GitHub Supplemental Terms for Microsoft Volume Licensing
The following terms supplement Customer's Microsoft volume licensing agreement ("Microsoft Customer Agreement") and, together with the Microsoft Customer Agreement, govern Customer's use of GitHub Enterprise (as defined below). The Microsoft Customer Agreement is incorporated herein by this reference.
"GitHub" means, collectively, GitHub, Inc. and its Affiliates, contractors, licensors, officers, directors, employees, and agents.
"GitHub Enterprise" means the GitHub offering comprised of GitHub Enterprise Server (as defined in Section A below) and GitHub Enterprise Cloud (as defined in Section B below).
"Seats" means the number of User accounts for GitHub Enterprise that you are authorized to create. You may only provision one Seat per User across GitHub Enterprise Server and GitHub Enterprise Cloud. For clarity, once you provision a Seat to a User, you will not be authorized to bifurcate the Seat so that one User can use a Seat on GitHub Enterprise Server while another User uses the same Seat on GitHub Enterprise Cloud.
Other capitalized terms used but not defined in these supplemental terms have the meanings assigned to them in the Microsoft Customer Agreement.
A. GitHub Enterprise Server Terms
The terms in this Section A govern Customer's use of GitHub Enterprise Server, including any related Support.
"Documentation" means any manuals, documentation and other supporting materials related to the Software (as defined below) that GitHub provides or makes available to Customer.
"License" means a data file used by the Software's access control mechanism that allows Customer to install, operate, and use the Software.
"License Key" means the means by which a License is delivered via a secure, password-protected website.
"Release" means a Software release that GitHub makes generally available to its customers, along with any corresponding changes to Documentation, that is comprised of an enhancement, new feature, or new functionality, generally indicated by a change in the digit to the right of the first decimal point (e.g., x.x.x to x.y.x) or to the left of the first decimal point (e.g., x.x.x to y.x.x).
"Software" means GitHub's proprietary GitHub Enterprise Server software. Software includes any Documentation, as well as any Updates to the Software that GitHub provides to Customer or that Customer can access under the Microsoft Customer Agreement and this Section A.
"Support" has the meaning set forth in Section 8 below.
"Update" means a Software release that GitHub makes generally available to its customers, along with any corresponding changes to Documentation, that is comprised of an error correction or bug fix, generally indicated by a change in the digit to the right of the second decimal point (e.g., x.x.x to x.x.y).
"User" means a single person or machine account that initiates the execution of the Software or interacts with or directs the Software in the performance of its functions. The number of Users should not exceed the number of Seats that Customer has licensed.
2. License Grant.
Subject to Customer's compliance with the Microsoft Customer Agreement and this Section A, GitHub grants to Customer a non-exclusive, non-transferable, worldwide, royalty-free, limited-term license to install and use a single production License of the Software for its internal business purposes, in accordance with the Documentation, and only for the number and type of Seats stated in Customer's order. Customer may make copies of the Software for non-production purposes only, such as for testing, staging or quality assurance, provided that Customer reproduces all copyright and other proprietary notices that appear on the original copy of the Software. Customer's Affiliates, agents and contractors (together, "Authorized Third Parties") may also use the Software, so long as they are using it on Customer's behalf and Customer agrees to remain fully responsible for such Authorized Third Parties' behavior under the Microsoft Customer Agreement and this Section A.
Except as expressly permitted by applicable law or by applicable third-party license, and in addition to any license restrictions set forth in the Microsoft Customer Agreement, Customer and its Affiliates must not and must not allow any third party to: (i) disclose or permit any third party to access the Software, except as expressly permitted in this Section A; (ii) hack or modify the License Key, or avoid or change any license registration process; (iii) modify or create derivative works of the Software, or merge the Software with other software; (iv) modify, obscure, or delete any proprietary rights notices included in or on the Software or Documentation; or (v) otherwise use or copy the Software in any manner not expressly permitted by this Section A.
Customer may modify the Software solely for the purpose of developing bug fixes, customizations and additional features to any libraries licensed under open source licenses that may be included with or linked to by the Software ("Customer Modifications"). Notwithstanding anything in this Section A to the contrary, GitHub has no support, warranty, indemnification or other obligation or liability with respect to Customer Modifications or its combination, interaction or use with the Software.
5. Third-Party Code.
The Software includes components licensed to GitHub by third parties, including components whose licenses require GitHub to make the source code for those components available. The source code for such components will be provided upon request.
Only one person may be associated with a User account. Multiple Users are not allowed to use the same Seat. Customer may swap out, delete, or suspend a User, and then assign a new User to the open Seat subject to the definition of Seats above.
GitHub will make the Software and the License available for Customer to download on a secure, password-protected website. All deliveries under this Section A will be electronic. For the avoidance of doubt, Customer is responsible for installation of any Software and acknowledges that GitHub has no further delivery obligation with respect to the Software after delivery of the License. As Updates become available, GitHub will make those available for download on the same website. Customer must Update the Software on a commercially reasonable basis but no less than one (1) time per year. Customer is responsible for maintaining the confidentiality of its usernames and passwords, including those it uses to download the Software and is responsible for any activity with respect to its usernames and passwords.
Subject to Customer's compliance with the Microsoft Customer Agreement and this Section A, GitHub will provide technical support for the Software as further described in the Microsoft Customer Agreement ("Support"). Notwithstanding anything to the contrary in the Microsoft Customer Agreement, (i) GitHub will use reasonable efforts to correct any material, reproducible errors in the Software upon Customer's notification of an error but will not be responsible for providing Support where (a) someone (other than GitHub) modifies the Software; (b) Customer changes its operating system or environment in a way that adversely affects the Software or its performance; (c) Customer uses the Software in a manner other than as authorized under the Microsoft Customer Agreement, this Section A or the Documentation; or (d) there is a Customer accident or negligence, or misuse of the Software; and (ii) GitHub will only Support a given Release for one (1) year from the original Release date, or six (6) months from the last Update of the Release, whichever is longer.
