Data Processing Addendum (DPA) — OpenCommit
Effective Date: 2026-01-31
Last Updated: 2026-04-04
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between Stichting OpenGit, operating as OpenCommit (OpenCommit Foundation), (“Processor”) and the entity subscribing to the Service (“Controller”).
1. Definitions
- “Data Protection Laws” means the EU General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG).
- “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller within the Service.
- “Sub-processor” means any third party appointed by Processor to process Personal Data.
2. Scope and Role
This DPA applies where OpenCommit processes Personal Data as a Processor on behalf of the Controller in the course of providing git hosting services. This typically includes data contained within private repositories, issue trackers, and pull requests.
This DPA applies only to Personal Data processed by OpenCommit as a Processor on behalf of the Controller. For data made publicly available by the Controller (e.g., public repositories), OpenCommit may act as a separate or independent controller.
In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
3. Processing Instructions
Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law. The Agreement and the configuration of the Service constitute the Controller’s instructions.
Where Personal Data is transferred outside the EEA, Processor shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms under Data Protection Laws.
4. Confidentiality
Processor ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security Measures
Taking into account the state of the art and the costs of implementation, Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS/SSL).
- Access controls and authentication mechanisms.
- Regular backups and disaster recovery procedures.
- Security patching of the Forgejo environment.
6. Sub-processors
Controller grants a general authorization to Processor to engage Sub-processors (e.g., cloud infrastructure providers).
- Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors by updating the published sub-processor list at https://docs.opencommit.eu/trust/subprocessors/, giving Controller the opportunity to object.
- Where the Controller objects on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is possible, the Controller may terminate the affected services.
- Processor shall impose the same data protection obligations on Sub-processors as set out in this DPA.
7. Data Subject Rights
Processor shall, insofar as this is possible, assist the Controller by appropriate technical and organizational measures for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights (e.g., access, erasure).
8. Personal Data Breach
Processor shall notify Controller without undue delay and, where feasible, within 48 hours after becoming aware of a Personal Data breach affecting Controller’s data.
9. Deletion or Return of Data
Upon termination of the Service, Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless Union or Member State law requires storage of the Personal Data.
The Controller acknowledges that due to the nature of distributed version control systems, data may persist in backups, forks, or third-party clones outside the Processor’s control.
10. Audit Rights
Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be subject to reasonable notice, confidentiality obligations, and limited to once per year unless required by law or following a security incident. Processor may satisfy audit obligations by providing relevant certifications, summaries, or independent audit reports where appropriate.
Annex 1: Details of Processing
- Subject Matter: Provision of git hosting and software collaboration services.
- Duration: The term of the Agreement plus the period until all data is deleted.
- Nature/Purpose: Storage, hosting, and version control of software code and related metadata.
- Data Categories: Names, email addresses, IP addresses, and any Personal Data included by the Controller in code, commit messages, or issues.
- Data Subjects: Controller’s employees, contractors, users, or contributors.
- Processing Operations: Collection, storage, retrieval, transmission, and deletion of data in the course of providing the Service.