This Data Processing Addendum (“DPA”) constitutes a legally binding agreement made between you, whether personally or on behalf of an entity (“you”), and GitGuardian SAS (“we,” “us” or “our”) (each a “Party” and together, the “Parties”), which sets forth the duties and obligations of the Parties concerning the protection, security, processing, and privacy of personal data provided or made available to GitGuardian by you as part of the Services provided by GitGuardian to you under this DPA.
In the course of providing the Services to you under this DPA, GitGuardian may Process certain Personal Data provided or made available to GitGuardian by you and the Parties agree to comply with the following provisions concerning any such Personal Data, each acting reasonably and in good faith.
In the event of a conflict or inconsistency between the Agreement, this DPA, and the SCCs, the terms of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.
GitGuardian may make changes to this DPA where (a) the change is required to comply with an applicable Data Protection Law and Regulation; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of GitGuardian’s processing of your Personal Data, and does not have a material adverse impact on your rights under this DPA.
1. Definitions
1.1 “Agreement” means the written or electronic agreement between you and GitGuardian for the provision of the Services.
1.2 “Approved Jurisdiction” means a member state of the EEA, or other jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-dataprotection/adequacy-decisions_en.
1.3 “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§1798.100 to 1798.199) as amended by the California Privacy Rights Act (“CPRA”), and any related regulations or guidance provided by the California Attorney General.
1.4 “Controller” means an entity that determines the purposes and means of the processing of Personal Data. It shall have the same meaning ascribed to “controller” under the GDPR and other equivalent terms under applicable Data Protection Laws and Regulations (e.g., “Business” as defined under the CCPA), as applicable.
1.5 “Data” means data provided by you to GitGuardian to enable the provision of the Services.
1.6 “Data Protection Laws and Regulations” means all applicable data privacy and security laws and regulations of any jurisdiction (including, without limitation, laws and regulations of the United States, the European Economic Area including its member states, Switzerland, and the United Kingdom) applicable to the Processing of Personal Data under this DPA that is already in force or that will come into force during the term of this DPA.
1.7 “Data Subject” means the individual to whom Personal Data relates (e.g., “Consumer” as defined under the CCPA).
1.8 “EEA” means those countries that are members of the European Free Trade Association (“EFTA”), and the then-current, post-accession member states of the European Union.
1.9 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”).
1.10 “Personal Data” means non-generally available personal information, personally identifiable information, personal data (as defined in the Data Protection Laws and Regulations), or similar term under Data Protection Laws and Regulations that is uploaded or submitted by you to GitGuardian for the performance of the Services.
1.11 “Processing” means any operation or set of operations that are performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. “Processes” and “Process” shall be construed accordingly.
1.12 “Processor” means an entity that processes Personal Data on behalf of a Controller. It shall have the same meaning ascribed to “processor” under the GDPR and other equivalent terms under other Data Protection Laws and Regulations (e.g., “Service Provider” as defined under the CCPA), as applicable.
1.13 “Security Documentation” means GitGuardian’s security documentation applicable to the Services, as made reasonably available by GitGuardian.
1.14 “Services” means either (i) a proof of concept of GitGuardian’s software and/or services applicable to your request or (ii) GitGuardian’s provision of software and/or services as defined in the Agreement.
1.15 “Standard Contractual Clauses” or “SCC” means the agreement incorporated herein by reference as approved by the European Commission for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection and any subsequent changes approved by the European Commission with an official decision.
1.16 “Subprocessor” means another Processor engaged by GitGuardian to carry out the Processing of your Personal Data.
1.17 “Supervisory Authority” means an independent public authority that is established by an EU Member State under the GDPR.
2. Obligations Of The Parties
2.1 You are the Controller and GitGuardian is the Processor concerning the Processing of Personal Data under the DPA.
2.2 Your obligations. You shall: (a) ensure all Personal Data provided to GitGuardian has been collected in accordance with Data Protection Laws and Regulations and that you have all authorizations and/or consents necessary to provide such Personal Data to GitGuardian, (b) use the Services in compliance with Data Protection Laws and Regulations, and (c) give GitGuardian instructions regarding the Processing of Personal Data on your behalf, in all cases, in accordance with all applicable laws, rules, and regulations, including the Data Protection Laws and Regulations.
