1. Preamble
This Data Processing Agreement ("Agreement") is entered into between .git, Inc., a corporation organized under the laws of Delaware ("Processor"), and the entity or individual using the .git platform ("Controller"). This Agreement governs the processing of Personal Data by .git on behalf of the Controller in connection with the use of the .git developer platform services.
By accessing the .git/dpa endpoint, executing the agreement via the API, or accepting through the dashboard, the Controller acknowledges and agrees to the terms outlined herein. This document supplements the main Terms of Service and Privacy Policy.
⚠️ Important Notice
This DPA is auto-generated based on your configuration settings. For Enterprise plans, custom amendments may apply. Please review your specific addendum in the dashboard under Settings → Compliance.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"), including but not limited to names, email addresses, commit author metadata, and IP addresses.
- Processing: Any operation performed on Personal Data, including collection, storage, analysis, transmission, and deletion.
- Data Subject: Any individual whose Personal Data is processed by .git (e.g., team members, repository collaborators).
- Confidential Information: Proprietary code, build artifacts, and pipeline configurations uploaded by the Controller.
3. Scope of Processing
.git processes data strictly to provide the services detailed in the Controller's subscription plan. The scope is defined as follows:
Processing includes:
- Ingesting repository data for CI/CD pipeline execution.
- Storing build artifacts and deployment logs.
- Maintaining user directory synchronization via SCIM or LDAP.
- Providing analytics and usage reporting as configured.
4. Obligations of the Processor
.git agrees to:
- Process Personal Data only on documented instructions from the Controller, including with respect to transfers outside the EEA or India.
- Ensure persons authorized to process Personal Data are subject to a duty of confidentiality or an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5).
- Not engage another processor (sub-processor) without prior specific or general written authorization.
- Assist the Controller in fulfilling requests to exercise Data Subject rights.
5. Security Measures
.git maintains a robust security posture aligned with industry standards. Our technical and organizational measures include:
🔒 Security Certifications
.git is SOC 2 Type II certified and ISO 27001 compliant. Audit reports are available to Enterprise customers under NDA.
- Encryption: AES-256 encryption at rest for all repository data and artifacts. TLS 1.3 for data in transit.
- Access Control: Role-Based Access Control (RBAC) with MFA enforcement for administrative actions.
- Network Security: VPC isolation, DDoS mitigation via edge network, and private networking options for Enterprise.
- Monitoring: 24/7 automated threat detection and anomaly alerting.
- Backups: Automated, encrypted backups with immutable storage for ransomware protection.
6. Sub-processors
.git may engage third-party service providers ("Sub-processors") to assist in providing the services. The Controller is notified of changes to the sub-processor list via the Changelog and email.
The Controller may object to the use of a specific sub-processor by notifying .git in writing. .git will provide reasonable alternatives to minimize disruption.
7. Data Subject Rights Assistance
.git will assist the Controller in responding to Data Subject requests, including:
- Access: Providing an export of Personal Data associated with a Data Subject.
- Rectification: Updating inaccurate Personal Data within 30 days of request.
- Erasure: Deleting Personal Data upon request, subject to technical constraints and legal retention requirements.
- Portability: Facilitating data transfer to another processor where technically feasible.
Requests can be submitted via the API endpoint POST /api/v1/dpa/requests or through the Compliance Dashboard.
8. Data Breach Notification
In the event of a Personal Data Breach, .git will notify the Controller without undue delay, and in no case later than 72 hours after becoming aware of the breach. The notification will include:
- Description of the nature of the breach, including categories and approximate number of Data Subjects concerned.
- The likely consequences of the breach.
- Measures taken or proposed to be taken to address the breach, including mitigation measures.
For security incident reporting, contact security@.git.dev or use the Bug Bounty Program.
9. Audit and Inspection
.git will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor appointed by the Controller, to verify compliance with this Agreement.
- Standard Plans: Annual SOC 2 Type II report provided upon request.
- Enterprise Plans: Right to conduct on-site or remote audits with reasonable notice, not to exceed once per calendar year unless a specific incident warrants additional review.
10. Contact & Data Protection Officer
If you have questions regarding this Agreement or the processing of your data, please contact our Data Protection Officer (DPO):
Execute Agreement
By clicking "Accept & Commit", you confirm that you have read and understood this Data Processing Agreement and that you are authorized to bind your organization to its terms.
Legal Effect: This action will generate an immutable audit log entry and update your account compliance status. You may download a signed copy immediately after acceptance.
By accepting, you agree to the processing of your Personal Data as described. You may withdraw consent at any time, though this may impact service availability.