GitHub Supplemental Terms for Microsoft Volume Licensing
In this article
- SECTION 1: GITHUB ENTERPRISE SERVER LICENSE TERMS
- 1.1 License Grant.
- 1.2 Restrictions.
- 1.3 Delivery.
- 1.4 Verification.
- 1.5 Support
- 1.6 Updates; Releases.
- 1.7 Add-On Software.
- 1.8 Data Protection Considerations for Use of GitHub Insights.
- 1.9 Limited Software Warranty.
- SECTION 2: GITHUB ENTERPRISE CLOUD TERMS OF SERVICE
- 2.1 Account Terms.
- 2.2 Compliance with Laws; Acceptable Use; Privacy.
- 2.3 Content Responsibility; Ownership; License Rights.
- 2.4 Private Repositories.
- 2.5. Intellectual Property Notices.
- 2.6 Suspension.
- 2.7 Communications with GitHub.
- 2.8 Service Levels.
- 2.9 Service Changes.
- 2.10 Additional Service Features.
- SECTION 3: GENERAL PROVISIONS.
- 3.1 Term; Termination; Effect of Termination.
- 3.2 Feedback.
- 3.3 Compliance with Laws and Regulations.
- 3.4 Order of Precedence
- EXHIBIT A: GITHUB DATA PROTECTION ADDENDUM
- 1. Definitions.
- 2. Status and Compliance.
- 3. Data Protection.
- 4. Security and Audit Obligations.
- 5. Use and Disclosure of Protected Data.
- 6. Subprocessing and Onward Transfer.
- 7. Termination.
- 8. Liability for Data Processing.
- EXHIBIT B: SECURITY EXHIBIT
- 1. Information Security Program.
- 2. Requests for Information and Compliance Reporting.
- 3. Cooperation with Regulatory Audits.
- EXHIBIT C: DEFINITIONS FOR SECTIONS 1-3
Version Effective Date: November 13, 2019
The following GitHub Supplemental Terms (including any applicable Order Forms) supplement Customer's Microsoft volume licensing agreement ("Microsoft Customer Agreement") and, together with the Microsoft Customer Agreement, govern Customer's use of the Products (as defined below). The Microsoft Customer Agreement is incorporated herein by this reference. Capitalized terms used but not defined in these supplemental terms have the meanings assigned to them in the Microsoft Customer Agreement.
These Supplemental Terms apply to the following GitHub Offerings, as further defined below (collectively, the "Products"):
GitHub Enterprise, comprised of GitHub Enterprise Server (which may include Add-on Software, such as Advanced Security and Insights) and GitHub Enterprise Cloud;
Any related Support; and
Any related Professional Services.
These GitHub Supplemental Terms include the following Sections and Exhibits, each of which is incorporated by reference herein:
SECTION 1: GitHub Enterprise Server License Terms;
SECTION 2: GitHub Enterprise Cloud Terms of Service;
SECTION 3: General Provisions;
EXHIBIT A: Data Protection Addendum (DPA);
EXHIBIT B: Security Exhibit; and
EXHIBIT C: Definitions.
SECTION 1: GITHUB ENTERPRISE SERVER LICENSE TERMS
This Section 1 details terms applicable to Customer’s use of the Software.
1.1 License Grant.
GitHub grants to Customer a non-exclusive, non-transferable, worldwide, royalty-free, limited-term license to install and use the Software for Customer’s internal business purposes during the applicable Subscription Term, in accordance with the Documentation, and only for the number of Subscription Licenses stated in Customer’s Order Form. The Software includes components licensed to GitHub by third parties, including software whose licenses require GitHub to make the source code for those components available. The source code for such components will be provided upon request.
Except as expressly permitted by law or by applicable third-party license, Customer and its Affiliates must not and must not allow any third party to: (i) sublicense, sell, rent, lease, transfer, assign, or redistribute the Software; (ii) host the Software for the benefit of third parties; (iii) disclose or permit any third party to access the Software, except as expressly permitted in this Section 1; (iv) hack or modify the License Key, or avoid or change any license registration process; (v) except for Customer Modifications, modify or create derivative works of the Software, or merge the Software with other software; (vi) disassemble, decompile, bypass any code obfuscation, or otherwise reverse engineer the Software or attempt to derive any of its source code, in whole or in part; (vii) modify, obscure, or delete any proprietary rights notices included in or on the Software or Documentation; or (viii) otherwise use or copy the Software or Documentation in a manner not expressly permitted by these GitHub Supplemental Terms.
GitHub will make the License Key available for Customer to download on a secure, password-protected website. All deliveries under this Section 1 will be electronic. For the avoidance of doubt, Customer is responsible for installation of any Software and acknowledge that GitHub has no further delivery obligation with respect to the Software after delivery of the License Key. As Updates become available, GitHub will make those available for download on the same website. Customer must Update the Software on a commercially reasonable basis but no less than one (1) time per year. Customer is responsible for maintaining the confidentiality of Customer’s usernames and passwords.
At GitHub's request, Customer will promptly provide GitHub with a Software-generated report verifying that Customer is using the Software in accordance with these GitHub Supplemental Terms. GitHub will invoice Customer for any additional use, effective from the date its use first exceeded the terms of these GitHub Supplemental Terms.
GitHub will provide technical support for the Software as further described in the Microsoft Customer Agreement. Notwithstanding anything to the contrary in the Microsoft Customer Agreement, (i) GitHub will use reasonable efforts to correct any material, reproducible errors in the Software upon Customer's notification of an error but will not be responsible for providing Support where (a) someone (other than GitHub) modifies the Software; (b) Customer changes its operating system or environment in a way that adversely affects the Software or its performance; (c) Customer uses the Software in a manner other than as authorized under the Microsoft Customer Agreement, this Section 1 or the Documentation; or (d) there is a Customer accident or negligence, or misuse of the Software; and (ii) GitHub will only Support a given Release for one (1) year from the original Release date, or six (6) months from the last Update of the Release, whichever is longer.
1.6 Updates; Releases.
GitHub will make Updates and Releases to the Software available to Customer on the same secure website where Customer downloaded the Software and the License Key.
