This page aggregates all legal agreements and reference material for printing.

    Cedar CI Customer Agreement 

    ProviderCustomer
    Signature
    Date
    Name
    Title
    OrganizationCedar CI LLC
    Address5900 Balcones Drive #8225
    Austin, TX 78731, US

    Terms of Service 

    Last updated: July 26, 2024

    By using Cedar CI, a Service offered by Cedar CI LLC, the User agrees to and is therefore legally bound by the Terms of Service described herein.

    1. Definitions 

    User/Customer 

    Any individual, business, or organization that uses the Cedar CI Service.

    Service 

    The software service provided at cedarci.com, and any associated subdomain. This includes processing initiated by customer actions made through supported external services configured by the customer to be processed by the Cedar CI.

    Terms of Service/Agreement 

    The document located at https://doc.cedarci.com/about/terms.

    Privacy Policy 

    The document located at https://doc.cedarci.com/about/privacy.

    2. Termination 

    Cedar CI reserves the right to terminate Services for a User for any reason. If damages have been incurred the value will be deducted from any credit balance before the remainder, if any, is refunded.

    Subscriptions are self-managed by the Customer and may be terminated at any time.

    3. Responsibility 

    The Customer is responsible for:

    • maintaining the security of their account credential
    • maintaining the desired configuration of the Service on their account
    • using Service for the purpose of continuous integration

    Cedar CI is not liable for losses or damages arising from a Customer failure of the above.

    4. Payment 

    All payments will be made in advance of Service usage. Reversals will result in Termination.

    5. Ownership 

    Any account created with a business or organization e-mail address may be transferred at the request of an authorized representative of that business or organization.

    6. Security 

    Cedar CI will make a reasonable efforts to ensure the security of User data, however, we cannot guarantee that unauthorised parties will never be able to bypass those measures and gain unauthorised access to Customer data. By making use of the Service, the Customer hereby consents to providing all such data at their own risk.

    The Privacy Policy will apply to the protection of Customer information.

    7. Warranty 

    Cedar CI will use qualified personnel to build the Service using industry standard techniques, but provides the Service "as-is" without any warranties of any kind.

    8. Liability 

    To the maximum extent permitted by applicable law, in no event will either party or their licensors be liable for any indirect, punitive, incidental, special, consequential damages, loss of revenue, anticipated profits, lost business or lost sales, whether based in contract, tort (including negligence), strict liability, or otherwise, even if such party has been advised of the possibility of damages.

    To the maximum extent permitted by applicable law, the total liability of each party and its affiliates and licensors arising out of or related to this Agreement, whether based in contract, tort (including negligence or strict liability), or otherwise, will not exceed, in the aggregate, the total amount paid by customer or its affiliates hereunder in the one-year period preceding the first incident out of which the liability arose. The foregoing limitations will apply notwithstanding any failure of essential purpose of any limited remedy, but will not limit customer's or its affiliates' payment obligations under the "payment" section above.

    9. Update 

    Cedar CI reserves the right to:

    • change the Terms of Service
    • suspend or discontinue the Service

    Notice of updates will be provided via the Customer e-mail address. Continued use of the Service will constitute acceptance of the Terms of Service.

    10. Miscellaneous 

    If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.

    This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject of this Agreement. All waivers and modifications to this Agreement must be in a writing signed or otherwise agreed to by each party.

    Privacy Policy 

    Last updated: July 18, 2025

    Cedar CI LLC (Cedar CI, we) takes privacy and security of your information seriously. This Privacy Statement will explain what data we collect and the purpose of that data.

    Data 

    The data collected is either explicitly provided (during registration, payment, and configuration), or implicitly during the execution of CI workloads per user configuration (source code and artifacts).

    DataCollectionUse
    E-mailRegistrationNotification and subscription management
    UsernameRegistrationConfiguration
    SSH pubkeyRegistrationConfiguration
    NamePaymentPayment
    InstrumentPaymentPayment
    API TokenConfigurationThird-party CI interaction
    Source codeExecutionExecution of CI workload
    ArtifactsExecutionExecution of CI workload
    CI UsageBillingDebiting account credit

    Retention 

    • All information collected as part of registration and configuration is retained until an account is deleted. Unless held for legal purposes, all data, including caches, will be wiped within 48 hours.
    • Some Source Code and Artifacts downloaded during CI execution are cached. The cache period may vary based on usage, but generally ranges from an hour to two weeks. Cached data may be wiped at any time.
    • Payment and Usage information is kept to comply with tax, accounting, and financial reporting obligations.

