JFrog Cloud Data Security Addendum

Last Updated: August 01, 2024

This JFrog Cloud Data Security Addendum (“DSA” or “TOMs”) describes the technical and organizational security measures (TOMs) that JFrog maintains to protect Customer Data (including Personal Data, as applicable) and Confidential Information. JFrog reserves the right to update the DSA, at its sole discretion, where updates will not materially degrade the security protocols or security levels in place as of the Effective Date during the applicable Subscription Term. Changes will be reflected at https://jfrog.com/jfrog-toms. This DSA forms part of the JFrog Agreement between JFrog and Customer and applies to Self-Hosted Subscriptions as applicable. Any capitalized terms which are not defined herein, shall have the meaning provided to them in the Agreement or the DPA.

  1. JFrog Security Program
    JFrog has implemented and maintains appropriate administrative, technical, physical, and organizational measures to ensure a level of security appropriate to the level of risk, in accordance with industry standards. JFrog maintains security policies, standards, and controls related to security, confidentiality, integrity, and availability. These policies are reviewed and approved annually and updated as needed.
  2. Certificate Program / Security Certifications
    JFrog maintains the following certifications and governance methods:

    1. Certification under ISO/IEC 27001:2013, ISO/IEC 27701:2019, ISO 27017:2014, and SOC 2, Type 2.
    2. Annual security audits by an independent third party, covering security, confidentiality, and availability control criteria.
    3. Regularly tests and monitors the effectiveness of its information security program through internal audits aligned with the relevant compliance controls and frameworks. Issues identified are documented, tracked, and remediated as appropriate.
  3. Access and Authentication Controls
    JFrog has implemented and maintains the following measures:

    1. Access Control Policy in accordance with the “least privileges” and “need to know” principles.
    2. Strict role-based permissions are granted in accordance with the role requirements.
    3. Access permissions are reviewed on a regular basis. Any access which is inappropriate for a role function is promptly removed.
    4. Access to JFrog systems and networks are disabled promptly upon notification in the event of termination of personnel.
    5. Unique usernames and passwords with minimum length and complexity requirements are enforced for all users.
    6. Two-factor authentication (2FA) is required for remote access and privileged account access.
    7. Physical access to JFrog facilities is restricted and requires a key-card, access is logged and maintained. Visitors are accompanied at all times and confidentiality measures are in place. Additional measures include video surveillance and other industry-standard practices.
    8. Services operate on a multitenant architecture designed to segregate and restrict access to Customer Data hosted on the JFrog platform. JFrog architecture provides a logical data separation for each different Customer via a unique ID.
  4. HR, Security, Training and Awareness
    JFrog has implemented and maintains the following measures:

    1. Background checks are conducted commensurate with job duties, in accordance with applicable laws and regulations.
    2. Personnel are subjected to non-disclosure or confidentiality obligations.
    3. Personnel are required to complete security awareness and privacy training during onboarding and at least annually thereafter.
    4. Personnel are required to review and acknowledge security policies during onboarding and annually thereafter.
    5. Periodic security and privacy awareness campaigns aimed to further educate personnel about their responsibilities.
  5. Risk Management and Infrastructure Control
    JFrog has implemented and maintains the following measures:

    1. JFrog Management reviews documented risks to determine appropriate risk levels and treatment options.
    2. Encryption and Key Management: Industry-standard encryption techniques (TLS 1.2 for data in transit and 256-bit AES for data at rest). Encryption keys are managed in a cloud-hosted key management service (KMS).
    3. Threat and Vulnerability Management: Continuous monitoring, annual penetration tests, and ongoing vulnerability scans are performed to identify and remediate potential threats. Patches are applied regularly after testing for safety. Vulnerabilities are classified based on the Common Vulnerability Scoring System (CVSS), a remediation plan is developed, including the steps required to address the vulnerability and the timeline for completion based on the remediation time for each severity level.
    4. Logging and Monitoring: Monitoring tools and services are used to monitor systems for various events. Logs are stored securely and reviewed by the security team utilizing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) technology.
    5. Network Security: Zero-Trust Security Technology to prevent unauthorized access to JFrog networks, servers, or applications.
    6. Cloud Security: Utilization of cloud provider-managed DDoS mitigation services, next-generation Web Application Firewall (WAF), API protection, advanced rate limiting, and bot protection. These measures are designed to safeguard against various types of cyber threats. Regular cloud security scanning tools are employed, including advanced Cloud Security Posture Management (CSPM) solutions, to enforce security best practices and mitigate potential misconfigurations.
    7. Development Security: Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, and management of software components. JFrog follows OWASP (Open Web Application Security Project) guidelines to ensure that security is integrated throughout the development process.
    8. Infrastructure as Code: Infrastructure as Code (IaC) serves as a critical component aligning DevOps, Security, and compliance efforts within JFrog’s operational framework. This approach ensures secure management of infrastructure processes by automating and standardizing deployments. JFrog’s application images undergo rigorous hardening using secured base images and deployment configurations. Continuous security scanning through JFrog’s Xray during the CI build process further enhances security measures.
  6. Incident Response
    JFrog maintains an Incident Response Plan and computer incident response team (CIRT) to respond to Security Incidents. The plan is reviewed at least annually. Affected Customers will be notified in accordance with the applicable Security Incident section in the Agreement or DPA.
  7. Third-Party Risk Management
    JFrog has implemented and maintains the following measures:

    1. JFrog conducts security due diligence and risk assessments of Third Parties.
    2. Periodic audits validate the ongoing governance of control operations and risk.
    3. Security controls and obligations are incorporated into Third Party contracts.
    4. Data Center Security: JFrog Data Centers are hosted by Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) which offer robust data center security measures. These include physical security with 24/7 staff and access control, advanced environmental controls, extensive network security, and compliance with standards like ISO/IEC 27001:2013 and SOC 2 Type II. Data centers are designed for high availability with redundancy and failover capabilities, and data is encrypted both at rest and in transit to ensure protection against unauthorized access.
  8. Customer Security Considerations
    Customers are responsible for their own security measures, including secure password practices, user management, timely software updates (outside of JFrog cloud), and proper access controls. JFrog is not liable for security incidents or data losses resulting from client-side vulnerabilities. JFrog maintains an inventory of infrastructure assets and has documented data disposal policies. Customer Data will be securely deleted as referenced in the Agreement.
  9. Contingency Planning
    JFrog has implemented and maintains the following measures:

    1. A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), which are reviewed annually, to manage significant disruptions.
    2. Data backup, replication, and recovery systems are deployed to support resilience.
    3. Annual Disaster Recovery drills are conducted to test and validate JFrog recovery procedures.