2.3 GitGuardian’s obligations. GitGuardian shall: (a) only Process Personal Data in accordance with (i) the requirements of Data Protection Laws and Regulations directly applicable to GitGuardian’s provision of its Services, (ii) your documented instructions, (iii) the Standard Contractual Clauses (where applicable), and (iv) this DPA. GitGuardian will promptly notify you if GitGuardian reasonably believes that your instructions are inconsistent with the applicable Data Protection Laws and Regulations; (b) act as your subprocessor, where you are the Processor; (c) maintain records of the Processing of any Personal Data received from you during the provision of the Services; (d) not lease, sell, distribute, or otherwise encumber Personal Data unless mutually agreed to by the Parties in a separate agreement; (e) not combine Personal Data received from or on your behalf and Personal Data collected by GitGuardian’s own interactions with the Data Subject other than as provided in the DPA or as otherwise permitted by Data Protection Laws and Regulations; (f) provide such assistance as you reasonably require (either on its own behalf or on behalf of its customers), and GitGuardian or GitGuardian Affiliates are able to provide, in order to meet any applicable filing, approval or similar requirements in relation to Data Protection Laws and Regulations.
3. Rights Of Data Subjects.
GitGuardian shall, to the extent legally permitted, promptly notify you if GitGuardian receives a request from a Data Subject to exercise the Data Subject’s rights under the Data Protection Laws and Regulations (“Data Subject Request”). Unless required by Data Protection Laws and Regulations, GitGuardian shall not respond to any such Data Subject Request without your prior written consent except to redirect the Data Subject to you. Taking into account the nature of the Processing, GitGuardian shall assist you with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
4. Subprocessors
You acknowledge and agree that GitGuardian may engage third-party Subprocessors in connection with the provision of the Services. GitGuardian shall enter into written agreements with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of your Data, to the extent applicable to the nature of the Services provided by such Subprocessor. GitGuardian shall not subcontract its obligations under this DPA to new Subprocessors, in whole or in part, without providing you with written notice and an opportunity to object. If you object in writing, within ten (10) days at the latest, to the proposed subcontracting on reasonable grounds relating to the protection of the Personal Data and the Parties cannot resolve the objection, you may terminate the applicable part of the Agreement with respect only to those Services which cannot be provided by GitGuardian without the use of the objected-to Subprocessors by giving written notice to GitGuardian. GitGuardian shall be liable for the acts or omissions of Subprocessors to the same extent it is liable for its own acts or omissions under this DPA.
5. Security Measures
GitGuardian shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing. GitGuardian’s measures will include those set forth in the Security Documentation. GitGuardian regularly monitors compliance with these measures.
6. Your Data Incident Management And Notification.
GitGuardian maintains security incident management policies and procedures specified in the Security Documentation and shall notify you without undue delay, and in no event more than 72 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by GitGuardian or its Subprocessors (“Incident”). Such notice shall summarize in reasonable detail the timing and nature of the Incident, the impact on you and/or the Data Subjects affected by such Incident, and the corrective action taken or proposed to be taken by GitGuardian. GitGuardian shall make reasonable efforts to identify the cause of such an Incident and take those steps that GitGuardian deems necessary and reasonable in order to remediate the cause of such an Incident, to the extent the remediation is within GitGuardian’s reasonable control. The obligations herein shall not apply to Incidents that are caused by you. The notification of or response to an Incident under this DPA will not be construed as an acknowledgment by GitGuardian of any fault or liability with respect to the Incident.
7. Return And Deletion Of Your Data.
GitGuardian shall return or delete your Data in accordance with the procedures and timeframes specified in the Security Documentation, or upon written request from you approved by GitGuardian.
8. Audit Rights
8.1 You may request (subject to obligations of confidentiality) relevant documentation, or any relevant audit report that may have been issued to GitGuardian. If, after having reviewed such audit report(s), you still reasonably deem that you require additional information, GitGuardian shall further reasonably assist you and make available to you, upon a written request and subject to obligations of confidentiality, any information (excluding legal advice) and/or documentation reasonably necessary to demonstrate compliance with this DPA.
8.2 You may, at your sole expense, and not more than once per calendar year, request to audit GitGuardian to verify compliance with the terms and conditions of this DPA, and all applicable Data Protection Laws and Regulations, with sixty (60) days written notice approved by GitGuardian in writing, on an agreed-upon audit date. Such audit shall be (i) completed within two (2) weeks; (ii) performed in a manner that, in GitGuardian’s reasonable judgment, does not disrupt GitGuardian’s operations; (iii) conducted by GitGuardian’s security team who shall provide all reasonably requested evidence to you and (iv) in the presence of either your employees or, with GitGuardian’s approval, by an independent third party.
