GitHub Marketplace Developer Agreement
THESE TERMS AND CONDITIONS (THE "AGREEMENT") GOVERN YOUR PARTICIPATION IN GITHUB’S MARKETPLACE PROGRAM. BY ENROLLING TO PARTICIPATE IN THE MARKETPLACE PROGRAM OR BY CLICKING “I ACCEPT” BELOW, YOU ARE CONFIRMING THAT YOU UNDERSTAND THIS AGREEMENT, AND THAT YOU ACCEPT ALL OF ITS TERMS AND CONDITIONS. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THE ENTITY TO THIS AGREEMENT, IN WHICH CASE “YOU” WILL MEAN THE ENTITY YOU REPRESENT.
Capitalized terms utilized in this Agreement and not defined herein shall have the meaning set forth in the GitHub Terms of Service located at
https://help.github.com/articles/github-terms-of-service (the “Terms” or “ToS”).
“Brand Features” means the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of each party, respectively, as owned (or licensed) by such party from time to time.
"Developer" means you, and you are the company or individual who has created the software, content, and digital materials for use in connection with GitHub and accessible via Marketplace.
"Developer Application" or "Developer Product" means the Software, content and digital materials created by You for use in connection with GitHub and accessible via Marketplace.
“End User” means any person, company or other legal entity that will acquire licenses to Developer Product via the GitHub Marketplace.
“GitHub API” means GitHub’s proprietary application program interface. Access to and use of the GitHub API is governed by the ToS.
“GitHub Marketplace” or “Marketplace” means the proprietary online marketplace site operated by GitHub where Developer Products may be delivered to End Users.
“Listing” means the content provided for listing the Developer Product on GitHub Marketplace.
“Taxes” means any federal, state, local or foreign income, gross receipts, franchise, estimated, alternative minimum, sales, use, transfer, value added, excise, real or personal property, withholding or other tax, of any kind whatsoever, including any interest, penalties or additions to tax or additional amounts in respect of the foregoing.”
“Usage Data” means Marketplace related data generated in connection with End User use of GitHub Marketplace and licensure of Developer Products, including but not limited to usage statistics and aggregated sales data. Usage Data does not include and specifically excludes banking and payment information.
2. PURPOSE AND LICENSE GRANT
2.1 This Agreement sets forth the terms and conditions pursuant to which Developer may publish Listings on GitHub Marketplace for purchase of Developer Products by End Users and use in connection with GitHub.com. This Agreement is applicable to Developer’s Products distributed for free and Products for which End Users are charged a fee. Developer agrees to use the GitHub Marketplace solely for purposes permitted by this Agreement or as otherwise allowed by applicable law. As between GitHub and Developer, Developer is solely responsible for Developer Products.
2.2 Developer grants to GitHub a non-exclusive, worldwide, transferable, sublicensable, fully paid-up, royalty-free license to (a) host, link to, reproduce, modify, publicly perform, publicly display, test, distribute, make available, license and otherwise use the Listing; (b) reproduce, perform, display, use and access the Listing for administration and demonstration purposes in connection with the operation and marketing of the Marketplace; and (c) reproduce, display, distribute and otherwise use any Developer Brand Features furnished by Developer to GitHub under this Agreement solely for use in connection with the Marketplace and in order to fulfill its obligations under the Agreement.
2.3 In addition to the licenses granted above, GitHub may include Developer Brand Features furnished by Developer to GitHub under this Agreement in any presentations, communications, marketing materials, press releases, customer lists (including, without limitation any customer lists, posted to GitHub websites), publicity campaigns and other advertising collateral for purposes of marketing the Marketplace. If Developer discontinues the distribution of specific Products on the Marketplace, GitHub will, after a commercially reasonable period of time, cease use of the discontinued Products’ Brand Features. Nothing in this Agreement gives Developer a right to use any GitHub Brand Features.
2.4 Developer grants to each End User a non-exclusive, worldwide right or license to perform, display, and use the Products and any content contained in, accessed by or transmitted through the Products in connection with the Marketplace. Developer must include a separate end user license agreement (“EULA”) in its Products that will govern the End User’s rights to the Products in lieu of the foregoing sentence. Developer acknowledges and agrees that the applicable EULA for each Product is solely between Developer and the End User. GitHub shall not be responsible, nor have any liability whatsoever, under any EULA.
2.5 Except for the license rights granted in this Agreement, (a) Developer retains all rights in the Products; (b) each party retains all rights it has independent of this Agreement, including rights under the US Copyright Act or similar laws of other jurisdictions; and (c) each party owns all rights, title and interest in its respective Brand Features. Each party is responsible for protecting and enforcing its own respective rights and neither party has an obligation to do so on the other’s behalf.
