1. Definitions
a. “Applicable Data Protection Laws” means any applicable laws, statutes or regulations as may be amended, extended, re-enacted from time to time, or any successor laws which relate to Personal Data including: (i) the GDPR and any European Economic Area (the “EEA”) Member State laws implementing the GDPR; (ii) the California Consumer Privacy Act of 2018 (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and the California Attorney General Regulations thereof; (iii) the United Kingdom (the “UK”) Data Protection Act 2018, as amended, and the GDPR, as incorporated into UK law (the “UK GDPR”); (iv) the Swiss Federal Act on Data Protection of 25 September 2020 and its corresponding ordinances, as in force from September 1, 2023 (the “Swiss FADP”), and (v) any other applicable data protection or privacy law to which the Processing under this DPA is subject, in each case to the extent applicable to the respective Party in its role under this DPA.
b. “Data Breach” means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s Personal Data.
c. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 and Regulation (EU) 2016/679 as transposed into national law of the United Kingdom by the UK European Union (Withdrawal) Act 2018 and amended by the UK Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as may be amended from time to time).
d. “Personal Data” has the meaning set out in Article 4(1) of the GDPR and, to the extent applicable, the equivalent term under any other Applicable Data Protection Law, in each case where Processed by Blacksmith under this DPA.
e. “Process”, “Processing”, “Processor”, and “Controller” shall have the meaning as defined under GDPR and include equivalent terms in CCPA and CPRA, in each case as applicable to the Services.
f. “Restricted Transfer(s)” means a transfer of Personal Data from the EEA, the UK or Switzerland to a country that has not received an adequacy decision from the European Commission or the UK or Swiss authorities.
g. “Service(s)” means the software and services provided under the Services Agreement.
h. “Standard Contractual Clauses (SCCs)” means (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum issued by the United Kingdom’s Information Commissioner’s Office to the EU Commission’s Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-datatransfer-addendum.pdf (the “UK SCCs”); and (iii) where the Swiss FADP applies, those clauses in Section 15.d of this DPA (the “Switzerland Clauses”).
i. “Sub-processor(s)” means any third-party Processor engaged by Blacksmith to Process Personal Data in order to provide the Services to Customer under the Services Agreement.
j. “Services Agreement” shall mean Blacksmith’s standard terms with respect to its Services generally made available at: https://docs.blacksmith.sh/about/terms-of-service or such other agreement (e.g. Blacksmith Master Services Agreement) as agreed to between the parties in writing, governing the use and delivery of Services.

2. Scope and Order of Precedence
This DPA applies when Blacksmith Processes Customer Personal Data in the provision of the Services. In the event of any conflict or inconsistency between the terms of this DPA and any other terms in the Services Agreement, the terms of this DPA shall prevail. The terms of this DPA shall supersede any conflicting provisions with respect to the processing of Customer Personal Data.

3. Processing Roles
a. Roles. You are the Controller of Customer Personal Data, and Blacksmith is the Processor of that data, unless:
  i. You are the Processor of the Customer Personal Data. In that case, Blacksmith is a Sub-processor; or
  ii. Blacksmith is an independent Controller processing Customer Personal Data for the purposes listed in Section 3.b of this DPA.
b. Blacksmith’s Independent Processing of Data. Blacksmith Processes some Customer Personal Data as an independent Controller. Blacksmith conducts such Processing in compliance with Applicable Data Protection Laws generally, and the GDPR specifically, and in a manner consistent with the Blacksmith Privacy Policy. Those purposes include:
  i. To manage the relationship with Customer, such as billing and licensing management, the creation of customer relationship accounts, and facilitating transactional notifications related to Services;
  ii. To conduct internal business operations, including auditing, tax compliance, accounting, and various financial reporting obligations;
  iii. To ensure Service security and integrity, such as abuse and misuse detection, and fraud prevention;
  iv. To comply with legal or regulatory obligations;
  v. To create aggregated statistical data for purposes such as capacity planning, product improvement, and sales/marketing.