9. GitHub Connect.
Customer has the ability to connect Customer's Software with GitHub.com ("GitHub Connect"). In order to access GitHub Connect, Customer must have at least one (1) account on GitHub.com and one (1) licensed instance of the Software. In addition to this Section A, Customer's access to and use of GitHub Connect will also be governed by the terms of Section B below.
Customer may not use GitHub Connect to violate any terms of Section B below. Any use of GitHub Connect that violates any such terms will also be a violation of this Section A. GitHub Connect may be used for performing automated tasks. In addition, multiple Users may direct certain actions with GitHub Connect. Customer is responsible for actions that are performed on or through Customer's accounts.
GitHub may collect information about how Customer uses GitHub Connect to provide and improve the feature. By using GitHub Connect, Customer authorizes GitHub to collect protected data, which includes private repository data and User Personal Information (as defined in GitHub's Privacy Statement), from Customer's GitHub Enterprise Server account. Customer also authorizes the transfer of identifying instance information to GitHub through GitHub Connect, which information is governed by GitHub's Privacy Statement.
10. Limited Software Warranty.
GitHub warrants that, for ninety (90) days from the date it is made available for initial download, the unmodified Software will substantially conform to its Documentation. GitHub does not warrant that Customer's use of the Software will be uninterrupted, or that the operation of the Software will be error-free. This warranty will not apply if Customer modifies or uses the Software in any way that is not expressly permitted by this Section A and the Documentation. GitHub's only obligation, and Customer's only remedy, for any breach of this limited warranty will be as set forth in the Microsoft Customer Agreement.
B. GitHub Enterprise Cloud Terms
The terms in this Section B govern Customer's use of GitHub Enterprise Cloud and apply to Customer upon creation of a Corporate Account and/or an Organization on the Service by Customer's User(s) or by GitHub on Customer's behalf.
"Account" means Customer's legal relationship with GitHub. A "User Account" means an individual User's authorization to log in to and use the Service and serves as a User's identity on the Website. A "Corporate Account" means an Account created by a User on behalf of an entity. A Corporate Account may include a GitHub Enterprise Cloud subscription or a Team plan.
"Active User" means a user trying to access the Service at the time of an Outage.
"Content" means content featured or displayed through the Website, including, without limitation, text, data, articles, images, photographs, graphics, software, applications, designs, features, and other materials that are available on the Website or otherwise available through the Service. "User-Generated Content" is Content, written or otherwise, created or uploaded by All Users. "Customer Content" is Content that Customer creates, owns, or to which Customer is the rights holder.
"Customer" means the entity (such as a company or non-profit organization) that (i) visits or uses the Website or Service; (ii) accesses or uses any part of the Account; or (iii) directs the use of the Account in the performance of its functions. Special terms may apply for business or government accounts, as set forth in Section 2.6 below.
"Developer Product" means a third-party application or other developer product created by a third party that collects User Personal Information (as defined in GitHub's Privacy Statement) or User-Generated Content and integrates with the Service through GitHub's API, OAuth mechanism, or otherwise.
"Eligible User" means an individual who is designated as a member of the Customer's GitHub Enterprise Cloud organization by having such individual's GitHub account associated with the Customer's GitHub Enterprise Cloud account.
"Essential Services" means the services essential to GitHub's core version control functionality, including features and services such as creating, forking, and cloning repositories; creating, committing, and merging branches; creating, reviewing, and merging pull requests; and web, API, and Git client interfaces to the core Git workflows. The following are examples of peripheral features and services not included: webhooks, Gists, Pages, or email notifications.
"GitHub Enterprise Cloud" (formerly known as Business Cloud) means the following features included in Customer's Service Account: an Organization account, SAML single sign-on, access provisioning, the uptime service level agreement (or "SLA") set forth in Section 14 below, and the GitHub Data Protection Addendum and Security Exhibit attached to these supplemental terms.
"Organization" means a shared workspace that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User Account can be a member of any number of Organizations.
"Outage" means the interruption of an Essential Service that affects more than 50% of Active Users.
"Scheduled Downtime" means maintenance or updates to the Service (including to any servers or other hardware required to host the Service), which has been scheduled in advance, during which the Service may be down or inaccessible to Users.
"Service" means, collectively, the applications, software (excluding the Software covered in Section A above), products, and services provided by GitHub, including on or through the Website.
"Service Credit" means a dollar credit, calculated as set forth below, that GitHub may credit back to an eligible Account.
"User" means the individual who (i) visits or uses the Website or Service, (ii) accesses or uses any part of the Account, or (iii) directs the use of the Account in the performance of functions, in each case on Customer's behalf. "Other Users" means individuals, not including Customer's Users, who visit or use the Website or Service. Users and Other Users are collectively referred to as "All Users."
"Website" means, collectively, (i) GitHub's website located at github.com, (ii) GitHub-owned subdomains of github.com, such as education.github.com and pages.github.com, (iii) GitHub's conference websites, such as githubuniverse.com, and (iv) GitHub's product websites, such as atom.io. Occasionally, websites owned by GitHub may provide different or additional terms of service. If those terms conflict with this Section B, the more specific terms apply to the relevant page or service.
2. Account Terms.
2.1 Account Controls.
(i) Users. All Users retain ultimate administrative control over their User Accounts and the Content within them. GitHub's Standard Terms of Service govern All Users' use of the Website, except with respect to Users' activities under this Section B.
(ii) Organizations. Customer has ultimate administrative control over any Organization created on its behalf and User-Generated Content posted to the repositories within those Organizations, subject to this Section B. Customer can manage User access to the Organization's data and projects. Within the Service, Customer must designate one or more User Accounts as "owners" who are delegated administrative control of the Organization, but this designation does not supersede Customer's ultimate administrative rights over the Organization. This Section B will govern the use of Customer's Organization.
2.2 Corporate Terms Applicability. This Section B applies only if Customer is entering into an agreement with GitHub on behalf of an entity, such as a company or non-profit organization. To the extent this Section B conflicts with any other terms Customer has accepted for use of the Website, this Section B will govern with respect to any work a User does on the Website.
2.3 Corporate Account Association. If Customer would like to associate its Organization with a Corporate Account, GitHub will use best efforts to confirm that association based on the information Customer provides.