2.6 Developer acknowledges and agrees that GitHub shall be entitled to provide Developer’s name, address and other contact details to any third party that reasonably, in GitHub’s sole determination, claims that Developer does not possess all of the necessary intellectual property rights in or to the Products.
3. RESTRICTIONS AND RESPONSIBILITIES
Notwithstanding any of the requirements set forth in Section 2, Purpose and License Grant, above, Developer acknowledges and agrees that its use of the Marketplace and participation in the Program is explicitly conditioned on Developer’s adherence to this Agreement, including without limitation, the restrictions and compliance requirements set forth in this Section 3.
3.1 Developer agrees it will protect the privacy and legal rights of all End Users. If an End User provides Developer with, or the Product otherwise collects, discloses, accesses or uses, End User names, passwords or other personal information, then the Developer must (a) inform End Users that such information will be available to the Products; and (b) provide legally adequate privacy notice and protection to End Users. Further, Developer Products may only use the information for the limited purpose for which Developer has obtained permission from End User. If Developer Products store or transmit personal or sensitive information provided by or obtained from End Users, then Developer must ensure all such activity is done so securely and must respond promptly to complaints, removal requests, and “do not contact” requests from GitHub or Marketplace End Users
3.2 In order to use and access the GitHub API, Developer must obtain API credentials (a “Token”) by becoming a subscriber. Developer may not share its Token with any third party, shall keep such Token and all login information secure and shall use the Token as Developer’s sole means of accessing the GitHub API.
3.3 Developer acknowledges and agrees that it will not engage in any activity with the Marketplace, including the distribution of Products, that violates Marketplace policies or that:
- 1. Violates any applicable laws or regulations or promotes unlawful activities;
- 2. Contains or installs any active malware or exploits, or uses our platform for exploit delivery (such as part of a command and control system);
- 3. Interferes with, disrupts, damages, harms, or accesses in an unauthorized manner the machines, systems, hardware, servers, networks, devices, data or other property or services of any third party;
- 4. Includes false or misleading content;
- 5. Infringes on any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other rights;
- 6. Is libelous, defamatory, or fraudulent;
- 7. Enables the unauthorized download of streaming content or media;
- 8. Displays or links to illegal content;
- 9. harasses, abuses, threatens, or incites violence toward any individual or group, including GitHub employees, officers, and agents, or any End Users;
- 10. Is or contains sexually obscene content;
- 11. Is discriminatory or abusive toward any individual or group;
- 12. Diverts End Users or provides links to any other site that mimics the Marketplace or passes itself off as the Marketplace.
3.4 Developer shall not, under any circumstances, through Developer Products or otherwise, repackage or resell the Marketplace, GitHub API or Usage Data. Developer is not permitted to use the GitHub API or any Usage Data in any manner that does or could potentially undermine the security of the Service, the GitHub API, Usage Data or any other data or information stored or transmitted using the Marketplace. In addition, Developer shall not, and shall not attempt to, interfere with, modify or disable any features, functionality or security controls of the Marketplace or the GitHub API, defeat, avoid, bypass, remove, deactivate or otherwise circumvent any protection mechanisms for the Marketplace or the GitHub API, or reverse engineer, decompile, disassemble or derive source code, underlying ideas, algorithms, structure or organizational form from the Marketplace or the GitHub API.
3.5 Developer acknowledges that Developer is solely responsible, and that GitHub has no responsibility or liability of any kind, for the content, development, operation, support or maintenance of Developer Products. Without limiting the foregoing, Developer will be solely responsible for
- (i) the technical installation and operation of its Developer Products;
- (ii) creating and displaying information and content on, through or within its Developer Products;
- (iii) ensuring that its Developer Products do not violate or infringe the intellectual property rights of any third party;
- (iv) ensuring that Developer Products are not offensive, profane, obscene, libelous or otherwise illegal;
- (v) ensuring that its Developer Products do not contain or introduce malicious software into the Marketplace, the GitHub API, any Usage Data or other data stored or transmitted using the Marketplace; and
- (vi) ensuring that its Developer Products are not designed to or utilized for the purpose of sending commercial electronic messages to any GitHub.com users, agents or End Users without their consent.
3.6 Developer will respect and comply with the technical and policy-implemented limitations of the GitHub API and the restrictions of this Agreement in designing and implementing Developer Products. Without limiting the foregoing, Developer shall not violate any explicit rate limitations on calling or otherwise utilizing the GitHub API.
