This page aggregates all legal agreements and reference material for printing.
Cloud Service Agreement: Cover
Last updated: August 12, 2025
If you signed a separate Order Form to access Cedar CI with the same account, and that agreement has not ended, the terms below do not apply to you. Instead, your separate Order Form applies to your use of the Product.
This Agreement is between Cedar CI LLC and the company or person accessing or using the Cloud Service. This Agreement consists of: (1) the Order Form below and (2) the Framework Terms defined below.
If you are accessing or using the Cloud Service on behalf of your company, you represent that you are authorized to accept this Agreement on behalf of your company. By signing up, accessing, or using the Product, Customer indicates its acceptance of this Agreement and agrees to be bound by the terms and conditions of this Agreement.
Order Form
Term | Meaning |
---|---|
Framework Terms | This Order Form incorporates and is governed by the Framework Terms included below. If there is any inconsistency between this Order Form and the Framework Terms, this Order Form will control for this Agreement. |
Cloud Service | The software service provided at cedarci.com, and any associated subdomain. This includes processing initiated by customer actions made through supported external services configured by the customer to be processed by Cedar CI. |
Order Date | The Effective Date |
Subscription Details
Key Terms
The Framework Terms have 2 parts: (1) the Key Terms below (including any attached or referenced policies and documents) and (2) the Common Paper Cloud Service Standard Terms Version 2.1 posted at commonpaper.com/standards/cloud-service-agreement/2.1 which are incorporated by reference. If there is any inconsistency between the parts of the Framework Terms, the Key Terms will control over the Standard Terms. Capitalized words have the meanings or descriptions given in the Cover Page or Standard Terms. A copy of the Standard Terms is attached for convenience only.
Term | Meaning |
---|---|
Effective Date | The date Customer first accepts this Agreement. Date of last Cover Page signature |
Governing Law | Nebraska, United States |
Chosen Courts | Nebraska, United States |
General Cap Amount | 1 times the Fees paid or payable by Customer to Provider in the 12 month period immediately before the claim |
Attachments, Supplements & Modifications
Modification | Description |
---|---|
DPA | Data Processing Agreement |
Security Policy | Security details |
Other | Delete Section 1.6 (Machine Learning). |
Cloud Service Agreement
1. Service
- Access and Use. During the Subscription Period and subject to the terms of this Agreement, Customer may (a) access and use the Cloud Service; and (b) copy and use the included Software and Documentation only as needed to access and use the Cloud Service, in each case, for its internal business purposes. If a Customer Affiliate enters a separate Order Form with Provider, the Customer’s Affiliate creates a separate agreement between Provider and that Affiliate, where Provider’s responsibility to the Affiliate is individual and separate from Customer and Customer is not responsible for its Affiliates’ agreement.
- Support. During the Subscription Period, Provider will provide Technical Support as described in the Order Form.
- User Accounts. Customer is responsible for all actions on Users’ accounts and for all Users’ compliance with this Agreement. Customer and Users must protect the confidentiality of their passwords and login credentials. Customer will promptly notify Provider if it suspects or knows of any fraudulent activity with its accounts, passwords, or credentials, or if they become compromised.
- Feedback and Usage Data. Customer may, but is not required to, give Provider Feedback, in which case Customer gives Feedback "AS IS". Provider may use all Feedback freely without any restriction or obligation. In addition, Provider may collect and analyze Usage Data, and Provider may freely use Usage Data to maintain, improve, enhance, and promote Provider’s products and services without restriction or obligation. However, Provider may only disclose Usage Data to others if the Usage Data is aggregated and does not identify Customer or Users.
- Customer Content. Provider may copy, display, modify, and use Customer Content only as needed to provide and maintain the Product and related offerings. Customer is responsible for the accuracy and content of Customer Content.
- Machine Learning. Usage Data and Customer Content may be used to develop, train, or enhance artificial intelligence or machine learning models that are part of Provider’s products and services, including third-party components of the Product, and Customer authorizes Provider to process its Usage Data and Customer Content for such purposes. However, (a) Usage Data and Customer Content must be aggregated before it can be used for these purposes, and (b) Provider will use commercially reasonable efforts consistent with industry standard technology to de-identify Usage Data and Customer Content before such use. Nothing in this section will reduce or limit Provider’s obligations regarding Personal Data that may be contained in Usage Data or Customer Content under Applicable Data Protection Laws. Due to the nature of artificial intelligence and machine learning, information generated by these features may be incorrect or inaccurate. Product features that include artificial intelligence or machine learning models are not human and are not a substitute for human oversight.
2. Restrictions & Obligations
- Restrictions on Customer. a. Except as expressly permitted by this Agreement, Customer will not (and will not allow anyone else to): (i) reverse engineer, decompile, or attempt to discover any source code or underlying ideas or algorithms of the Product (except to the extent Applicable Laws prohibit this restriction); (ii) provide, sell, transfer, sublicense, lend, distribute, rent, or otherwise allow others to access or use the Product; (iii) remove any proprietary notices or labels; (iv) copy, modify, or create derivative works of the Product; (v) conduct security or vulnerability tests on, interfere with the operation of, cause performance degradation of, or circumvent access restrictions of the Product; (vi) access accounts, information, data, or portions of the Product to which Customer does not have explicit authorization; (vii) use the Product to develop a competing service or product; (viii) use the Product with any High Risk Activities or with any activity prohibited by Applicable Laws; (ix) use the Product to obtain unauthorized access to anyone else’s networks or equipment; or (x) upload, submit, or otherwise make available to the Product any Customer Content to which Customer and Users do not have the proper rights. b. Use of the Product must comply with all Documentation and Use Limitations.