4. Processing of Customer Personal Data
a. Documented Instructions. Where Blacksmith acts as a Processor, Blacksmith shall only Process Personal Data on behalf of Customer and only in accordance with documented instructions received from Customer. The parties agree that this DPA, the Services Agreement, any features and settings used in the Services, and any processing initiated by Customer’s users in their use of the Services shall constitute Customer’s documented instructions.
b. Compliance with Laws. It is Customer’s responsibility to ensure that the Processing instructions comply with Applicable Data Protection Laws. Customer will ensure that processing Customer Personal Data in accordance with its instructions will not cause Blacksmith to violate any law or regulation, including Applicable Data Protection Laws. Blacksmith will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation.
c. Disclosure of Customer Personal Data. Blacksmith will not disclose or provide access to any Customer Personal Data to third parties unless instructed by Customer, or as described in this DPA, or required by law or compelled by legal process. Requests by law enforcement for Customer Personal Data will be directed to Customer where possible, and Blacksmith will contact Customer if disclosure of Customer Personal Data is compelled, unless legally prohibited from doing so.

5. Personnel Confidentiality
Blacksmith will limit access to Customer Personal Data strictly to those who are required to access Customer Personal Data to perform obligations under the Services Agreement. Blacksmith shall impose appropriate contractual obligations upon its personnel to ensure the confidentiality of Customer Personal Data.

6. Security of Processing
Blacksmith will implement and maintain appropriate technical and organizational measures and security safeguards as set out in Annex II to this DPA.

7. Security Incident Notification
If Blacksmith confirms a Data Breach, Blacksmith shall:
a. Inform Customer without unnecessary delay following such confirmation;
b. Provide details regarding the Data Breach, as available, to facilitate Customer’s compliance with notification obligations under Applicable Data Protection Laws; and
c. Promptly initiate an inquiry into the incident and implement remediation to mitigate potential damage.
Failed attempts or activities that leave Personal Data security intact are not considered a Data Breach. Customer must immediately alert Blacksmith to any suspected compromise of credentials or security events involving the Services. Any notification or action taken regarding a Data Breach under this Section does not constitute an acknowledgement by Blacksmith of any fault or liability with respect to the Data Breach.

8. Sub-processors
a. General Authorization. Customer hereby authorizes Blacksmith to engage Sub-processors of our choosing.
b. Written Agreement. Blacksmith will enter into written agreements with each Sub-processor that impose data protection obligations consistent with this DPA and remain liable to Customer where a Sub-processor fails to fulfill its data protection obligations.
c. Sub-processor List. Blacksmith maintains an up-to-date list of Sub-processors, available at https://docs.blacksmith.sh/about/sub-processors, which contains details about Sub-processor functions, the location of processing, and a mechanism for the Customer to subscribe to notification of new Sub-processors or replacement of existing Sub-processors.
d. Notification of Changes. At least thirty (30) days before a new Sub-processor begins processing Customer Personal Data, Blacksmith will add such new Sub-processor to the Sub-processor list and, if Customer has subscribed to notifications, provide Customer with a written notice.
e. Objections to Sub-processors. Customer may submit a written objection to Blacksmith’s use of any new Sub-processor during the notification period, provided such objection is based on reasonable grounds relating to data protection. Upon receipt of such objection, the parties will engage in good faith discussions to identify a mutually acceptable resolution. Should a consensus not be reached prior to the conclusion of the 30 day notice period, Blacksmith reserves the right to engage the Sub-processor. In such circumstances, Customer’s exclusive recourse is the termination of the relevant Services Agreement for the impacted Services via written notification to Blacksmith.

9. Data Subject Rights
If Blacksmith, acting as a Processor, receives requests from data subjects concerning Customer, Blacksmith will notify Customer or advise the individual to contact Customer. Customer remains responsible for managing such requests under Applicable Data Protection Laws. Blacksmith shall provide reasonable assistance to Customer in fulfilling these obligations. Where Blacksmith acts as an independent Controller and receives such requests, Blacksmith will fulfill its duties in accordance with Applicable Data Protection Laws.

10. Impact Assessments and Consultations
Considering the processing’s specific nature, Blacksmith shall offer reasonable aid to Customer regarding data protection impact assessments or regulatory authority consultations necessitated by Applicable Data Protection Laws.