3.7 Marketplace Security Requirements Developer agrees to meet the security requirements set forth below, with regard to development, support, and distribution of the Developer Product made available via the GitHub Marketplace.
3.7.1 Developer Security Risk Assessment Prior to listing on Marketplace and thereafter, upon request, Developer will respond in writing to GitHub's standard risk assessment within thirty (30) days of receipt of such request. During the Term of the Agreement, GitHub will make no more than one (1) annual request for Developer's completion of a standard written risk assessment. Notwithstanding the foregoing, GitHub may make operational security or compliance inquires at any time with any degree of frequency. The standard annual risk assessment shall include, to the best of Developer's ability, the following:
- (i) SOC 1 and/or SOC 2 audit report;
- (ii) 3rd party proof of PCI compliance (a certificate showing Developer's handling of credit card payments is compliant);
- (iii) Privacy Shield Attestation;
- (iv) ISO Certification or Cloud Security Alliance Self-Assessment;
- (v) Cloud Security Self Assessment;
- (vi) any information on subcontractor or vendor production datacenter(s), IaaS, PaaS, or private hosting providers, as required by GitHub based on data and services rendered; and
- (vii) Written responses and evidence of specific security requirements as outlined in this agreement
3.7.2 Meeting Security Requirements Developer will, for the Term of the Agreement, maintain equivalent or higher security controls over developer services as outlined in the security requirements described herein, and Developer will confirm compliance with such requirements in response to the security risk assessment described in Section 3.7.1 above.
3.7.3 Vulnerability Management Developer agrees to establish and maintain security vulnerability management processes meeting security industry standards, including but not limited to regular scanning, reporting, and patching, where patching is based on the risk rating of the vulnerability as determined by the Developer.
3.7.4 Clear escalation contacts Developer will provide an internal contact list/call tree for escalation for Security and Audit/Compliance operational functions with notifications to be sent to GitHub as follows:
- (i) Security Incident notifications to be sent to email@example.com; and
- (ii) Risk, Audit, and Compliance Contact Information to be sent to security-GRC@github.com
3.7.5 Security Incident Response and Breach Process 184.108.40.206 Developer will maintain a Security Incident and Breach Response function capable of identifying, mitigating the effects of, and preventing the recurence of security incidents and breaches (occurrence). Upon confirmation of an incident occurrence that may put GitHub data or accounts at risk, Developer shall take all reasonable measures to mitigate the harmful effects of the occurrence.
220.127.116.11 Developer must notify GitHub of confirmed breach no later than twenty-four (24) hours after confirmation of a breach impacting GitHub data or GitHub customer data.
18.104.22.168 Developer must notify GitHub of an occurrence no later than seventy-two (72) hours after confirmation of a security incident impacting GitHub data or GitHub customers.
22.214.171.124 Notice. Notice of breach (Section 126.96.36.199) and notice of occurrence (Section 188.8.131.52) must include:
- (i) the identification of the GitHub data which has been, or is reasonably believed to have been affected (used, accessed, acquired or disclosed);
- (ii) a description of what happened, including the date of the occurrence and the date of discovery of the occurrence, if known at time of reporting;
- (iii) the scope of the occurrence, including a description of the threat actors including known tactics, techniques, and procedures (TTPs) and other threat intelligence data as such data becomes available;
- (iv) all corrective and remedial actions completed;
- (v) all efforts taken to mitigate the risks of further Incidents; and
- (vi) a description of Developer’s response to the occurrence, including steps Developer has taken to mitigate the harm caused by the occurrence.
184.108.40.206 Security Incident and Breach Notifications. For avoidance of doubt, GitHub classifies all non-public customer account, Organization and Repository information received from GitHub as confidential data. For the purpose of this Section 3.7.1, a Security Incident shall be defined as an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed, identified attempts from unauthorized sources to access systems or data, or unplanned disruption to a service or denial of a service, and a Breach shall be defined as an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.
220.127.116.11 Security and Breach Notifications must be sent to firstname.lastname@example.org.
3.7.6 Regulator Audit Should GitHub realize a regulatory audit that requires participation from Developer, Developer shall fully cooperate with requests by providing access to relevant knowledgeable personnel, documentation, infrastructure, and application software. GitHub shall ensure use of an independent 3rd party (such as regulator or regulators delegate) and that findings not relevant to GitHub are not disclosed to GitHub. Notification of such audit will be provided to Developer in a timely fashion, pending regulator notification, and in a manner that allows for appropriate personnel to be made available to assist. The third party auditor shall disclose to Developer any findings and recommended actions where allowed by regulator. Where regulators provide no advanced notice to GitHub of audit or investigation, Developer shall respond in as timely a fashion as required by regulators.