- Suspension. If Customer (a) has an outstanding, undisputed balance on its account for more than 30 days; (b) breaches Section 2.1 (Restrictions on Customer); or (c) uses the Product in violation of the Agreement or in a way that materially and negatively impacts the Product or others, then Provider may temporarily suspend Customer’s access to the Product with or without notice. However, Provider will try to inform Customer before suspending Customer’s account when practical. Provider will reinstate Customer’s access to the Product only if Customer resolves the underlying issue.
3. Privacy & Security
- Personal Data. Before submitting Personal Data governed by GDPR, Customer must enter into a data processing agreement with Provider. If the parties have a DPA, each party will comply with its obligations in the DPA, the terms of the DPA will control each party’s rights and obligations as to Personal Data, and the terms of the DPA will control in the event of any conflict with this Agreement.
- Prohibited Data. Customer will not (and will not allow anyone else to) submit Prohibited Data to the Product unless authorized by the Order Form or Key Terms.
4. Payment & Taxes
- Fees. Unless the Order Form specifies a different currency, all Fees are in U.S. Dollars and are exclusive of taxes. Except for the prorated refund of prepaid Fees allowed with specific termination rights given in the Agreement, Fees are non-refundable.
- Invoicing. For a Payment Process with invoicing, Provider will send invoices for usage-based Fees in arrears and for all other Fees in advance, in each case according to the Payment Process.
- Automatic Payment. For a Payment Process with automatic payment, Provider will automatically charge the credit card, debit card, or other payment method on file for Fees according to the Payment Process and Customer authorizes all such charges. In this case, Provider will make a copy of Customer’s bills or transaction history available to Customer.
- Taxes. Customer is responsible for all duties, taxes, and levies that apply to Fees, including sales, use, VAT, GST, or withholding, that Provider itemizes and includes in an invoice. However, Customer is not responsible for Provider’s income taxes.
- Payment. Customer will pay Provider Fees and taxes in U.S. Dollars, unless the Order Form specifies a different currency, according to the Payment Process.
- Payment Dispute. If Customer has a good-faith disagreement about the Fees charged or invoiced, Customer must notify Provider about the dispute before payment is due, or within 30 days of an automatic payment, and must pay all undisputed amounts on time. The parties will work together to resolve the dispute within 15 days. If no resolution is agreed, each party may pursue any remedies available under the Agreement or Applicable Laws.
5. Term & Termination
- Order Form and Agreement. For each Order Form, the Agreement will start on the Order Date, continue through the Subscription Period, and automatically renew for additional Subscription Periods unless one party gives notice of non-renewal to the other party before the Non-Renewal Notice Date.
- Framework Terms. These Framework Terms will start on the Effective Date and continue for the longer of one year or until all Order Forms governed by the Framework Terms have ended.
- Termination. Either party may terminate the Framework Terms or an Order Form immediately: a. if the other party fails to cure a material breach of the Framework Terms or an Order Form following 30 days notice; b. upon notice if the other party (i) materially breaches the Framework Terms or an Order Form in a manner that cannot be cured; (ii) dissolves or stops conducting business without a successor; (iii) makes an assignment for the benefit of creditors; or (iv) becomes the debtor in insolvency, receivership, or bankruptcy proceedings that continue for more than 60 days.
- Force Majeure. Either party may terminate an affected Order Form upon notice if a Force Majeure Event prevents the Product from materially operating for 30 or more consecutive days. Provider will pay to Customer a prorated refund of any prepaid Fees for the remainder of the Subscription Period. A Force Majeure Event does not excuse Customer’s obligation to pay Fees accrued prior to termination.
- Effect of Termination. Termination of the Framework Terms will automatically terminate all Order Forms governed by the Framework Terms. Upon any expiration or termination: a. Customer will no longer have any right to use the Product. b. Upon Customer’s request, Provider will delete Customer Content within 60 days. c. Each Recipient will return or destroy Discloser’s Confidential Information in its possession or control. d. Provider will submit a final bill or invoice for all outstanding Fees accrued before termination and Customer will pay the invoice according to Section 4 (Payment & Taxes).
- Survival. a. The following sections will survive expiration or termination of the Agreement: Section 1.4 (Feedback and Usage Data), Section 1.6 (Machine Learning), Section 2.1 (Restrictions on Customer), Section 4 (Payment & Taxes) for Fees accrued or payable before expiration or termination, Section 5.5 (Effect of Termination), Section 5.6 (Survival), Section 6 (Representations & Warranties), Section 7 (Disclaimer of Warranties), Section 8 (Limitation of Liability), Section 9 (Indemnification), Section 10 (Confidentiality), Section 11 (Reservation of Rights), Section 12 (General Terms), Section 13 (Definitions), and the portions of a Cover Page referenced by these sections. b. Each Recipient may retain Discloser’s Confidential Information in accordance with its standard backup or record retention policies maintained in the ordinary course of business or as required by Applicable Laws, in which case Section 3 (Privacy & Security) and Section 10 (Confidentiality) will continue to apply to retained Confidential Information.