    User rights 

    Users may:

    • access their data (registration, configuration, usage, and payment history)
    • request a copy of their data
    • request deletion of all their data
    • request a disclosure regarding if their data is being processed
    • request a correction to their data
    • object to the use of their data
    • opt out of processing their data

    Subprocessor 

    See our subprocessor list for details about what is not processed directly.

    Contact 

    For any concerns or requests use our privacy e-mail.

    Subprocessor List 

    Last updated: July 18, 2025

    Unless otherwise indicated customer data is processed directly by Cedar CI in the United States.

    • Registration through AWS CDN, but is processed and stored directly.
    • E-mail is processed through Linode.
    • Payment is processed by Stripe.
    • Configuration is processed directly.
    • Execution is processed directly.
    • CI definition and result are processed by your configured provider (ex. Gitlab.com).

    Any new subprocessor will be published at least 30 days in advance of authorization.

    Overview 

    NameScopeProcessingCorporate
    AWSContent delivery networkUnited StatesUnited States
    GitlabCI definition and resultDependentUnited States
    LinodeE-mailUnited StatesUnited States
    StripePaymentUnited StatesUnited States

    Previously 

    Basic runners are hosted by AWS and thus expand the scope to include compute and storage.

    Data Processing Agreement: Cover 

    Last updated: July 21, 2025

    This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1/ ("DPA Standard Terms"), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this Agreement. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement. A copy of the DPA Standard Terms is attached for convenience only.

    Key terms 

    Key TermMeaning
    AgreementTerms of Service
    Approved SubprocessorsSubprocessor list
    Provider Security ContactCedar CI Security
    Security PolicySecurity details
    Service Provider RelationshipTo the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.
    Governing Member StateEEA Transfers: Netherlands; UK Transfers: England

    Annex I(A): List of Parties 

    Key TermMeaning
    Data ExporterName: the Customer signing this DPA
    Activities relevant to transfer: See Annex 1(B)
    Role: Controller
    Data ImporterName: the Provider signing this DPA
    Contact person: Cedar CI Security
    Address: 5900 Balcones Drive #8225, Austin, TX 78731, US
    Activities relevant to transfer: See Annex 1(B)
    Role: Processor

    Annex I(B): Description of Transfer and Processing Activities 

    Key TermMeaning
    ServiceCedar CI provides Continuous Integration execution that integrates with Gitlab.
    Categories of Data SubjectsCustomer; Customer's employees
    Categories of Personal DataSee Privacy Policy: Data section
    Special Category DataNo
    Frequency of TransferContinuous
    Nature and Purpose of ProcessingProvider processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the Agreement. The nature of processing includes, without limitation, execution of Continuous Integration jobs.
    Duration of ProcessingProvider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.

    Annex I(C) 

    Key TermMeaning
    Competent Supervisory AuthorityThe supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.

    Annex II 

    Key TermMeaning
    Technical and Organizational Security MeasuresSee Security Policy

    Data Processing Agreement 

    1. Processor and Subprocessor Relationships

      1. Provider as Processor. In situations where Customer is a Controller of the Customer Personal Data, Provider will be deemed a Processor that is Processing Personal Data on behalf of Customer.

      2. Provider as Subprocessor. In situations where Customer is a Processor of the Customer Personal Data, Provider will be deemed a Subprocessor of the Customer Personal Data.

    2. Processing

      1. Processing Details. Annex I(B) on the Cover Page describes the subject matter, nature, purpose, and duration of this Processing, as well as the Categories of Personal Data collected and Categories of Data Subjects.

      2. Processing Instructions. Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Provider about Processing Customer Personal Data under this DPA. Provider will abide by these instructions unless prohibited from doing so by Applicable Laws. Provider will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.

      3. Processing by Provider. Provider will only Process Customer Personal Data in accordance with this DPA, including the details in the Cover Page. If Provider updates the Service to update existing or include new products, features, or functionality, Provider may change the Categories of Data Subjects, Categories of Personal Data, Special Category Data, Special Category Data Restrictions or Safeguards, Frequency of Transfer, Nature and Purpose of Processing, and Duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.

      4. Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.

      5. Consent to Processing. Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.

      6. Subprocessors.

        a. Provider will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. Provider will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before the Provider begins using the new Subprocessor(s). Provider will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Provider will cooperate in good faith to resolve Customer’s objection or concern.

        b. When engaging a Subprocessor, Provider will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement.

        c. If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Provider’s agreement with the Subprocessor will incorporate these obligations, including details about how Provider and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, Provider will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Provider may redact the text of its agreement with its Subprocessor prior to sharing a copy.

        d. Provider remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Provider will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Provider and the Subprocessor.

