JFrog Trust Privacy Center

Welcome to the Privacy Center, a dedicated resource that provides details about the JFrog privacy program. We believe in transparency and accountability, and we invite you to explore our Privacy Center to learn more about our privacy practices and externally validated controls. For additional information about JFrog product security, visit: https://jfrog.com/trust/

Privacy Documentation

Cloud Data Processing Addendum

Sub-Processor Information

Cloud Data Security Addendum (formally known as TOMs)

About Our Privacy Program

JFrog powers the software that powers the world. The JFrog global privacy program is designed in alignment with global data protection and privacy regulations, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). The JFrog Privacy & AI Office continuously monitors regulatory developments to confirm our practices remain current with applicable data protection and privacy laws. Our privacy team includes subject matter experts who hold various International Association of Privacy Professionals (IAPP) certifications.

Sub-Processors

JFrog conducts international transfers to our Affiliates to provide 24/7 “follow-the-sun” support and to perform essential administrative and security functions for our Platform and infrastructure. We also use third-party data processors for specific functions, with limited data processing. For a complete list of our Sub-Processors, including Affiliates, visit our Sub-Processors page.

JFrog Privacy Notice

JFrog’s Privacy Notice provides comprehensive information about how we collect, use, and protect your personal data. This document outlines:

What personal information we collect and why
How we use your information to provide and improve our services
Your rights regarding your personal data, including access, correction, and deletion
Our data retention practices and security measures
How to contact us with privacy questions or concerns

We regularly update our Privacy Notice to reflect changes in our practices and applicable regulations. For information about our use of cookies and similar technologies, please see our separate Cookie Notice. If you have specific privacy questions not addressed in our Privacy Notice, please contact our Privacy Office at privacy at jfrog.com.

JFrog conducts mandatory security and privacy training for employees

JFrog implements comprehensive security and privacy training for its employees. This includes mandatory onboarding training and annual refresher courses for our workforce. Our specialized Privacy and Security teams also deliver targeted training sessions on specific topics relevant to different roles and functions. For more details about our broader security practices, visit our Trust Center.

Data Protection Officer (DPO)

JFrog has an external DPO in Germany who can be reached by email at privacy@jfrog.com.

FAQs
Expand all
- 1. Is JFrog a data processor or data controller under the GDPR when providing the Platform?
    
    As a global Software-as-a-Service (SaaS) provider, JFrog acts as a data processor under the GDPR with respect to processing of Personal Data to provide the JFrog Cloud Platform to our customers. Under the terms of our Cloud Data Processing Addendum (DPA) with Customers, JFrog will process personal data as instructed by the Customer for the purpose of providing the JFrog Platform. JFrog processes some personal data as an Independent Controller in a manner consistent with the purposes outlined in our Privacy Notice, such as for billing, account and customer support, and abuse and security detection.
  2. What kind of personal data is processed by JFrog as a processor when providing the Platform?
    
    The customer elects what personal data to provide to JFrog. Typically, customers provide name, business email address, title, phone number, business address, and IP address for authorized users. JFrog does not request or otherwise ask for sensitive personal data from customers.
  3. Does JFrog process sensitive/special categories of personal data?
    
    No. Customers are prohibited from uploading sensitive categories of personal data to the JFrog Platform. For more information, see the JFrog Cloud Terms and Conditions: https://jfrog.com/cloud-terms-and-conditions/.
  4. Does JFrog have a Data Processing Addendum?
    
    Yes, it’s only applicable to JFrog cloud subscriptions, please see: https://jfrog.com/jfrog-cloud-data-processing-addendum/.
    
    With regards to JFrog self hosted subscriptions, JFrog DPA is not applicable, since we do not have access to the customer's instance, data contained within the application, application configurations, or infrastructure security, nor do we process or transfer any personal data on the customer's behalf.
  5. Is JFrog a service provider or business under the CCPA?
    
    Under the California Consumer Privacy Act (“CCPA”), JFrog is a service provider when providing the JFrog Platform to our customers. Under the terms of our Cloud Data Processing Addendum (DPA) with Customers, JFrog will process personal data as instructed by the Customer for the purpose of providing the JFrog Platform.
  6. Does JFrog require access to Customer networks or systems to provide the JFrog Platform?
    
    No, JFrog offers a SaaS solution, hybrid solution or self-hosted solution.
  7. Does JFrog have a process to assist customers in fulfilling requests to update, correct, access, delete, or restrict personal data?
    
    Yes. Our customers can complete data subject rights requests through their JFrog admin account.
  8. Where does JFrog store Customer Data?
    
    DevOps and DevSecOps Customers can choose the cloud provider (AWS, GCP or Azure) and the region in accordance with the JFrog Status list: https://status.jfrog.io/. JFrog MLOps Customers can choose between the cloud provider options of AWS or GCP.
  9. Does JFrog use Sub-Processors?
    
    Yes, JFrog may carry out international transfers to our Affiliates for the purposes of providing follow-the-sun 24/7 support and performing administrative and security actions to deliver our Platform and the operation of the underlying infrastructure. JFrog utilizes third-party data processors for processing of limited data to perform specific functions, which are detailed in our Sub-Processors and Affiliates page at: https://jfrog.com/trust/privacy/sub-processors/.
  10. How can I be notified of new Sub-Processors?
    