6. Representations & Warranties
- Mutual. Each party represents and warrants to the other that: (a) it has the legal power and authority to enter into this Agreement; (b) it is duly organized, validly existing, and in good standing under the Applicable Laws of the jurisdiction of its origin; (c) it will comply with all Applicable Laws in performing its obligations or exercising its rights in this Agreement; and (d) it will comply with the Additional Warranties.
- From Customer. Customer represents and warrants that it, all Users, and anyone submitting Customer Content each have and will continue to have all rights necessary to submit or make available Customer Content to the Product and to allow the use of Customer Content as described in the Agreement.
- From Provider. Provider represents and warrants to Customer that it will not materially reduce the general functionality of the Cloud Service during the Subscription Period.
- Provider Warranty Remedy. If Provider breaches the warranty in Section 6.3 (Representations & Warranties from Provider), Customer must give Provider notice (with enough detail for Provider to understand or replicate the issue) within 45 days of discovering the issue. Within 45 days of receiving sufficient details of the warranty issue, Provider will attempt to restore the general functionality of the Cloud Service. If Provider cannot resolve the issue, Customer may terminate the affected Order Form and Provider will pay to Customer a prorated refund of prepaid Fees for the remainder of the Subscription Period. Provider’s restoration obligation, and Customer’s termination right, are Customer’s only remedies if Provider does not meet the warranty in Section 6.3 (Representations & Warranties from Provider).
7. Disclaimer of Warranties
- Provider makes no guarantees that the Product will always be safe, secure, or error-free, or that it will function without disruptions, delays, or imperfections. The warranties in Section 6 (Representations & Warranties) do not apply to any misuse or unauthorized modification of the Product, nor to any product or service provided by anyone other than Provider. Except for the warranties in Section 6 (Representations & Warranties), Provider and Customer each disclaim all other warranties and conditions, whether express or implied, including the implied warranties and conditions of merchantability, fitness for a particular purpose, title, and non-infringement. These disclaimers apply to the maximum extent permitted by Applicable Laws.
8. Limitation of Liability
- Liability Caps. a. Except as provided in Section 8.4 (Exceptions), each party’s total cumulative liability for all claims arising out of or relating to this Agreement will not be more than the General Cap Amount. b. If there are Increased Claims, each party’s total cumulative liability for all Increased Claims arising out of or relating to this Agreement will not be more than the Increased Cap Amount.
- Damages Waiver. Except as provided in Section 8.4 (Exceptions), under no circumstances will either party be liable to the other for lost profits or revenues (whether direct or indirect), or for consequential, special, indirect, exemplary, punitive, or incidental damages relating to this Agreement, even if the party is informed of the possibility of this type of damage in advance.
- Applicability. The limitations and waivers contained in Sections 8.1 (Liability Caps) and 8.2 (Damages Waiver) apply to all liability, whether in tort (including negligence), contract, breach of statutory duty, or otherwise.
- Exceptions. The liability cap in Section 8.1(a) does not apply to any Increased Claims. Section 8.1 (Liability Caps) does not apply to any Unlimited Claims. Section 8.2 (Damages Waiver) does not apply to any Increased Claims or a breach of Section 10 (Confidentiality). Nothing in this Agreement will limit, exclude, or restrict a party's liability to the extent prohibited by Applicable Laws.
9. Indemnification
- Protection by Provider. Provider will indemnify, defend, and hold harmless Customer from and against all Provider Covered Claims made by someone other than Customer, Customer’s Affiliates, or Users, and all out-of-pocket damages, awards, settlements, costs, and expenses, including reasonable attorneys’ fees and other legal expenses, that arise from the Provider Covered Claims.
- Protection by Customer. Customer will indemnify, defend, and hold harmless Provider from and against all Customer Covered Claims made by someone other than Provider or its Affiliates, and all out-of-pocket damages, awards, settlements, costs, and expenses, including reasonable attorneys’ fees and other legal expenses, that arise from the Customer Covered Claims.
- Procedure. The Indemnifying Party’s obligations in this section are contingent upon the Protected Party: (a) promptly notifying the Indemnifying Party of each Covered Claim for which it seeks protection; (b) providing reasonable assistance to the Indemnifying Party at the Indemnifying Party’s expense; and (c) giving the Indemnifying Party sole control over the defense and settlement of each Covered Claim. A Protected Party may participate in a Covered Claim for which it seeks protection with its own attorneys only at its own expense. The Indemnifying Party may not agree to any settlement of a Covered Claim that contains an admission of fault or otherwise materially and adversely impacts the Protected Party without the prior written consent of the Protected Party.
- Changes to Product. If required by settlement or court order, or if deemed reasonably necessary in response to a Provider Covered Claim, Provider may: (a) obtain the right for Customer to continue using the Product; (b) replace or modify the affected component of the Product without materially reducing the general functionality of the Product; or (c) if neither (a) nor (b) are reasonable, terminate the affected Order Form and issue a pro-rated refund of prepaid Fees for the remainder of the Subscription Period.
- Exclusions. a. Provider’s obligations as an Indemnifying Party will not apply to Provider Covered Claims that result from (i) modifications to the Product that were not authorized by Provider or that were made in compliance with Customer’s instructions; (ii) unauthorized use of the Product, including use in violation of this Agreement; (iii) use of the Product in combination with items not provided by Provider; or (iv) use of an old version of the Product where a newer release would avoid the Provider Covered Claim. b. Customer’s obligations as an Indemnifying Party will not apply to Customer Covered Claims that result from the unauthorized use of the Customer Content, including use in violation of this Agreement.