2.4 Corporate Account Requirements. Customer must create a User Account before it can create a Corporate Account or must allow GitHub to create a Corporate Account and/or an Organization on Customer's behalf.
In order to create a User Account:
A human must create the Account. Accounts registered by "bots" or other automated methods are not permitted. GitHub permits machine Accounts. A "machine Account" is an Account set up by an individual human who accepts the applicable terms of service on behalf of the Account, provides a valid email address, and is responsible for its actions. A machine Account is used exclusively for performing automated tasks. Multiple users may direct the actions of a machine Account, but the owner of the Account is ultimately responsible for the machine's actions. Customer may maintain no more than one free machine Account in addition to Customer's free User Account.
One person or entity may maintain no more than one free Account (if Customer chooses to control a machine Account as well, that's fine, but it can only be used for running a machine).
Customer may not create an Account for the use of any User under the age of 13. GitHub does not target the Service to children under 13, and it does not permit any Users under 13 on the Service. If GitHub learns of any User under the age of 13, it will terminate that User's Account immediately. If Customer is a resident of a country outside the United States, such country's minimum age may be older; in such a case, Customer is responsible for complying with such country's laws.
Customer's login may only be used by one person (i.e., a single login may not be shared by multiple people). A paid organization Account may only provide access to as many User Accounts as its subscription allows.
Overall, the number of Users accessing Organizations associated with Customer's Corporate Account must not exceed the number GitHub has authorized for such Corporate Account.
You are not a person who is barred from using GitHub under United States law or the laws of any other applicable jurisdiction. You may not be located in or ordinarily resident in a country or territory subject to comprehensive sanctions administered by the U.S. Office of Foreign Assets Control (OFAC). You may not use GitHub if you are or are working on behalf of a Specially Designated National (SDN) or a person subject to similar blocking or denied party prohibitions. For more information, please see our Export Controls policy.
2.5 User Account Security. Customer is responsible for the following:
Keeping Customer's Account secure while using the Website. GitHub offers tools such as two-factor authentication to help maintain Account security, but the content of Customer's Account and its security are up to Customer.
All content posted and activity that occurs under Customer's Account (even when content is posted by others who have Accounts under Customer's Account).
Maintaining the security of Customer's Account and password. GitHub will not be liable for any loss or damage from Customer's failure to comply with this security obligation.
Promptly notifying GitHub if Customer becomes aware of any unauthorized use of, or access to, the Service through Customer's Account, including any unauthorized use of any password or Account.
2.6 Additional Terms. In some situations, third parties' terms may apply to Customer's use of the Service. For example, Customer may be a member of an organization with its own terms or license agreements; Customer may download an application that integrates with the Service; or Customer may use the Service to authenticate to another service. While the Microsoft Customer Agreement and this Section B comprise GitHub's full agreement with Customer with respect to Customer's use of GitHub Enterprise Cloud, other parties' terms govern their relationships with Customer. If Customer is a government User or otherwise accessing or using any portion of the Service in a government capacity, the Government Amendment to GitHub Terms of Service applies to Customer, and Customer agrees to its provisions.
3. Acceptable Use.
3.1 Compliance with Laws and Regulations. Customer's use of the Website and Service must not violate any applicable laws, including copyright or trademark laws, U.S. and other applicable export control or sanctions laws, or other laws in Customer's jurisdiction. Customer is responsible for making sure that its and its Users' use of the Service is in compliance with all applicable laws and regulations.
3.2 Content Restrictions. Under no circumstances will Customer or its Users upload, post, host, or transmit any content that:
is unlawful or promotes unlawful activities;
is or contains sexually obscene content;
is libelous, defamatory, or fraudulent;
gratuitously depicts or glorifies violence, including violent images;
is discriminatory or abusive toward any individual or group;
contains or installs any active malware or exploits, or uses GitHub's platform for exploit delivery (such as part of a command and control system); or
infringes on any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other rights.
3.3 Conduct Restrictions. While using the Service, Customer agrees that under no circumstances will it or its Users:
harass, abuse, threaten, or incite violence towards any individual or group, including GitHub and Other Users;
use GitHub servers for any form of excessive automated bulk activity (for example, spamming), or relay any other form of unsolicited advertising or solicitation through such servers, such as get-rich-quick schemes;
attempt to disrupt or tamper with GitHub servers in ways that could harm the Website or Service, to place undue burden on such servers through automated means, or to access the Service in ways that exceed Customer's authorization (other than those authorized by the GitHub Bug Bounty program);
impersonate any person or entity, including any GitHub employees or representatives, including through false association with GitHub, or by fraudulently misrepresenting Customer's identity or purpose; or
violate the privacy of any third party, such as by posting another person's personal information without consent.
3.4 Services Usage Limits. Customer will not reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without GitHub's express written permission.
3.4 Scraping. Scraping refers to extracting data from the Website via an automated process, such as a bot or webcrawler. It does not refer to the collection of information through GitHub's API. Customer may scrape the Website for the following reasons:
Researchers may scrape public, non-personal information from the Website for research purposes, only if any publications resulting from that research are open access.
Archivists may scrape the Website for public data for archival purposes.
Customer may not scrape the Website for spamming purposes, including for the purposes of selling Other Users' personal information, such as to recruiters, headhunters, and job boards.
3.5 Privacy. Any person, entity, or service collecting data from GitHub (including, without limitation, through scraping under Section 3.4 above) must comply with GitHub's Privacy Statement, particularly in regards to the collection of User Personal Information (as defined in the GitHub Privacy Statement). If Customer collects any User Personal Information from GitHub, Customer will only use such User Personal Information for the purpose for which the Other User has authorized it. Customer will reasonably secure any such User Personal Information, and will respond promptly to complaints, removal requests, and "do not contact" requests from GitHub or Other Users.
3.6 Excessive Bandwidth Use. If GitHub determines Customer's bandwidth usage to be significantly excessive in relation to Other Users, it reserves the right to suspend Customer's Account or throttle its file hosting until Customer can reduce its bandwidth consumption.
3.7 User Protection. Customer will not engage in activity that significantly harms Other Users. GitHub will resolve disputes in favor of protecting All Users as a whole.
