Revised enterprise DPA with new standard contractual clauses

As part of GitHub’s strong commitment to developer privacy, we are excited to announce updates to our privacy agreements in line with new legal requirements and our own robust data protection practices.

In July 2020, the Court of Justice of the European Union (CJEU) ruled that the EU-US Privacy Shield—a mechanism governing personal data transfers from the EU to the US—was invalid due to concerns about US government access to EU personal data. To facilitate GitHub’s commitment to provide uninterrupted support for trans-Atlantic developer collaboration and our belief that privacy is a fundamental human value, GitHub continued to protect all developers and customers with standard contractual clauses (SCCs), as well as additional security measures. This change was reflected in updated customer data protection terms and the Privacy Statement. GitHub has also continued to support strong privacy protections beyond the SCCs (see GitHub’s Global Privacy Practices and our transparency reporting for details).

Since last year’s court ruling, we have been working diligently to further safeguard developers’ and customers’ personal data. This includes reviewing the new form of SCCs published by the European Commission on 4 June 2021 and accompanying guidance. The new SCCs provide stronger protection surrounding EU data transfers, modular approach to transfers, as well as other enhancements. We are proud to announce GitHub’s revised Data Protection Agreement (DPA) and Addendum to Microsoft’s DPA, which incorporate the new SCCs, and you can find them here: github.com/enterprise-legal.

Our goals with these updates are to build developer trust by both increasing transparency about our strong data protection practices and demonstrating compliance with applicable privacy laws and regulations. We are happy to announce these updates and will continue to uphold strong privacy protections for developers and customers.