Chainguard Customer Data Processing Addendum
This Data Processing Addendum including its annexes (the "DPA") is incorporated into and forms part of the agreement between the Customer and Chainguard, Inc. ("Chainguard") under which Chainguard provides the Services (the "Agreement"). Unless otherwise defined herein, capitalized terms used in this DPA have the same meaning given to them under the Agreement.
Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates permitted to use the Services under the Agreement.
1. Definitions
In this DPA, the following terms shall have the following meanings:
(a) “Affiliate(s)” means an entity that directly or indirectly controls, is controlled by, or is under common control with a party to the Agreement, where “control” means the power to direct the management or affairs of the subject entity whether through ownership of voting securities or otherwise.
(b) "Applicable Data Protection Laws" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, European Data Protection Law and/or US Data Protection Law.
(c) "Business", "Business Purpose", "Commercial Purpose", "Consumer," "Controller", "Data subject", "Personal Information", "Process" (and "Processing"), "Processor", "Sell", "Service Provider", and "Share" shall have the meanings given to them under Applicable Data Protection Laws. If and to the extent that Applicable Data Protection Laws do not define such terms, then the definitions given in the GDPR will apply.
(d) "Europe" means the European Economic Area and its Member States, Switzerland, and the United Kingdom ("UK").
(e) "European Data Protection Law" means: all data protection and privacy laws and regulations or other legislation enacted in Europe and applicable (in whole or in part) to the Processing of Personal Data such as (i) Regulation 2016/679 ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national data protection laws made under or pursuant to (i) or (ii); (iv) in respect of the UK, the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018, and any other laws in force in the UK applicable (in whole or in part) to the Processing of Personal Data (together, "UK Data Protection Law"); and (v) the Swiss Federal Act on Data Protection of 2020 and its Ordinance ("Swiss FADP"), in each case as may be amended, superseded, or replaced from time to time.
(f) "Personal Data" means information, which is protected as "personal data", "personally identifiable information" or "personal information" under any Applicable Data Protection Laws. For the avoidance of doubt, with respect to US Data Protection Law, “Personal Data” does not include de-identified data, or publicly available information as such terms are defined in Applicable Data Protection Laws.
(g) "Processor Data" means any Personal Data that is processed by Chainguard on behalf of Customer in the course of providing the Services, as more particularly described in Annex I of this DPA.
(h) "Restricted Transfer" means a transfer (directly or via onward transfer) of Personal Data that is subject to European Data Protection Law to a country outside of Europe (or other exporting country with similar transfer restrictions) which is not subject to an adequacy determination by the applicable data protection authority of the exporting country (e.g., European Commission, United Kingdom or Swiss authorities, etc., as applicable).
(i) "Standard Contractual Clauses" or ("SCCs") means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where UK Data Protection Law applies, the EU SCCs, as modified by the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum").
(j) "Subprocessor" means any third party Processor (including any Chainguard Affiliates) engaged by Chainguard to process any Processor Data (but shall not include Chainguard employees, contractors or consultants).
(k) "US Data Protection Law" means any applicable US state data privacy and protection laws and regulations applicable to the Processor Data including: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), and its implementing regulations (“CCPA”); (ii) the Virginia Consumer Data Protection Act (VA Code Ann. §§ 59.1-575 et seq.) (“VCDPA”); (iii) the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.) and its implementing regulations (“CPA”); (iv) the Connecticut Data Privacy Act (Pub. Act No. 22-15) (“CTDPA”); (v) the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.) (“UCPA”); (vi) the Oregon Consumer Privacy Act (ORS 646A.570-646A.589) ("OCPA"); (vii) the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ann. § 541.001 et seq.) ("TDPSA"); and (viii) the Montana Consumer Data Privacy Act (Mont. Code Ann. § 30-14-2801, et seq.) ("MTCDPA"), and any other applicable US state data privacy and protection laws that become effective on or after the effective date of this DPA, in each case as may be amended, superseded, or replaced from time to time.
2. Scope and Applicability of this DPA
2.1 This DPA applies where and only to the extent that Chainguard processes Processor Data protected by Applicable Data Protection Laws as a Processor (or functionally equivalent role) on behalf of Customer in connection with the provision of the Services pursuant to the Agreement. Nothing in this DPA shall act to restrict or prevent Chainguard from processing any information (including Personal Data) that Chainguard collects and maintains independently of providing the Services to Customer for the purpose of improving Chainguard's product and service offerings.