4. User-Generated Content.
4.1 Responsibility for User-Generated Content. Customer may create or upload User-Generated Content while using the Service. Customer is solely responsible for the content of, and for any harm resulting from, any User-Generated Content that it or its Users post, upload, link to or otherwise make available via the Service, regardless of the form of that Content. GitHub is not responsible for any public display or misuse of User-Generated Content.
4.2 GitHub May Remove Content. GitHub does not pre-screen User-Generated Content, but it has the right (though not the obligation) to refuse or remove any User-Generated Content that, in its sole discretion, violates any GitHub terms or policies.
4.3 Ownership of Content, Right to Post, and License Grants.
(i) Customer retains ownership of and responsibility for Customer Content. If Customer posts anything it or its Users did not create themselves and on Customer's behalf, or does not own the rights to, Customer and its Users (a) are responsible for such Customer Content, (b) will only submit Customer Content that Customer has the right to post, and (c) Customer will fully comply with any third-party licenses relating to Customer Content that Customer posts.
(ii) Customer grants to GitHub and Other Users the rights set forth in Sections 4.4 through 4.6 below with respect to Customer Content. If Customer uploads Content that already comes with a license granting GitHub the permissions it needs to run the Service, no additional license is required. Customer acknowledges and agrees that it will not receive any payment for any of the rights granted in Sections 4.4 through 4.6, and such rights will end when Customer removes Customer Content from GitHub's servers, unless Other Users have forked it.
4.4 License to GitHub. Customer grants to GitHub the right to store, parse, and display Customer Content, and make incidental copies as necessary to render the Website and provide the Service. This includes the right to do things like copy it to GitHub's database and make backups; parse it into a search index or otherwise analyze it on GitHub's servers; show it to Customer or those Customer chooses to show it to; share it with Other Users Customer chooses to share it with; and perform it, in case Customer Content is something like music or video. These rights apply to both public and private repositories. This license does not grant GitHub the right to sell Customer Content or otherwise distribute or use it outside of the provision of the Service.
4.5 License to Other Users.
(i) Any User-Generated Content Customer or its Users post publicly, including issues, comments, and contributions to Other Users' repositories, may be viewed by others. By setting Customer's repositories to be viewed publicly, Customer agrees to allow Other Users to view and "fork" such repositories (i.e., Other Users may make their own copies of Customer Content from Customer's repositories in repositories they control).
(ii) If Customer sets its pages and repositories to be viewed publicly, Customer grants to Other Users a nonexclusive, worldwide license to use, display, and perform Customer Content through the Service and to reproduce Customer Content solely on the Service as permitted through functionality provided by GitHub (for example, through forking). Customer may grant further rights if Customer adopts a license. If Customer is uploading Content it did not create or own, Customer is responsible for ensuring that the Content it uploads is licensed under terms that grant these permissions to Other Users.
4.6 Contributions Under Repository License. Whenever Customer makes a contribution to a repository containing notice of a license, Customer licenses such contribution under the same terms, and Customer agrees that it has the right to license such contribution under those terms. If Customer has a separate agreement to license such contribution under different terms, such as a contributor license agreement, that agreement will supersede.
5. Private Repositories.
5.1 Control of Private Repositories. Some Accounts may have private repositories, which allow a User to control access to Content.
5.2 Confidentiality of Private Repositories. GitHub considers the contents of your private repositories to be confidential to you. GitHub will protect and keep strictly confidential the contents of private repositories in accordance with the applicable confidentiality provision in your Microsoft Customer Agreement.
5.3 Access. GitHub employees may only access the content of Customer's private repositories in the following situations:
With Customer's consent and knowledge, for support reasons. If GitHub accesses a private repository for support reasons, it will only do so with the owner's consent and knowledge.
When access is required for security reasons, including when access is required to maintain ongoing confidentiality, integrity, availability and resilience of GitHub's systems and Service.
Customer may choose to enable additional access to its private repositories. For example, Customer may enable various GitHub services or features that require additional rights to Customer Content in private repositories. These rights may vary depending on the service or feature, but GitHub will continue to treat Customer Content in private repositories as Customer's Confidential Information. If those services or features require rights in addition to those needed to provide the Service, GitHub will provide an explanation of those rights.
5.4 Exclusions. If GitHub has reason to believe the contents of a private repository are in violation of law, the Microsoft Customer Agreement or this Section B, GitHub has the right to access, review, and remove them. Additionally, GitHub may be compelled by law to disclose the contents of Customer's private repositories.
6. Copyright Infringement and DMCA Policy.
If Customer is a copyright owner and believes that content on the Website violates its copyright, Customer may contact GitHub in accordance with GitHub's Digital Millennium Copyright Act Policy, by notifying GitHub via its DMCA form or by emailing email@example.com. GitHub will terminate the Accounts of repeat infringers of this policy.
7. GitHub Trademarks and Logos.
If Customer would like to use GitHub's trademarks, it must follow all of GitHub's trademark guidelines, including those on the logos page.
8. API Terms.
Abuse or excessively frequent requests to GitHub via the API may result in the temporary or permanent suspension of Customer's Account access to the API. GitHub, in its sole discretion, will determine abuse or excessive usage of the API. GitHub will make a reasonable attempt to warn Customer via email prior to suspension. Customer may not share API tokens to exceed GitHub's rate limitations. Customer may not use the API to download data or Content from the Website for spamming purposes, including for the purposes of selling User Personal Information, such as to recruiters, headhunters, and job boards. All use of the GitHub API is subject to this Section B and the GitHub Privacy Statement. GitHub may offer subscription-based access to its API if Customer requires high-throughput access or access that would result in resale of GitHub's Service.
9. Additional Terms for GitHub Pages and GitHub Learning Lab.
9.1 GitHub Pages. Each Account comes with access to the GitHub Pages static hosting service (as further described at https://help.github.com/articles/what-is-github-pages/). This hosting service is intended to host static web pages for All Users. GitHub Pages are subject to some specific bandwidth and usage limits, and may not be appropriate for some high-bandwidth uses or other prohibited uses. Please see the GitHub Pages guidelines for more information. GitHub reserves the right at all times to reclaim any GitHub.com subdomain without liability.