    3. Restricted Transfers

      1. Authorization. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Provider will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.

      2. Ex-EEA Transfers. Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Provider outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Provider are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:

        a. Module Two (Controller to Processor) of the EEA SCCs apply when Customer is a Controller and Provider is Processing Customer Personal Data for Customer as a Processor.

        b. Module Three (Processor to Sub-Processor) of the EEA SCCs apply when Customer is a Processor and Provider is Processing Customer Personal Data on behalf of Customer as a Subprocessor.

        c. For each module, the following applies (when applicable):

        • i. The optional docking clause in Clause 7 does not apply;

        • ii. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days;

        • iii. In Clause 11, the optional language does not apply;

        • iv. All square brackets in Clause 13 are removed;

        • v. In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Governing Member State;

        • vi. In Clause 18(b), disputes will be resolved in the courts of the Governing Member State; and

        • vii. The Cover Page to this DPA contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs.

      3. Ex-UK Transfers. Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Provider outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Provider are deemed to have signed the UK Addendum and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:

        a. Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.

        b. Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section ‎18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.

        c. The Cover Page contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.

      4. Other International Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.

    4. Security Incident Response

      1. Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Provider’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Provider of any fault or liability for the Security Incident.

    5. Audit & Reports

      1. Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and Provider will allow for and contribute to audits, including inspections by Customer, to assess Provider’s compliance with this DPA. However, Provider may restrict access to data or information if Customer’s access to the information would negatively impact Provider’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Provider to comply with the reporting and due diligence requirements below. Provider will maintain records of its compliance with this DPA for 3 years after the DPA ends.

      2. Security Reports. Customer acknowledges that Provider is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, Provider will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify Provider’s compliance with the standards defined in the Security Policy.

      3. Security Due Diligence. In addition to the Report, Provider will respond to reasonable requests for information made by Customer to confirm Provider’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to the Provider Security Contact and may only be made once a year.

    6. Coordination & Cooperation

      1. Response to Inquiries. If Provider receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Provider will notify Customer about the request and Provider will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, Provider will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Provider, Provider will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Provider will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Provider’s Processing of Customer Personal Data under this DPA.

      2. DPIAs and DTIAs. If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.

    7. Deletion of Customer Personal Data

      1. Deletion by Customer. Provider will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. Provider will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.

      2. Deletion at DPA Expiration.

        a. After the DPA expires, Provider will return or delete Customer Personal Data at Customer’s instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Provider will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require Provider to continue hosting or Processing Customer Personal Data.

        b. If Customer and Provider have entered the EEA SCCs or the UK Addendum as part of this DPA, Provider will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.

    8. Limitation of Liability

      1. Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

      2. Related-Party Claims. Any claims made against Provider or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.

      3. Exceptions. This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.

    9. Conflicts Between Documents

      1. This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.

    10. Term of Agreement

      1. This DPA will start when Provider and Customer agree to a Cover Page for the DPA and sign or electronically accept the Agreement and will continue until the Agreement expires or is terminated. However, Provider and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Provider and Provider stops Processing Customer Personal Data.

    11. Definitions

      1. "Applicable Laws" means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.

      2. "Applicable Data Protection Laws" means the Applicable Laws that govern how the Service may process or use an individual’s personal information, personal data, personally identifiable information, or other similar term.

      3. "Controller" will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.

      4. "Cover Page" means a document that is signed or electronically accepted by the parties that incorporates these DPA Standard Terms and identifies Provider, Customer, and the subject matter and details of the data processing.

      5. "Customer Personal Data" means Personal Data that Customer uploads or provides to Provider as part of the Service and that is governed by this DPA.

      6. "DPA" means these DPA Standard Terms, the Cover Page between Provider and Customer, and the policies and documents referenced in or attached to the Cover Page.

      7. "EEA SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.

      8. "European Economic Area" or "EEA" means the member states of the European Union, Norway, Iceland, and Liechtenstein.

      9. "GDPR" means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.

      10. "Personal Data" will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.

      11. "Processing" or "Process" will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.

      12. "Processor" will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.

      13. "Report" means audit reports prepared by another company according to the standards defined in the Security Policy on behalf of Provider.

      14. "Restricted Transfer" means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

      15. "Security Incident" means a Personal Data Breach as defined in Article 4 of the GDPR.

      16. "Service" means the product and/or services described in the Agreement.

      17. "Special Category Data" will have the meaning given in Article 9 of the GDPR.

      18. "Subprocessor" will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.

      19. "UK GDPR" means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.

      20. "UK Addendum" means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.

    Security > Overview 

    We strive to ensure our service and software are secure.