- Exclusive Remedy. This Section 9 (Indemnification), together with any termination rights, describes each Protected Party’s exclusive remedy and each Indemnifying Party’s entire liability for a Covered Claim.
10. Confidentiality
- Non-Use and Non-Disclosure. Except as otherwise authorized in the Agreement or as needed to fulfill its obligations or exercise its rights under this Agreement, Recipient will not (a) use Discloser’s Confidential Information; nor (b) disclose Discloser’s Confidential Information to anyone else. In addition, Recipient will protect Discloser’s Confidential Information using at least the same protections Recipient uses for its own similar information but no less than a reasonable standard of care.
- Exclusions. Confidential Information does not include information that (a) Recipient knew without any obligation of confidentiality before disclosure by Discloser; (b) is or becomes publicly known and generally available through no fault of Recipient; (c) Recipient receives under no obligation of confidentiality from someone else who is authorized to make the disclosure; or (d) Recipient independently developed without use of or reference to Discloser’s Confidential Information.
- Required Disclosures. Recipient may disclose Discloser’s Confidential Information to the extent required by Applicable Laws if, unless prohibited by Applicable Laws, Recipient provides Discloser reasonable advance notice of the required disclosure and reasonably cooperates, at Discloser’s expense, with Discloser’s efforts to obtain confidential treatment for the Confidential Information.
- Permitted Disclosures. Recipient may disclose Discloser’s Confidential Information to Users, employees, advisors, contractors, and representatives who each have a need to know the Confidential Information, but only if the person or entity is bound by confidentiality obligations at least as protective as those in this Section 10 (Confidentiality) and Recipient remains responsible for everyone’s compliance with the terms of this Section 10 (Confidentiality).
11. Reservation of Rights
- Except for the limited license to copy and use Software and Documentation in Section 1.1 (Access and Use), Provider retains all right, title, and interest in and to the Product, whether developed before or after the Effective Date. Except for the limited rights in Section 1.5 (Customer Content) and 1.6 (Machine Learning), Customer retains all right, title, and interest in and to the Customer Content.
12. General Terms
- Entire Agreement. This Agreement is the only agreement between the parties about its subject and this Agreement supersedes all prior or contemporaneous statements (whether in writing or not) about its subject. Provider expressly rejects any terms included in Customer’s purchase order or similar document, which may only be used for accounting or administrative purposes. No terms or conditions in any Customer documentation or online vendor portal will apply to Customer’s use of the Product unless expressly agreed to in a legally binding written agreement signed by an authorized Provider representative, regardless of what such terms may say.
- Modifications, Severability, and Waiver. Any waiver, modification, or change to the Agreement must be in writing and signed or electronically accepted by each party. If any term of this Agreement is determined to be invalid or unenforceable by a relevant court or governing body, the remaining terms of this Agreement will remain in full force and effect. The failure of a party to enforce a term or to exercise an option or right in this Agreement will not constitute a waiver by that party of the term, option, or right.
- Governing Law and Chosen Courts. The Governing Law will govern all interpretations and disputes about this Agreement, without regard to its conflict of laws provisions. The parties will bring any legal suit, action, or proceeding about this Agreement in the Chosen Courts and each party irrevocably submits to the exclusive jurisdiction of the Chosen Courts.
- Injunctive Relief. Despite Section 12.3 (Governing Law and Chosen Courts), a breach of Section 10 (Confidentiality) or the violation of a party’s intellectual property rights may cause irreparable harm for which monetary damages cannot adequately compensate. As a result, upon the actual or threatened breach of Section 10 (Confidentiality) or violation of a party’s intellectual property rights, the non-breaching or non-violating party may seek appropriate equitable relief, including an injunction, in any court of competent jurisdiction without the need to post a bond and without limiting its other rights or remedies.
- Non-Exhaustive Remedies. Except where the Agreement provides for an exclusive remedy, seeking or exercising a remedy does not limit the other rights or remedies available to a party.
- Assignment. Neither party may assign any rights or obligations under this Agreement without the prior written consent of the other party. However, either party may assign this Agreement upon notice if the assigning party undergoes a merger, change of control, reorganization, or sale of all or substantially all its equity, business, or assets to which this Agreement relates. Any attempted but non-permitted assignment is void. This Agreement will be binding upon and inure to the benefit of the parties and their permitted successors and assigns.
- Beta Products. If Provider gives Customer access to a Beta Product, the Beta Product is provided "AS IS" and Section 6.3 (Representations & Warranty From Provider) does not apply to any Beta Products. Customer acknowledges that Beta Products are experimental in nature and may be modified or removed at Provider’s discretion with or without notice.
- Logo Rights. Provider may identify Customer and use Customer’s name and logo in marketing to identify Customer as a user of Provider’s products and services.
- Notices. Any notice, request, or approval about the Agreement must be in writing and sent to the Notice Address. Notices will be deemed given (a) upon confirmed delivery if by email, registered or certified mail, or personal delivery; or (b) two days after mailing if by overnight commercial delivery.
- Independent Contractors. The parties are independent contractors, not agents, partners, or joint venturers. Neither party is authorized to bind the other to any liability or obligation.
- No Third-Party Beneficiary. There are no third-party beneficiaries of this Agreement.
- Force Majeure. Neither party will be liable for a delay or failure to perform its obligations of this Agreement if caused by a Force Majeure Event. However, this section does not excuse Customer’s obligations to pay Fees.