1.6.2 Supported Releases.
GitHub will only Support a given Release of the Software for one (1) year from the original Release date, or six (6) months from the last Update of the Release, whichever is longer. If Customer requires Support for earlier Releases of the Software, then Customer must pay for that Support in accordance with the terms of a mutually agreed upon Order Form or SOW.
1.7 Add-On Software.
Add-On Software is licensed on a per User basis. For the avoidance of doubt, the number of Subscription Licenses Customer has at any given time for Add-On Software must equal the number of Subscription Licenses Customer has for the Products under this Agreement. For example, if Customer wishes to purchase a subscription to Insights and already holds Subscription Licenses for 100 Users for the Products, it must purchase Subscription Licenses for 100 Users for Insights.
1.8 Data Protection Considerations for Use of GitHub Insights.
If Customer’s planned use of GitHub Insights involves processing personal data, Customer is solely responsible for determining whether or not to complete a data protection impact assessment or otherwise secure formal legal analysis of Customer’s planned use. It is in Customer’s sole discretion whether to use GitHub Insights to process Customer’s employees’ and/or users’ data, and if Customer does so, Customer is solely responsible for conducting such processing in compliance with applicable law.
1.9 Limited Software Warranty.
GitHub warrants that, for ninety (90) days from the date it is made available for initial download, the unmodified Software will substantially conform to its Documentation. GitHub does not warrant that Customer's use of the Software will be uninterrupted, or that the operation of the Software will be error-free. This warranty will not apply if Customer modifies or uses the Software in any way that is not expressly permitted by this Section 1 and the Documentation. GitHub's only obligation, and Customer's only remedy, for any breach of this limited warranty will be as set forth in the Microsoft Customer Agreement.
SECTION 2: GITHUB ENTERPRISE CLOUD TERMS OF SERVICE
Upon creation of a Corporate Account and/or an Organization on the Service by Customer or by GitHub on Customer’s behalf, this Section 2 details terms applicable to Customer’s use of the Service.
2.1 Account Terms.
2.1.1 Account Controls.
(i) Users. Customer acknowledges that Users retain ultimate administrative control over their individual accounts and the Content within them. GitHub's Standard Terms of Service govern Users' use of the Service, except with respect to Users' activities under this Section 2.
(ii) Organizations. Customer retains ultimate administrative control over any Organization created on Customer’s behalf and User-Generated Content posted to the repositories within its Organization(s), subject to this Section 2. This Section 2 will govern the use of Customer’s Organization(s).
2.1.2 Account Requirements.
In order to create an account, Customer must adhere to the following:
(i) Customer must not create an account for use of any person under the age of 13. If GitHub learns of any User under the age of 13, it will terminate that User's account immediately. If Customer or its User(s) are located in a country outside the United States, that country's minimum age may be older; in such a case, Customer is responsible for complying with that country's laws.
(ii) A User’s login may not be shared by multiple people.
(iii) Customer must not use the Service (a) in violation of export control or sanctions laws of the United States or any other applicable jurisdiction, (b) if it is located in or ordinarily resident in a country or territory subject to comprehensive sanctions administered by the U.S. Office of Foreign Assets Control (OFAC), or (c) if Customer is or is working on behalf of a Specially Designated National (SDN) or a person subject to similar blocking or denied party prohibitions. For more information, please see GitHub’s Trade Controls policy.
2.1.3 Account Security.
Customer is responsible for: (i) all Content posted and activity that occurs under its Corporate Account; (ii) maintaining the security of its account login credentials; and (iii) promptly notifying GitHub upon becoming aware of any unauthorized use of, or access to, the Service through its account. GitHub will not be liable for any loss or damage from Customer’s failure to comply with this Section 2.1.3.
2.1.4 Additional Terms.
In some situations, third parties' terms may apply to Customer’s use of the Service. For example, Customer may be a member of an Organization with its own terms or license agreements; Customer may download an application that integrates with the Service; or Customer may use the Service to authenticate to another service. While the Microsoft Customer Agreement, including these GitHub Supplemental Terms, are GitHub's full agreement with Customer, other parties' terms govern their relationships with Customer.
2.1.5 U.S. Federal Government Terms.
If Customer is a U.S. federal government agency or otherwise accessing or using any portion of the Service in a government capacity, the U.S. Federal Government Amendment applies, and Customer agrees to its provisions.
2.2 Compliance with Laws; Acceptable Use; Privacy.
2.2.1 Compliance with Laws and Regulations.
Customer’s use of the Service must not violate any applicable laws, including copyright or trademark laws, export control laws, or regulations in its jurisdiction.
2.2.2 Acceptable Use.
Customer’s use of the Service must comply with GitHub's Acceptable Use Policies and GitHub’s Community Guidelines. Customer must not use the Service in any jurisdiction for unlawful, obscene, offensive or fraudulent Content or activity, such as advocating or causing harm, interfering with or violating the integrity or security of a network or system, evading filters, sending unsolicited, abusive, or deceptive messages, viruses or harmful code, or violating third party rights.
The GitHub Privacy Statement and the attached Exhibit A: Data Protection Addendum provide detailed notice of GitHub's privacy and data use practices. Any person, entity, or service collecting data from the Service must comply with the GitHub Privacy Statement, particularly in regards to the collection of Users' Personal Information (as defined in the GitHub Privacy Statement). If Customer collects any User Personal Information from GitHub, Customer will only use it for the purpose for which the External User has authorized it. Customer will reasonably secure any such Personal Information, and Customer will respond promptly to complaints, removal requests, and "do not contact" requests from GitHub or External Users.
2.3 Content Responsibility; Ownership; License Rights.
2.3.1 Responsibility for User-Generated Content.
Customer may create or upload User-Generated Content while using the Service. Customer is solely responsible for any User-Generated Content that it posts, uploads, links to or otherwise makes available via the Service, regardless of the form of that User-Generated Content. GitHub is not responsible for any public display or misuse of User-Generated Content.
2.3.2 Ownership of Content, Right to Post, and License Grants.
(i) Customer retains ownership of Customer Content that Customer creates or owns. Customer acknowledges that it: (a) is responsible for Customer Content, (b) will only submit Customer Content that Customer has the right to post (including third party or User-Generated Content), and (c) Customer will fully comply with any third-party licenses relating to Customer Content that Customer posts.