3.7.7 Notification of material service changes Developer will notify GitHub, Inc. of any material changes in services offered that impacts data protection and could result in use, transmission, or exposure of GitHub data in a manner not supported under contract. GitHub reserves the right to reassess risk and technical controls related to changes to service offered by Developer under this Agreement. Developer shall provide advance notice to GitHub of implementation of any material service changes. Material service changes may include, but are not limited to:
- (i) Migration to, or addition of, a new third party IaaS or PaaS provider;
- (ii) Changes in geographic location of stored or processed data, e.g. a United States based Developer adding storage or process services in a new EU or APAC region; or
- (iii) Changes in OAuth authorization scope your service requests, e.g. your application moving from only
read:orgscope to including
3.7.8 Notification of Acquisition Developer will notify GitHub, Inc. 90 days before any transfer of ownership by or of another company that will impact any data protection agreements.
3.7.9 GitHub Initiated Security Operations The following Section 3.7.10 does not preclude the Developer from maintaining their own appropriate operational security and/or application security practices. Developer will hold GitHub harmless for any outcome of acting on reported security intelligence, vulnerabilities and defects.
3.7.10 External Vulnerability Scanning Developer agrees to allow GitHub, at its discretion, to execute industry standard vulnerability scans of Developer’s public facing IPs. GitHub will provide any findings to Developer if deemed of sufficient risk for remediation and will track closure on material findings.
3.7.11 Private Bug Bounty GitHub may, at its discretion, establish a private Bug Bounty for the Developer through a vendor of GitHub’s choice, to facilitate reporting and tracking to closure any security defects found in the Developer’s product or service.
3.7.12 Security Intelligence Sharing GitHub may, at its discretion, choose to share security intelligence that may have an impact on GitHub customer and account security. Developer agrees to participate in such discussions to ensure the security of GitHub customer and user accounts and data.
3.8 GitHub reserves the right to terminate this Agreement immediately if GitHub determines that Developer breached any requirement or obligation of this Section 3.
3.9 Nothing in this Agreement shall prevent either party from developing and/or publishing applications that are similar or otherwise compete with the other party's applications.
4.1 Your Takedowns. Upon providing GitHub with thirty (30) days written notice in advance of the 1st day of the succeeding calendar month, you may remove your Listings from future distribution via Marketplace, but you must comply with this Agreement for any Listing distributed through Marketplace, including but not limited to refund requirements. Removing your Listing from future distribution via Marketplace does not (a) affect the license rights of End Users who have previously purchased or installed your Listing or (b) change your obligation to deliver or support Listing that has been previously purchased or installed by users.
Notwithstanding the foregoing, in no event will GitHub maintain on any portion of Marketplace any Listing that you have removed from Marketplace and provided written notice to GitHub that such removal was due to
- (i) an allegation of infringement, or actual infringement, of any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person,
- (ii) an allegation of defamation or actual defamation,
- (iii) an allegation of violation, or actual violation, of any third party's right of publicity or privacy, or
- (iv) an allegation or determination that such Listing does not comply with applicable law.
If you remove a Listing from Marketplace pursuant to clauses (i), (ii), (iii) or (iv) of this Section 4.1, and an End User purchased such Listing within a year before the date of takedown, GitHub is not responsible for refund(s) to the affected buyer of any amount paid by such End Customer during the year before the date of takedown for such affected Listing.
4.2 GitHub Review and Takedowns. While GitHub is not obligated to monitor the Listing or their content, GitHub may at any time review or test your Listing for compliance with this Agreement, the Marketplace program policies, and any other applicable terms, obligations, laws, or regulations. GitHub retains the right to refuse to include a Listing on Marketplace in its sole discretion. You may be required to provide information about yourself (such as identification or contact details) as part of the registration process for Marketplace, or as part of your continued use of Marketplace. You agree that any information you give to Marketplace will always be accurate, correct and up to date. As part of the specification for your Listing, GitHub may ask that you include in the file for your Listing information such as your name and email address. GitHub may use this information when featuring the Listing in our directory or for other uses.
