CloudBees Data Processing Agreement


This Data Processing Agreement (“DPA”) forms a part of the software subscription agreement or other written agreement between CloudBees and Customer (“Agreement”) regarding CloudBees subscriptions and/or products or services provided by CloudBees and ordered by Customer (“CloudBees Products”) in accordance with the Agreement. All contacts regarding this DPA must be made to privacy@cloudbees.com.

DEFINITIONS

Capitalized terms shall have the meaning set out below. Any capitalized terms not defined in this DPA shall have the meaning set out in the Agreement or as otherwise defined in the applicable data protection laws and regulations:

“Breach Event”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored, or otherwise processed by CloudBees.

“CCPA” refers to the California Consumer Privacy Act of 2018 and its implementing regulations, as well as the California Privacy Rights Act of 2020.

“Processing”: any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”) that is supplied to and Processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.

“Processor”: CloudBees as the legal person who processes the Personal Data on behalf of the Customer.

“Standard Contractual Clauses”: (i) the Standard Contractual Clauses approved by the Commission Decision 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and (ii) the International Data Transfer Agreement issued by the Information Commissioner’s Office in the United Kingdom.

“Sub-Processor”: an entity engaged by the Processor exclusively for the Processing activities to be carried out pursuant to or in connection with the Agreement on behalf of the Controller and in accordance with its instructions, as transmitted by the Controller.

DURATION AND APPLICABLE LAWS

2.1. Unless otherwise agreed in writing, this DPA will take effect on the Agreement’s effective date and, notwithstanding the Agreement’s expiry, remain in effect until, and automatically expire upon, deletion of all Personal Data by CloudBees as described in this DPA.

2.2. This DPA applies when Personal Data is Processed by CloudBees as part of the provision of the CloudBees Products, as further specified in the Agreement and the applicable order form, quote, SoW or equivalent document.

2.3. The Parties acknowledge and agree that European data protection legislation, such as the GDPR, will apply to the processing of Controller Personal Data if, for example: (i) the processing is carried out in the context of the activities of an establishment of Controller in the territory of the EEA; and/or (ii) the Controller provides Personal Data relating to Data Subjects who are in the EEA and the processing relates to the offering of goods or services to them in the EEA or the monitoring of their behaviour in the EEA.

2.4. The Parties acknowledge and agree that non-European data protection legislation, such as the CCPA or the Brazilian Lei Geral de Proteção de Dados, may also apply to the processing of Controller Personal Data.

DATA PROCESSING

3.1. To the extent that the GDPR or other privacy laws and regulations with analogous terms apply to CloudBees’s Processing of Personal Data on behalf of Customer under the Agreement, CloudBees is the Processor to Customer, who may act either as the controller or as a processor of Personal Data, as those or analogous terms are defined under applicable legislation.

3.2. To the extent that the CCPA applies to CloudBees’s Processing of Personal Data on behalf of Customer under the Agreement, (a) Customer is the “Business” and CloudBees is the “Service Provider”; (b) CloudBees will Process Personal Data solely on behalf of Customer and for the specific business purposes set forth in the Agreement; and (c) CloudBees will not retain, use, disclose, or otherwise Process such Personal Data for any purpose other than the specific purpose of performing the Service as specified in the Agreement.

3.3. CloudBees will process the Personal Data in accordance with the Customer’s instructions and applicable laws: (a) to provide the Service, (b) as documented in the Agreement, including this DPA; and (c) as further documented in any other written instructions given by Customer and acknowledged by CloudBees as constituting instructions for purposes of this DPA. CloudBees will comply with all lawful and reasonable Controller instructions. If CloudBees cannot comply with an instruction, it will notify the Customer without undue delay.