(ii) Customer grants the rights set forth in Sections 2.3.3 through 2.3.6, free of charge and for the purposes identified in those sections until such time as Customer removes Customer Content from GitHub servers, except for Content Customer has posted publicly and that External Users have Forked, in which case the license is perpetual until such time as all Forks of Customer Content have been removed from GitHub servers. If Customer uploads Customer Content that already comes with a license granting GitHub the permissions it needs to run the Service, no additional license is required.
2.3.3 License Grant to GitHub.
Customer grants to GitHub the right to store, parse, and display Customer Content, and make incidental copies only as necessary to provide the Service. This includes the right to copy Customer Content to GitHub's database and make backups; display Customer Content to Customer and those to whom Customer chooses to show it; parse Customer Content into a search index or otherwise analyze it on GitHub's servers; share Customer Content with External Users with whom Customer chooses to share it; and perform Customer Content, in case it is something like music or video. These rights apply to both public and Private Repositories. This license does not grant GitHub the right to sell Customer Content or otherwise distribute or use it outside of the Service. Customer grants to GitHub the rights it needs to use Customer Content without attribution and to make reasonable adaptations of Customer Content as necessary to provide the Service.
2.3.4 License Grant to External Users.
(i) Any Content that Customer posts publicly, including issues, comments, and contributions to External Users' repositories, may be viewed by others. By setting its repositories to be viewed publicly, Customer agree to allow External Users to view and Fork Customer’s repositories.
(ii) If Customer sets its pages and repositories to be viewed publicly, Customer grants to External Users a nonexclusive, worldwide license to use, display, and perform Customer Content through the Service and to reproduce Customer Content solely on the Service as permitted through functionality provided by GitHub (for example, through Forking). Customer may grant further rights to Customer Content if Customer adopts a license. If Customer is uploading Customer Content that it did not create or own, Customer is responsible for ensuring that the Customer Content it uploads is licensed under terms that grant these permissions to External Users.
2.3.5 Contributions Under Repository License.
Whenever Customer makes a contribution to a repository containing notice of a license, Customer licenses such contribution under the same terms and agrees that it has the right to license such contribution under those terms. If Customer has a separate agreement to license its contributions under different terms, such as a contributor license agreement, that agreement will supersede.
2.3.6 Moral Rights.
Customer retains all moral rights to Customer Content that it uploads, publishes, or submits to any part of the Service, including the rights of integrity and attribution. However, Customer waives these rights and agrees not to assert them against GitHub, solely to enable GitHub to reasonably exercise the rights granted in Section 2.3, but not otherwise.
2.4 Private Repositories.
Customer is responsible for managing access to its Private Repositories, including invitations, administrative control of Organizations and teams, and termination of access.
GitHub considers Customer Content in Customer’s Private Repositories to be Customer’s Confidential Information. GitHub will protect and keep strictly confidential the Customer Content of Private Repositories in accordance with the applicable confidentiality provision in the Microsoft Customer Agreement.
GitHub may only access Customer’s Private Repositories (i) with Customer’s consent and knowledge, for support reasons, or (ii) when access is required for security reasons. Customer may choose to enable additional access to its Private Repositories. For example, Customer may enable various GitHub services or features that require additional rights to Customer Content in Private Repositories. These rights may vary depending on the service or feature, but GitHub will continue to treat Customer Content in Customer’s Private Repositories as Customer’s Confidential Information. If those services or features require rights in addition to those it needs to provide the Service, GitHub will provide an explanation of those rights.
If GitHub has reason to believe the Content of a Private Repository is in violation of the law or of these GitHub Supplemental Terms, GitHub has the right to access, review, and remove that Content. Additionally, GitHub may be compelled by law to disclose the Content of Customer’s Private Repositories. Unless otherwise bound by requirements under law or if in response to a security threat or other risk to security, GitHub will provide notice of such actions.
2.5. Intellectual Property Notices.
2.5.1 GitHub's Rights to Content.
2.5.2 Copyright Infringement and DMCA Policy.
If Customer is a copyright owner and believes that Content on the Service violates Customer’s copyright, Customer may contact GitHub in accordance with GitHub's Digital Millenium Copyright Act Policy by notifying GitHub via its DMCA Form or by emailing firstname.lastname@example.org.
2.5.3 GitHub Trademarks and Logos.
If Customer would like to use GitHub's trademarks, Customer must follow all of GitHub's trademark guidelines, including those on the GitHub Logos and Usage page.
GitHub has the right to suspend access to all or any part of the Service, including removing Content, at any time for violation of the Microsoft Customer Agreement, including these GitHub Supplemental Terms, or to protect the integrity, operability, and security of the Service, effective immediately, with or without notice. Unless prohibited by law or legal process or to prevent imminent harm to the Service or any third party, GitHub typically provides notice in the form of a banner or email on or before such suspension. GitHub will, in its discretion and using good faith, tailor any suspension as needed to preserve the integrity, operability, and security of the Service.
2.7 Communications with GitHub.
For contractual purposes, Customer (1) consents to receive communications in an electronic form via the email address it submitted or via the Service; and (2) agrees that all Terms of Service, agreements, notices, disclosures, and other communications that GitHub provides electronically satisfies any legal requirement that those communications would satisfy if they were on paper. This section does not affect Customer's non-waivable rights.
2.8 Service Levels.
2.8.1 Program Benefits - Uptime Guarantee and Calculation.
GitHub guarantees that the Service will have a quarterly Uptime percentage of 99.95%. That means GitHub's Essential Services will not be interrupted by an Outage affecting more than 50% of Active Users, for more than .05% of the quarter. If GitHub doesn't meet such 99.95% quarterly Uptime guarantee, GitHub may issue Service Credits to customers. GitHub's Uptime calculation is based on the percentage of successful requests it serves through its web, API, and Git client interfaces.
Exclusions from the Uptime guarantee include Outages resulting from: (i) Customer’s acts, omissions, or misuse of the Services, including violations of the Microsoft Customer Agreement and these GitHub Supplemental Terms; (ii) Failures of Customer’s internet connectivity; (iii) Factors outside GitHub's reasonable control, including force majeure events and third-party services or technology; or (iv) Customer’s equipment, services, or other technology.