If GitHub is notified by you or otherwise becomes aware and determines in its sole discretion that a Listing or any portion thereof or your Brand Features
- (a) violates the intellectual property rights or any other rights of any third party;
- (b) violates any applicable law or is subject to an injunction;
- (c) is pornographic, obscene or otherwise violates GitHub's hosting policies or other terms of service as may be updated by GitHub from time to time in its sole discretion;
- (d) is being distributed by you improperly;
- (e) may create liability for GitHub or any third party;
- (f) is deemed by GitHub to be malicious or defective;
- (g) violates the terms of this Agreement or the Marketplace program policies;
- (h) the display of the Listing is impacting the integrity of GitHub servers (i.e., users are unable to access such content or otherwise experience difficulty);
- (i) is deemed by GitHub to add undue risk to Marketplace End Users’ data or impair the user experience of Marketplace or GitHub;
- (j) is subject to user complaints in regards to your breach of your EULA, or
- (k) otherwise violates the Terms or this Agreement,
GitHub may: prevent the Listing from being made available on Marketplace; remove the Listing from Marketplace; flag, filter, or modify related materials (including but not limited to descriptions, screenshots, or metadata); or reclassify the Listing at its sole discretion. GitHub reserves the right to suspend or bar any Listing from Marketplace at its sole discretion.
In the event that your Listing is involuntarily removed because it is defective, malicious, infringes intellectual property rights of another person, defames, violates a third party's right of publicity or privacy, or does not comply with applicable law, and an end user purchased such Listing within a year before the date of takedown:
- (i) you must refund to the affected buyer all amounts paid by such End Customer during the year before the date of takedown for such affected Listing.
- (ii) GitHub may, at its sole discretion, withhold from your future sales the amount in subsection (i) above.
4.3 From time to time, GitHub may check for available updates to Listing, including but not limited to bug fixes or enhanced functionality. If you update your Listing to Marketplace, you agree that such update will be automatically requested, downloaded, and installed without further notice to you. GitHub makes no guarantees regarding the timing of such updates. For the avoidance of doubt, updates to Listing are subject to the same terms and conditions as the Listing, including without limitation Section 4.2 of this Agreement (GitHub Review and Takedowns).
4.4 End-User Takedowns. If an End-User uses your Developer Product in a way that violates the Terms, then we have the right to suspend or terminate that End-User's access to the Developer Product without any liability to you.
5. REPRESENTATIONS, WARRANTIES AND COVENANTS
5.1 Developer represents and warrants that Developer has notified all users of such Developer Applications that their account data will be transmitted outside the Service and Developer terms will control the privacy, security or integrity of such account data. Developer further represents and warrants that to the extent Developer’s Applications store, process or transmit account data, neither Developer nor Developer’s Application will, without appropriate prior user consent or except to the extent required by applicable law
- (i) modify the content of account data in a manner that adversely affects the integrity of account data;
- (ii) disclose account data to any third party; or
- (iii) use account data for any purpose other than providing the Developer Application functionality to users of such Developer Application. Developer shall maintain and handle all account data in accordance with privacy and security measures reasonably adequate to preserve the confidentiality and security of all account data and all applicable privacy laws and regulations.
5.2 Developer agrees that it will comply with the GitHub Data Protection Addendum.
5.3 Developer represents, warrants and covenants that: (i) its Developer Products and Developer Brand Features do not and will not violate, misappropriate or infringe upon the intellectual property rights of any third party; (ii) Developer will comply with all applicable local, state, national and international laws and regulations, including, without limitation, all applicable export control laws, and maintain all licenses, permits and other permissions necessary to develop, implement and distribute its Developer Products; and (iii) its Developer Products do not and will not contain or introduce into the Marketplace, the GitHub API, any Usage Data or other data stored or transmitted using the Marketplace, any malicious software; (vi) its Developer Products are not designed to or utilized for the purpose of sending commercial electronic messages to any GitHub customers, agents or End Users without their consent; (vi) it has all right, power and authority to grant the licenses granted to GitHub and End Users herein; (vii) it acknowledges GitHub’s right to charge transaction and/or listing fees as provided in Section 6 herein; any images and text that are used to market the Developer Products or that Developer has uploaded to the Marketplace are truthful, accurate and not intended to mislead or confuse the End User.
5.4 DISCLAIMER OF WARRANTIES. ALL ASPECTS OF THE MARKETPLACE AND THE GITHUB API, INCLUDING ALL SERVER AND NETWORK COMPONENTS ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND TO THE FULLEST EXTENT PERMITTED BY LAW, AND GITHUB EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT. DEVELOPER ACKNOWLEDGES THAT GITHUB DOES NOT WARRANT THAT THE MARKETPLACE OR GITHUB API WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE OR FREE FROM VIRUSES, MALWARE, OR WORMS (OTHERWISE KNOWN AS COMPUTER CODE OR OTHER TECHNOLOGY SPECIFICALLY DESIGNED TO DISRUPT, DISABLE, OR HARM YOUR SOFTWARE, HARDWARE, COMPUTER SYSTEM, OR NETWORK), AND NO INFORMATION OR ADVICE OBTAINED BY DEVELOPER FROM GITHUB OR THROUGH THE MARKETPLACE OR GITHUB API SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS. GITHUB IS NOT RESPONSIBLE FOR AND SPECIFICALLY DISCLAIMS ANY LIABILITY FOR ANY UNAUTHORIZED USE OF PRODUCTS OUTSIDE THE MARKETPLACE.
