Last Updated: January 2, 2022
This Data Processing Addendum (“DPA” or “Addendum”) is hereby incorporated by reference into, and becomes a binding part of the Terms of Service for JFrog’s Cloud Services (the “Cloud Services”) available here, or any other existing agreement between the Customer and JFrog for the provision by JFrog of any of its Cloud Services (the “Agreement”) in which JFrog and its Affiliates (“JFrog” or “Processor”) acts as a Processor of Customer’s data. All capitalized terms not defined herein will have the meaning set forth in the Agreement.
For the purposes of this DPA, the term “Customer” or “Controller” shall include both the individual using the Cloud Services offered under the applicable Agreement and any legal entity on whose behalf such individual is acting. This DPA sets out the terms that apply with regards to the Processing of Personal Data (as defined below) by JFrog, on behalf of Customer, in the course of providing the Cloud Services to Customer under the Agreement.
In this Addendum, the following terms will have the meanings set out below:
- “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Controller or Processor (as applicable), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Process/Processing”, “Processor”, and “Special Categories of Personal Data” will have the same meaning as defined in Data Protection Laws;
- “Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), as well as the Data Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (UK GDPR), as applicable to the Processing of Personal Data under the Agreement;
- “Data Subject Request” means a request from a Data Subject to exercise any right under Data Protection Laws;
- “EEA” means the European Economic Area, and unless otherwise indicated, EEA or Member States of the EEA will continue to include the United Kingdom after it exits the European Union;
- “Personal Data” means any Personal Data that is disclosed by Controller to Processor in the performance of Processor’s rights or obligations under the Agreement, to the extent such Personal Data is related to residents of the EEA, or the disclosure of such Personal Data is otherwise subject to Data Protection Laws;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Processor on behalf of the Controller;
- “Restricted Transfer” means a transfer of Personal Data from Controller to Processor, to a jurisdiction outside of the EEA which is not deemed to have “adequate safeguards” as set forth under Data Protection Laws;
- “Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of Personal Data to third countries which do not ensure an adequate level of protection as set out by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 under Regulation (EU) 2016/679 as updated, amended, replaced or superseded from time to time by the European Commission, or (ii) any other contractual clauses or other mechanism approved by a Supervisory Authority or by Data Protection Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Supervisory Authority or Data Protection Laws; and
- “Supervisory Authority” means (i) an independent public authority which is established by a Member State pursuant to the GDPR; and (ii) any similar regulatory authority responsible for the enforcement of Data Protection Laws in the United Kingdom.
- Disclosing of Personal Data.
- only have Processor Process Personal Data in accordance with the requirements of the applicable Data Protection Laws;
- only disclose the Personal Data for one or more defined purposes which are consistent with the terms of the Agreement (“Permitted Purposes”);
- have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data;
- ensure that a notice has been made available and will continue to be accessible to the relevant Data Subjects informing them that their Personal Data will be disclosed to the Processor or to a category of third party describing the Processor;
- ensure that it has obtained any necessary consents or authorizations required to permit the Processor to freely Process the Personal Data for the Permitted Purposes;
- not disclose any Special Categories of Personal Data to the Processor; and
- be responsible for the security of any Personal Data in transmission from Controller to Processor.
- Processing of Personal Data.
In its capacity as a Processor, JFrog will:
- only Process Personal Data on behalf of and in accordance with Controller’s reasonable instructions;
- not Process Personal Data in a way that is incompatible with the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject);
- not Process Personal Data for longer than is necessary to carry out the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject);
- ensure that its personnel and Sub-Processors fully comply with the provisions hereof in Processing Controller’s Personal Data;
- make best efforts, within industry-accepted standards, to have in place appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful Processing, or accidental loss, destruction or damage; and
- reasonably assist Controller to facilitate the fulfillment of Controller’s obligation to comply with any exercise of rights set forth in the applicable Data Protection Laws by a Data Subject or Supervisory Authority.
- Details of Processing.
The parties acknowledge that the Processing of Personal Data by JFrog is for the performance of the Cloud Services pursuant to the Agreement. The nature and purpose of the Processing, as well as the duration of the Processing, the types of Personal Data (which shall not include any Special Categories of Personal Data), and categories of Data Subjects Processed under this DPA are detailed in Appendix 1 to this DPA. The Personal Data is disclosed and transferred for the Permitted Purposes as set forth in the DPA.
- Restricted Transfers.
- With respect to Restricted Transfers from Controller to JFrog, the parties will enter into module II (Controller to Processor) of the Standard Contractual Clauses, which is incorporated into this Addendum as Appendix 3, if applicable.
- Controller, for itself and its relevant Affiliates, is the “data exporter” and JFrog and its relevant Affiliates are the “data importer”, and both parties have the authority to enter into the Standard Contractual Clauses for themselves and their respective relevant Affiliates.
- Personal Data Breach.
- JFrog will notify the Controller without undue delay following any Personal Data Breach involving the Personal Data Processed by JFrog on behalf of the Controller.
- JFrog will cooperate with Controller, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to affected Data Subjects which are required following a Personal Data Breach involving the Personal Data, insofar as it relates to JFrog’s Processing of Personal Data under this DPA.