2.8.3 Calculation of Uptime Service Credits; Redemption of Uptime Service Credits.
If GitHub's quarterly Uptime percentage drops below its 99.95% Uptime guarantee, then Customer is entitled to receive a Service Credit equal to 25 times the amount that was paid for the Outage time that exceeds the quarterly Uptime guarantee. Service Credits are calculated at the end of each quarter, and may only be granted upon request. To find out about GitHub's Uptime percentage, Customer can request an Uptime report at the end of each quarter. In order to be granted Service Credits, either an account Owner or Billing Manager must send a written request, on Customer’s behalf, within thirty (30) days of the end of each quarter. Service Credits may not be saved. After being granted a Service Credit, it will be automatically applied to Customer’s next bill. Written requests should be sent to GitHub Support.
2.8.4 Disclaimer; Limitation of Liability.
GitHub's Status Page is not connected to the Uptime guarantee set forth in this Section and is not an accurate representation of GitHub's Uptime for the purposes of calculating Service Credits. Service Credits are limited to thirty (30) days of paid service, per quarter. Service Credits are Customer’s only remedy for any failure by GitHub to meet any Uptime obligations as identified in this Section.
2.9 Service Changes.
GitHub changes the Service via Updates and addition of new features. Subject to Section 2.8, GitHub reserves the right at any time to modify or discontinue, temporarily or permanently, the Service (or any part of it) with or without notice.
2.10 Additional Service Features.
Some Service features may be subject to additional terms as set forth in the GitHub Additional Product Terms. By accessing or using these features, Customer agrees to the GitHub Additional Product Terms.
SECTION 3: GENERAL PROVISIONS.
This Section 3 sets forth the terms and conditions applicable to Customer’s purchase and use of any of the Products.
3.1 Term; Termination; Effect of Termination.
These GitHub Supplemental Terms will continue in effect until terminated by a Party in accordance with this Section 3.1.
3.1.2 Termination for Convenience; Account Cancellation.
Either Party may terminate an Order Form or these GitHub Supplemental Terms, without cause, upon at least thirty (30) days' prior written notice before the end of the then-current Subscription Term. If Customer elects to terminate an Order Form or these GitHub Supplemental Terms, it is Customer's responsibility to properly cancel its account with GitHub by going into Settings in the global navigation bar at the top of the screen. GitHub cannot cancel accounts in response to an email or phone request.
3.1.3 Termination for Material Breach.
Either Party may terminate these GitHub Supplemental Terms immediately upon notice if the other Party breaches a material obligation under these GitHub Supplemental Terms and fails to cure the breach within thirty (30) days from the date it receives notification. GitHub may terminate these GitHub Supplemental Terms if Customer's Account has been suspended for more than 90 days.
3.1.4 Effect of Termination.
Upon termination of these GitHub Supplemental Terms, Customer may not execute additional Order Forms; however, these GitHub Supplemental Terms will remain in effect for the remainder of any active Order Forms. When an Order Form terminates or expires, as to that Order Form: (i) the Subscription Term will immediately end; (ii) any Subscription Licenses in the Order Form will automatically terminate, and Customer will no longer have the right to use the Products; (iii) if any Fees were owed prior to termination, Customer must pay those Fees immediately; (iv) Customer must destroy all copies of the Software in Customer’s possession or control, and certify in writing to GitHub that Customer has done so; (v) each Party will promptly return (or, if the other party requests it, destroy) all Confidential Information belonging to the other to the extent permitted by the Service. Notwithstanding the foregoing, Customer may continue to access the Software to migrate Customer’s data and may request migration of the data in its repositories for up to ninety (90) days after termination or expiration of this Agreement or an Order Form; however, Customer may not use the Software or Service on a production basis during that time. Any provisions which by their nature should reasonably survive will survive the termination or expiration of this Agreement or an Order Form.
Customer may provide Feedback to GitHub regarding the Products. Feedback is voluntary and is not Customer Confidential Information, even if designated as such. GitHub may fully exercise and exploit such Feedback for the purpose of (i) improving the operation, functionality and use of GitHub’s existing and future product offerings and commercializing such offerings; and (ii) publishing aggregated statistics about the quality of the Products, provided that no data in any such publication will be used to specifically identify Customer, its employees or Customer’s proprietary software code.
3.3 Compliance with Laws and Regulations.
Customer will comply with all applicable laws and regulations, including, but not limited to, data protection and employment laws and regulations, in its use of the Products.
3.4 Order of Precedence
In the event of a conflict between the Supplemental Terms, on one hand, and an Order Form, on the other, the Order Form will govern with respect to that order only. In the event of a conflict between the Supplemental Terms (including any Order Form) and the Microsoft Customer Agreement, the Supplemental Terms will govern with respect to the subject matter only.
EXHIBIT A: GITHUB DATA PROTECTION ADDENDUM
1.1 The "Applicable Data Protection Laws" means certain laws, regulations, regulatory frameworks, or other legislations relating to the processing and use of Personal Data, as applicable to Customer's use of GitHub and the GitHub Service, including:
a. The EU General Data Protection Regulation 2016/679 ("GDPR"), along with any implementing or corresponding equivalent national laws or regulations, once in effect and applicable; and
b. The U.S. Department of Commerce and European Commission's EU--U.S. Privacy Shield Framework ("Privacy Shield"), or any succeeding legislation, available at https://www.privacyshield.gov/, or any succeeding URL, as may be amended. The "Privacy Shield Principles" refer to the principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
1.2 "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," "Processor," and "Supervisory Authority" have the meanings given to them in the Applicable Data Protection Laws. In the event of a conflict, the meanings given in the GDPR will supersede.
1.3 "Customer Personal Data" means any Personal Data for which Customer is a Controller, whether supplied by Customer for processing by GitHub or generated by GitHub in the course of performing its obligations under these GitHub Supplemental Terms. It includes data such as billing information, IP addresses, corporate email addresses, and any other Personal Data for which Customer is a Controller.
1.4 "Customer Repository Data" means any data or information that is uploaded or created by Customer into any of its Private Repositories.