3. Role and Scope of Processing
3.1 Roles of the Parties. The parties acknowledge and agree that for the purposes of this DPA Customer is the Controller with respect to the processing of Processor Data, and Chainguard shall process Processor Data only as a Processor on behalf of Customer, as further described in Annex I of this DPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Laws.
3.2 Details of Processing. The subject matter, duration, nature, and purpose of the processing of Processor Data, and the types of Personal Data and categories of data subjects, are described in Annex I.
3.3 Customer Responsibilities. Customer shall have sole responsibility for the accuracy, quality, and legality of Processor Data and the means by which Customer acquired Processor Data. Customer represents and warrants that:
(a) it has provided, and will continue to provide all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws, for Chainguard to lawfully process Processor Data for the purposes contemplated by this DPA;
(b) it has complied with all Applicable Data Protection Laws in the collection and provision to Chainguard and its Subprocessors of such Processor Data; and
(c) it shall ensure its processing instructions comply with Applicable Data Protection Laws and that the processing of Processor Data by Chainguard in accordance with Customer's instructions will not cause Chainguard to be in breach of Applicable Data Protection Laws.
3.4 Chainguard Responsibilities. Chainguard shall process Processor Data for the purposes described in Annex I of this DPA as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Laws. Chainguard shall promptly inform Customer if it becomes aware that such processing instructions infringe Applicable Data Protection Laws and in such event, Chainguard shall not be obligated to undertake such processing until such time as Customer has updated its processing instructions and Chainguard has determined that the incidence of non-compliance is resolved.
3.5 No Assessment of Compliance. Notwithstanding the foregoing, Chainguard is not responsible for monitoring Customer's compliance with Applicable Data Protection Laws or determining if Customer's processing instructions are compliant with such laws. Furthermore, Chainguard has no obligation to assess Processor Data in order to identify information that is subject to specific legal requirements.
3.6 Confidentiality of Processing. Chainguard shall ensure that any person that it authorises to process the Processor Data (including Chainguard's staff, agents and Subprocessors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Processor Data who is not under such a duty of confidentiality. Chainguard shall ensure that all Authorised Persons process the Processor Data only as necessary for the Permitted Purpose.
4. Subprocessing
4.1 Authorized Subprocessors. Customer agrees that Chainguard may engage Subprocessors to process Processor Data on Customer's behalf. A list of approved Subprocessors as at the date of this DPA is available online and Chainguard shall maintain and update this list when it adds or replaces Subprocessors at the following URL: https://security.chainguard.dev/subprocessors. Chainguard will notify Customer of any new or replacement Subprocessor at least fourteen (14) calendar days before such Subprocessor processes any Processor Data.
4.2 Subprocessor Obligations. Chainguard shall: (i) enter into a written agreement with each Subprocessor containing data protection terms that provide at least the same level of protection for Processor Data as those contained in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Chainguard to breach any of its obligations under this DPA.
4.3 Objection to Subprocessors. Customer may object in writing to Chainguard's appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Chainguard promptly in writing within seven (7) calendar days of receipt of Chainguard's notice. In such case, the parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, Chainguard shall, at its sole discretion either not appoint the Subprocessor, or permit Customer to suspend or terminate this DPA without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). If such objection right is not exercised by Customer in the terms defined above, silence shall be deemed to constitute an approval of such engagement.
5. International Data Transfers.
5.1 Location of Processing. Customer acknowledges that Processor Data Chainguard processes under the Agreement may be processed in any country in which Chainguard, its Affiliates, partners and authorized Subprocessors maintain facilities to perform the Services. Chainguard shall not process or transfer (directly or via onward transfer) Processor Data (nor permit such data to be processed or transferred) outside of its country of origin unless it first takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws.
5.2 Standard Contractual Clauses. To the extent that Customer's transfer of Processor Data to Chainguard involves a Restricted Transfer, the SCCs shall be incorporated and form an integral part of the DPA as follows:
(a) EU Transfers. In relation to Processor Data that is subject to the GDPR: (i) Module Two (Controller to Processor) shall apply; (ii) in Clause 7, the optional docking clause shall not apply; (iii) in Clause 9, Option 2 shall apply and the time period for prior notice of Subprocessor changes is set out in Section 4.3 (Objection to Subprocessors); (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the laws of [Ireland]; (vi) in Clause 18(b), disputes shall be resolved before the courts of [Ireland]; and (vii) Annexes I and II of the SCCs shall be deemed completed with the information set out in Annexes I and II of this DPA respectively.