6. PRICING AND PAYMENT TERMS
6.1 GitHub will be the merchant of record for Products purchased by End Users via Marketplace.
6.2 Prices for Marketplace Listings will be set in US Dollars (USD). Developer has complete control over setting pricing for each Listing, and once set, such pricing cannot be changed. You may retire a pricing plan for an existing Listing and add a new pricing plan for such Listing, provided that such new pricing plan shall not negatively impact existing End Users. The prices you set for Products will determine the amount of payment you will receive. GitHub will remit 75% of the sale price in USD without reduction for Taxes except for any withholding taxes that are required under applicable law. The remaining 25% of the sales price will be allotted to and retained by GitHub. At the end of each month and upon reaching a minimum value of $500 USD, GitHub will remit your share of payments.
6.3 Refund Requirements. You will be responsible for specifying the terms and conditions regarding refunds to your End Users. In no event shall GitHub be responsible for providing any support for refunds, nor shall GitHub be liable for payment of any refund.
6.4 You Support Your Product. You will be solely responsible for support and maintenance of your Products and any complaints about your Products. Your support contact information will be displayed in each application detail page and made available to users for customer support purposes. Failure to provide adequate support for your Products may result in less prominent product exposure, or in some cases removal from Marketplace or anywhere else on GitHub.com where previously purchased or downloaded Products are stored on behalf of users.
Subject to the limited licenses expressly provided in this Agreement, nothing in this Agreement transfers or assigns to a party any of the other party’s intellectual property rights in its Brand Features or other technology, and nothing in this Agreement transfers or assigns a party any of the other party’s intellectual property rights.
8. LIMITATION OF LIABILITY
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) WILL GITHUB, OR ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR SUPPLIERS BE LIABLE TO DEVELOPER OR ANY THIRD PARTY UNDER THIS AGREEMENT FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL, PUNITIVE OR OTHER SIMILAR DAMAGES, INCLUDING LOST PROFITS, LOST SALES OR BUSINESS, LOST DATA, BUSINESS INTERRUPTION OR ANY OTHER LOSS INCURRED BY DEVELOPER OR ANY THIRD PARTY IN CONNECTION WITH THIS AGREEMENT, REGARDLESS OF WHETHER DEVELOPER HAS BEEN ADVISED OF THE POSSIBILITY OF OR COULD HAVE FORESEEN SUCH DAMAGES NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, GITHUB’S AGGREGATE LIABILITY TO DEVELOPER OR ANY THIRD PARTY ARISING OUT OF THIS AGREEMENT SHALL NOT EXCEED SIX (6) MONTHS’ SPEND.
9.1 To the maximum extent permitted by applicable law, Developer agrees to defend, indemnify and hold harmless GitHub, its affiliates and their respective directors, officers, employees and agents from and against any and all claims, actions, suits or proceedings, as well as any losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) arising from or relating to (a) Developer’s use of the Marketplace in violation of this Agreement, the Terms or any applicable laws or regulations; (b) Developer’s Products that infringe any copyright, trademark, trade secret, patent or other intellectual property right of any third party; (c) any loss or disclosure of data or personal information by Developer Products; and (d) Developer’s EULA (or ToS).
10.1 This Agreement will continue to apply until terminated by either party as set forth below.
10.2 Either party may terminate this Agreement for any reason upon providing written notice to the other forty-five (45) days prior to the immediately following calendar month. During such 45 day period the terms in effect at the time such notice of termination has been provided shall govern for the duration of the 45-day notice period until the date of actual termination.
10.3 GitHub may terminate this Agreement at any time if (a) you have breached any provision of this Agreement or (b) GitHub is required to do so by law.
10.4 Effects of Termination by Developer. Upon receiving forty-five (45) days’ advanced written notice of termination from Developer, Developer will be disabled from taking on new customers via Marketplace. Any outstanding fees shall be remitted upon termination and removal of the Product from Marketplace. If termination is initiated as a result of a GitHub modication to these terms (Section 11), the terms in effect immediately prior to such modification shall govern for the duration of the 45-day notice period until the date of actual termination.
10.5 The obligations in Sections 2, 3, 4, 5, 8, 9 and 12-18 will survive any expiration or termination of this Agreement.