1.5 A "Data Breach" means a Personal Data Breach or any other confirmed or reasonably suspected breach of Customer's Protected Data.
1.6 "End User" means an individual Data Subject who controls a GitHub account and has agreed to the GitHub Terms of Service, and whose Personal Data is being transferred, stored, or processed by GitHub. For example, each Customer employee or contractor who has a GitHub account is also a GitHub End User.
1.7 "Permitted Purposes" for data processing are those limited and specific purposes of providing the Service as set forth in these GitHub Supplemental Terms, the GitHub Privacy Statement, and this Exhibit A, or the purposes for which a Data Subject has authorized the use of Customer Personal Data.
1.8 "Protected Data" includes any Customer Personal Data and any Customer Repository Data processed by GitHub on behalf of Customer under these GitHub Supplemental Terms.
1.9 "Sensitive Data" means any Personal Data revealing racial or ethnic origin; political opinions, religious or philosophical beliefs or trade union membership; processing of genetic data or biometric data for the purposes of uniquely identifying a natural person; data concerning health, a natural person's sex life or sexual orientation; and data relating to offences, criminal convictions, or security measures.
2. Status and Compliance.
2.1 Data Processing. GitHub acts as a Processor in regard to any Customer Personal Data it receives in connection with these GitHub Supplemental Terms, and GitHub will process Customer Personal Data only for Permitted Purposes in accordance with Customer's instructions as represented by these GitHub Supplemental Terms and other written communications. In the event that GitHub is unable to comply with Customer's instructions, such as due to conflicts with the Applicable Data Protection Laws, or where processing is required by the Applicable Data Protection Laws or other legal requirements, GitHub will notify Customer to the extent permissible. GitHub processes all Customer Personal Data in the United States or in the European Union; however, GitHub's subprocessors may process data outside of the United States or the European Union. Additionally, GitHub acts as a Processor for any Customer Repository Data.
2.2 Data Controllers. GitHub receives Personal Data both from Customer and directly from Data Subjects who create End User accounts. Customer is a Controller only for the Customer Personal Data it transfers directly to GitHub. Notwithstanding the foregoing, Customer is the Controller of any of the data on its GitHub Enterprise Server installation that it chooses to process with GitHub Insights.
2.3 GitHub Compliance. GitHub represents and warrants that it complies with Privacy Shield, which governs cross-border transfers of Personal Data. GitHub will remain certified under Privacy Shield for the duration of the GitHub Supplemental Terms, provided Privacy Shield remains a valid data transfer mechanism. In the event that GitHub is unable to remain certified, or that Privacy Shield does not remain a valid data transfer mechanism, please see Section 7. GitHub will comply with Applicable Data Protection Laws in relation to the processing of Personal Data.
3. Data Protection.
3.1 Purpose Limitation. GitHub will process and communicate the Protected Data only for Permitted Purposes, unless the Parties agree in writing to an expanded purpose.
3.2 Data Quality and Proportionality. GitHub will keep the Customer Personal Data accurate and up to date, or enable Customer to do so. GitHub will take commercially reasonable steps to ensure that any Protected Data it collects on Customer's behalf is adequate, relevant, and not excessive in relation to the purposes for which it is transferred and processed. In no event will GitHub intentionally collect Sensitive Data on Customer's behalf. Customer agrees that the GitHub Service is not intended for the storage of Sensitive Data; if Customer chooses to upload Sensitive Data to the Service, Customer must comply with Article 9 of the GDPR, or equivalent provisions in the Applicable Data Protection Laws.
3.3 Data Retention and Deletion. Upon Customer's reasonable request, unless prohibited by law, GitHub will return, destroy, or deidentify all Customer Personal Data and related data at all locations where it is stored after it is no longer needed for the Permitted Purposes within thirty days of request. GitHub may retain Customer Personal Data and related data to the extent required by the Applicable Data Protection Laws, and only to the extent and for such period as required by the Applicable Data Protection Laws, provided that GitHub will ensure that Customer Personal Data is processed only as necessary for the purpose specified in the Applicable Data Protection Laws and no other purpose, and Customer Personal Data remains protected by the Applicable Data Protection Laws.
3.4 Data Processing. GitHub provides the following information, required by Article 28(3) of the GDPR, regarding its processing of Customer's Protected Data:
a. The subject matter and duration of the processing of Customer Personal Data are set out in the GitHub Supplemental Terms and this Addendum.
b. The nature and purpose of the processing of Customer Personal Data is described in Section 3.1 of this Addendum.
c. The types of Customer Personal Data to be processed are described in the GitHub Privacy Statement, and include Customer Personal Data such as user names, passwords, email addresses, and IP addresses. GitHub also processes information necessary for billing Customer's account, but does not process or store credit card information. Customer may choose to supply GitHub with additional Customer Personal Data, such as in Customer's profile settings or by uploading Customer Personal Data to its GitHub repositories.
d. The categories of Data Subject to whom the Customer Personal Data relates are the Customer itself and its End Users.
e. The obligations and rights of Customer are set out in the GitHub Supplemental Terms and this Addendum.
4. Security and Audit Obligations.
4.1 Technical and Organizational Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, GitHub will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks, such as against accidental or unlawful destruction, or loss, alteration, unauthorized disclosure or access, presented by processing the Protected Data. GitHub will regularly monitor compliance with these measures and will continue to take appropriate safeguards throughout the duration of the GitHub Supplemental Terms. Please see Section 1.1 of the GitHub Security Exhibit regarding GitHub's responsibilities in relation to security safeguards.
4.2 Incident Response and Breach Notification. GitHub will comply with the Information Security obligations in the GitHub Security Exhibit and the Applicable Data Protection Laws, including Data Breach notification obligations. Please see Section 1.2 of the GitHub Security Exhibit regarding GitHub's responsibilities in relation to Data Breach response and notification.
4.3 GitHub Personnel. GitHub represents and warrants that it will take reasonable steps to ensure that all GitHub personnel processing Protected Data have agreed to keep the Protected Data confidential and have received adequate training on compliance with this Addendum and the Applicable Data Protection Laws.