(b) UK Transfers. In relation to Processor Data that is subject to UK Data Protection Law, the SCCs shall apply in accordance with Section 5.2(a) (EU Transfers) and as modified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Sections 10 and 11 of the UK Addendum. Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out in Annexes I and II of this DPA respectively, and Table 4 shall be deemed completed by selecting "neither party".
(c) Swiss Transfers. In relation to Processor Data that is subject to the Swiss FADP, the SCCs shall apply in accordance with Section 5.2(a) (EU Transfers) and the following modifications: (i) references to "Regulation (EU) 2016/679" and specific articles therein shall be replaced with references to the Swiss FADP and the equivalent articles or sections therein; (ii) references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland"; (iii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner; (iv) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland"; and (v) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the applicable courts of Switzerland.
(d) Alternative Transfer Mechanism. If and to the extent that a court of competent jurisdiction or supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Processor Data from Customer to Chainguard, the parties will reasonably cooperate to agree and take any actions that may be required to implement any additional measures or alternative transfer mechanism to enable the lawful transfer of Processor Data.
5.3 In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
5.4 Onward Transfers. Chainguard shall not participate in (nor permit any Subprocessor to participate in) any other Restricted Transfers of Processor Data (whether as an exporter or an importer of the data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Laws and pursuant to a lawful data transfer mechanism (such as the SCCs) implemented between the relevant exporter and importer of the Processor Data.
6. Security
6.1 Security Measures. Chainguard shall implement appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures shall include the measures identified in Annex II. Customer acknowledges that such measures are subject to technical progress and development and that Chainguard may update or modify such measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services under the Agreement.
6.2 Security Incident Response. Upon becoming aware of a Security Incident, Chainguard shall inform Customer without undue delay and provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Laws. Chainguard shall further take all such measures and actions as are reasonable and necessary to investigate, contain, and remediate or mitigate the effects of the Security Incident, to the extent that the remediation is within Chainguard's control, and shall keep Customer informed of all material developments in connection with the Security Incident.
7. Security Reports and Audits
7.1 Audits and Security Certifications. Upon written request, and subject to reasonable notice and confidentiality agreements, Chainguard shall provide Customer with access to reasonably requested documentation to demonstrate Chainguard's compliance with this DPA, including providing copies of any certifications, audit reports, and/or other relevant documentation. Where appropriate, Chainguard may instead make available a summary of the results of third-party certifications and/or audits relevant to its compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 7.1 and where applicable, the Standard Contractual Clauses) by instructing Chainguard to comply with the audit measures described in Section 7.2 below.
7.2 Onsite Audits. Except where otherwise required by Applicable Data Protection Laws or a data protection authority, the parties agree that Section 7.1 satisfies Customer’s audit requirements. Where Applicable Data Protection Laws or a data protection authority requires it, Customer may provide Chainguard with thirty (30) days' prior written notice requesting that a third party conduct an audit of Chainguard's relevant systems ("Audit"); provided that (i) any Audit shall be conducted at Customer's expense; (ii) the parties shall mutually agree upon the scope, timing and duration of the Audit; (iii) the Audit shall not unreasonably impact Chainguard's regular operations; and (iv) in no event shall Customer obtain any access to data of any other customer or third party.
8. Cooperation and Data Subject Rights
Chainguard shall provide all reasonable and timely assistance (which may include by appropriate technical and organisational measures) to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Processor Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Chainguard, Chainguard shall promptly inform Customer providing full details of the same.
9. Data Protection Impact Assessment
Upon reasonable written request, and to the extent required under Applicable Data Protection Laws, Chainguard shall, considering the nature of the processing and the information available to Chainguard, provide Customer with reasonable cooperation and assistance necessary to fulfil Customer's obligation to carry out data protection impact assessments and consult with supervisory authorities related to its use of the Service. Chainguard shall comply with the foregoing by:
(a) complying with Section 7.1 (Security Reports and Audits);
(b) providing the information contained in the Agreement (including this DPA); or
(c) upon request, if the information provided under sub-sections (a) and (b) is insufficient for Customer to fulfil such obligations, providing additional reasonable cooperation and assistance.
