JFrog Cloud Data Processing Addendum

1. DEFINITIONS
2. DETAILS OF PROCESSING
3. DISCLOSING OF PERSONAL DATA
4. PROCESSING OF PERSONAL DATA
5. CALIFORNIA-RELATED PROCESSING OF PERSONAL DATA
6. RESTRICTED TRANSFERS
7. SECURITY RESPONSIBILITIES
8. SECURITY BREACH
9. SUB-PROCESSORS
10. DATA PROTECTION IMPACT ASSESSMENT
11. GOVERNMENT REQUESTS
12. DELETION OF PERSONAL DATA
13. AUDIT REPORTS
14. CONFLICT
15. GOVERNING LAW AND JURISDICTION
16. MODIFICATIONS

APPENDIX 1: DETAILS OF PROCESSING
APPENDIX 2: STANDARD CONTRACTUAL CLAUSES
APPENDIX 3: TECHNICAL AND ORGANIZATIONAL MEASURES
APPENDIX 4: SUB-PROCESSORS LIST

1. DEFINITIONS
   In this DPA, the following terms will have the meanings set out below:
   1. “Controller”, “Member State”, “Process/Processing”, “Processor”, “Special Categories of Personal Data”, “Business”, “Consumer”, “Personal Information”, “Sell”, “Share” and “Service Provider” shall have the same meaning as defined in Data Protection Laws;
   2. “Data Protection Laws” means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR“); (ii) UK Data Protection Laws which means theData Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR“); and (iii) California Data Protection Laws which means the California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq. (“CCPA”) including as modified by the California Privacy Rights Act of 2020 and its implementing regulations (“CPRA”), as amended, or superseded from time to time, and as applicable to the Processing of Personal Data under this DPA;
   3. “Data Subject Request” means a request from a Data Subject to exercise applicable rights under Data Protection Laws;
   4. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) Processed by JFrog on behalf of the Controller under this DPA and the Agreement;
   5. “Restricted Transfer” means a transfer of Personal Data from Controller to Processor, to a jurisdiction outside of the European Economic Area (“EEA”) and/or the United Kingdom of Great Britain and Northern Ireland (“UK”), unless such transfer is made to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant authorities of the EEA and/or the UK as relevant (“Adequacy Decision”);
   6. “Security Breach” means a breach of security leading to any unauthorized, accidental or unlawful destruction, loss, alteration, disclosure of, or access to Personal Data which has been validated by JFrog;
   7. “Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of Personal Data to third countries which do not ensure an adequate level of protection as set out by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 under the GDPR as updated, amended, replaced or superseded from time to time by the European Commission (“EU SCCs”); and (ii) Standard Data Protection Clauses issued by the UK Information Commissioner’s Office (“ICO”) under S119A(1) of Data Protection Act 2018, to the SCCs, for parties making Restricted Transfers (“UK Addendum”), collectively “SCCs”; and
   8. “Supervisory Authority” means, as applicable, an appointed government entity with the authority to enforce Data Protection Laws, including, but not limited to (i) an independent public authority which is established by a Member State pursuant to the GDPR; and (ii) the ICO in the UK.
2. DETAILS OF PROCESSING
   The Parties acknowledge that the Processing of Personal Data by JFrog is for the provision of the JFrog Platform pursuant to the Agreement. The nature and purpose of the Processing, as well as the duration of the Processing, the types of Personal Data, and categories of Data Subjects whose Personal Data shall be Processed under this DPA, are detailed in Appendix 1. Such Personal Data is disclosed and transferred for the Permitted Purposes as set forth in this DPA.
3. DISCLOSING OF PERSONAL DATA
   Controller will:
   1. only have JFrog Process Personal Data in accordance with the requirements of the applicable Data Protection Laws;
   2. only disclose Personal Data to JFrog for one or more defined purposes which are consistent with the terms of the Agreement (“Permitted Purposes”);
   3. have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data;
   4. where required under Data Protection Laws, ensure that a notice has been made available to the relevant Data Subjects informing them that their Personal Data will be disclosed to JFrog or to a category of third party describing JFrog; and
   5. not disclose any Special Categories of Personal Data to JFrog.
4. PROCESSING OF PERSONAL DATA
   In its capacity as a Processor, JFrog will:
   1. only Process Personal Data on behalf of and in accordance with Controller’s reasonable instructions as detailed in this DPA;
   2. not Process Personal Data in a way that is incompatible with, or for longer than is necessary to carry out, the Permitted Purposes (other than to comply with a requirement of applicable law to which JFrog is subject);
   3. ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and received appropriate information security and privacy training on their responsibilities;
   4. maintain an information security program designed to implement appropriate Technical and Organizational Measures (“TOMs”) to protect Personal Data against a Security Breach as detailed in Section 7 below (Security Responsibilities); and
   5. reasonably assists Controller to facilitate the fulfillment of Controller’s obligation to comply with any exercise of Data Subject Requests set forth in the applicable Data Protection Laws by a Data Subject or a Supervisory Authority, to the extent Controller does not have the ability to fulfill such a request. Notwithstanding anything to the contrary, Controller shall be solely responsible for complying with the Data Subject Requests and its own obligations under Data Protection Laws.
5. CALIFORNIA-RELATED PROCESSING OF PERSONAL DATA