4.4 Records. GitHub will maintain complete, accurate, and up to date written records of all categories of processing activities carried out on behalf of Customer containing the information required under the Applicable Data Protection Laws. To the extent that assistance does not risk the security of GitHub or the privacy rights of individual Data Subjects, GitHub will make these records available to Customer on request as reasonably required, such as to help Customer demonstrate its compliance under the Applicable Data Protection Laws. To learn more about GitHub's requirements to provide assistance in the event of a security incident, please see Section 1.2 of the GitHub Security Exhibit.
4.5 Compliance Reporting. GitHub will provide security compliance reporting in accordance with Section 2.3 of the GitHub Security Exhibit and privacy compliance reporting in accordance with Section 2.3 of the GitHub Security Exhibit. Customer agrees that any information and audit rights granted by the Applicable Data Protection Laws (including, where applicable, Article 28(3)(h) of the GDPR) will be satisfied by these compliance reports, and will only arise to the extent that GitHub's provision of a compliance report does not provide sufficient information, or to the extent that Customer must respond to a regulatory or Supervisory Authority audit. Section 3.1 of the GitHub Security Exhibit describes the Parties' responsibilities in relation to a regulatory or Supervisory Authority audit.
4.6 Assistance. GitHub will provide reasonable assistance to Customer with concerns such as data privacy impact assessments, Data Subject rights requests, consultations with Supervisory Authorities, and other similar matters, in each case solely in relation to the processing of Customer's Personal Data and taking into account the nature of processing.
5. Use and Disclosure of Protected Data.
5.1 No Use in Marketing. GitHub will not use the Protected Data for the purposes of advertising third-party content, and will not sell the Protected Data to any third party except as part of a merger or acquisition.
6. Subprocessing and Onward Transfer.
6.1 Protection of Data. GitHub is liable for onward transfers of Protected Data to its subprocessors, such as its third-party payment processor. In the event that GitHub does transfer the Protected Data to a third-party subprocessor, or GitHub installs, uses, or enables a third party or third-party services to process the Protected Data on GitHub's behalf, GitHub will ensure that the third-party subprocessor is contractually bound to comply with or provide at least the same level of confidentiality, security, and privacy protection as is required of subprocessors by the Privacy Shield Principles and the Applicable Data Protection Laws.
6.2 Acceptance of GitHub Subprocessors. Customer authorizes GitHub to appoint (and permit each subprocessor appointed in accordance with this Section 6 to appoint) subprocessors in accordance with Section 6 and any other restrictions in the GitHub Supplemental Terms. GitHub may continue to use those subprocessors currently engaged as of the Effective Date of this Addendum.
6.3 General Consent for Onward Subprocessing. Customer provides a general consent for GitHub to engage onward subprocessors, conditional on GitHub's compliance with the following requirements:
a. Any onward subprocessor must agree in writing to only process data in a country that the European Commission has declared to have an "adequate" level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses, or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities, or pursuant to a compliant US-EU Privacy Shield certification; and
b. GitHub will restrict the onward subprocessor's access to Customer Personal Data only to what is strictly necessary to perform its services, and GitHub will prohibit the subprocessor from processing the Customer Personal Data for any other purpose.
6.4 Disclosure of Subprocessor Agreements. GitHub maintains a list of onward subprocessors it has engaged to process Customer Personal Data at https://help.github.com/articles/github-subprocessors-and-cookies/, including the categories of Customer Personal Data processed, a description of the type of processing the subprocessor performs, and the location of its processing. GitHub will, upon Customer's written request, provide Customer with this list of subprocessors and the terms under which they process the Customer Personal Data. Pursuant to subprocessor confidentiality restrictions, GitHub may remove any confidential or commercially sensitive information before providing the list and the terms to Customer. In the event that GitHub cannot disclose confidential or sensitive information to Customer, the Parties agree that GitHub will provide all information it reasonably can in connection with its subprocessing agreements.
6.5 Objection to Subprocessors. GitHub will provide thirty days' prior written notice of the addition or removal of any subprocessor, including the categories listed in Section 6.4, by announcing changes on its https://github.com/github/site-policy site. If Customer has a reasonable objection to GitHub's engagement of a new subprocessor, Customer must notify GitHub promptly in writing. Where possible, GitHub will use commercially reasonable efforts to provide an alternative solution to the affected Service to avoid processing of data by the objectionable subprocessor. In the event that GitHub is unable to provide an alternative solution and the Parties cannot resolve the conflict within ninety days, Customer may terminate the GitHub Supplemental Terms.
7.1 Suspension. In the event that GitHub is in breach of its obligations to maintain an adequate level of security or privacy protection, Customer may temporarily suspend the transfer of all Customer Personal Data or prohibit collection and processing of Customer Personal Data on Customer's behalf until the breach is repaired or the GitHub Supplemental Terms are terminated.
7.2 Termination with Cause. In addition to any termination rights Customer has under the GitHub Supplemental Terms, Customer may terminate the GitHub Supplemental Terms without prejudice to any other claims at law or in equity in the event that:
a. GitHub notifies Customer that it can no longer meet its privacy obligations;
b. the transfer, collection, or processing of all Customer Personal Data has been temporarily suspended for longer than one month pursuant to Section 7.1;
c. GitHub is in substantial or persistent breach of any warranties or representations under this Addendum;
d. GitHub is no longer carrying on business, is dissolved, enters receivership, or a winding up order is made on behalf of GitHub; or
e. Customer objects to a subprocessor pursuant to Section 6.5, and GitHub has not been able to provide an alternative solution within ninety days.
7.3 Breach. Failure to comply with the material provisions of this Addendum is considered a material breach under the GitHub Supplemental Terms.
7.4 Failure to perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate the Addendum in good faith. If renegotiation would not cure the impossibility, or if the Parties cannot reach an agreement, the Parties may terminate the GitHub Supplemental Terms after thirty days.
7.5 Notification. In the event that GitHub determines that it can no longer meet its privacy obligations under this Addendum, GitHub will notify Customer in writing immediately.
7.6 Modifications. GitHub may modify this Addendum from time to time as required by the Applicable Data Protection Laws, with thirty days' notice to Customer.