- Export Controls. Customer may not remove or export from the United States or allow the export or re-export of the Product or any related technology or materials in violation of any restrictions, laws, or regulations of the United States Department of Commerce, OFAC, or any other United States or foreign agency or authority. Customer represents and warrants that it is not (a) a resident or national of an Embargoed Country; (b) an entity organized under the laws of an Embargoed Country; (c) designated on any list of prohibited, restricted, or sanctioned parties maintained by the U.S. government or agencies or other applicable governments or agencies, including OFAC’s Specially Designated Nationals and Blocked Persons List and the UN Security Council Consolidated List; nor (d) 50% or more owned by any party designated on any of the above lists. Provider may terminate this Agreement immediately without notice or liability to comply, as determined in Provider’s sole discretion, with applicable export controls and sanctions laws and regulations.
- Government Rights. The Cloud Service and Software are deemed "commercial items" or "commercial computer software" according to FAR section 12.212 and DFAR section 227.7202, and the Documentation is "commercial computer software documentation" according to DFAR section 252.227-7014(a)(1) and (5). Any use, modification, reproduction, release, performance, display, or disclosure of the Product by the U.S. Government will be governed solely by the terms of this Agreement and all other use is prohibited.
- Anti-Bribery. Neither party will take any action that would be a violation of any Applicable Laws that prohibit the offering, giving, promising to offer or give, or receiving, directly or indirectly, money or anything of value to any third party to assist Provider or Customer in retaining or obtaining business. Examples of these kinds of laws include the U.S. Foreign Corrupt Practices Act and the UK Bribery Act 2010.
- Titles and Interpretation. Section titles are for convenience and reference only. All uses of "including" and similar phrases are non-exhaustive and without limitation. The United Nations Convention for the International Sale of Goods and the Uniform Computer Information Transaction Act do not apply to this Agreement.
- Signature. This Agreement may be signed in counterparts, including by electronic copies or acceptance mechanism. Each copy will be deemed an original and all copies, when taken together, will be the same agreement.
13. Definitions
- Defining Variables. Variables have the meanings or descriptions given on a Cover Page. However, if the Order Form and the governing Framework Terms omit or do not define a Variable, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to that Agreement.
- "Affiliate" means an entity that, directly or indirectly, controls, is under the control of, or is under common control with a party, where control means having more than fifty percent (50%) of the voting stock or other ownership interest.
- "Agreement" means the Order Form between Provider and Customer as governed by the Framework Terms.
- "Applicable Data Protection Laws" means the Applicable Laws that govern how the Cloud Service may process or use an individual’s personal information, personal data, personally identifiable information, or other similar term.
- "Applicable Laws" means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern Provider or Customer.
- "Beta Product" means an early or prerelease feature or version of the Product that is identified as beta or similar, or a version of the Product that is not generally available.
- "Cloud Service" means the product described in the Order Form.
- "Confidential Information" means information in any form disclosed by or on behalf of a Discloser, including before the Effective Date, to a Recipient in connection with this Agreement that (a) the Discloser identifies as "confidential", "proprietary", or the like; or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Confidential Information includes the existence of this Agreement and the information on each Cover Page. Customer’s Confidential Information includes non-public Customer Content and Provider’s Confidential Information includes non-public information about the Product.
- "Cover Page" means a document that is signed or electronically accepted by the parties, incorporates these Standard Terms or is governed by the Framework Terms, and identifies Provider and Customer. A Cover Page may include an Order Form, Key Terms, or both.
- "Covered Claim" means either a Provider Covered Claim or Customer Covered Claim.
- "Customer Content" means data, information, or materials submitted by or on behalf of Customer or Users to the Product but excludes Feedback.
- "Discloser" means a party to this Agreement when the party is providing or disclosing Confidential Information to the other party.
- "Documentation" means the usage manuals and instructional materials for the Cloud Service or Software that are made available by Provider.
- "Embargoed Country" means any country or region to or from where Applicable Laws generally restrict the export or import of goods, services, or money.
- "Feedback" means suggestions, feedback, or comments about the Product or related offerings.
- "Fees" means the applicable amounts described in an Order Form.
- "Force Majeure Event" means an unforeseen event outside a party’s reasonable control where the affected party took reasonable measures to avoid or mitigate the impacts of the event. Examples of these kinds of events include unpredicted natural disasters like a major earthquake, war, pandemic, riot, act of terrorism, or public utility or internet failure.
- "Framework Terms" means these Standard Terms, the Key Terms between Provider and Customer, and any policies and documents referenced in or attached to the Key Terms.
- "GDPR" means European Union Regulation 2016/679 as implemented by local law in the relevant European Union member nation, and by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.
- "High Risk Activity" means any situation where the use or failure of the Product could be reasonably expected to lead to death, bodily injury, or environmental damage. Examples include full or partial autonomous vehicle technology, medical life-support technology, emergency response services, nuclear facilities operation, and air traffic control.
- "Indemnifying Party" means a party to this Agreement when the party is providing protection for a particular Covered Claim.
- "Key Terms" means a Cover Page that includes the key legal details and Variables for this Agreement. The Key Terms may include details about Covered Claims, set the Governing Law, or contain other details about this Agreement.
- "OFAC" means the United States Department of Treasury's Office of Foreign Assets Control.