12. ASSIGNMENT; ENTIRE AGREEMENT; REVISIONS
12.1 Developer may not, directly or indirectly, by operation of law or otherwise, assign all or any part of this Agreement or Developer’s rights under this Agreement or delegate performance of Developer’s duties under this Agreement without GitHub’s prior written consent. The rights granted in this Agreement may be assigned or transferred by GitHub without Developer’s prior approval. In addition, GitHub may delegate its responsibilities or obligations under this Agreement without Developer’s consent.
12.2 This Agreement, together with the Terms, constitute the entire agreement between the parties with respect to the subject matter of this Agreement. GitHub’s failure to enforce at any time any provision of this Agreement does not constitute a waiver of that provision or of any other provision of this Agreement.
If any provision in this Agreement is held by a court of competent jurisdiction to be unenforceable, such provision shall be modified by the court and interpreted so as to best accomplish the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.
14. RELATIONSHIP OF THE PARTIES
The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship among the parties. Developer agrees that each member of the group of companies to which GitHub belongs shall be a third party beneficiary to this Agreement and that such other companies shall be entitled to directly enforce, and rely upon, any provision of this Agreement that confers a benefit or grants a right in favor or GitHub. No other person, company or legal entity shall be a third party beneficiary to the Agreement.
All notices to be provided by GitHub to Developer under this Agreement may be delivered in writing (i) by nationally recognized overnight delivery service (“Courier”) or U.S. mail to the contact mailing address provided by Developer to GitHub; or (ii) electronic mail to the electronic mail address provided by Developer. Developer must give notice to GitHub in writing by Courier or U.S. Mail to the following address: GitHub, Inc., Attn: Legal Department, 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107 USA. All notices shall be deemed to have been given immediately upon delivery by electronic mail, or if otherwise delivered upon receipt or, if earlier, two (2) business days after being deposited in the mail or with a Courier as permitted above.
16. GOVERNING LAW
This Agreement shall be governed by the laws of the State of California without regard to conflict of law principles. Developer hereby expressly agrees to submit to the exclusive personal jurisdiction of the federal and state courts of the State of California, San Francisco County, for the purpose of resolving any dispute relating to this Agreement. Notwithstanding the foregoing, GitHub shall be entitled to seek injunctive remedies or other types of urgent legal relief in any jurisdiction.
17. EXPORT RESTRICTIONS
DEVELOPER PRODUCTS DISTRIBUTED VIA MARKETPLACE MAY BE SUBJECT TO EXPORT CONTROLS OR RESTRICTIONS BY THE UNITED STATES OR OTHER COUNTRIES OR TERRITORIES. DEVELOPER AGREES TO COMPLY WITH ALL APPLICABLE US AND INTERNATIONAL EXPORT LAWS AND REGULATIONS. THESE LAWS MAY INCLUDE RESTRICTIONS ON DESINATIONS, CONTENT AND/OR END USERS.
18. USAGE DATA
In order to operate and improve Marketplace, GitHub may collect Usage Data from Marketplace and GitHub API or anywhere previously purchased or downloaded Products are stored on behalf of End Users by GitHub. The Usage Data will be maintained in accordance with GitHub’s then in effect privacy policies. Limited Usage Data may be available for use by Developer in GitHub’s sole discretion.
Addendum1: Data Protection Addendum
This Data Protection Addendum (this “Addendum”) is attached to and made a part of the GitHub Marketplace Developer Agreement between you and GitHub (the “Agreement”). Terms not defined in this Addendum have the meanings ascribed to them in the Agreement. In the event of a conflict or inconsistency, the terms of this Addendum will supersede those of the Agreement.
A1-1. Purpose and Scope GitHub maintains personal information from individuals all over the world, some of whom are residents of countries and areas with strong data protection laws. This Addendum establishes your responsibilities when you receive and process any protected data from GitHub.
- a. “Personal Information” means any information which relates to an individual GitHub customer or employee which could, alone or together with other information, personally identify him or her, whether supplied by GitHub for processing by the Developer or whether generated by the Developer in the course of performing its obligations under this Agreement.
- b. “Principles” means the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability, available at PrivacyShield.gov.
- c. “Processing” means any operation or set of operations performed on GitHub Protected Data, whether by manual or automatic means, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, blocking, erasure, or destruction.
- d. “Protected Data” means any confidential information transferred by GitHub to the Developer about a GitHub End User, including the Personal Information, metadata, Usage Data, or other data or information that is associated with GitHub End Users.
- e. “Privacy Shield” means the U.S. Department of Commerce and European Commission’s EU–U.S. Privacy Shield Framework, available at PrivacyShield.gov.