7.7 Termination Requirements. Upon Termination, GitHub must:
a. take reasonable and appropriate steps to stop processing the Customer Personal Data;
b. within ninety days of termination, delete or deidentify any Customer Personal Data GitHub stores on Customer's behalf pursuant to Section 3.3; and
c. provide Customer with reasonable assurance that GitHub has complied with its obligations in Section 7.7.
8. Liability for Data Processing.
8.1 Limitations. Except as limited by the Applicable Data Protection Laws, any claims brought under this Addendum will be subject to the terms of the Microsoft Customer Agreement regarding Limitations of Liability.
EXHIBIT B: SECURITY EXHIBIT
1. Information Security Program.
1.1 Security Management.
Throughout the duration of the GitHub Supplemental Terms, GitHub will maintain and enforce a written information security program ("Security Program") that aligns with industry recognized frameworks; includes security safeguards reasonably designed to protect the confidentiality, integrity, availability, and resilience of Customer Protected Data; is appropriate to the nature, size, and complexity of GitHub's business operations; and complies with the Applicable Data Protection Laws and other specific information security related laws and regulations that are applicable to the geographic regions in which GitHub does business.
a. Security Officer. GitHub has designated a senior employee to be responsible for overseeing and carrying out its Security Program and for governance and internal communications regarding information security matters.
b. Security Program Changes. GitHub will not make changes to its Security Program that adversely affect the security of any Customer Protected Data where notification is required under applicable laws and regulations.
c. GitHub will maintain standard security industry practices to include, but are not limited to:
- Vulnerability Management Program
- Secure Development Training, Review and Coding Practices
- Production Systems Logical and Physical Access Controls
- External Technical Assessments and Audits
- Security Policies, Standards and Standard Operating Procedures
- Security and Privacy Awareness Training
1.2 Security Incident Management. Throughout the duration of the GitHub Supplemental Terms, and where applicable, GitHub will provide a Security incident management program as follows:
a. Security Availability and Escalation. GitHub will maintain appropriate security contact and escalation processes on a 24-hours-per-day, 7-days-per-week basis to ensure customers and employees can submit issues to the GitHub Security team.
b. Incident Response. If GitHub becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data (each a "Security Incident"), GitHub will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
c. Notification. Notification(s) of Security Incidents will be delivered to one or more of Customer's administrators by any means GitHub selects. It is Customer's sole responsibility to ensure Customer's administrators monitor for and respond to any notifications. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
d. Reasonable Assistance. GitHub will make commercially reasonable efforts to assist Customer in fulfilling Customer's obligation under applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
1.3 Due Diligence over Subcontractors and Vendors. GitHub will maintain appropriate due diligence when utilizing subcontractors and vendors. GitHub will maintain vendor assessment reports and any assessment work for a minimum of three years.
1.4 Data Center Physical Safeguards. To the extent GitHub utilizes third party vendors to host production environments, GitHub will select vendors that comply with physical security controls outlined in industry standards and that issue an annual external audit report such as SOC 2 or ISO 27001 certification. All access to areas, cabinets, or racks that house telecommunications, networking devices, and other "data transmission lines" or equipment will be controlled as follows:
a. access will be controlled by badge reader at one or more entrance points;
b. doors used only as exit points will have only "one way" doorknobs or crash bar exit devices installed;
c. all doors will be equipped with door alarm contacts;
d. all exit doors will have video surveillance capability; and
e. all card access and video systems will be tied in to generator or UPS backup systems.
2. Requests for Information and Compliance Reporting.
2.1 Requests for Information. Upon Customer's written request and no more than once annually, GitHub will respond to one request for information to assess security and compliance risk-related information. The response will be provided in writing within thirty days of receipt of the request, pending needed clarifications of any request.
2.2 Response Contents. GitHub will include in its annual response relevant audit reports for production datacenter, IaaS, PaaS or private hosting providers, as deemed relevant by GitHub, in its sole discretion and based on data and services rendered.
2.3 GitHub Security Audit Report. GitHub will execute external audits to produce a SOC1, type 2, audit report and a SOC2, type 2, audit report. GitHub will continue to execute audits and issue corresponding reports for the duration of the GitHub Supplemental Terms on at least an annual basis.
3. Cooperation with Regulatory Audits.
3.1 Regulatory Audits. Should Customer realize a regulatory audit or an audit in response to a Supervisory Authority that requires participation from GitHub, GitHub will fully cooperate with related requests by providing access to relevant knowledgeable personnel, documentation, and application software. Customer has the following responsibilities regarding any such regulatory or Supervisory Authority audits:
a. Customer must ensure use of an independent third party (meaning the regulator or regulator's delegate), and that findings and data not relevant to Customer are restricted from Customer’s access.
b. Notification of such audit must be written and provided to GitHub in a timely fashion, pending regulator notification, and in a manner that allows for appropriate personnel to be made available to assist. Where regulators provide no advance notice to Customer of audit or investigation, GitHub will respond in as timely a fashion as required by regulators.
c. Any third party auditor must disclose to GitHub any findings and recommended actions where allowed by regulator.
d. In the event of a regulatory audit, access will be permitted only during regular business hours, Pacific time.
e. To the extent permitted by law, Customer must keep confidential any information gathered through any such audit of GitHub that, by its nature, should be confidential.
EXHIBIT C: DEFINITIONS FOR SECTIONS 1-3
"Active User" means a User trying to access the Service at the time of an Outage.
”Add-On Software” means Advanced Security, Insights, and other additional Software add-on products that GitHub may offer from time to time.
“Advanced Security” means the Software feature which enables Customer to identify security vulnerabilities through customizable and automated semantic code analysis.
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party where "control" means having more than fifty percent (50%) ownership or the right to direct the management of the entity.
“All Users” means, collectively, Customer’s Users and External Users who use the Service.
“Connect” or “GitHub Connect” means a feature included in the Software that enables Customer to connect the Software with the Service. Use of GitHub Connect is subject to the GitHub Connect terms set forth in the GitHub Additional Product Terms.
"Content" means, without limitation, text, data, articles, images, photographs, graphics, software, applications, designs, features, and other materials that are featured, displayed, or otherwise made available through the Service.
"Corporate Account" means an account created by a User on behalf of an entity.