- "Order Form" means a Cover Page that includes the key business details and Variables for this Agreement that are not defined in the Framework Terms. An Order Form includes the policies and documents referenced in or attached to the Order Form. An Order Form may include details about the level of access and use granted to the Cloud Service, length of Subscription Period, or other details about the Product.
- "Personal Data" will have the meaning(s) set forth in the Applicable Data Protection Laws for personal information, personal data, personally identifiable information, or other similar term.
- "Product" means the Cloud Service, Software, and Documentation.
- "Prohibited Data" means (a) patient, medical, or other protected health information regulated by the Health Insurance Portability and Accountability Act; (b) credit, debit, bank account, or other financial account numbers; (c) social security numbers, driver’s license numbers, or other unique and private government ID numbers; (d) special categories of data as defined in the GDPR; and (e) other similar categories of sensitive information as set forth in the Applicable Data Protection Laws.
- "Protected Party" means a party to this Agreement when the party is receiving the benefit of protection for a particular Covered Claim.
- "Recipient" means a party to this Agreement when the party receives Confidential Information from the other party.
- "Software" means the client-side software or applications made available by Provider for Customer to install, download (whether onto a machine or in a browser), or execute as part of the Product.
- "Standard Terms" means these Common Paper Cloud Service Agreement Standard Terms Version 2.1, which are posted at https://commonpaper.com/standards/cloud-service-agreement/2.1/.
- "Usage Data" means data and information about the provision, use, and performance of the Product and related offerings based on Customer’s or User’s use of the Product.
- "User" means any individual who uses the Product on Customer’s behalf or through Customer’s account.
- "Variable" means a word or phrase that is highlighted and capitalized, such as Subscription Period or Governing Law.
Privacy Policy
Last updated: July 18, 2025
Cedar CI LLC (Cedar CI, we) takes the privacy and security of your information seriously. This Privacy Statement explains what data we collect and the purpose of that data.
Data
The data collected is either explicitly provided (during registration, payment, and configuration) or implicitly collected during the execution of CI workloads per user configuration (source code and artifacts).
Data | Collection | Use |
---|---|---|
| | Registration | Notification and subscription management |
Username | Registration | Configuration |
SSH pubkey | Registration | Configuration |
Name | Payment | Payment |
Instrument | Payment | Payment |
API Token | Configuration | Third-party CI interaction |
Source code | Execution | Execution of CI workload |
Artifacts | Execution | Execution of CI workload |
CI Usage | Billing | Debiting account credit |
Retention
- All information collected as part of registration and configuration is retained until an account is deleted. Unless held for legal purposes, all data, including caches, will be wiped within 48 hours.
- Some Source Code and Artifacts downloaded during CI execution are cached. The cache period may vary based on usage, but generally ranges from an hour to two weeks. Cached data may be wiped at any time.
- Payment and Usage information is kept to comply with tax, accounting, and financial reporting obligations.
User rights
Users may:
- access their data (registration, configuration, usage, and payment history)
- request a copy of their data
- request deletion of all their data
- request disclosure of whether their data is being processed
- request a correction to their data
- object to the use of their data
- opt out of processing their data
Subprocessor
See our subprocessor list for details about what is not processed directly.
Contact
For any concerns or requests, use our privacy e-mail.
Subprocessor List
Last updated: July 18, 2025
Unless otherwise indicated, customer data is processed directly by Cedar CI in the United States.
- Registration passes through the AWS CDN, but is processed and stored directly.
- E-mail is processed through Linode.
- Payment is processed by Stripe.
- Configuration is processed directly.
- Execution is processed directly.
- CI definition and result are processed by your configured provider (e.g., Gitlab.com).
Any new subprocessor will be published at least 30 days in advance of authorization.
Overview
Name | Scope | Processing | Corporate |
---|---|---|---|
AWS | Content delivery network | United States | United States |
Gitlab | CI definition and result | Dependent | United States |
Linode | E-mail | United States | United States |
Stripe | Payment | United States | United States |
Previously
Basic runners are hosted by AWS and thus expand the scope to include compute and storage.
Data Processing Agreement: Cover
Last updated: July 21, 2025
This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1/ ("DPA Standard Terms"), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this Agreement. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement. A copy of the DPA Standard Terms is attached for convenience only.
Key terms
Key Term | Meaning |
---|---|
Agreement | Terms of Service |
Approved Subprocessors | Subprocessor list |
Provider Security Contact | Cedar CI Security |
Security Policy | Security details |
Service Provider Relationship | To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA. |
Governing Member State | EEA Transfers: Netherlands; UK Transfers: England |
Annex I(A): List of Parties
Key Term | Meaning |
---|---|
Data Exporter | Name: the Customer signing this DPA; Activities relevant to transfer: See Annex 1(B); Role: Controller |
Data Importer | Name: the Provider signing this DPA; Contact person: Cedar CI Security; Address: 5900 Balcones Drive #8225, Austin, TX 78731, US; Activities relevant to transfer: See Annex 1(B); Role: Processor |
Annex I(B): Description of Transfer and Processing Activities
Key Term | Meaning |
---|---|
Service | Cedar CI provides Continuous Integration execution that integrates with Gitlab. |
Categories of Data Subjects | Customer; Customer's employees |
Categories of Personal Data | See Privacy Policy: Data section |
Special Category Data | No |
Frequency of Transfer | Continuous |
Nature and Purpose of Processing | Provider processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the Agreement. The nature of processing includes, without limitation, execution of Continuous Integration jobs. |
Duration of Processing | Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws. |
Annex I(C)
Key Term | Meaning |
---|---|
Competent Supervisory Authority | The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum. |
Annex II
Key Term | Meaning |
---|---|
Technical and Organizational Security Measures | See Security Policy |
Data Processing Agreement
Processor and Subprocessor Relationships
Provider as Processor. In situations where Customer is a Controller of the Customer Personal Data, Provider will be deemed a Processor that is Processing Personal Data on behalf of Customer.