3.4. The nature and purpose of the Processing and the type of Personal Data and categories of Data Subjects about whom Personal Data shall be processed are determined by Customer, based on Customer’s use of the CloudBees Products and the Personal Data that Customer chooses to upload to the Service(s) or otherwise provide to CloudBees for the purpose of Processing. The categories of Data Subjects may include Customer’s employees, staff, vendors, end users, or any other individuals whose Personal Data Customer chooses to provide to CloudBees under the Agreement. Details of the data processing are further described in Appendix 1.

3.5. At Customer’s request, CloudBees will reasonably support Customer or any Data Controller in dealing with requests from Data Subjects or regulatory authorities regarding CloudBees’s processing of Personal Data under this DPA. Where requested to do so by Customer, CloudBees shall disclose the information reasonably required to demonstrate compliance with the applicable data protection laws, including the information necessary for Customer to carry out a privacy impact assessment of the CloudBees Products and to implement mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.6. CloudBees shall, upon request, make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and/or the necessary information for the Controller to carry out a privacy impact assessment of the Service and in implementing mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.7. Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, CloudBees will (as applicable) return to Customer or destroy all Personal Data. After such 30-day period, CloudBees will destroy such Personal Data.

DATA SECURITY

4.1. CloudBees will implement and maintain technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (“Security Measures”). Those are further described in Appendix 2. CloudBees may update or modify the Security Measures from time to time at its discretion, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

4.2. CloudBees will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. CloudBees will make commercially reasonable efforts to assist Customer in complying with its obligations under applicable laws.

4.4. CloudBees shall notify Customer without undue delay, and in no event later than seventy-two (72) hours after becoming aware of a Breach Event.

SUB-PROCESSORS

5.1. Customer acknowledges and agrees that CloudBees may engage Sub-Processor(s) in the performance of the Service(s) on Customer’s behalf. All Sub-Processors to whom CloudBees transfers Personal Data are bound by substantially the same material obligations as CloudBees undertakes under this DPA and provide adequate guarantees of security and compliance. CloudBees will be liable for the acts and omissions of its Sub-Processors to the same extent that CloudBees would be liable if performing the Service directly, under the terms of the Agreement.

5.2. The current Sub-Processors are listed in Appendix 1-A. CloudBees may use new Sub-Processors provided it notifies Customer in advance of any changes to the list of Sub-Processors in place on the Effective Date. If Customer has a legitimate reason, Customer may object to CloudBees’s use of a Sub-Processor by notifying CloudBees in writing within thirty (30) days after receipt of CloudBees’s notice. If Customer objects to the use of the Sub-Processor, the Parties will come together in good faith to discuss a resolution. CloudBees may choose to: (i) not use the Sub-Processor; or (ii) take the corrective steps requested by Customer in its objection and use the Sub-Processor. If neither of these options is reasonably possible and Customer continues to object for a legitimate reason, either Party may terminate the Agreement on thirty (30) days’ written notice. If Customer does not object within thirty (30) days of receipt of the notice, Customer is deemed to have accepted the new Sub-Processor.

INTERNATIONAL TRANSFERS

6.1. Where (i) Customer transfers Personal Data from the European Economic Area, the United Kingdom, or Switzerland to CloudBees (where such transfer includes Personal Data subject to the GDPR), and (ii) CloudBees will be Processing such Personal Data in a country that (a) is not subject to an adequacy decision of the EU Commission (or in case such adequacy decision is invalidated) and (b) does not provide an adequate level of protection within the meaning of applicable privacy laws and regulations, the Parties shall be subject to the appropriate Standard Contractual Clauses referred to in Appendix 1. Nothing in this DPA will be construed to prevail over any conflicting clause of the Standard Contractual Clauses.

APPLICABLE LAW AND JURISDICTION

This DPA shall be governed by, and construed and enforced in accordance with, the governing clause established in the Agreement. In the absence of a governing clause, the law of CloudBees’s registered office shall apply.

Appendix List

  • Appendix 1 - Details of Data Processing and Data Exporting

  • Appendix 2 - Technical and Organizational Measures

Appendix 1

A - Subject Matter and Details of the Data Processing

Subject Matter

CloudBees’s provision of the CloudBees Products (software for managing application delivery) and related technical support to Customer.

