Last updated: July 21, 2025
This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1/ ("DPA Standard Terms"), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this Agreement. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement. A copy of the DPA Standard Terms is attached for convenience only.
Key terms
| Key Term | Meaning |
|---|---|
| Agreement | Terms of Service |
| Approved Subprocessors | Subprocessor list |
| Provider Security Contact | Cedar CI Security |
| Security Policy | Security details |
| Service Provider Relationship | To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA. |
| Governing Member State | EEA Transfers: Netherlands; UK Transfers: England |
Annex I(A): List of Parties
| Key Term | Meaning |
|---|---|
| Data Exporter | Name: the Customer signing this DPA Activities relevant to transfer: See Annex 1(B) Role: Controller |
| Data Importer | Name: the Provider signing this DPA Contact person: Cedar CI Security Address: 5900 Balcones Drive #8225, Austin, TX 78731, US Activities relevant to transfer: See Annex 1(B) Role: Processor |
Annex I(B): Description of Transfer andProcessing Activities
| Key Term | Meaning |
|---|---|
| Service | Cedar CI provides Continuous Integration execution that integrates with Gitlab. |
| Categories of Data Subjects | Customer; Customer's employees |
| Categories of Personal Data | See Privacy Policy: Data section |
| Special Category Data | No |
| Frequency of Transfer | Continuous |
| Nature and Purpose of Processing | Provider processes Customer’s Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the Agreement. The nature of processing includes, without limitation, execution of Continuous Integration jobs. |
| Duration of Processing | Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws. |
Annex I(C)
| Key Term | Meaning |
|---|---|
| Competent Supervisory Authority | The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum. |
Annex II
| Key Term | Meaning |
|---|---|
| Technical and Organizational Security Measures | See Security Policy |