"Customer" means, collectively, the company or organization that has entered into these GitHub Supplemental Terms with GitHub by clicking on the "I AGREE" or similar button or by accessing the Products, and Customer's Affiliates and Representatives.
"Customer Content" means Content that Customer creates, owns, or to which Customer holds the rights.
“Customer Modifications” means Software modifications Customer may make solely for the purpose of developing bug fixes, customizations, or additional features to any libraries licensed under open source licenses that may be included with or linked to by the Software.
"Documentation" means any manuals, documentation and other supporting materials relating to the Software or Service that GitHub provides or makes available to Customer.
"Effective Date" is the earlier of the date on which Customer (i) agrees to the terms and conditions of these GitHub Supplemental Terms as described above, or (ii) first places an order for the Products.
"Essential Services" means the services essential to GitHub's core version control functionality, including creating, Forking, and cloning repositories; creating, committing, and merging branches; creating, reviewing, and merging pull requests; and, web, API, and Git client interfaces to the core Git workflows. The following are examples of peripheral features and services not included: webhooks, Gists, Pages, and email notifications.
"External User" means an individual, not including Customer’s Users, who visit or use the Service.
"Fees" means the fees Customer is required to pay GitHub to (i) use the Products during the applicable Subscription Term or (ii) receive Professional Services, as such fees are reflected on an Order Form or SOW.
“Feedback” means any ideas, know-how, algorithms, code contributions, suggestions, enhancement requests, recommendations or any other feedback on GitHub products or services.
“Fork” means to copy the Content of one repository into another repository.
"GitHub" means, collectively, GitHub, Inc., its Affiliates and Representatives.
"GitHub Content" means Content that GitHub creates, owns, or to which it holds the rights.
"GitHub Insights" or “Insights” means the Software feature which provides Customer with metrics, analytics, and recommendations relating to their use of the Software. GitHub Insights does not include legacy features of GitHub including organization insights and repository insights.
"License Key" means the data file used by the Software's access control mechanism that allows Customer to install, operate, and use the Software.
“Machine Account” means an account registered by an individual human who accepts the applicable terms of service on behalf of the Machine Account, provides a valid email address, and is responsible for its actions. A Machine Account is used exclusively for performing automated tasks. Multiple Users may direct the actions of a Machine Account, but the owner of the account is ultimately responsible for the machine's actions.
"Order Form" means written or electronic documentation (including a quote) that the Parties use to order the Products.
“Organization” means a shared workspace that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User can be a member of more than one Organization.
"Outage" means the interruption of an Essential Service that affects more than 50% of Active Users.
“Private Repository” means a repository which allows a User to control access to Content.
"Professional Services" means training, consulting, or implementation services that GitHub provides pursuant to a mutually executed SOW. Professional Services do not include Support.
“Public Repository” means a repository whose Content is visible to All Users.
"Release" means a Software release that GitHub makes generally available to its customers, along with any corresponding changes to Documentation, that contains enhancements, new features, or new functionality, generally indicated by a change in the digit to the right of the first decimal point (e.g., x.x.x to x.y.x) or to the left of the first decimal point (e.g., x.x.x to y.x.x).
"Representatives" means a Party’s employees, agents, independent contractors, consultants, and legal and financial advisors.
“Scraping” means extracting data from the Service via an automated process, such as a bot or webcrawler, and does not include the collection of information through GitHub's API.
"Service" means the hosted GitHub Enterprise Cloud service. The Service includes: Organization account(s), SAML single sign-on, access provisioning, and any applicable Documentation. This list of features and services is non-exhaustive and may be updated from time to time.
"Service Credit" means a dollar credit, calculated as set forth below, that GitHub may credit back to an eligible account.
"Software" means GitHub Enterprise Server on-premises software. Software includes the GitHub Connect feature, any applicable Documentation, any Updates to the Software that GitHub provides to Customer or that it can access under these GitHub Supplemental Terms, and, if included in Customer’s subscription, Add-On Software.
"SOW" means a mutually executed statement of work detailing the Professional Services GitHub will perform, any related Fees, and each Party's related obligations.
“Subscription License” means the license assigned to each User to install, operate, access, and use the Products on Customer’s behalf. Customer may only assign one Subscription License per User across its GitHub Enterprise Server instances and GitHub Enterprise Cloud Organizations. Each User will have access to as many of Customer’s Enterprise Server instances or Enterprise Cloud Organizations, as Customer permits. For clarity, however, once Customer assigns a Subscription License to a User, Customer will not be authorized to bifurcate the Subscription License so that one User can use a Subscription License on Enterprise Server while another User uses the same Subscription License on another instance of GitHub Enterprise Server or on an Organization on GitHub Enterprise Cloud. Subscription Licenses are granted on a per User basis and multiple Users may not use the same Subscription License. Customer may reassign a Subscription License to a new User only after ninety (90) days from the last reassignment of that same Subscription License, unless the reassignment is due to (i) permanent hardware failure or loss, (ii) termination of the User’s employment or contract, or (iii) temporary reallocation of Subscription Licenses to cover a User’s absence. When Customer reassigns a Subscription License from one User to another, Customer must block the former User’s access to the Subscription License and Customer’s Organizations.
“Subscription Term” means one (1) year from the applicable effective date of an order or as otherwise stated in the Order Form.
“Support” means technical support for the Software or Service that GitHub may provide.
“Update” means a Software release that GitHub makes generally available to its customers, along with any corresponding changes to Documentation, that contains error corrections or bug fixes, generally indicated by a change in the digit to the right of the second decimal point (e.g., x.x.x to x.x.y).
“Uptime” means the percentage of time in a given quarter where GitHub's Essential Services will not be interrupted by an Outage affecting more than 50% of Active Users
“User” means (i) with respect to the Software, a single person or Machine Account that initiates the execution of the Software or interacts with or directs the Software in the performance of its functions; and (ii) with respect to the Service, an individual or Machine Account who (a) accesses or uses the Service, (b) accesses or uses any part of Customer’s account, or (c) directs the use of Customer’s account in the performance of functions, in each case on Customer’s behalf. The number of Users should not exceed the number of Subscription Licenses that Customer has purchased.
“User-Generated Content” means Content created or owned by a third party or External User.