- Controller will not communicate any finding or admission of liability concerning any Personal Data Breach which directly or indirectly identifies JFrog without JFrog’s prior written approval.
- Security Responsibilities.
JFrog is responsible for implementing and maintaining the technical and organizational measures for the Cloud Services as described in Appendix 2 to this DPA, designed to help secure Controller’s Personal Data against unauthorized processing and accidental or unlawful loss, access, or disclosure.
- JFrog may engage third-party service providers to Process Personal Data on behalf of Controller (“Sub-Processors”) for the duration of the Cloud Services. Controller provides JFrog with a general authorization to engage the Sub-Processors listed here. JFrog may engage with a new Sub-Processor to Process Personal Data on Controller’s behalf. Controller shall subscribe to notifications of new Sub-Processors for the Cloud Services here. When Controller subscribes, JFrog will provide notification of a new Sub-Processor before permitting them to Process Personal Data in connection with the provision of the Cloud Services. All Sub-Processors are required to abide by substantially equivalent obligations as JFrog under this DPA as applicable to their performance of the service.
- Controller may object to JFrog’s use of a new Sub-Processor for reasonable and explained grounds, by notifying JFrog in writing to firstname.lastname@example.org within 5 business days following JFrog’s notification. In the event Controller objects to a new Sub-Processor, JFrog will use reasonable efforts to make available to the Controller a change in the Cloud Services or recommend a commercially reasonable change to the configuration or use of the Cloud Services to avoid Processing of Personal Data by the objected new Sub-Processor without unreasonably burdening the Controller. If within 90 days from Controller’s reasonable objection JFrog is not able to provide a commercially reasonable alternative, Controller, as its sole and exclusive remedy in connection therewith, may terminate the affected part of the Cloud Services on 30 days prior written notice to JFrog.
- Deletion of Data.
Upon termination or expiration of the Agreement JFrog shall delete, within up to sixty (60) days, all Personal Data provided by the Controller pursuant to the Agreement. For the removal of doubt, JFrog will not have any obligation to retain such data following the termination of this Agreement. This requirement shall not apply (i) to the extent JFrog is required by applicable law to which JFrog is subject, to retain some or all of the Personal Data, and (ii) to archived data on back-up systems (e.g., in the form of audit logs). In such case the relevant Personal Data shall be securely isolated and protected from any further Processing, except to the extent required by applicable law.
Controller, at its own costs and expenses, shall be permitted to monitor JFrog’s compliance with this DPA by performing an annual virtual information security assessment. JFrog will: (i) provide Controller and any mutually authorized third-party representative access to all non-internal documentation necessary to demonstrate compliance with this DPA relating to the protection of Personal Data; which may include responses to an information security-related questionnaire, copies of relevant audits, reviews, tests, or certifications of JFrog’s systems or processes, including an annual SOC2 Type II Report, ISO 27001 and ISO 27017 certifications; (ii) maintain its controls to the level attested to Controller in such assessments.
- Government Requests.
Upon receipt of any request for disclosure of Personal Data by any government, including governmental bodies and law enforcement agencies, JFrog shall, to the extent allowed by law, (i) promptly forward and notify the Controller of receipt of such request, (ii) make reasonable efforts to oppose the request if possible, and (iii) limit the scope of any disclosure to what is strictly necessary to respond to the request.
- In the event of any conflict or inconsistency between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data;
- In the event of any conflict between certain provisions of this DPA and any of its Schedules and the Standard Contractual Clauses, the latter shall prevail.
- Governing Law and Jurisdiction.
Without prejudice to clauses 17 and 18 of the Standard Contractual Clauses:
- the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
- Limitation of Liability.
JFrog’s and its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
APPENDIX 1: DETAILS OF PROCESSING
| Item | Details |
| --- | --- |
| Nature and Purpose of Processing | Providing the Cloud Services to the Customer. |
| Duration of Processing | For the duration of the Cloud Services, and subject to local legal requirements. |
| Types of Personal Data | Username, email address and IP address. |
| Categories of Data Subjects | Controller’s employees authorized to use the Cloud Services. |
APPENDIX 2: TECHNICAL AND ORGANIZATIONAL CLOUD SECURITY MEASURES
- Each cloud Customer account is deployed with a unique ID to guarantee adequate separation.
- Each cloud Customer account is granted with its own unique and narrow role, based on least privilege principle. We grant just the permissions which are required to perform tasks and access shared resources, such as databases and cloud object storage.
- The default and automatic deployment of the JFrog SaaS solution is on a shared environment including the following resources:
  - The load balancer is a shared component at the region level.
  - The applications’ database schema and role are dedicated for each Customer. The applications’ database is a cloud provider managed service, shared at the region level.
  - Each Customer has its own unique role with permissions for their own files. The applications’ file store is a cloud provider managed service, shared at the region level.
- JFrog SaaS solution uses managed object storage and databases from the major cloud providers. Each Customer has their own unique role with permissions to their own data.