9.1 GitHub Learning Lab. If you decide to purchase and use the GitHub Learning Lab application and associated documentation, depending on the nature of your usage, the GitHub Learning Lab Terms and Conditions found at either https://lab.github.com/organizations/terms or https://lab.github.com/terms will apply.
10. Third-Party Applications.
10.1 Creating Applications. If Customer creates a Developer Product and makes it available for Other Users, then Customer must comply with the following requirements:
Customer must comply with this Section B and the GitHub Privacy Statement.
Except as otherwise permitted, such as by law or by a license, Customer must limit its usage of the User Personal Information or User-Generated Content it collects to that purpose for which the User has authorized its collection.
Customer must take all reasonable security measures appropriate to the risks, such as against accidental or unlawful destruction, or accidental loss, alteration, unauthorized disclosure or access, presented by processing the User Personal Information or User-Generated Content.
Customer must provide Users with a method of deleting any User Personal Information or User-Generated Content it has collected through GitHub after it is no longer needed for the limited and specified purposes for which the User authorized its collection, except where retention is required by law or otherwise permitted, such as through a license.
10.2 Using Third-Party Applications.
(i) Customer may grant a Developer Product authorization to use, access, and disclose the contents of Customer's repositories, including its private repositories. Some Developer Products are available through GitHub Marketplace. Some Developer Products can be used for performing automated tasks, and in some cases, multiple Users may direct the actions of a Developer Product. However, if Customer purchases and/or sets up a Developer Product on its Account, or Customer is an owner of an Account with an integrated Developer Product, then Customer will be responsible for the Developer Product's actions that are performed on or through Customer's Account. Please see GitHub's Privacy Statement for more information about how GitHub shares data with Developer Products.
(ii) GitHub makes no warranties of any kind in relation to Developer Products and is not liable for disclosures to third parties that Customer authorizes to access Customer Content. Customer's use of any third-party applications is at its sole risk.
(iii) If Customer buys Developer Products through GitHub Marketplace, the GitHub Marketplace Terms of Service controls such purchase. This Section B, as well as the GitHub Marketplace Terms of Service, will govern Customer's use of GitHub Marketplace.
11. Advertising on GitHub.
11.1 GitHub Pages. GitHub offers Pages sites primarily as a showcase for personal and organizational projects. Some monetization efforts are permitted on Pages, such as donation buttons and crowdfunding links.
11.2 GitHub Repositories. Repositories are intended to host Content. Customer may include static images, links, and promotional text in the README documents associated with its repositories, but they must be related to the project Customer is hosting on the Website. Customer may not advertise in Other Users' repositories, such as by posting monetized or excessive bulk content in issues.
11.3 Spamming and Inappropriate Use of GitHub. Advertising Content must not violate the law or these supplemental terms, for example through excessive bulk activity such as spamming. GitHub reserves the right to remove any advertisements that, in its sole discretion, violate any GitHub terms or policies.
12. Cancellation and Termination.
12.1 Account Cancellation. It is Customer's responsibility to properly cancel its Account with GitHub. Customer may cancel its Account at any time by going into its Settings in the global navigation bar at the top of the screen. GitHub is not able to cancel Accounts in response to an email or phone request.
12.2 Upon Cancellation or Termination.
GitHub will retain and use Customer information as necessary to comply with GitHub's legal obligations, resolve disputes, and enforce its agreements, but barring legal requirements, GitHub will delete Customer's full profile and the Content of Customer's repositories within ninety (90) days of cancellation or termination (though some information may remain in encrypted backups). This information cannot be recovered once Customer's Account is cancelled. GitHub will not delete Customer Content that Customer has contributed to Other Users' repositories or that Other Users have forked.
Upon request, GitHub will use reasonable efforts to provide an Account owner with a copy of Customer's lawful, non-infringing Account contents after any Account closure, suspension, or downgrade. Customer must make this request within ninety (90) days of closure, suspension, or downgrade.
12.3 Suspension and Termination. GitHub has the right to suspend access to all or any part of the Service at any time for violation of these Terms or to protect the integrity, operability, and security of the Website or the Service, effective immediately, with or without notice. Unless prohibited by law or legal process or to prevent imminent harm to the Service or any third party, GitHub typically provides notice in the form of a banner or email on or before such suspension. GitHub will, in our discretion and using good faith, tailor any suspension as needed to preserve the integrity, operability, and security of the Website and Service. GitHub has the right to terminate your Account at any time (i) with cause, upon 30 days’ advance notice, or (ii) if your Account has been suspended for more than 90 days.
13. Communications with GitHub.
GitHub only offers support via email, in-Service communications, and electronic messages.
14. GitHub Enterprise Cloud SLA.
14.1 Uptime Guarantee and Calculation. GitHub guarantees that the Service will have a quarterly Uptime percentage of 99.95%. That means GitHub's Essential Services will not be interrupted by an Outage affecting more than 50% of Active Users, for more than .05% of the quarter. If GitHub doesn't meet such 99.95% quarterly Uptime guarantee, GitHub may issue Service Credits to Customers. GitHub's Uptime calculation is based on the percentage of successful requests it serves through its web, API, and Git client interfaces.
14.2 Exclusions from Uptime Guarantee. Exclusions from the Uptime Guarantee include Outages resulting from:
Customer's acts, omissions, or misuse of the Service, including violations of these supplemental terms.
Failures of Customer's internet connectivity.
Factors outside GitHub's reasonable control, including Internet access related problems, force majeure events, and third-party services or technology.
Customer equipment, services, or other technology.
14.3 Uptime Service Credits.
If GitHub's quarterly Uptime percentage drops below the 99.95% Uptime guarantee set forth above, then Customer will be entitled to receive 25 times the amount that was paid for the Outage time that exceeds the quarterly Uptime guarantee ("Uptime Service Credit"), which will be applied against the Customer's next bill. Uptime Service Credits are calculated at the end of each quarter, and may only be granted upon request.
To find out about GitHub's Uptime percentage, Customer may request an Uptime report at the end of each quarter.
