The entity responsible for processing the data in the Cauldron.io website or through our services is Bitergium SLL, located at Av.da Gregorio Peces Barba, 1 - 28918 Leganés, Madrid. All communications regarding the processing of your personal data shall be directed to email@example.com
These data are mandatory and if they are not provided we cannot contact you and respond to your requests.
Cauldron automatically collects data regarding your browsing of the website, such as your IP address, the browser you are using, the site from which you came and the site to which you are going when you leave the site.
The personal data which may be generated during the course of services provided by Cauldron.io services will be processed by us as a Data Processor, as established in Annex I "Data Processing Addendum" below which regulates that data processing. Under no circumstances will the personal data of third parties resulting from our analysis services be disclosed.
It is important that the personal data we hold about you is accurate and current. You are responsible for the accuracy of the information you provide to us and you are expected to update any information you provide us with.
We use your personal data to:
Data collected automatically from website use will be maintained and used in aggregate form only and it will not contain personally identifiable information. We may use such aggregate information to analyse trends, administer the site/s, and gather broad demographic information for aggregate use.
The legal basis of this processing is the performance of our services (registration and user management), and our legitimate interest to contact you and respond to your requests, and your express consent where indicated by you (newsletter). For clients, processing the personal data of your staff and contacts is necessary for entering into and performing our contract.
If you tick the corresponding box, you consent to receiving commercial communications from us regarding our services and products and any new features, offers or promotions offered by us. If later you do not wish to receive commercial information about Cauldron.io and our services, you can expressly opt out by sending a notification to firstname.lastname@example.org or by clicking the unsubscribe link in our email communications.
We process your personal data with strict confidentiality in accordance with applicable law. However, we shall disclose any personal or other data you provide us in compliance with a legal obligation or in order to correctly deliver our Services or perform other obligations in accordance with our website terms or professional terms of engagement, or in the event of a corporate operation involving investment, merger or sale.
Except as indicated, we do not reveal any of your data unless it is necessary for the performance of our services, or to our professional suppliers who provide us their services (email, storage, etc.).
International. We inform you that we use the following international third-party services to provide our Services:
These companies are located in the United States, a territory which does not generally provide adequate safeguards in relation to data processing, but they are part of the EU-US Privacy Shield and have entered into contracts with us providing the appropriate safeguards according to law.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will retain the personal data submitted through our website and collected during the course of the services while we have commercial and professional relations with you. Once such personal data is no longer used for the purpose mentioned above, it will be deleted. We may retain personal data beyond the aforementioned periods for legal or administrative reasons, such as defending our responsibility and complying with mandatory legal obligations, subject to applicable law. For clients, we will retain your data during our engagement and 6 years thereafter (duly blocked) for tax and legal reasons. This period may be extended for the period of liability of Bitergia.
Note that we may retain the data collected from you in an anonymised and aggregated format.
We implement security measures and personal data protection schemes as required by law to maintain the confidentiality and integrity of your data and protection against unauthorised access, modification or destruction.
You have the following rights under data protection laws in relation to your personal data: Request access to your personal data (commonly known as a "data subject access request"); Request correction of the personal data that we hold about you; Request erasure of your personal data; Object to processing of your personal data where we are relying on a legitimate interest; Request restriction of processing of your personal data; Request the transfer to you or to a third party of personal data you have provided us (right to data portability); Withdraw consent at any time where we are relying on consent to process your personal data. Note that if you oppose or request erasure or restriction of processing, we may not be able to provide our services.
The aforementioned rights may be exercised by contacting us at email@example.com or at Bitergium SLL, Av.da Gregorio Peces Barba, 1 - 28918 Leganés, Madrid. We may require proof of identity, e.g. a digital copy of your identification document such as your ID card or passport.
You also have the right to make any complaint to the competent authority, in this case the Spanish Data Protection Agency (Agencia Española de Protección de Datos), C/. Jorge Juan, 6, 28001 Madrid, Spain.
With the advent of the EU General Data Protection Regulation, it is all the more important to regulate the processing of this data in the context of the Agreement between Bitergia and its client (the “Parties”) in the use of the Cauldron.io services.
The parties agree as follows:
For the purpose of this Annex, the following terms shall take the meanings set out below:
Data Protection Laws Compliance
Each Party shall use all reasonable efforts to comply with all applicable laws relating to privacy and data protection, including the EU General Data Protection Regulation (2016/679) on and from 25 May 2018, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).
Bitergia as Data Processor
This section of the Addendum is entered into pursuant to Art. 28.3 of the GDPR and regulates the Processing of Personal Data by us in the course of providing our Services to the Cauldron.io User. The duration of such processing shall be for the period during which the Parties perform their applicable obligations when using the website and Cauldron.io service.