    Customers can subscribe to notifications of new Sub-Processors at: https://jfrog.com/trust/privacy/sub-processors/
  11. Does JFrog conduct Sub-Processor due diligence?
    
    Third-party vendors and Sub-Processors are vetted prior to their on-boarding process by our security, IT, and legal teams. The process considers the classification of data the Sub-Processor will access, the type of access, the controls necessary to protect the data, and any regulatory requirements.
  12. Does JFrog rely on the Standard Contractual Clauses for international data transfers of Customer Data?
    
    For transfers of Customer Personal Data from the EEA, UK and Switzerland to countries in which JFrog, as a data importer, is located there are adequacy decisions from the European Commission and corresponding agreements for the UK and Switzerland, on the basis of which this transfer of data is permissible. In the event that these adequacy decisions become ineffective, we agree on utilizing EU Standard Contractual Clauses (“SCCs”). See our Cloud Data Processing Addendum.
  13. Is JFrog Inc. certified to participate in the EU-U.S. Data Privacy Framework?
    
    Yes, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework, which confirms that the United States offers a level of data protection comparable to that of the European Union. This decision allows personal data to flow freely from the EU to U.S. companies participating in the Data Privacy Framework without requiring additional safeguards. JFrog, Inc. has certified to participate in and comply with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively the “DPF”) and the commitments they entail, as detailed at www.dataprivacyframework.gov.
  14. Does JFrog maintain Technical and Organization Measures?
    
    Yes, please see the JFrog Cloud Data Security Addendum at: https://jfrog.com/jfrog-toms/.
  15. How does JFrog manage personal data requests or demands from law enforcement or government authorities?
    
    Due to the nature of our services as a business-to-business (B2B) company, it is unlikely that JFrog would receive a request from public or government authorities to access customer data. JFrog’s Government Access Request Policy describes how JFrog would handle and respond to law enforcement or other government authority access requests for customer personal data. Additionally, see section 8 of our Cloud Data Processing Addendum for more information.
  16. Can I obtain additional information regarding data privacy at JFrog?
    
    For more information on our privacy practices, see our Privacy Notice. If you have additional questions, please contact our Privacy Office -privacy@jfrog.com
  17. What do I do if I need JFrog’s assistance to complete a questionnaire?
    
    Please reach out to your sales representative for assistance with questionnaires or for general assistance with your contract.
DORA Compliance with JFrog
- 1. Is JFrog’s platform compatible with the EU Digital Operational Resilience Act (DORA)?
    
    Yes. JFrog is considered an ICT Service Provider and has instituted procedures to meet corresponding and relevant DORA requirements. We are ready for ICT risk management, audit rights, reporting workflows and cooperation that supervisors expect—making it straightforward to use JFrog in a fully DORA-compliant manner.
  2. What contractual safeguards do you offer?
    
    On request we provide our DORA Amendment (ready for signature) that contains all legally required information, such as a clear allocation of roles & responsibilities, audit rights for financial entities and competent authorities and rules on incident-notification. To receive our DORA Amendment, contact your JFrog account representative.
  3. Does JFrog support "critical" or "important" functions under DORA?
    
    Generally not. JFrog provides a hybrid, universal, end-to-end software supply chain platform for delivering trusted, secure software updates from code to production. Its goal is to function as the single source of truth for an organization’s software footprint, bridging digital gaps between developers, security teams, machine learning engineers, data scientists, and other business units to empower a world of always-on, always-current software which the Company refers to as “Liquid Software.” JFrog does not process transaction data, customer funds, trade instructions or other information that is directly tied to regulated financial products. For most banks and insurers this means the service is unlikely to be classified as a critical or important function.

Powering the Software
that Powers the World

It’s our Liquid Software vision to automatically deliver software
packages seamlessly and securely from any source to any device.

Start Free Buy Now

JFrog Trust Privacy Center

Table of contents

FAQs

Is JFrog a data processor or data controller under the GDPR when providing the Platform?

What kind of personal data is processed by JFrog as a processor when providing the Platform?

Does JFrog process sensitive/special categories of personal data?

Does JFrog have a Data Processing Addendum?

Is JFrog a service provider or business under the CCPA?

Does JFrog require access to Customer networks or systems to provide the JFrog Platform?

Does JFrog have a process to assist customers in fulfilling requests to update, correct, access, delete, or restrict personal data?

Where does JFrog store Customer Data?

Does JFrog use Sub-Processors?

How can I be notified of new Sub-Processors?

Does JFrog conduct Sub-Processor due diligence?

Does JFrog rely on the Standard Contractual Clauses for international data transfers of Customer Data?

Is JFrog Inc. certified to participate in the EU-U.S. Data Privacy Framework?

Does JFrog maintain Technical and Organization Measures?

How does JFrog manage personal data requests or demands from law enforcement or government authorities?

Can I obtain additional information regarding data privacy at JFrog?

What do I do if I need JFrog’s assistance to complete a questionnaire?

DORA Compliance with JFrog

Is JFrog’s platform compatible with the EU Digital Operational Resilience Act (DORA)?

What contractual safeguards do you offer?

Does JFrog support "critical" or "important" functions under DORA?

Powering the Software that Powers the World

Powering the Software
that Powers the World