11. International Data Transfers
Customer designates Blacksmith to execute the transfer of Customer Personal Data to the United States or any other jurisdiction where Blacksmith or its Sub-processors maintain operations, and to Process and store such data for the delivery of Services, contingent upon the protective measures established herein and elsewhere in this DPA.
a. Adequacy. Customer agrees that Blacksmith may transfer Customer Personal Data outside the EEA, the United Kingdom, Switzerland, or other relevant geographic territory as necessary to provide the Services and to administer the Customer relationship. If Blacksmith transfers such data to a territory for which the European Commission, the UK Secretary of State / ICO, or the Swiss FDPIC has not issued an adequacy decision, Blacksmith will implement appropriate safeguards consistent with Applicable Data Protection Laws.
b. Adaptations. For a transfer of Personal Data from the EEA, the UK or Switzerland to a country that has not received an adequacy decision from the European Commission or the UK or Swiss authorities, Blacksmith will implement an adequate level of protection through the SCCs.
c. SCCs. For the SCCs, all parties agree:
  i. Ex-EEA Transfers.
    1. Module One (Controller to Controller). Applies to Personal Data where Customer is a Controller and Blacksmith is an independent Controller.
    2. Module Two (Controller to Processor). Applies to Personal Data where Customer is a Controller and Blacksmith Processes that data as a Processor.
    3. Module Three (Processor to Sub-Processor). Applies to Personal Data where Customer is a Processor and Blacksmith Processes that data as a Sub-processor.
    4. For each applicable Module, the following applies:
      i. In Clause 7, the optional docking clause will apply;
      ii. Clause 9 applies to Modules Two and Three only. Where it applies, Option 2 applies, and the time period for prior notice of Sub-processor changes shall be as set out in Section 8 of this DPA;
      iii. In Clause 11, the optional language will not apply;
      iv. In Clause 17, Option 1 will apply, and the New EU SCCs will be governed by the law of the Netherlands;
      v. In Clause 18(b), disputes shall be resolved before the courts of the Netherlands.
  ii. Ex-UK Transfers. Regarding Personal Data governed by the UK GDPR, the UK SCCs shall be implemented and finalized as follows:
    1. Personal Data transfers are additionally governed by the SCCs, as modified by subsection (2) below;
    2. Tables 1 through 3 of the UK Addendum incorporate the information from the SCCs as finalized in Section 11.b of this DPA, with Table 4 set to “neither party”;
    3. The UK Addendum’s effective date is the date of DPA execution.
  iii. Ex-Switzerland Transfers. With respect to Personal Data subject to the Swiss FADP, the EU SCCs shall be implemented pursuant to Section 11.c.(i)-(ii) of this DPA subject to the following adjustments:
    1. Any mention of “Directive 95/46/EC” or “Regulation (EU) 2016/679” within the EU SCCs shall be construed as a reference to the Swiss FADP;
    2. Terms such as “EU”, “Union”, “Member State”, or “Member State law” shall be understood to denote Switzerland or Swiss law, as appropriate; and,
    3. References to the “competent supervisory authority” or “competent courts” shall be deemed to refer to the FDPIC or the relevant judicial bodies in Switzerland, unless the EU SCCs as adapted above are insufficient for the lawful transfer of Personal Data under the Swiss FADP, in which case the Swiss SCCs shall be incorporated by reference as an essential component of this DPA. In such instances, the applicable Annexes of the Swiss SCCs shall be completed using the data provided in Annexes I and II of this DPA.

12. Audits and Certifications
a. Certification Audits. Blacksmith engages external auditors to validate the sufficiency of its security protocols, omitting the physical and environmental protections of third-party data centers used for Services delivery, as such controls are maintained by the respective third-party Sub-processors. This assessment: (i) shall occur no less than annually; (ii) shall be conducted pursuant to SOC 2 Report standards or equivalent alternative frameworks; (iii) shall be performed by independent security experts at Blacksmith’s discretion and cost; and (iv) shall produce an audit report, which constitutes Blacksmith Confidential Information. Blacksmith makes its security compliance documentation, including the SOC 2 Type 2 audit report, available to customers upon request via our trust center.
b. Customer Audits. Blacksmith facilitates remote self-service evaluations of its security framework by providing Customer access to the trust center. These resources include evidence of Blacksmith’s policies and security safeguards, as well as the third-party reports referenced in Section 12.a. Blacksmith may decline to disclose information that would present a security risk to Blacksmith or its customers.
c. Feedback. Following the remote self-service assessment, Customer is permitted to provide written findings to Blacksmith. Blacksmith shall, at its discretion, use commercially reasonable endeavors to address and integrate any proposed enhancements suggested by Customer.
d. Audit Rights Under SCCs. If Blacksmith’s role is that of a Processor and the self-service evaluations or third-party reports provided in Section 12 fail to satisfy Customer’s audit obligations under Article 28 of the GDPR or the SCCs, Customer may solicit a supplementary audit. Prior to any such engagement, the parties shall mutually establish the audit’s scope, schedule, duration, and associated costs. Blacksmith will grant access to relevant information to the extent necessary for the audit, excluding any third-party confidential information. Audits shall be performed by a third-party accredited auditing firm during Blacksmith’s standard business hours, upon at least thirty (30) days’ written notice, and adhering to strict confidentiality protocols. Customer shall bear all associated costs, including compensation for Blacksmith’s time. Customer must disclose all findings and results of the audit to Blacksmith, and all findings and results of such audit shall be considered Confidential Information of Blacksmith. Customer may not disclose such findings or results to third parties. This provision does not alter the SCCs or infringe upon the rights of data subjects or regulatory authorities.