   1. The parties acknowledge and agree that with regard to the Processing of Personal Information under California Data Protection Laws, JFrog is the Service Provider and Customer is the Business.
   2. In connection with the provision of the JFrog Platform to the Customer, if California Data Protection Laws apply and to the extent JFrog Processes Personal Data on behalf of Customer, JFrog may (i) not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise share Personal Data to any third party for monetary compensation; (ii) not use Personal Data provided by Customer in connection with the Agreement to identify or contact Data Subjects for behavioral advertising or retargeting outside the Permitted Purpose or the direct business relationship with the Customer, unless obtained directly by JFrog; and (iii) combine Personal Data with data received from other entities to the extent necessary to detect Security Breach or protect against fraudulent or illegal activity.
   3. Customer hereby approves and consents to the use and transfer of Personal Data by JFrog to its applicable Affiliates, service providers, third parties and vendors, in order to provide the JFrog Platform to Customer.
   4. To exercise Data Subject Rights under California Data Protection Laws, Customer may email JFrog at privacy@jfrog.com; or call JFrog at +1-408-329-1540.
6. RESTRICTED TRANSFERS
   1. With respect to Restricted Transfers of Personal Data that is protected by the GDPR or the UK GDPR as applicable, the Parties hereby enter into the EU SCCs, completed as set out below in Appendix 2 of this DPA, which shall also be deemed amended as specified by the UK Addendum.
   2. Both Parties have the authority to enter into the SCCs for themselves and their respective relevant Affiliates. If the mechanism for Restricted Transfers of Personal Data outside of the EEA and/or the UK changes or requires an update, JFrog will put in place alternative arrangements for such Restricted Transfers, as required by applicable Data Protection Laws.
7. SECURITY RESPONSIBILITIES
   1. JFrog shall ensure an appropriate level of security, considering the state of the art, the costs of implementation, the nature, scope, context, and the Permitted Purpose of the Processing, as well as the severity of the risk, and industry best practices, when implementing and maintaining the TOMs described in Appendix 3.
   2. JFrog shall regularly monitor compliance with the TOMs and will ensure that JFrog’s information security policies and procedures coincide with the organizational controls intended to meet the JFrog Certificate Program.
   3. Controller acknowledges that the TOMs may be updated from time to time to reflect process improvements or changing practices, provided that the modifications shall not materially decrease the overall security of the JFrog Platform during the term of the Agreement.
8. SECURITY BREACH
   1. Upon becoming aware of a Security Breach involving Personal Data, JFrog will notify Controller without undue delay and within seventy-two (72) hours, unless such notification is delayed or prohibited by applicable law. To the extent possible, JFrog will provide the Controller with a description of (i) the nature of the Security Breach; (ii) likely consequences of the Security Breach; and (iii) mitigation measures taken to address the Security Breach.
   2. JFrog shall take all necessary steps consistent with industry best practices, considering the severity of the risk, to resolve such Security Breach as quickly as possible and to prevent its recurrence. JFrog will reasonably assist the Controller with conducting investigations and analysis regarding the Security Breach.
   3. The Controller is responsible for complying with Security Breach notification laws applicable to Controller and fulfilling any third-party notification obligations related to the Security Breach. JFrog will cooperate with Controller, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to affected Data Subjects which are required following a Security Breach, insofar as it relates to JFrog’s Processing of Personal Data under this DPA.
   4. JFrog’s notification of or response to a Security Breach will not be construed as an acknowledgement by JFrog of any fault or liability with respect to the Security Breach. To the extent legally permissible, Controller will not communicate any findings or admission of liability concerning any Security Breach which directly or indirectly identifies JFrog without JFrog’s prior written approval.
9. SUB-PROCESSORS
   1. JFrog may engage third-party service providers to Process Personal Data on behalf of Controller (“Sub-Processors”) for the duration of the Agreement. Controller provides JFrog with a general authorization to engage the Sub-Processors listed at Appendix 4 below. JFrog may engage with a new Sub-Processor to Process Personal Data on Controller’s behalf. JFrog shall maintain a list of Sub-Processors available online, and Controller shall subscribe to notifications of new Sub-Processors at https://jfrog.com/trust/privacy/sub-processors/. When Controller subscribes, JFrog will provide notification of a new Sub-Processor thirty (30) days before permitting them to Process Personal Data in connection with the provision of the JFrog Platform. All Sub-Processors are required to abide by substantially equivalent obligations as JFrog under this DPA as applicable to their performance of the related service. JFrog shall be responsible for its Sub-Processors’ compliance with the obligations of this DPA.