10. Deletion or Return of Data
10.1 Upon Customer's request, or upon termination or expiry of the Agreement, Chainguard shall destroy or return to Customer all Processor Data in its possession or control in accordance with the Agreement. This requirement shall not apply to the extent that Chainguard is required by any applicable law to retain some or all of the Processor Data, or to Processor Data it has archived on back-up systems, which Chainguard shall isolate and protect from any further processing and eventually delete in accordance with Chainguard's retention policies, except to the extent required by law. The parties agree that the certification of deletion described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Chainguard to Customer only upon Customer's written request.
11. Additional Provisions for compliance with US Data Protection Law
11.1 Scope and Role of Parties. This Clause 11 shall only apply to the extent the processing of Processor Data is subject to US Data Protection Law under this DPA. When the processing of Processor Data is subject to US Data Protection Law, the parties acknowledge and agree that Customer is a Business or Controller (as applicable), and Chainguard is a Service Provider, Processor, or Contractor (as applicable) on behalf of Customer.
11.2 Responsibilities. To the extent the processing of Processor Data is subject to US Data Protection Law under this DPA, Chainguard shall not: (i) "Sell" or "Share" such Processor Data (as those terms are defined by applicable US Data Protection Law); (ii) retain, use or disclose Processor Data outside of the direct business relationship between Chainguard and Customer, except as otherwise permitted by applicable US Data Protection Law; (iii) retain, use or disclose Processor Data for any purpose other than for one or more Business Purpose(s) specified under this DPA; or (iv) combine the Processor Data received from Customer with Personal Data that it collects or receives from or on behalf of another person, except as otherwise permitted under US Data Protection Law.
12. General Provisions
12.1 Legal Effect; Term. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. This DPA shall continue in force until the termination of the Agreement and so long as Chainguard continues to process Processor Data on Customer's behalf. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement.
12.2 Limitation of Liability. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including, where applicable, the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the main body of the Agreement. Any claims against Chainguard or its Affiliates under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) shall be brought solely by the Customer entity that is a party to the Agreement. Notwithstanding any other provision of the Agreement or this DPA, in no event does this DPA restrict or limit the rights of any data subject under Applicable Data Protection Laws.
12.3 Disclosure of this DPA. Customer acknowledges that Chainguard may disclose this DPA and any relevant privacy provisions of the Agreement to a supervisory authority or other judicial or regulatory body upon request.
12.4 Governing Law. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless otherwise required by Applicable Data Protection Laws.
Annex I
Data Processing Description
This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
A. LIST OF PARTIES
B. DESCRIPTION OF PROCESSING / TRANSFER
Annex II
Technical and Organizational Security Measures
Chainguard has implemented and shall maintain an information security program in accordance with AICPA SOC 2 Type II. This is an overview of some of the technical and organizational security measures that Chainguard uses.
Measures of encryption of Personal Data
Chainguard implements encryption to adequately protect Personal Data using:
state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
trustworthy public-key certification authorities and infrastructure;
all systems encrypt data-at-rest and in-transit; and
effective encryption algorithms and parameterization: we require AES-128 or TLS v1.3 for data in transit and AES-256 for data at rest.
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Chainguard enhances the security of processing systems and services in production environments by:
employing a code review process to increase the security of the code used to provide the Services;
testing code and systems for vulnerabilities before and during use;
using checks to validate the integrity of encrypted data;
preventative and reactive intrusion detection; and
high-availability systems across geographically distributed data centers.
Chainguard implements input control measures to protect and maintain the confidentiality of personal data, including:
an authorization policy for the input, reading, alteration, and deletion of data;
authenticating authorized personnel using unique authentication credentials (passwords) and physical non-reproducible two-factor authentication keys;
automatically signing out users after a period of inactivity;
protecting the input of data, as well as the reading, alteration, and deletion of stored data; and
requiring that data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked and secure.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Chainguard implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:
disaster-recovery and business continuity plans and procedures;
geographically-distributed data centers;
alerting when backups fail;
backups stored at alternative Cloud providers and available for restoration in case of failure of primary systems; and
incident management and disaster recovery procedures that are regularly tested.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing
Chainguard’s technical and organizational measures are regularly tested and evaluated by external third-party auditors as part of Chainguard’s Security & Privacy Compliance Program. These include annual AICPA SOC 2 Type II and other external audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.
Measures for user identification and authorization
Chainguard implements effective measures for user authentication and privilege management by:
applying a mandatory access control and authentication policy;
applying a zero-trust model of identification and authorization;
authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
allocating and managing appropriate privileges according to role, approvals, and exception management;
using OpenID Connect (OIDC) for customer authentication; and
applying the principle of least privilege access.
