor) of the SCCs, which is incorporated into this Addendum as Appendix 2; for Restricted Transfer from the UK, the UK Addendum is incorporated as Appendix 3.
    2. Controller for itself and its relevant Affiliates are the “data exporter” and JFrog and its relevant Affiliates are the “data importer”, and both Parties have the authority to enter into the SCCs and the UK Addendum for themselves and their respective relevant Affiliates.
  6. Personal Data Breach.
    1. JFrog will notify the Controller without undue delay following any Personal Data Breach involving the Personal Data Processed by JFrog on behalf of the Controller.
    2. JFrog will cooperate with Controller, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to affected Data Subjects which are required following a Personal Data Breach, insofar as it relates to JFrog’s Processing of Personal Data under this DPA.
    3. Controller will not communicate any finding or admission of liability concerning any Personal Data Breach which directly or indirectly identifies JFrog without JFrog’s prior written approval.
  7. Security Responsibilities.
    JFrog is responsible for implementing and maintaining the Technical and Organizational Measures (“TOMs”) for the Cloud Services as described here, designed to help secure the Personal Data against unauthorized processing and accidental or unlawful loss, access, or disclosure.
  8. Sub-Processors.
    1. JFrog may engage third-party service providers to Process Personal Data on behalf of Controller (“Sub-Processors”) for the duration of the Cloud Services. Controller provides JFrog with a general authorization to engage the Sub-Processors listed here. JFrog may engage with a new Sub-Processor to Process Personal Data on Controller’s behalf. Controller shall subscribe to notifications of new Sub-Processors for the Cloud Services here. When Controller subscribes, JFrog will provide notification of a new Sub-Processor before permitting them to Process Personal Data in connection with the provision of the Cloud Services. All Sub-Processors are required to abide by substantially equivalent obligations as JFrog under this DPA as applicable to their performance of the service.
    2. Controller may object to JFrog’s use of a new Sub-Processor for reasonable and explained grounds, by notifying JFrog in writing to privacy@jfrog.com. within 5 (five) business days following JFrog’s notification. In the event Controller will object to a new Sub-Processor, JFrog will use reasonable efforts to make available to the Controller a change in the Cloud Services or recommend a commercially reasonable change to the configuration or use of the Cloud Services to avoid Processing of Personal Data by the objected new Sub-Processor without unreasonably burdening the Controller. If within ninety (90) days from Controller’s reasonable objection, JFrog is not able to provide a commercially reasonable alternative, Controller, as its sole and exclusive remedy in connection therewith, may terminate the affected part of the Cloud Services on thirty (30) days prior written notice to JFrog.
  9. Deletion of Personal Data.
    Upon termination or expiration of the Agreement JFrog shall delete, within up to sixty (60) days, all Personal Data provided by the Controller pursuant to the Agreement. For the removal of doubt, JFrog will not have any obligation to retain such data following the termination of this Agreement. This requirement shall not apply (i) to the extent JFrog is required by applicable law to which JFrog is subject, to retain some or all of the Personal Data; and (ii) to archived data on back-up systems (e.g., in the form of audit logs). In such case the relevant Personal Data shall be securely isolated and protected from any further Processing, except to the extent required by applicable law.
  10. Audit.
    Controller, at its own costs and expenses, shall be permitted to monitor JFrog compliance with this DPA by performing an annual virtual privacy and information security assessment. JFrog will: (i) provide Controller and any mutually authorized third-party representative with non-internal documentation necessary to demonstrate compliance with this DPA relating to the protection of Personal Data; which may include response to a privacy and information security questionnaire, copies of relevant audits, reviews, tests, or certifications of JFrog platform or processes, including an annual SOC2 Type II Report, ISO 27001 and ISO 27017 certifications; (ii) maintain its controls to the level attested to Controller in such assessments.
  11. Government Requests.
    Upon receipt of any request for disclosure of Personal Data by any government, including governmental bodies and law enforcement agencies, JFrog shall, to the extent allowed by law, (i) promptly forward and notify the Controller of receipt of such request; (ii) make reasonable efforts to oppose the request if possible; and (iii) limit the scope of any disclosure to what is strictly necessary to respond to the request.
  12. Conflict.
    1. In the event of any conflict or inconsistency between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data;
    2. In the event of any conflict between certain provisions of this DPA and any of its Schedules and the SCCs, the latter shall prevail.
  13. Governing Law and Jurisdiction.
    Without prejudice to clauses 17 and 18 of the SCCs and the UK Addendum:

    1. The Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
    2. This Addendum and all non-contractual or other obligations arising out of or in connection with it, are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
  14. Limitation of Liability.
    JFrog and its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
APPENDIX 1: DETAILS OF PROCESSING
Types of Personal Data Username, email address and IP address.
Details on such data are stipulated further in JFrog Privacy Policy.
Duration of Processing For the duration of the Cloud Services, and subject to local legal requirements.
Nature and Purpose of Processing Providing the Cloud Services to the Customer.
Categories of Data Subjects Controllers’ employees authorized to use the Cloud Services.
Sensitive Data transferred Not applicable.
Frequency of transfer Continuous basis for the duration of the Agreement.
For transfers to Sub-Processors As described above.
APPENDIX 2: STANDARD CONTRACTUAL CLAUSES