In order to be granted Uptime Service Credits, either an Account Owner or Billing Manager must send in a written request, on Customer's behalf, within thirty (30) days of the end of each quarter. Uptime Service Credits may not be saved. After being granted an Uptime Service Credit, it will be automatically applied to Customer's next bill. Written requests should be sent to GitHub Support or Microsoft Support.
14.4 Disclaimer and Limitation of Liability. GitHub's Status Page is not connected to the GitHub Enterprise Cloud SLA and is not an accurate representation of GitHub's uptime for the purposes of calculating Uptime Service Credits. Service Credits are limited to thirty (30) days of paid service, per quarter. Service Credits are Customer's only remedy for any failure by GitHub to meet any uptime obligations as identified in this Section B.
GITHUB DATA PROTECTION ADDENDUM
1.1 The "Applicable Data Protection Laws" refer to certain laws, regulations, regulatory frameworks, or other legislations relating to the processing and use of Personal Data, as applicable to Customer's use of GitHub and the GitHub Service, including:
a. The EU General Data Protection Regulation 2016/679 ("GDPR"), along with any implementing or corresponding equivalent national laws or regulations, once in effect and applicable; and
b. The U.S. Department of Commerce and European Commission's EU-U.S. Privacy Shield Framework ("Privacy Shield"), or any succeeding legislation, available at https://www.privacyshield.gov/, or any succeeding URL, as may be amended. The "Privacy Shield Principles" refer to the principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
1.2 "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," "Processor," and "Supervisory Authority" have the meanings given to them in the Applicable Data Protection Laws. In the event of a conflict, the meanings given in the GDPR will supersede.
1.3 "Customer Personal Data" means any Personal Data for which Customer is a Controller, whether supplied by Customer for processing by GitHub or generated by GitHub in the course of performing its obligations under the Agreement. It includes data such as billing information, IP addresses, corporate email addresses, and any other Personal Data for which Customer is a Controller.
1.4 "Customer Repository Data" means any data or information that is uploaded or created by Customer into any of its private GitHub repositories.
1.5 A "Data Breach" refers to a Personal Data Breach or any other confirmed or reasonably suspected breach of Customer's Protected Data.
1.6 "End User" means an individual Data Subject who controls a GitHub account and has agreed to the GitHub Terms of Service, and whose Personal Data is being transferred, stored, or processed by GitHub. For example, each Customer employee or contractor who has a GitHub account is also a GitHub End User.
1.7 "Permitted Purposes" for data processing are those limited and specific purposes of providing the Service as set forth in the Agreement, the GitHub Privacy Statement, and this Addendum, or the purposes for which a Data Subject has authorized the use of Customer Personal Data.
1.8 "Protected Data" includes any Customer Personal Data and any Customer Repository Data processed by GitHub on behalf of Customer under the Agreement.
1.9 "Sensitive Data" means any Personal Data revealing racial or ethnic origin; political opinions, religious or philosophical beliefs or trade union membership; processing of genetic data or biometric data for the purposes of uniquely identifying a natural person; data concerning health, a natural person's sex life or sexual orientation; and data relating to offences, criminal convictions, or security measures.
2. Status and Compliance
2.1 Data Processing. GitHub acts as a Processor in regard to any Customer Personal Data it receives in connection with the Agreement, and GitHub will process Customer Personal Data only for Permitted Purposes in accordance with Customer's instructions as represented by the Agreement and other written communications. In the event that GitHub is unable to comply with Customer's instructions, such as due to conflicts with the Applicable Data Protection Laws, or where processing is required by the Applicable Data Protection Laws or other legal requirements, GitHub will notify Customer to the extent permissible. GitHub processes all Customer Personal Data in the United States or in the European Union; however, GitHub's subprocessors may process data outside of the United States or the European Union. Additionally, GitHub acts as a Processor for any Customer Repository Data.
2.2 Data Controllers. GitHub receives Personal Data both from Customer and directly from Data Subjects who create End User accounts. Customer is a Controller only for the Customer Personal Data it transfers directly to GitHub.
2.3 GitHub Compliance. GitHub represents and warrants that it complies with Privacy Shield, which governs cross-border transfers of Personal Data. GitHub will remain certified under Privacy Shield for the duration of the Agreement, provided Privacy Shield remains a valid data transfer mechanism. In the event that GitHub is unable to remain certified, or that Privacy Shield does not remain a valid data transfer mechanism, please see Section 7. GitHub will comply with Applicable Data Protection Laws in relation to the processing of Personal Data.
3. Data Protection
3.1 Purpose Limitation. GitHub will process and communicate the Protected Data only for Permitted Purposes, unless the Parties agree in writing to an expanded purpose.
3.2 Data Quality and Proportionality. GitHub will keep the Customer Personal Data accurate and up to date, or enable Customer to do so. GitHub will take commercially reasonable steps to ensure that any Protected Data it collects on Customer's behalf is adequate, relevant, and not excessive in relation to the purposes for which it is transferred and processed. In no event will GitHub intentionally collect Sensitive Data on Customer's behalf. Customer agrees that the GitHub Service is not intended for the storage of Sensitive Data; if Customer chooses to upload Sensitive Data to the Service, Customer must comply with Article 9 of the GDPR, or equivalent provisions in the Applicable Data Protection Laws.
3.3 Data Retention and Deletion. Upon Customer's reasonable request, unless prohibited by law, GitHub will return, destroy, or deidentify all Customer Personal Data and related data at all locations where it is stored after it is no longer needed for the Permitted Purposes within thirty days of request. GitHub may retain Customer Personal Data and related data to the extent required by the Applicable Data Protection Laws, and only to the extent and for such period as required by the Applicable Data Protection Laws, provided that GitHub will ensure that Customer Personal Data is processed only as necessary for the purpose specified in the Applicable Data Protection Laws and no other purpose, and Customer Personal Data remains protected by the Applicable Data Protection Laws.