Provider as Subprocessor. In situations where Customer is a Processor of the Customer Personal Data, Provider will be deemed a Subprocessor of the Customer Personal Data.
Processing
Processing Details. Annex I(B) on the Cover Page describes the subject matter, nature, purpose, and duration of this Processing, as well as the Categories of Personal Data collected and Categories of Data Subjects.
Processing Instructions. Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Provider about Processing Customer Personal Data under this DPA. Provider will abide by these instructions unless prohibited from doing so by Applicable Laws. Provider will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.
Processing by Provider. Provider will only Process Customer Personal Data in accordance with this DPA, including the details in the Cover Page. If Provider updates the Service to update existing or include new products, features, or functionality, Provider may change the Categories of Data Subjects, Categories of Personal Data, Special Category Data, Special Category Data Restrictions or Safeguards, Frequency of Transfer, Nature and Purpose of Processing, and Duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.
Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.
Consent to Processing. Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.
Subprocessors.
a. Provider will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. Provider will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before the Provider begins using the new Subprocessor(s). Provider will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and Provider will cooperate in good faith to resolve Customer’s objection or concern.
b. When engaging a Subprocessor, Provider will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement.
c. If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) Provider’s agreement with the Subprocessor will incorporate these obligations, including details about how Provider and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, Provider will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including personal data, Provider may redact the text of its agreement with its Subprocessor prior to sharing a copy.
d. Provider remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Provider will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Provider and the Subprocessor.
Restricted Transfers
Authorization. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Provider transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Provider will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.
Ex-EEA Transfers. Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Provider outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Provider are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
a. Module Two (Controller to Processor) of the EEA SCCs apply when Customer is a Controller and Provider is Processing Customer Personal Data for Customer as a Processor.
b. Module Three (Processor to Sub-Processor) of the EEA SCCs apply when Customer is a Processor and Provider is Processing Customer Personal Data on behalf of Customer as a Subprocessor.
c. For each module, the following applies (when applicable):
  i. The optional docking clause in Clause 7 does not apply;
  ii. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days;
  iii. In Clause 11, the optional language does not apply;
  iv. All square brackets in Clause 13 are removed;
  v. In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Governing Member State;
  vi. In Clause 18(b), disputes will be resolved in the courts of the Governing Member State; and
  vii. The Cover Page to this DPA contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs.
Ex-UK Transfers. Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Provider outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Provider are deemed to have signed the UK Addendum and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
a. Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.
b. Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
c. The Cover Page contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.
Other International Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
Security Incident Response
- Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. Provider’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by Provider of any fault or liability for the Security Incident.
Audit & Reports
Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and Provider will allow for and contribute to audits, including inspections by Customer, to assess Provider’s compliance with this DPA. However, Provider may restrict access to data or information if Customer’s access to the information would negatively impact Provider’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing Provider to comply with the reporting and due diligence requirements below. Provider will maintain records of its compliance with this DPA for 3 years after the DPA ends.
Security Reports. Customer acknowledges that Provider is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, Provider will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify Provider’s compliance with the standards defined in the Security Policy.
Security Due Diligence. In addition to the Report, Provider will respond to reasonable requests for information made by Customer to confirm Provider’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to the Provider Security Contact and may only be made once a year.
Coordination & Cooperation
Response to Inquiries. If Provider receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Provider will notify Customer about the request and Provider will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, Provider will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Provider, Provider will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Provider will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Provider’s Processing of Customer Personal Data under this DPA.
DPIAs and DTIAs. If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.
Deletion of Customer Personal Data
Deletion by Customer. Provider will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. Provider will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.
Deletion at DPA Expiration.
a. After the DPA expires, Provider will return or delete Customer Personal Data at Customer’s instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Provider will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require Provider to continue hosting or Processing Customer Personal Data.
b. If Customer and Provider have entered the EEA SCCs or the UK Addendum as part of this DPA, Provider will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.
Limitation of Liability
Liability Caps and Damages Waiver. To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
Related-Party Claims. Any claims made against Provider or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.
Exceptions. This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
Conflicts Between Documents
- This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
Term of Agreement
- This DPA will start when Provider and Customer agree to a Cover Page for the DPA and sign or electronically accept the Agreement and will continue until the Agreement expires or is terminated. However, Provider and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Provider and Provider stops Processing Customer Personal Data.
Definitions
- "Applicable Laws" means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
- "Applicable Data Protection Laws" means the Applicable Laws that govern how the Service may process or use an individual’s personal information, personal data, personally identifiable information, or other similar term.
- "Controller" will have the meaning(s) given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
- "Cover Page" means a document that is signed or electronically accepted by the parties that incorporates these DPA Standard Terms and identifies Provider, Customer, and the subject matter and details of the data processing.
- "Customer Personal Data" means Personal Data that Customer uploads or provides to Provider as part of the Service and that is governed by this DPA.