During the provision of its services to Users through the Cauldron.io website, we may access certain Personal Data for and on behalf of the User, in particular (but without limitation), the data set out below (“User Personal Data”) relating to the indicated persons (“Data Subjects”). This includes the Project Developer and Maintainer information, etc. Under applicable privacy regulations, the User is responsible for this data and is what is known under privacy regulation as the “data controller”. On requesting the data analytics services, the Cauldron User appoints Bitergia as a data processor of this Personal Data, to process the Personal Data on User’s behalf, for the purpose of providing the Service.
Data accessed and processing, purposes
For the provision of the Cauldron.io Service, we access different systems used to support, or related to FOSS development, including (but not limited to): source code versioning systems, issue tracking systems, asynchronous and synchronous communication systems, testing systems, code review systems, and storage and distribution systems (collectively, “SDSS”).
In carrying out the Services, the following personal data in the SDSS may be accessed and processed for Users:
Our processing of this data consists in:
The purpose of this processing is to provide the Services, including carrying out an analysis of the attributes, health and sustainability of the FOSS projects, and:
Attribution of responsibility
User is made aware that for the purpose of providing the Service, we may access and process the aforementioned User Personal Data on behalf of User without the prior informed consent of the data subject. The Parties agree that the processing of the Personal Data on behalf of the User as part of the Services is legitimized as set out in the introductory note above and developed in more detail in the Annex.
User understands that there is still a risk that Data Subjects may (a) object to the processing under this Engagement and (b) request cancellation or suppression of their data (as indicated below), or (c) request certain limitation or restriction to the processing or even (d) claim against either party for breach of his/her privacy rights under Applicable Privacy Laws. We respect developers’ privacy and will comply with the exercise of these rights on request from the developers/Data Subjects.
In the event of any claim or procedure made against either of the Parties with respect to the processing of any User Personal Data hereunder, provided compliance at all times with the remainder of terms of this Annex, User will be responsible for dealing with such claim, with our support. In particular, both Parties undertake to come into compliance with applicable privacy law as soon as possible and minimise any harm to Data Subjects’ rights; and to cooperate in good faith to respond to such claims.
Notwithstanding the foregoing, User agrees to indemnify and hold us harmless from all claims, losses and fines relating to the processing of personal data hereunder, provided we are in compliance with the terms of this Annex.
Compliance with Art. 14 GDPR (Information)
Pursuant to Art. 14 GDPR, a Data Controller that has access to User Personal Data not directly from the Data Subject must inform the Data Subject that their data is being processed, providing the information set out in that Article. While it is User’s responsibility to provide this information, User and Bitergia will cooperate in good faith to determine the best method to achieve this, in each case, and at the request of User and on its behalf, we will use our best efforts to ensure that this information is provided to the Data Subjects (e.g. through the appropriate FOSS Project communication mechanisms). Given our experience in the matter, we can work with the User, and support them whenever possible, in this information effort.
Rights and responsibilities of the User as Data Controller
As established in the GDPR, User as Data Controller shall:
Rights and responsibilities of Bitergia as Data Processor
As established in the GDPR, Bitergia as Data Processor shall:
Data subjects’ exercise of their rights
If a Data Subject addresses a request or exercises any of the rights established in the General Data Protection Regulation, the Controller and/or the Processor must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.
Similarly, in the event that the Data Controller and/or the Processor do not proceed with the request of the Data Subject, they shall inform the latter without delay and, no later than one month after receipt of the request, shall provide the Data Subject with the reasons why they have not acted and inform the Data Subject of his/her right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.
As Data Processor, we may provide access to a subcontractor processor to User Personal Data if it reasonably considers such access and processing necessary to the performance of the Services. In the event of such access and before the access takes place, we shall ensure that an Engagement with the third party is in place which is sufficient to require it to treat personal data in accordance with the applicable provisions of this Engagement and applicable. Sub-contractors indicated at the end of this document are approved by User, and further subcontractors may be engaged upon prior notice to User (including with international transfers, provided section 7 is respected).
International transfer of data
International transfers of Personal Data may only be performed if the requirements of Data Protection Law and regulations that regulate them, are met. If a party carries out an international transfer of data without the other party’s consent, the latter shall be exempted from any liability that may arise as a result of or in connection with such transfer. As stated above, we may transfer User Personal Data outside the EEA to its subprocessors indicated in section 6 above, who have entered into contract with us with appropriate contractual safeguards. Sub-processors in other countries, including the USA, indicated in the table below are approved by the User.
Security breach of the User Personal Data
Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the Personal Data, the Data Controller and/or Data Processor shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than 48 hours after it happened.
Termination, resolution and expiration
In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Data Controller and the Data Processor, the latter shall not keep the Personal Data unless otherwise legally required to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, the Data Processor shall destroy or return to the Data Controller all Personal Data and any copies of it, as well as any support or other document containing any Personal Data.
Current Subcontractors and International Transfers with access to User Personal Data for the provision of their services to us
|Digital Ocean Inc. (USA)||Hosting||https://www.digitalocean.com/ and https://www.digitalocean.com/security/gdpr/|
|Gigas Hosting S.A. (Spain)||Hosting||https://gigas.com/ and https://gigas.com/en/seguridad.html|
Last updated: 2020-01-24