3.4 Data Processing. GitHub provides the following information, required by Article 28(3) of the GDPR, regarding its processing of Customer's Protected Data:
a. The subject matter and duration of the processing of Customer Personal Data are set out in the Agreement and this Addendum.
b. The nature and purpose of the processing of Customer Personal Data is described in Section 3.1 of this Addendum.
c. The types of Customer Personal Data to be processed are described in the GitHub Privacy Statement, and include Customer Personal Data such as user names, passwords, email addresses, and IP addresses. GitHub also processes information necessary for billing Customer's account, but does not process or store credit card information. Customer may choose to supply GitHub with additional Customer Personal Data, such as in Customer's profile settings or by uploading Customer Personal Data to its GitHub repositories.
d. The categories of Data Subject to whom the Customer Personal Data relates are the Customer itself and its End Users.
e. The obligations and rights of Customer are set out in the Agreement and this Addendum.
4. Security and Audit Obligations
4.1 Technical and Organizational Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, GitHub will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks, such as against accidental or unlawful destruction, or loss, alteration, unauthorized disclosure or access, presented by processing the Protected Data. GitHub will regularly monitor compliance with these measures and will continue to take appropriate safeguards throughout the duration of the Agreement.
4.2 Incident Response and Breach Notification. GitHub will comply with the Information Security obligations in the GitHub Security Exhibit and the Applicable Data Protection Laws, including Data Breach notification obligations. Please see Section 1.2 of the GitHub Security Exhibit regarding GitHub's responsibilities in relation to Data Breach response and notification.
4.3 GitHub Personnel. GitHub represents and warrants that it will take reasonable steps to ensure that all GitHub personnel processing Protected Data have agreed to keep the Protected Data confidential and have received adequate training on compliance with this Addendum and the Applicable Data Protection Laws.
4.4 Records. GitHub will maintain complete, accurate, and up to date written records of all categories of processing activities carried out on behalf of Customer containing the information required under the Applicable Data Protection Laws. To the extent that assistance does not risk the security of GitHub or the privacy rights of individual Data Subjects, GitHub will make these records available to Customer on request as reasonably required, such as to help Customer demonstrate its compliance under the Applicable Data Protection Laws. To learn more about GitHub's requirements to provide assistance in the event of a security incident, please see Section 1.2 of the GitHub Security Exhibit.
4.5 Compliance Reporting. GitHub will provide security compliance reporting in accordance with Section 2.3 of the GitHub Security Exhibit and privacy compliance reporting in accordance with Section 2.4 of the GitHub Security Exhibit. Customer agrees that any information and audit rights granted by the Applicable Data Protection Laws (including, where applicable, Article 28(3)(h) of the GDPR) will be satisfied by these compliance reports, and will only arise to the extent that GitHub's provision of a compliance report does not provide sufficient information, or to the extent that Customer must respond to a regulatory or Supervisory Authority audit. Section 3.1 of the GitHub Security Exhibit describes the parties' responsibilities in relation to a regulatory or Supervisory Authority audit.
4.6 Assistance. GitHub will provide reasonable assistance to Customer with concerns such as data privacy impact assessments, Data Subject rights requests, consultations with Supervisory Authorities, and other similar matters, in each case solely in relation to the processing of Customer's Personal Data and taking into account the nature of processing.
5. Use and Disclosure of Protected Data
5.1 No Use in Marketing. GitHub will not use the Protected Data for the purposes of advertising third-party content, and will not sell the Protected Data to any third party except as part of a merger or acquisition.
6. Subprocessing and Onward Transfer
6.1 Protection of Data. GitHub is liable for onward transfers of Protected Data to its subprocessors, such as its third-party payment processor. In the event that GitHub does transfer the Protected Data to a third-party subprocessor, or GitHub installs, uses, or enables a third party or third-party services to process the Protected Data on GitHub's behalf, GitHub will ensure that the third-party subprocessor is contractually bound to comply with or provide at least the same level of confidentiality, security, and privacy protection as is required of subprocessors by the Privacy Shield Principles and the Applicable Data Protection Laws.
6.2 Acceptance of GitHub Subprocessors. Customer authorizes GitHub to appoint (and permit each subprocessor appointed in accordance with this Section 6 to appoint) subprocessors in accordance with Section 6 and any other restrictions in the Agreement. GitHub may continue to use those subprocessors currently engaged as of the Effective Date of this Addendum.
6.3 General Consent for Onward Subprocessing. Customer provides a general consent for GitHub to engage onward subprocessors, conditional on GitHub's compliance with the following requirements:
a. Any onward subprocessor must agree in writing to only process data in a country that the European Commission has declared to have an "adequate" level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses, or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities, or pursuant to a compliant US-EU Privacy Shield certification; and
b. GitHub will restrict the onward subprocessor's access to Customer Personal Data only to what is strictly necessary to perform its services, and GitHub will prohibit the subprocessor from processing the Customer Personal Data for any other purpose.
6.4 Disclosure of Subprocessor Agreements. GitHub maintains a list of onward subprocessors it has engaged to process Customer Personal Data at https://help.github.com/articles/github-subprocessors-and-cookies/, including the categories of Customer Personal Data processed, a description of the type of processing the subprocessor performs, and the location of its processing. GitHub will, upon Customer's written request, provide Customer with this list of subprocessors and the terms under which they process the Customer Personal Data. Pursuant to subprocessor confidentiality restrictions, GitHub may remove any confidential or commercially sensitive information before providing the list and the terms to Customer. In the event that GitHub cannot disclose confidential or sensitive information to Customer, the Parties agree that GitHub will provide all information it reasonably can in connection with its subprocessing agreements.
6.5 Objection to Subprocessors. GitHub will provide thirty days' prior written notice of the addition or removal of any subprocessor, including the categories listed in Section 6.4, by announcing changes on its https://github.com/github/site-policy site. If Customer has a reasonable objection to GitHub's engagement of a new subprocessor, Customer must notify GitHub promptly in writing. Where possible, GitHub will use commercially reasonable efforts to provide an alternative solution to the affected Service to avoid processing of data by the objectionable subprocessor. In the event that GitHub is unable to provide an alternative solution and the Parties cannot resolve the conflict within ninety days, Customer may terminate the Agreement.
7.1 Suspension. In the event that GitHub is in breach of its obligations to maintain an adequate level of security or privacy protection, Customer may temporarily suspend the transfer of all Customer Personal Data or prohibit collection and processing of Customer Personal Data on Customer's behalf until the breach is repaired or the Agreement is terminated.