- "DPA" means these DPA Standard Terms, the Cover Page between Provider and Customer, and the policies and documents referenced in or attached to the Cover Page.
- "EEA SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council.
- "European Economic Area" or "EEA" means the member states of the European Union, Norway, Iceland, and Liechtenstein.
- "GDPR" means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.
- "Personal Data" will have the meaning(s) given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
- "Processing" or "Process" will have the meaning(s) given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data, including by automatic methods.
- "Processor" will have the meaning(s) given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
- "Report" means audit reports prepared by another company according to the standards defined in the Security Policy on behalf of Provider.
- "Restricted Transfer" means (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
- "Security Incident" means a Personal Data Breach as defined in Article 4 of the GDPR.
- "Service" means the product and/or services described in the Agreement.
- "Special Category Data" will have the meaning given in Article 9 of the GDPR.
- "Subprocessor" will have the meaning(s) given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.
- "UK GDPR" means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 in the United Kingdom.
- "UK Addendum" means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner for Parties making Restricted Transfers under S119A(1) Data Protection Act 2018.
Security > Overview
We strive to ensure our service and software are secure.
Access
Our production cluster is accessible only to our on-call team and on an as-needed basis for debugging. Production data is never replicated to non-production systems.
Authentication
All development and production resources require Multi-Factor Authentication (MFA).
Transport
All systems utilize either Transport Layer Security (TLS), version 1.2 or greater, or Secure Shell (SSH) using industry standard encryption algorithms.
Storage
All storage is encrypted at rest using AES-256 encryption.
Backup
The only customer supplied data included in backups is the configuration repository. Data removed by the customer will propagate through backups. See our Privacy Policy for details on requesting a purge from backups.
Payment
All payment information is entered on Stripe's site directly. Only the transaction amount and reference ID are tracked in our system. See Stripe's policies on security and privacy for more details.
Runner
Security measures vary between our enhanced and basic runners, but both ensure customer data and CI jobs are isolated.
Patch
Our engineering team monitors various security feeds and static analysis tools for security vulnerabilities and applies patches as needed.
Monitoring
System health and performance metrics are collected for both automated and manual analysis.
Logging
Any logs containing customer data are ephemeral and maintained within the production cluster.
Testing
Penetration testing is conducted no less than annually. Reports are available upon request.
Corporate
Credential
Shared credentials are secured using a password manager.
Device
All employee devices are secured using a complex password and AES-256 encryption.
Employee
Background
Background checks are required before joining.
Termination
All production and development access can be revoked remotely.
Security > Customer
Access
The customer is responsible for controlling the SSH private key paired to the supplied SSH public key.
Authentication
Customer authentication is achieved by verifying the SSH key pair.
Transport
Browser based access utilizes Transport Layer Security (TLS), version 1.2 or greater.
Configuration information, cache control, and billing information are accessed via Secure Shell (SSH) using industry standard encryption algorithms.
Workload
The customer controls and is thus responsible for the security aspects of their CI jobs.
Security > Runner: Enhanced
Compute
Both the runner and worker virtual machines (VM) are executed on hardware owned and operated by Cedar CI in the U.S.
Ephemeral
A dedicated VM is utilized for each job such that no two jobs are executed in the same VM.
The Intelligent Cache maintains data within our production cluster based on usage and the expiration configuration. Cache data is partitioned by customer and only accessible by the owning customer's CI jobs when executed within our cluster.
Cached data may be wiped at any time.
Security > Runner: Basic
Compute
Both the runner and worker virtual machines (VM) are executed on Amazon Web Services (AWS) in the U.S.
Ephemeral
A dedicated VM is utilized for each job such that no two jobs are executed in the same VM. If desired, this can be relaxed for performance and efficiency to allow multiple jobs to run sequentially in the same VM. When exhausted, the VM is destroyed and no artifacts are kept.
If jobs utilize the cache feature, S3 storage will be utilized and kept for 7 days. All cache access is performed using pre-signed URLs.
Security > Incident
In accordance with industry standards, Cedar CI utilizes the following procedure for handling security incidents. The amount of emphasis placed on each phase will vary based on the severity of the incident.
In case of a suspected security breach or vulnerability, immediately e-mail security.
Triage
All reports of a suspicious nature are escalated to management and security personnel. An incident is declared when an employee senses that an adverse risk to the company exists.
Investigate
An incident response team comprising the main stakeholders of the affected systems is assembled and given access to relevant backups, logs, and deployments. Any third-party vendors that may be involved or affected are contacted to aid in containment and investigation.
The investigation is performed in a fact-based, scientific manner. Records and notes are kept up-to-date throughout the process for later reference.
If affected, customers should be notified of a potential data breach as soon as possible.
Where applicable, Cedar CI will notify relevant law enforcement agencies and third parties of the incident and keep them up-to-date on the resolution process.
Resolve
Once clearly identified, securing the vulnerable system becomes the highest priority item for the involved teams. Resolving a security incident may involve changes to infrastructure, code, process, or team composition. Additionally, security scans for similar vulnerabilities should be performed on all systems.
As a final precaution, access tokens, passwords, and encryption keys of all affected and directly connected systems and accounts are changed, regardless of the investigation's findings as to their integrity.
Postmortem
A formal follow-up report is created that details the scope of the incident and the steps taken in its mitigation. The report should outline new systems and procedures to prevent such incidents in the future. It may make suggestions for improvements to long-term monitoring and changes to access policies, where appropriate.