13. Return and Deletion of Customer Personal Data
Following the termination of Services, provided Blacksmith is acting as a Processor, Blacksmith will, at Customer’s election, return or delete all Customer Personal Data and destroy existing copies within thirty (30) days in accordance with its standard deletion and retention policies, unless applicable law requires continued storage.

14. CCPA and CPRA
The following provisions shall govern where Blacksmith Processes Customer Personal Data subject to the CCPA or the CPRA:
a. The parties acknowledge and agree that Blacksmith serves as a service provider (as such term is defined by the CCPA), and any transfer of Personal Data is conducted solely for legitimate business purposes and to enable the performance of Services;
b. Save for CCPA-specified exclusions, Blacksmith covenants that it shall neither sell nor share Personal Data governed by the Services Agreement, according to the statutory meanings of “sell” and “share” within such law;
c. Blacksmith shall refrain from the retention, use, or disclosure of Personal Data for any objectives outside of the specific business purposes delineated within this DPA and the Services Agreement, except as otherwise sanctioned by the CCPA;
d. Blacksmith shall refrain from the use or disclosure of Personal Data beyond the scope of its immediate engagement with Customer;
e. Blacksmith shall refrain from commingling Personal Data obtained via the Services Agreement or through Service delivery with data acquired from third parties or collected directly from California residents; provided, however, that Blacksmith may aggregate Personal Data as necessary to fulfill legitimate business purposes authorized under the CCPA or CPRA; and
f. Blacksmith hereby confirms it understands the limitations prescribed within this section, and ensures compliance with such requirements.

15. Regulated Data
Absent explicit and prior written authorization from Blacksmith, Customer shall refrain from submitting any Personal Data that:
a. Concerns criminal history or offenses, or any information processed under the FBI’s Criminal Justice Information Services Security Policy;
b. Represents “protected health information” as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations at 45 C.F.R. Parts 160 and 164;
c. Was gathered during clinical trials or biomedical research governed by the Federal Policy for the Protection of Human Subjects;
d. Is subject to any biometric privacy regulations, including data relating to physical, biological, or behavioral traits used for individual identification, whether processed individually or in combination with each other or other information, to establish individual identity.

16. Liability
Subject to the maximum extent permitted by Applicable Data Protection Laws, the total aggregate liability of either party arising from or in connection with this DPA, regardless of the legal theory, shall be governed by the “Limitation of Liability” provision set forth in the Services Agreement. Any reference to a party’s liability in the Services Agreement shall be construed as the combined liability under both the Services Agreement and this DPA.

17. Miscellaneous
a. Supersedes. This DPA, inclusive of the SCCs, represents the final and complete understanding between the parties, and supersedes any previous arrangements or discussions concerning the Processing of Personal Data under this engagement. The obligations set forth in this DPA shall remain in effect notwithstanding the expiration or termination of the Services Agreement.
b. Updates. Blacksmith reserves the right to modify the provisions of this DPA if such revisions (i) are mandated for adherence to Applicable Data Protection Laws, relevant regulations, or directives from a competent regulatory body; or (ii) do not result in a material reduction of the security measures or safeguards afforded to Personal Data herein.