Measures for the protection of data during transmission
Chainguard implements effective measures to protect Personal Data from being read, copied, altered or deleted by unauthorized parties during transmission, including by:
using state-of-the-art transport encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
using trustworthy public-key certification authorities and infrastructure;
implementing protective measures against active and passive attacks on the sending and receiving systems providing transport encryption, such as adequate firewalls, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities and possible backdoors;
effective encryption algorithms and parameterization: we require AES-128 or TLS v1.3 for data in transit and AES-256 for data at rest;
using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;
enforcing secure measures to reliably generate, manage, store, and protect encryption keys; and
audit logging, monitoring, and tracking data transmissions.
For more information, see https://cloud.google.com/docs/security/encryption-in-transit
Measures for the protection of data during storage
Chainguard implements effective measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by:
using state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;
using trustworthy public-key certification authorities and infrastructure;
testing systems storing data for software vulnerabilities and possible backdoors;
employing effective encryption algorithms and parameterization, such as requiring all disks storing Personal Data to be encrypted with AES-XTS using a key length of 128-bits or longer;
using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;
enforcing secure measures to reliably generate, manage, store, and protect encryption keys;
identifying and authorizing systems and users with access to data processing systems;
automatically signing out users after a period of inactivity; and
audit logging, monitoring, and tracking access to data processing and storage systems.
Chainguard implements access controls to specific areas of data processing systems to ensure only authorized users are able to access the Personal Data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures, including:
employee policies and training in respect of each employee’s access rights to the Personal Data;
applying a zero-trust model of user identification and authorization;
authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical two-factor tokens;
monitoring actions of those authorized to delete, add or modify Personal Data;
releasing data only to authorized persons, including the allocation of differentiated access rights and roles; and
controlling access to data, with controlled and documented destruction of data.
Measures for ensuring event logging
Chainguard has implemented a logging and monitoring program to log, monitor, and track access to Personal Data, including by system administrators, and to ensure data is processed in accordance with instructions received. This is accomplished by various measures, including:
authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;
applying a zero-trust model of user identification and authorization;
maintaining updated lists of system administrators’ identification details;
adopting measures to detect, assess, and respond to high-risk anomalies;
keeping secure, accurate, and unmodified access logs to the processing infrastructure for twelve months; and
testing the logging configuration, monitoring system, alerting, and incident response process at least once annually.
Measures for ensuring system configuration, including default configuration
Chainguard maintains all production configurations using Infrastructure as Code (IaC), including the baseline configuration. Production configuration changes are limited to a small number of authorized Chainguard personnel and must follow change control processes. Changes must be auditable and checked regularly to detect deviations from baseline configurations.
Chainguard configures baselines for the information system using the principle of least privilege. By default, access configurations are set to “deny-all,” and default passwords must be changed to meet Chainguard’s policies prior to device installation on the Chainguard network or immediately after software or operating system installation. Systems are configured to synchronize system time clocks based on Coordinated Universal Time (UTC), and access to modify time data is restricted to authorized personnel.
Measures for internal IT and IT security governance and management
Chainguard maintains internal policies on the acceptable use of IT systems and general information security. Chainguard requires all employees to undergo general security awareness training yearly.
Chainguard will keep documentation of technical and organizational measures for audits and evidence conservation. Chainguard shall take reasonable steps to ensure that its employees and other persons at the place of work concerned are aware of and comply with the technical and organizational measures set forth in this Annex 2.
Measures for ensuring data minimization
Chainguard maintains internal data privacy policies and processes to ensure that we:
only collect and process personal and sensitive information for legitimate business purposes;
retain personal and sensitive data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations;
securely delete or anonymize data when it is no longer needed; and
automatically purge records containing IP addresses after 90 days.
Measures for ensuring erasure
Chainguard maintains processes to ensure secure destruction and deletion of any and all Personal Data at the completion of a contract. Such Personal Data will be securely destroyed and deleted by Chainguard so that Personal Data cannot be practicably read or reconstructed.
Measures for certification/assurance of processes and products
Chainguard maintains an AICPA SOC 2 Type II certification, which is audited annually by a third-party Qualified Security Assessor. Details of these and other certifications that Chainguard may undertake from time to time will be made available on Chainguard’s website.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
Chainguard shall require its Subprocessors to take appropriate technical and organizational measures to provide assistance to the controller and/or data exporter that are at least as protective as those identified above.