A1-3. Compliance with Privacy Shield
- a. GitHub Compliance. GitHub represents and warrants that it complies with Privacy Shield. GitHub will only transfer Personal Information to the Developer for the limited and specified purposes for which it was collected.
b. Developer Compliance.
- i. Developer represents and warrants that it complies with Privacy Shield; OR
- ii. If Developer is not certified with Privacy Shield, Developer represents and warrants that it will provide at least the same level of data protection as is required by Privacy Shield Principles.
A1-4. Data Protection
b. Purpose Limitation.
- i. GitHub will provide Developer with Protected Data elements for the purpose of establishing and facilitating a relationship between the Developer and the End User, and permitting Developer to provide services to the End User. Developer must limit its usage of the Protected Data to that purpose, unless the End User agrees to allow different uses.
- ii. Developer must process and communicate the Protected Data to third parties only for the limited and specific purposes of providing its services to the End User as described in its agreement with the End User, unless the End User agrees to allow different uses.
- c. Data Quality and Proportionality. Developer must keep the Protected Data accurate and up to date.
- d. Security. Developer must take all reasonable security measures appropriate to the risks, such as against accidental or unlawful destruction, or accidental loss, alteration, unauthorized disclosure or access, presented by processing the Protected Data.
- e. Data Retention and Deletion. Upon GitHub’s reasonable request, unless prohibited by law, Developer must return or destroy all Personal Information and related data at all locations where it is stored after it is no longer needed for the limited and specified purposes for which it was collected. Developer must have in place or develop information destruction processes that meet GitHub’s security requirements in Section 3.8 of the Agreement.
- f. Subprocessing and Onward Transfer. Developer is liable for onward transfers of Protected Data to its subprocessors. In the event that Developer must transfer the Protected Data to a third party, or Developer installs, uses, or enables third party services to process the Protected Data on Developer’s behalf, Developer must ensure that the third party will provide at least the same level of privacy protection as is required by the Privacy Shield Principles.
A1-5. Use of Protected Data
- a. Permitted Use. Developer may process the Protected Data only for the purposes set out in Section 4(b)(i), and no other purpose.
- b. No Use in Marketing. Developer must not use the Protected Data for the purposes of advertising any third party goods or services, and may not sell the Protected Data to any third party.
- c. Automated Decisions. In the event that the Developer makes automated decisions affecting GitHub customers’ rights, including employment, credit, or health, the Developer must provide notice to the individuals.
a. Developer must comply with reasonable requests for information on its privacy and data use practices in the following manner:
- ii. Developer will comply with the Information Security and Audit obligations in Section 3.7 of the GitHub Marketplace Developer Agreement.
- a. Suspension. In the event that Developer is in breach of its obligations to maintain an adequate level of privacy protection, GitHub may temporarily suspend the transfer of Protected Data or prohibit collection and processing of Protected Data on GitHub’s behalf until the breach is repaired or the Agreement is terminated.
b. Termination With Cause. GitHub may terminate the Agreement without prejudice to any other claims at law or in equity in the event that:
- i. the Developer notifies GitHub that it can no longer meet its privacy obligations;
- ii. the transfer, collection, or processing of Protected Data has been temporarily suspended for longer than one month pursuant to 7(a);
- iii. the Developer is in substantial or persistent breach of any warranties or representations under this Data Protection Addendum;
- iv. the Developer is no longer carrying on business, is dissolved, enters receivership, or a winding up order is made on behalf of Developer.
- c. Breach. Failure to comply with the provisions of this Data Protection Addendum is considered a material breach under the Master Services Agreement.
- d. Notification. In the event that Developer determines that it can no longer meet its privacy obligations under this Agreement, it must notify GitHub immediately. In the event that Developer was certified under Privacy Shield and allows that certification to lapse or otherwise cannot remain certified under Privacy Shield, Developer must notify GitHub immediately.
- e. Modifications. GitHub may modify this Addendum from time to time as required by law, with thirty days’ notice to Developer. If Developer is unable to comply with the modifications to the Addendum, GitHub may terminate the Agreement.
f. Upon Termination, Developer must:
- i. take reasonable and appropriate steps to stop processing of the Protected Data;
- ii. within thirty days of termination, delete any Protected Data Developer stores on GitHub’s behalf; and
- iii. provide GitHub with reasonable assurance that Developer has stopped processing the Protected Data and deleted the stored Protected Data.
A1-8. Liability for Data Processing
- a. Direct Liability. Developer will be liable to GitHub for actual damages caused by any breach of this Addendum subject to the terms in Section 8, Limitation on Liability of the Marketplace Developer Agreement.