The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to a Restricted Transfer, as follows:

Module II – Controller to Processor
Clause 7 – Docking Clause Shall not apply.
Clause 9(a) – Use of Sub-Processors Option 2: general written authorization shall apply; prior notice of new Sub-Processors will be given ten (10) days in advance; the method for appointing and objecting to such changes shall be as set forth in Section 8 of the DPA.
Clause 11 – Redress The optional language shall not apply.
Clause 17 – Governing law Option 1 shall apply; the Parties agree that the SCCs shall be governed by the laws of the Republic of Ireland.
Clause 18(b) – Jurisdiction Disputes will be resolved before the courts of the Republic of Ireland.
Annex I.A – List of Parties
Customer / data exporter JFrog / data importer
Role Controller Processor
Relevant activities Use of the Cloud Services Provision of the Cloud Services
Name, address, and contact details As detailed in the Agreement
Signature and date By entering into the Agreement and/or DPA, data exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement
Annex I.B – Description of Transfer, as detailed in Appendix 1 of the DPA.
Annex I.C – Competent Supervisory Authority (in accordance with Clause 13)
The data exporter’s competent Supervisory Authority will be determined in accordance with the GDPR.
Annex II – JFrog Cloud Services Technical and Organizational Measures, as further detailed here.

Annex III – JFrog list of Subsidiaries and Sub-Processors, as stipulated in Section 8.1 of the DPA.

APPENDIX 3: UK INTERNATIONAL DATA TRANSFER ADDENDUM

    1. Parties.

As listed in Annex I.A.

    1. Effective Date.

This UK Addendum is effective from the same date as the SCCs.

    1. Background.

This UK Addendum is a summarized version of the International Data Transfer Addendum issued by the Information Commissioner Office and is intended to provide the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR (“Appropriate Safeguards”) for the purposes of Restricted Transfers, when it is entered into as a legally binding contract.

    1.  Interpretation.
      1. Where this UK Addendum uses terms that are defined in the SCCs, those terms shall have the same meaning as in the SCCs.
      2. If the provisions included in the UK Addendum amend the SCCs in any way which is not permitted under the SCCs or the UK Addendum, such amendment(s) will not be incorporated in this UK Addendum and the equivalent provision of the SCCs will take their place.
      3. If there is any inconsistency or conflict between UK Data Protection Laws and this UK Addendum, UK Data Protection Laws applies.
      4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this UK Addendum has been entered into.
    2. Hierarchy.

Where there is any inconsistency or conflict between the UK Addendum and the SCCs, the UK Addendum overrides the SCCs, except where (and in so far as) the inconsistent or conflicting terms of the SCCs provides greater protection for data subjects, in which case those terms will override the UK Addendum.

  1. Incorporation of the Clauses.
    1. This UK Addendum incorporates the SCCs which are deemed to be amended to the extent necessary, so that together they operate for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and to provide Appropriate Safeguards for those transfers;
    2. The following amendments to the SCCs are made:
    “Clauses” UK Addendum as it incorporates the SCCs.
    “Regulation (EU) 2016/679” and “that Regulation” Replaced: “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
    “Regulation (EU) 2018/1725” Removed.
    “Union”, “EU” and “EU Member State” Replaced: UK.
    Clause 2 – Effect and invariability of the Clauses Removed: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”
    Clause 6 – Description of the transfer(s) Replaced: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Appendix A (B) where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
    Clause 8.8(i) – Onward Transfers Replaced: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
    Clause 13(a) – Supervision Not used, the “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”.
    Clause 16(e) – Non-compliance with the Clauses and termination Replaced: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”
    Clause 17 – Governing law Replaced: “These Clauses are governed by the laws of England and Wales.”
    Clause 18(b) – Jurisdiction Replaced: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
    Footnotes Do not form part of the UK Addendum, except for footnotes 8, 9, 10 and 11.
  2. Amendments to this UK Addendum.
    1. The Parties may amend this UK Addendum by agreeing to the changes in writing, provided they maintain the Appropriate Safeguards.
    2. From time to time, the ICO may issue a revised UK Addendum which will specify the start date from which the changes to the UK Addendum are effective, and whether the Parties need to review it, such revision will be automatically amended from the start date specified.
  3.    Executing this UK Addendum.
    1. The Parties may enter into this UK Addendum (incorporating the SCCs) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the SCCs.
    2. By entering into the Agreement and/or DPA, data exporter is deemed to have signed this UK Addendum incorporated herein, as of the Effective Date of the Agreement.