- Data in transit is defined as data that is actively transferring between different destinations (e.g., applications to databases or object storage) over the same network or over the internet. In the JFrog SaaS solution, every Customer’s data is encrypted in transit using HTTPS with TLS v1.2.
- Data at rest is defined as data that is physically stored and hosted in any digital form (e.g., cloud storage, databases, data warehouses, or cloud backups) and not actively transferring between different destinations. In the JFrog SaaS solution, all hosted data at rest is securely stored in a database and object storage using 256-bit AES encryption.
Application and Infrastructure Control
- As part of our multi-layer cloud protection approach, a dedicated DDoS mitigation ecosystem has been put in place. JFrog utilizes anti-DDoS protection, a next-gen WAF, an API protection tool, advanced rate limiting and bot protection.
- JFrog’s Cyber Incident Response Team (CIRT) constantly monitors our products, infrastructure operations and security solutions. JFrog’s security has established a comprehensive strategy and policies to respond, notify, and remediate security incidents promptly and efficiently.
- JFrog’s CIRT continuously monitors our products’ logs, infrastructure operations and systems audit logs in our internal Security Information and Event Management (SIEM) to detect potential incidents promptly and efficiently. As part of this ongoing effort, the CIRT investigates and responds to reports from bug bounty programs, vulnerability disclosure programs, automated scanners, Customer support portal and dedicated email inbox.
- To ensure prompt and efficient response time, our Security Operations Center (SOC) is staffed with highly qualified and experienced security experts, who work to fulfill our internal SLA policy.
- JFrog has defined access roles for each system and service based on least privilege principle. Access to all our applications is possible only via Single Sign-on (SSO) and 2-factor authentication (2FA) with strong password policies.
- JFrog requires that its employees use a password manager to ensure that they use unique and complex passwords and store them in a secure vault.
- JFrog uses a zero-trust solution to securely connect our employees, devices, and apps over JFrog’s internal network. Our zero-trust solution provides Web and URL filtering, sandboxing, cloud firewall, CASB and DLP.
- JFrog engineers connect to our production resources using an advanced 2FA and just-in-time access solution, which allows us to employ the principle of least privilege and conduct a full audit.
- JFrog laptops are equipped with encryption technology that is turned on by default, in compliance with our policy, along with advanced anti-malware software.
- JFrog uses email protection solutions designed to prevent malware, zero-day attacks, phishing, Business Email Compromise (BEC), spam and N-days.
- All JFrog employees receive mandatory privacy and cyber security awareness training as part of their onboarding, as well as mandatory annual ones thereafter. Moreover, employees receive ongoing security education training about topics such as phishing, password management, secure development, and security best practices for operating cloud accounts.
- JFrog’s CIRT works with external incident response experts to assist us with emergency security incidents. As part of our comprehensive vulnerability management process, JFrog’s CIRT runs continuous and automated vulnerability scans of all our assets, prioritizes vulnerability fixes, and releases patches quickly.
- ISO 27001, ISO 27017
- SOC 2 Type II
APPENDIX 3: STANDARD CONTRACTUAL CLAUSES
The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to a Restricted Transfer, as follows:
Module II – Controller to Processor
| Clause | Election |
| --- | --- |
| Clause 7 – Docking Clause | Shall not apply. |
| Clause 9 – Use of Sub-Processors | Option 2: general written authorization shall apply, and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in Section 8 of the DPA. |
| Clause 11 – Redress | The optional language shall not apply. |
| Clause 17 – Governing law | Option 1 shall apply; the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland. |
| Clause 18(b) – Jurisdiction | Disputes will be resolved before the courts of the Republic of Ireland. |
Annex I.A – List of Parties

| | Customer / data exporter | JFrog / data importer |
| --- | --- | --- |
| | Use of the Cloud Services | Provision of the Cloud Services |
| Name, address, and contact details | As detailed in the Agreement | As detailed in the Agreement |
| Signature and date | By entering into the Agreement and/or DPA, data exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement. | |
Annex I.B – Description of Transfer

| Item | Details |
| --- | --- |
| Categories of Data Subjects and Personal Data | As detailed in Appendix 1 of the DPA |
| Sensitive Data transferred | |
| Frequency of transfer | Continuous basis for the duration of the Agreement |
| Nature and purpose of processing | As detailed in Appendix 1 of the DPA |
| Period for Personal Data retention | As detailed in Appendix 1 of the DPA |
| For transfers to Sub-Processors | As detailed in Section 8 of the DPA |
Annex I.C – Competent Supervisory Authority

| Data exporter establishment | Supervisory Authority (in accordance with Clause 13) |
| --- | --- |
| Established in an EU Member State | Of the applicable Member State |
| Not established in an EU Member State, but subject to Articles 3(2) and 27(1) of the GDPR | Of the Member State in which the representative under Article 27(1) is appointed |
| Not established in an EU Member State, but subject to Article 3(2) of the GDPR | Of the Member State of the applicable Data Subjects whose Personal Data is transferred |
Annex II – Technical and Organizational Measures, as detailed in Appendix 2 to the DPA.
Annex III – List of Subsidiaries and Sub-Processors, as stipulated in Section 8.1 of the DPA.