DPA Attachment 1: Annex I to the SCCs (EU/EEA)
A. List of Parties
Module One: Controller to Controller; Module Two: Controller to Processor; and Module Three: Processor to Processor.
Data exporter(s) for the above modules:
- Name and contact details: as delineated in the Services Agreement.
- Activities relevant to the data transferred under these Clauses: as delineated in the Services Agreement.
- Signature and date: Annex I is considered finalized upon the initiation of data transfer or the execution of the Services Agreement, whichever occurs first.
- Role: Module One: Controller, Module Two: Controller, Module Three: Processor.
Data importer(s):
- Name and contact details: as delineated in the Services Agreement.
- Activities relevant to the data transferred under these Clauses: as delineated in the Services Agreement.
- Signature and date: Annex I is considered finalized upon the initiation of data transfer or the execution of the Services Agreement, whichever occurs first.
- Role: Module One: Controller, Module Two: Processor, Module Three: Processor.

B. Description of Transfer
Module One: Controller to Controller; Module Two: Controller to Processor; and Module Three: Processor to Processor.
Categories of data subjects whose personal data is transferred: The data subjects are determined by Customer through its use of the Service. Depending on that use, the Personal Data may concern the following categories of data subjects:
- Customer employees, contractors, temporary workers, and other personnel (current, former, or prospective), including developers, operators, and administrators who use or configure the Service;
- Customer account administrators and billing contacts (relevant to Account Data, for which Blacksmith acts as an independent Controller);
- Customer’s own end users, customers, collaborators, and other natural persons whose personal data Customer or its personnel include in source code, repositories, build inputs, configuration, test data, logs, or other content processed through the Service; and
- Any other individuals whose personal data is contained in Customer Personal Data that Customer elects to process using the Service.
Categories of personal data transferred: Depending on Customer’s use of the Service, the Personal Data may include the following categories of data:
- Basic personal data (for example name, username, email address);
- Authentication data (for example usernames, passwords, security questions);
- Contact information (for example addresses, email);
- Device identification;
- Pseudonymous identifiers;
- Any other personal data identified in Article 4 of GDPR.
C. Competent Supervisory Authority
Module One: Controller to Controller; Module Two: Controller to Processor; and Module Three: Processor to Processor.
The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679.

DPA Attachment 2: Annex II to the SCCs (EU/EEA)
Module One: Controller to Controller; Module Two: Controller to Processor; and Module Three: Processor to Processor.
The Technical and Organizational Security Measures below describe the security measures implemented and maintained by Blacksmith. Further detail is set out in Blacksmith’s trust center, and Blacksmith’s compliance is evidenced by its SOC 2 Type 2 report, available on request and via the trust center.

| Technical and Organizational Security Measure | Description |
|---|---|
| Confidentiality and encryption of Customer Personal Data | Encryption of Customer Personal Data in transit and at rest, and other confidentiality measures consistent with industry standards. |
| Systems integrity, availability, and resilience | Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including redundancy, backup, and disaster-recovery arrangements. |
| Restoring availability after an incident | Backup and disaster-recovery processes designed to restore access to and availability of Customer Personal Data in a timely manner following a physical or technical incident. |
| Regular security testing and validation | A security program including regular risk assessments, vulnerability scanning, and penetration testing, validated by an independent SOC 2 Type 2 examination. The current SOC 2 Type 2 report is available via the trust center on request. |
| User access control and authentication | Role-based access controls and strong authentication (including multi-factor authentication) governing access to systems that process Customer Personal Data. |
| Isolation of execution environments | Customer workloads are executed in isolated, ephemeral virtual machine environments that are provisioned per job and torn down on completion, providing isolation between tenants and between workloads. |
| Secrets and credential management | Controls for the handling of secrets, access tokens, API keys, and environment variables used within the Services, including restricted access, encryption, and scoping of credentials to the workloads that require them. |
| Physical security of data processing locations | Physical and environmental security of the data centers and facilities where Customer Personal Data is processed is provided through Blacksmith’s infrastructure Sub-processors, which maintain their own independently audited physical-security controls and certifications for those facilities. |
| Logging and monitoring | Logging of system and security events, security monitoring, and incident detection and response procedures. |
| Limited data retention and deletion | Customer Personal Data is retained only as long as necessary to provide the Services and is deleted or returned on termination in accordance with Section 13 of this DPA, except where retention is required by applicable law. |
| Data portability and erasure | Mechanisms enabling Customer to access, export, or delete Customer Personal Data, as described in Section 13 of this DPA. |
| Sub-processor oversight | Written agreements with Sub-processors imposing data-protection obligations no less protective than this DPA, with Blacksmith remaining liable for their performance, as described in Section 8. The current Sub-processor list is available at https://docs.blacksmith.sh/about/sub-processors. |
Changelog
Published the initial Blacksmith Data Processing Addendum.