   2. Controller may object to JFrog’s use of a new Sub-Processor for reasonable data protection concerns, relating to the protection of Personal Data intended to be Processed by such Sub-Processor, by notifying JFrog in writing to privacy@jfrog.com within ten (10) days following JFrog’s notification. If no objection is received, it is deemed the Controller has authorized the intended changes. In the event Controller objects to such new Sub-Processor, JFrog will use reasonable efforts to make available and/or recommend a commercially reasonable change to the configuration or use of the JFrog Platform by the Controller to avoid Processing of Personal Data by the objected new Sub-Processor without unreasonably burdening the Controller. If within ninety (90) days from Controller’s reasonable objection, JFrog is not able to provide a commercially reasonable alternative, Controller, as its sole and exclusive remedy in connection therewith, may terminate the affected Processing of Personal Data on thirty (30) days prior written notice to JFrog.
10. AUDIT REPORTS
    1. Controller may assess JFrog compliance with this DPA subject to: (i) prior written request of at least thirty (30) days; (ii) once a year; and (iii) valid confidentiality obligations.
    2. JFrog will provide Controller and any mutually authorized third-party representative with applicable documentation relating to the protection of Personal Data in the form of (a) privacy and information security questionnaires; and (b) copies or extracts from JFrog’s relevant audits, reviews, tests, or certifications (collectively “Audit Reports”), in accordance with the JFrog Certificate Program.
    3. Controller acknowledges that JFrog Certificate Program is audited annually by independent third-party auditors. If the requested audit scope is addressed in the JFrog Certificate Program, the Controller agrees to accept the findings presented in the Audit Reports in lieu of requesting an audit of the same controls.
    4. JFrog shall not be required to provide information that may cause JFrog to compromise its own internal, legal, or regulatory compliance obligations or that is commercially sensitive.
11. DATA PROTECTION IMPACT ASSESSMENT
    Considering the nature of the Processing and the information available to JFrog, JFrog will, when required by Data Protection Laws, assist Controller with its obligations related to data protection impact assessments, and prior consultation with Supervisory Authorities, only to the extent that Controller does not otherwise have access to the relevant information, including by providing the information outlined in Section 10 above (Audit Reports).
12. GOVERNMENT REQUESTS
    Upon receipt of any request for disclosure of Personal Data by any government, including governmental bodies and law enforcement agencies, JFrog shall, to the extent allowed by law, (i) promptly forward and notify the Controller of receipt of such request; (ii) make reasonable efforts to oppose the request if possible; and (iii) limit the scope of any disclosure to what is strictly necessary to respond to the request.
13. DELETION OF PERSONAL DATA
    Upon termination or expiration of the Agreement, JFrog shall delete Personal Data provided by the Controller pursuant to the Agreement, within sixty (60) days, except: (i) as required by applicable law; (ii) to fulfill legal obligations; (iii) to protect JFrog’s legal rights; and (iv) as stored in JFrog’s backup system, provided that such Personal Data shall continue to be subject to the provisions of this DPA. In such case the relevant Personal Data shall be securely isolated and protected from any further Processing, except to the extent required by applicable law. JFrog will not have any obligation to retain Personal Data following the termination of the Agreement.
14. CONFLICT
    In the event of any conflict or inconsistency between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data. In the event of any conflict between certain provisions of this DPA and any of its Schedules and the SCCs, the latter shall prevail.
15. GOVERNING LAW AND JURISDICTION
    Without prejudice to clauses 17 and 18 of the SCCs, this DPA and all non-contractual or other obligations arising out of or in connection with it, are governed by the laws and subject to the exclusive jurisdiction of the courts set out in the Agreement.
16. MODIFICATIONS
    Each Party may, by at least forty-five (45) days prior written notice to the other Party, request in writing variations to this DPA if they are required as a result of any change in applicable Data Protection Laws, to allow Processing of such Personal Data to be made (or continue to be made) without breach of applicable Data Protection Laws. Pursuant to such notice, the Parties shall use commercially reasonable efforts and negotiate in good faith to accommodate such required modifications as soon as is reasonably practicable. In addition, JFrog may amend this DPA from time to time without notice, provided that such changes are not adverse in any material aspect with respect to the Controller’s rights or JFrog’s obligations. If JFrog shall make such material adverse changes, JFrog will notify Controller by posting an announcement on the Website, via the JFrog Platform and/or by sending an email.

APPENDIX 1: DETAILS OF PROCESSING

APPENDIX 2: STANDARD CONTRACTUAL CLAUSES

The Parties agree that the terms of Module II – Controller to Processor of the EU SCCs (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), together with the UK Addendum (available at:
https://ico.org.uk/media/about-the-ico/consultations/2620398/draft-ico-addendum-to-com-scc-20210805.pdf) are hereby incorporated by reference and shall apply to a Restricted Transfer, as follows:

APPENDIX 3: TECHNICAL AND ORGANIZATIONAL MEASURES

Please see JFrog Technical and Organizational Measures detailed here.

APPENDIX 4: SUB-PROCESSORS AND AFFILIATES LIST

Please see JFrog Sub-Processors and Affiliates List here.