Duration of the Processing

The applicable term plus the period from expiry of such term until deletion of all Controller Personal Data by CloudBees in accordance with the Data Processing Agreement.

Nature and Purpose of the Processing

CloudBees will process Controller Personal Data submitted, stored, sent or received by Customer, its Affiliates or end users via the CloudBees Products to monitor and provide the CloudBees Products and related technical support to Controller.

Processing Operations (Activities relevant to the data transferred under the DPA)

The transferred Personal Data is subject to the following basic processing activities:

  • use of Personal Data to set up, operate, monitor and provide the CloudBees Products (including Operational and Technical Support);

  • communication to authorised users;

  • upload of any fixes or upgrades to the CloudBees Products;

  • execution of instructions of Customer in accordance with the Agreement.

Categories of Data

Personal Data submitted, stored, sent or received by Customer, its Affiliates or end users via the CloudBees Products may relate to employees, contractors, business partners or other individuals who have been granted access credentials to the Service.

  • Frequency of the transfer: Continuous.

  • The period for which the personal data will be retained is defined in the Agreement.

  • Competent supervisory authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

List of Sub-Processors and Locations

Company                    | Purpose                               | Hosting location
Amazon Web Services, Inc.  | Cloud service provider                | United States (North Virginia)
Zendesk                    | Cloud-based customer support services | United States

B - International Transfers

Data Exporter

The Customer or other Data Controller subscribed to a Service that allows authorised users to enter, amend, use, delete or otherwise process Personal Data, as identified in the Agreement in the role of Controller.

Data Importer

CloudBees and its Sub-Processors, each as identified in the Agreement and DPA, in the roles of processor and sub-processor.

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

Where the controller is an EU entity, the Parties shall enter into the Standard Contractual Clauses (standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council) found at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en

Where the controller is a UK entity, the Parties shall enter into the International Data Transfer Agreement (IDTA) found at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/

APPENDIX 2

Security Measures

  1. Defining, publishing and communicating to staff and sub-processors a set of policies for information security.

  2. Reviewing policies for information security at planned intervals or when significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.

  3. Performing pre-hire screening and background checks consistent with local hiring practices and laws.

  4. Holding staff with access to personal data accountable for maintaining confidentiality obligations.

  5. Requiring business ethics, data security, and international data privacy training upon initial hire and at least annually.

  6. Making copies of security standards and procedures available to all staff.

  7. Establishing an appropriate access control policy and reviewing it based on business requirements and related information security requirements.

  8. Assigning responsibility for information security practices and standards as part of an information security program.

  9. Granting the minimum logical access necessary to support the data processing services.

  10. Removing access for terminated staff promptly.

  11. Requiring secure passwords for staff with access to personal data.

  12. Requiring secure log-on procedures to access personal data.

  13. Controlling changes to the Data Importer’s information processing facilities and information systems that affect personal data.

  14. Monitoring the capacity and availability of information resources that store, process or transmit personal data.

  15. Ensuring that third-party providers limit physical access to data centres processing personal data to authorised individuals supporting the physical equipment or facility, including data centre physical and environmental protections such as 24x7 video surveillance, and requiring visitor pre-authorization and full-time accompaniment at all times.

  16. Protecting facilities against reasonable physical and environmental threats such as natural disasters, fires, etc.

  17. Destroying physical media using industry standard practices; encrypting backups if using removable tape or other media.

  18. Providing network protections like firewalls, intrusion detection and monitoring for unauthorised access.

  19. Securing personal data transmitted over the internet and between external networks with industry standard encryption.

  20. Periodically conducting vulnerability tests; regularly applying security patches; implementing malware protection for servers and workstations.

  21. The Data Importer will not materially decrease the overall security of the data processing services during the term of the DPA.