JFrog has taken best-practice measures to ensure compliance with the General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which provide companies with frameworks on how to process and protect individuals' Personal Data. Guided by our compliance team, JFrog employees worldwide safely care for Personal Data in accordance with the GDPR and CCPA guidelines.
In addition, JFrog is certified under ISO 27701, the data privacy extension to ISO 27001. This Privacy Information Management System outlines a framework for data controllers and data processors on how to manage privacy controls and to reduce the risk to the privacy rights of individuals, by putting systems in place to support compliance with GDPR and other data privacy requirements. A copy of the certificate can be downloaded here.
A list of JFrog Sub-Processors is available here.
With regard to JFrog’s privacy commitment to our Customers, please see our Cloud Data Processing Addendum and Technical and Organizational Measures.
For any questions regarding GDPR, CCPA and data protection at JFrog, please contact firstname.lastname@example.org.
Data Protection at JFrog – FAQs
1. What service does JFrog offer?
JFrog provides a DevOps Platform for the management of software binaries and artifacts. Additional information can be found here: https://jfrog.com/platform/
2. Is JFrog a data processor or a data controller?
JFrog acts as a data processor with respect to personal data processed on behalf of customers with an active JFrog Cloud Subscription.
3. Does JFrog have a Data Processing Addendum?
Yes. It is only applicable to JFrog cloud subscriptions; please see: https://jfrog.com/jfrog-cloud-data-processing-addendum/.
With regard to JFrog self-hosted subscriptions, the JFrog DPA is not applicable, since the self-hosted platform is used to share binaries and artifacts and doesn’t include the processing of personal data on behalf of the customer.
4. Is JFrog certified under ISO 27701?
JFrog is certified under ISO 27701, the data privacy extension to ISO 27001/2. This Privacy Information Management System (PIMS) outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls and to reduce the risk to the privacy rights of individuals.
JFrog is also ISO 27001, ISO 27701 and SOC 2 Type II certified; additional information can be found here: https://jfrog.com/trust/certificate-program/.
5. What kind of personal data is processed by JFrog?
JFrog processes very minimal personal data of your authorized users for logging and monitoring purposes, which includes username, business email address and last login IP address. The customer is responsible for managing its users’ access to the Platform; please see: https://www.jfrog.com/confluence/display/RTF6X/Managing+Users.
6. Does JFrog process sensitive/special categories of personal data?
No. Furthermore, use of the JFrog Platform for such purposes is not allowed; please see clause 3.12 of the JFrog Cloud Terms and Conditions: https://jfrog.com/cloud-terms-and-conditions/.
7. Who are the data subjects?
Customer’s users authorized to use the JFrog Platform.
8. Where is the personal data hosted?
The customer can choose the cloud provider (AWS/GCP/Azure) and the region in accordance with the list available here: https://status.jfrog.io/.
9. How long will the personal data be retained for?
The hosted data will be deleted within 60 days following termination, please see clause 126.96.36.199 of the JFrog Cloud Terms and Conditions: https://jfrog.com/cloud-terms-and-conditions/.
10. Does JFrog use Sub-Processors?
Please see our Subsidiaries and Sub-Processors list here: https://jfrog.com/trust/privacy/sub-processors/.
11. Does JFrog conduct vendor due diligence?
Third-party vendors are vetted prior to their on-boarding process by the security, compliance, IT and legal teams. The process considers the classification of data the vendor will have access to, the type of access, the controls necessary to protect the data, and any regulatory requirements.
12. Does JFrog rely on the Standard Contractual Clauses?
Please see our Data Processing Addendum available here: https://jfrog.com/jfrog-cloud-data-processing-addendum/ which incorporates the EU SCCs as well as the UK IDTA.
13. Does JFrog maintain Technical and Organizational Measures?
Please see JFrog TOMs here: https://jfrog.com/jfrog-toms/.
14. Is JFrog subject to law enforcement requests?
JFrog believes that the risk relating to the transfer of, or access to, personal data outside the EU is low, considering we handle minimal personal data (username, email address and IP address) of your authorized users. Therefore, JFrog has no reason to believe that the U.S. government would seek to target the data we process, nor have we received any such requests to date.
If JFrog receives such a request, it will be handled in accordance with clause 11 of our DPA: https://jfrog.com/jfrog-cloud-data-processing-addendum/.
15. Does JFrog conduct mandatory training for employees?
JFrog conducts mandatory annual training for all employees covering information about cybersecurity and privacy awareness, and best practices for data protection. This is also part of the onboarding process for new employees.
16. Does JFrog have an Incident Response Plan?
Yes, JFrog has an IRP in place which includes data breach notification requirements.
17. Did JFrog experience a personal data breach in the last three (3) years which had to be reported to a Data Protection Supervisory Authority?
18. Can JFrog assist in completing data subject requests?
Yes, JFrog has a data privacy management platform in place.
19. Who can provide additional information regarding data protection at JFrog?
Please contact the JFrog Compliance Team: compliance@Jfrog.com.