JFrog Cloud Data Processing Addendum
Last Updated: August 16, 2020
This Data Processing Addendum (“DPA” or “Addendum”), is hereby incorporated by reference into any existing services agreement between you and JFrog for the provision by JFrog of any of its cloud offerings (the “Agreement”) in which JFrog acts as a Processor of your information.
For the purposes of this DPA, the term “you” shall include both the individual using the services offered under the applicable Agreement and any legal entity on whose behalf such individual is acting.
Types of Data Subjects: Employees of Controller
- Definitions. In this Addendum, the following terms will have the meanings set out below:
- “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either JFrog or Controller (as applicable), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Controller”, “Data Subject”, “Personal Data Breach”, “Process/Processing”, “Processor”, and “Special Categories of Personal Data” will have the same meaning as defined in EU Data Protection Laws. For the removal of doubt, for the purpose of this DPA, Controller shall mean you;
- “Data Subject Request” means a request from a Data Subject to exercise any right under EU Data Protection Laws;
- “EEA” means the European Economic Area, and unless otherwise indicated, EEA or Member States of the EEA will continue to include the United Kingdom after it exists the European Union;
- “EU Data Protection Laws” will mean Directive 95/46/EC (Data Protection) and Directive 2002/58/EC (ePrivacy), in each case as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and any data protection laws substantially amending, replacing or superseding the GDPR following any exit of the United Kingdom from the European Union;
- “EU Personal Data” means any Personal Data that is disclosed by Controller or its Affiliate (“Discloser”) to JFrog or its Affiliate (“Recipient”) in the performance of JFrog’s rights or obligations under the Agreement, to the extent such Personal Data is related to residents of the EEA, or the disclosure of such Personal Data is otherwise subject to EU Data Protection Laws;
- “Personal Data” means any personal data, as defined in EU Data Protection Laws;
- “Restricted Transfer” means a transfer of EU Personal Data from Discloser to Recipient, to a jurisdiction outside of the EEA which is not deemed to have “adequate safeguards” as set forth under GDPR, Art. 45(1) (or any succeeding legislation of the United Kingdom upon its exit from the European Union);
- “Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of personal data to controllers established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2004)5721, as updated, amended, replaced or superseded from time to time by the European Commission, or
- (ii) any other contractual clauses or other mechanism approved by a Supervisory Authority or by Data Protection Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Supervisory Authority or Data Protection Laws; and
- “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to GDPR, Art. 51; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws in the United Kingdom upon its exit from the European Union.
- Disclosing of Personal Data. Controller will:
- only disclose the Personal Data for one or more defined purposes which are consistent with the terms of the Agreement (“Permitted Purposes”);
- ensure that a notice has been made available and will continue to be accessible to the relevant Data Subject(s) informing them that their Personal Data will be disclosed to the Recipient or to a category of third party describing the Recipient;
- ensure that it has obtained any necessary consents or authorizations required to permit the Recipient to freely Process the Personal Data for the Permitted Purposes;
- not disclose any Special Categories of Personal Data to the Recipient; and
- be responsible for the security of any Personal Data in transmission from Controller to JFrog.
- Processing of Personal Data. In its capacity as a Processor, JFrog will:
- not Process Personal Data in a way that is incompatible with the Permitted Purposes (other than to comply with a requirement of applicable law to which Recipient is subject);
- not Process Personal Data for longer than is necessary to carry out the Permitted Purposes (other than to comply with a requirement of applicable law to which Recipient is subject)
- ensure that its personnel and sub-processors fully comply with the provisions hereof in Processing Controller’s Personal Data; and
- will make best efforts within industry acceptable standards have in place appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful Processing, or accidental loss or destruction or damage, and to facilitate the fulfilment of JFrog’s obligation to comply with any exercise of rights set forth in the GDPR by a Data Subject.
- Personal Data Breaches
- JFrog will notify the Controller without undue delay following any Personal Data Breach involving the Personal Data.
- JFrog will co-operate with Controller, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to Data Subjects which are required following a Personal Data Breach involving the Personal Data.
- Description of Personal Data. The parties acknowledge that the EU Personal Data (a) may include the categories of personal data specified in the preamble to this Addendum, which shall not include any Special Categories of Data (sensitive data); (b) is related to the types of data subjects specified in the preamble to this Addendum; and (c) is disclosed and transferred for the Permitted Purposes as set forth in the Agreement, which may include enabling use of the services as detailed in the Agreement, technical assistance and support, invoices and payments and marketing efforts.
- Restricted Transfers. With respect to any Restricted Transfers, the parties hereby enter into the Standard Contractual Clauses, which are incorporated by reference into this Addendum as follows:
- Controller for itself and its relevant Affiliates is the “data exporter” and JFrog and its relevant affiliates are the “data importers”, and both parties have the authority to enter into the Standard Contractual Clauses for themselves and their respective relevant Affiliates.
- For the purposes of clause II h) of the Standard Contractual Clauses, the Parties shall be deemed to have selected option (iii). Annex 2 to the Standard Contractual Clauses shall be deemed to be prepopulated with the relevant information in Section 5 of this Addendum, and the following contact information: (a) data exporter: Controller name and mailing address as set forth in the preamble to this Addendum; and (b) data importer: firstname.lastname@example.org.
- Governing Law and Jurisdiction. Without prejudice to clause IV of the Standard Contractual Clauses:
- the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.