    Access 

    Our production cluster is only accessible to our on-call team and on an as needed basis for debugging. Production data is never replicated to non-production systems.

    Authentication 

    All development and production resources require Multi-Factor Authentication (MFA).

    Transport 

    All systems utilize either Transport Layer Security (TLS), version 1.2 or greater, or Secure Shell (SSH) using industry standard encryption algorithms.

    Storage 

    All storage is encrypted at rest using AES-256 encryption.

    Backup 

    The only customer supplied data included in backups is the configuration repository. Data removed by the customer will propagate through backups. See our Privacy Policy for details on requesting a purge from backups.

    Payment 

    All payment information is entered on Stripe's site directly. Only the transaction amount and reference ID is tracked in our system. See Stripe's policies on security and privacy for more details.

    Runner 

    Security measures vary between our enhanced and basic runners, but both ensure customer data and CI jobs are isolated.

    Patch 

    Our engineering team monitors various security feeds and static analysis tools for security vulnerabilities and applies patches as needed.

    Monitoring 

    System health and performance metrics are collected for both automated and manual analysis.

    Logging 

    Any logs containing customer data are ephemeral and maintained within the production cluster.

    Testing 

    Penetration testing is conducted no less than annually. Reports are available upon request.

    Corporate 

    Credential 

    Shared credentials are secured using a password manager.

    Device 

    All employee devices are secured using a complex password and AES-256 encryption.

    Employee 

    Background 

    Background checks are required before joining.

    Termination 

    All production and development access can be revoked remotely.

    Security > Customer 

    Access 

    The customer is responsible for controlling the SSH private key paired to the supplied SSH public key.

    Authentication 

    Customer authentication is achieved by verifying the SSH key pair.

    Transport 

    Browser based access utilizes Transport Layer Security (TLS), version 1.2 or greater.

    Configuration information, cache control, and billing information is access via Secure Shell (SSH) using industry standard encryption algorithms.

    Workload 

    The customer controls and is thus responsible for the security aspects of their CI jobs.

    Security > Runner: Enhanced 

    Compute 

    Both the runner and worker virtual machines (VM) are executed on hardware owned and operated by Cedar CI in the U.S.

    Ephemeral 

    A dedicated VM is utilized for each job such that no two jobs are executed in the same VM.

    The Intelligent Cache maintains data within our production cluster based on usage and the expiration configuration. Cache data is partitioned by customer and only accessible by the owning customer CI jobs when executed within our cluster.

    Cached data may be wiped at any time.

    Security > Runner: Basic 

    Compute 

    Both the runner and worker virtual machines (VM) are executed on Amazon Web Services (AWS) in the U.S.

    Ephemeral 

    A dedicated VM is utilized for each job such that no two jobs are executed in the same VM. If desired, this can be relaxed for performance and efficiency to allow multiple jobs to run sequentially in the same VM. When exhausted the VM is destroyed and no artifacts are kept.

    If jobs utilize the cache feature, S3 storage will be utilized and kept for 7 days. All cache access is performed using pre-signed URLs.

    Security > Incident 

    In accordance with industry standards, Cedar CI utilizes the following procedure for handling security incidents. The amount of emphasis placed on each phase will vary based on the severity of the incident.

    In case of a suspected security breach or vulnerability, immediately e-mail security.

    Triage 

    All reports of a suspicious nature are escalated to management and security personnel. An incident is declared when an employee senses that an adverse risk to the company exists.

    Investigate 

    An incidence response team comprising the main stakeholders of the affected systems is assembled and given access to relevant backups, logs, and deployments. Any third-party vendors that may be involved or affected are contacted to aid in containment and investigation.

    The investigation is performed in a fact-based, scientific manner. Records and notes are kept up-to-date throughout the process for later reference.

    If affected, customers should be notified of a potential data breach as soon as possible.

    Where applicable, Cedar CI will notify relevant law enforcement agencies and third parties of the incident and keep them up-to-date on the resolution process.

    Resolve 

    Once clearly identified, securing the vulnerable system becomes the highest priority item for the involved teams. Resolving a security incident may involve changes to infrastructure, code, process, or team composition. Additionally, security scans for similar vulnerabilities should be performed on all systems.

    As a final precaution, access tokens, passwords, and encryption keys of all affected and directly connected systems and accounts are changed, regardless of the investigations findings as to their integrity.

    Postmortem 

    A formal follow-up report is created that details the scope of the incident and the steps taken in its mitigation. The report should outline new systems and procedures to prevent such incidents in the future. It may make suggestions for improvements to long term monitoring and changes to access policies, where appropriate.