7.2 Termination with Cause. In addition to any termination rights Customer has under the Agreement, Customer may terminate the Agreement without prejudice to any other claims at law or in equity in the event that:
a. GitHub notifies Customer that it can no longer meet its privacy obligations;
b. the transfer, collection, or processing of all Customer Personal Data has been temporarily suspended for longer than one month pursuant to Section 7.1;
c. GitHub is in substantial or persistent breach of any warranties or representations under this Addendum;
d. GitHub is no longer carrying on business, is dissolved, enters receivership, or a winding up order is made on behalf of GitHub; or
e. Customer objects to a subprocessor pursuant to Section 6.5, and GitHub has not been able to provide an alternative solution within ninety days.
7.3 Breach. Failure to comply with the material provisions of this Addendum is considered a material breach under the Agreement.
7.4 Failure to perform. In the event that changes in law or regulation render performance of this Addendum impossible or commercially unreasonable, the Parties may renegotiate the Addendum in good faith. If renegotiation would not cure the impossibility, or if the Parties cannot reach an agreement, the Parties may terminate the Agreement after thirty days.
7.5 Notification. In the event that GitHub determines that it can no longer meet its privacy obligations under this Addendum, GitHub will notify Customer in writing immediately.
7.6 Modifications. GitHub may modify this Addendum from time to time as required by the Applicable Data Protection Laws, with thirty days' notice to Customer.
7.7 Termination Requirements. Upon Termination, GitHub must:
a. take reasonable and appropriate steps to stop processing the Customer Personal Data;
b. within ninety days of termination, delete or deidentify any Customer Personal Data GitHub stores on Customer's behalf pursuant to Section 3.3; and
c. provide Customer with reasonable assurance that GitHub has complied with its obligations in Section 7.7.
8. Liability for Data Processing
8.1 Limitations. Except as limited by the Applicable Data Protection Laws, any claims brought under this Addendum will be subject to the terms of the Agreement regarding Limitations of Liability.
1. Information Technology Security Program Exhibit
1.1 Security Management.
Scope and Contents. Throughout the duration of the Agreement, GitHub will maintain and enforce a written information security program ("Security Program") that aligns with industry recognized frameworks; includes security safeguards reasonably designed to protect the confidentiality, integrity, availability, and resilience of Customer Protected Data; is appropriate to the nature, size, and complexity of GitHub's business operations; and complies with the Applicable Data Protection Laws and other specific information security related laws and regulations that are applicable to the geographic regions in which GitHub does business.
a. Security Officer. GitHub has designated a senior employee to be responsible for overseeing and carrying out its Security Program and for governance and internal communications regarding information security matters.
b. Security Program Changes. GitHub will provide details of any material changes to its Security Program that may adversely affect the security of any Customer Protected Data where notification is required under applicable laws and regulations.
1.2 Security Incident Management. Throughout the duration of the Agreement, and where applicable, GitHub will provide a Security incident management program as follows:
a. Security Availability and Escalation. GitHub will maintain appropriate security contact and escalation processes on a 24-hours-per-day, 7-days-per-week basis to ensure customers and employees can submit issues to the GitHub Security team.
b. Incident Response. If GitHub becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data (each a "Security Incident"), GitHub will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
c. Notification(s) of Security Incidents will be delivered to one or more of Customer's administrators by any means GitHub selects. It is Customer's sole responsibility to ensure Customer's administrators monitor for and respond to any notifications. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
d. GitHub will make reasonable efforts to assist Customer in fulfilling Customer's obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
1.3 Due Diligence over Subcontractors and Vendors. GitHub will maintain appropriate due diligence when utilizing subcontractors and vendors. GitHub will maintain vendor audit reports and any assessment work for a minimum of three years.
1.4 Data Center Physical Safeguards. To the extent GitHub utilizes third party vendors to host production environments, GitHub will select vendors that comply with physical security controls outlined in industry standards and that issue an annual external audit report such as SOC 2 or ISO 27001 certification. All access to areas, cabinets, or racks that house telecommunications, networking devices, and other "data transmission lines" or equipment will be controlled as follows:
a. access will be controlled by badge reader at one or more entrance points;
b. doors used only as exit points will have only "one way" doorknobs or crash bar exit devices installed;
c. all doors will be equipped with door alarm contacts;
d. all exit doors will have video surveillance capability; and
e. all card access and video systems will be tied in to generator or UPS backup systems.
2. Requests for Information and Compliance Reporting
2.1 Requests for Information. Upon Customer's written request and no more than once annually, GitHub will respond to one request for information to assess security and compliance risk-related information. The response will be provided in writing within thirty days of receipt of the request, pending needed clarifications of any request.
2.2 Response Contents. GitHub will include in its annual response relevant audit reports for production datacenter, IaaS, PaaS or private hosting providers, as deemed relevant by GitHub, in its sole discretion and based on data and services rendered.
2.3 GitHub Security Audit Report. GitHub will execute an external, independent audit to produce a SOC1 audit report and a SOC2 audit report. GitHub will continue to execute audits and issue corresponding reports for the duration of the agreement on at least an annual basis.
3. Cooperation with Regulatory Audits
3.1 Regulatory Audits. Should Customer realize a regulatory audit or an audit in response to a Supervisory Authority that requires participation from GitHub, GitHub will fully cooperate with related requests by providing access to relevant knowledgeable personnel, documentation, and application software. Customer has the following responsibilities regarding any such regulatory or Supervisory Authority audits:
a. Customer must ensure use of an independent third party (meaning the regulator or regulator's delegate), and that findings and data not relevant to Customer are restricted.
b. Notification of such audit must be written and provided to GitHub in a timely fashion, pending regulator notification, and in a manner that allows for appropriate personnel to be made available to assist. Where regulators provide no advance notice to Customer of audit or investigation, GitHub will respond in as timely a fashion as required by regulators.
c. Any third party auditor must disclose to GitHub any findings and recommended actions where allowed by regulator.
d. In the event of a regulatory audit, access will be permitted only during regular business hours, Pacific time.
e. To the extent permitted by law, Customer must keep confidential any information gathered through any such audit of GitHub that, by its nature, should be confidential.