9. Transfers Of Personal Data
9.1 Transfers of Personal Data from the EEA to third countries. Where GitGuardian Processes Personal Data from the EEA on your behalf in a country which is not an Approved Jurisdiction, GitGuardian shall perform such Processing in accordance with the SCC, which are incorporated into this DPA by reference, as follows: (a) Module Two applies where you are a Controller and GitGuardian is a Processor; (b) in Clause 7, the optional docking clause will apply; (c) in Clause 9(a) of Module Two, Option 2 applies, and the period for prior notice of Subprocessor changes is set forth in Section 4 of this DPA; (d) in Clause 11(a), the optional language does not apply; (e) in Clause 17, Option 1 applies with the governing law being that of France; (f) in Clause 18(b), disputes will be resolved before the courts in Paris, France; (g) Annex I of the SCCs is completed with the information in Schedule A to this DPA; (h) Annex III of the SCCs is completed with the information in Schedule B to this DPA. If and to the extent the SCC conflict with any provision of this DPA, the SCC will prevail to the extent of such conflict.
9.2 Transfers of Personal Data from the United Kingdom to third countries. Where GitGuardian Processes Personal Data from the United Kingdom on your behalf in a third country, such Processing shall be performed in accordance with the SCC, as modified in Section 9.1 above, as further amended by the United Kingdom International Data Transfer Addendum to the SCC (the “UK Addendum”). Tables 1, 2, and 3 of the UK Addendum will be deemed completed with the information set out in this DPA and Table 4 will be deemed completed by selecting “neither party”; and any conflict between the terms of the SCC and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
9.3 Transfers of Personal Data from Switzerland to third countries. Where GitGuardian Processes Personal Data from Switzerland on your behalf in a third country, such Processing shall be performed in accordance with the SCC, as modified in Section 9.1 above, as further amended by the Swiss Addendum to the SCC (the “Swiss Addendum”) as follows: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss Addendum; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
10. Liability Of The Parties
Each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the SCC), whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability in the Agreement, and any reference in such provisions to the liability of a Party means the aggregate liability of that Party and its Affiliates under the Agreement.
11. General Provisions.
The DPA will, notwithstanding the expiration or termination of the Services, remain in effect until, and automatically expire upon, GitGuardian’s deletion or return of all Personal Data. If any provision of this DPA is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this DPA will otherwise remain in full force and effect and enforceable. Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other Party’s prior written consent (not to be unreasonably withheld); provided, however, that either Party may assign this DPA without the other Party’s consent (but upon providing notice) in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, except where such assignment involves a competitor of the non-assigning Party. This DPA is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications, and other understandings relating to the subject matter of this DPA, and all waivers and modifications must be in a writing signed by both Parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this DPA, and you do not have any authority of any kind to bind GitGuardian in any respect whatsoever. This DPA shall be governed by the laws of France without regard to its conflict of laws provisions, and any claims relating to or arising under this DPA shall be exclusively submitted to the jurisdiction of the courts of Paris, France.
12. Schedules To The DPA.
The DPA includes the following Schedules:
(a) Schedule A (Annex 1 to the SCC); and
(b) Schedule B (Supplementary Measures to the SCC).
13. Data Protection Representative.
GitGuardian has designated a data protection representative for this DPA: email@example.com.
SCHEDULE A: Annex 1 to the SCC
The following details of processing apply to circumstances in which GitGuardian Processes as a Processor. Where the SCC applies, these details are also deemed to constitute Appendix 1 thereto:
Data exporter
Address: your principal place of business
Contact person’s name, position, and contact details: as indicated in the Agreement
Role (controller/processor): Controller.
Data importer
Name: GitGuardian SAS
Address: 54 rue de Seine, 75006 Paris, France
Contact person’s name, position, and contact details: Legal Department, firstname.lastname@example.org
Role (controller/processor): Processor
Purpose of transfer
The purpose of the Processing of Personal Data is to provide the Services detailed in the DPA.
Categories of data subjects
With respect to account Data: the data subjects may include your employees. With respect to your Personal Data: the data subjects may include your employees and customers.
Categories of personal data
With respect to account Data: the Personal Data that is sent to GitGuardian by you for the purpose of using the Services. With respect to your Personal Data: the Personal Data that is sent to GitGuardian by you for the purpose of using the Services.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Nature of the processing
The basic Processing operations to which the Personal Data will be subject include, but are not limited to, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, blocking, erasure, and destruction.
Frequency of processing/the transfer:
Duration of processing:
The duration of the processing of Personal Data is generally determined by you and is subject to the term of this DPA.
Maximum data retention periods, if applicable:
The retention period of Personal Data is generally determined by you and is subject to the term of this DPA.
SCHEDULE B – Supplementary Measures to the SCC
By this Schedule B (this “Schedule”), the Parties provide additional safeguards to and additional redress to the Data Subjects to whom Personal Data relates. This Schedule supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to a transfer of Personal Data.
GitGuardian is SOC 2 Type II compliant. Upon your request, GitGuardian may provide you with the SOC 2 Type II report.