This Data Protection Addendum (“DPA”) is made and entered into by and between the customer referenced in the Order (“Customer”) and Harness Inc. (“Harness”), collectively the “Parties”. The Parties have entered into an agreement for the provision of Services (“Master Subscription Agreement”) under which Harness will process certain Personal Data provided or made available by Customer, or collected or otherwise obtained by Harness, in the course of providing Services to Customer. The Parties intend this Data Protection Addendum to be an extension of the Master Subscription Agreement that outlines certain requirements for the processing of such Personal Data. In the event of a conflict between any terms in this Data Protection Addendum and those in the Master Subscription Agreement, the terms of this DPA shall prevail.
- Definitions. Capitalized terms not defined herein shall have the meaning given in the Master Subscription Agreement. In this Data Protection Addendum, the following terms (and derivations of such terms) shall have the following meanings:
- "Applicable Data Protection Law" means all international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the Master Subscription Agreement.
- “California Consumer Privacy Act of 2018” or “CCPA” means California Civil Code Section 1798.100 et seq. and related regulations, as amended from time to time.
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "EU Data Protection Law" means the laws and regulations applicable to the Processing of Personal Data under the Data Protection Addendum including but not limited to (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR") and the UK Data Protection Act 2018 (together, "UK Data Protection Laws").
- “Europe” means the European Economic Area ("EEA"), and the United Kingdom ("UK").
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
- "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Processor" means an entity that processes Personal Data on behalf of the Controller.
- “Restricted Transfer” means (i) where the GDPR applies, an International Transfer of Personal Data from the EEA to a country outside of the EEA, which is not part of the Adequacy List published by the European Commission; (ii) where the UK GDPR applies, an International Transfer of Personal Data from the UK to any other country, which is not part of the Adequacy Regulations, under Section 17A of the UK GDPR and (iii) where the Swiss DPA applies, an International Transfer of Personal Data from Switzerland to any other country which is not subject to an Adequacy Decision by the Swiss Federal Data Protection and Information Commissioner.
- “Services” means the software and services as further described in the Master Subscription Agreement.
- “Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to process Personal Data on behalf of and under the instructions of the Controller.
- “Standard Contractual Clauses” shall mean (i) where the GDPR applies, the EU standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, being the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such Addendum may be revised under Section 18 therein (the "UK Addendum" or "UK SCCs"); in each case, as updated, amended or superseded from time to time.
- “Special Category of Personal Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Roles of the Parties and Scope of the DPA
- Roles. The Parties agree that, as between the Parties, the Customer is a Controller and that Harness is a Processor in relation to Personal Data that Harness processes on behalf of Customer in the course of providing the Services under the Master Subscription Agreement.
- Scope. The subject-matter of the Personal Data Processing, the types of Personal Data processed, and the categories of Data Subjects are limited to that which is necessary to provide the Services as described in the Master Subscription Agreement. The details of the Processing of the Personal Data are set out in Annex I.B.
- Processing Instructions
- Harness will process the Personal Data only in accordance with documented instructions from the Customer. Such instructions may be set out in this Data Processing Addendum, the Master Subscription Agreement, or as otherwise notified by the Customer to Harness in writing from time to time.
- Harness will not retain any of the Personal Data for longer than is necessary to provide the Services. In accordance with Harness' standard deletion practices, or upon Customer's request, Harness will initiate the secure destruction, or return (at Customer’s election), of the Personal Data to the Customer.
- The Customer must not configure the Services to collect the following types of information: bank account numbers, bank transaction details, payment card or credit card information, social security numbers, state ID numbers, passport numbers, and any Special Category of Personal Data (collectively, “Prohibited Data”). If the Customer submits any Prohibited Data, Customer acknowledges that Harness will not be liable for any consequences arising from the Processing of such Prohibited Data.
- Security of the Processing
- Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Harness will implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches.
- Personnel. Harness will ensure that all Harness personnel required to access the Personal Data are informed of the confidential nature of the Personal Data, and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Customer Responsibilities. The Customer is responsible for ensuring the secure use of the Services at all times. This includes, but is not limited to, safeguarding account authentication credentials, ensuring that passwords are kept secure and confidential, regularly updating passwords as necessary, and implementing and maintaining role-based access controls to limit access to the Services based on user roles and responsibilities.
- Security Reports and Audits. The Customer acknowledges that Harness holds certifications under ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018, which pertain to global standards for information security management, cloud security, and the protection of Personal Data in public cloud environments, respectively. The Harness Platform also holds a SOC 2 Type II attestation report. This report provides assurance over the Security, Availability, and Confidentiality of the platform, its supporting processes, and the internal controls of the organization. The Customer further acknowledges that such certifications substantiate that Harness' Information Security Management System (ISMS) conforms to established security and privacy standards. The Customer shall have access to the results of security penetration tests, as well as copies of Harness’ most recent ISO certifications and SOC 2 Type II reports (“Security Certifications”), which are available through the Trust Center at trust.harness.io.
To the extent that the information provided by Harness pursuant to this Section is insufficient for such verification, the Customer is entitled to conduct audits not more than once per year. Customer and Harness will mutually agree upon the scope, timing, duration, control and evidence requirements. Customer is responsible for all costs and fees related to such audit.
- Subprocessors. The Subprocessors listed at harness.io/legal/subprocessors are hereby pre-approved by the Customer. Customer shall have the opportunity to object to a new Subprocessor following notice of such Subprocessor by sending an email to privacy@harness.com within ten (10) calendar days of the notice, provided that such objection is based on reasonable grounds relating only to Applicable Data Protection Laws; failure to provide such notice within the objection period shall constitute approval of the new Subprocessor. To receive such notice(s), Customer must subscribe to the Trust Center and activate notifications. In the event of a valid objection, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties cannot agree on a resolution, Harness shall be entitled, at its discretion, either to perform its services under the respective Master Subscription Agreement without using the rejected additional Subprocessor or to terminate the Master Subscription Agreement and this Data Protection Addendum. Harness must ensure the reliability and competence of such Subprocessors and of their employees or agents who access the Personal Data processed in the provision of the Services, and must include in any contract with such Subprocessors provisions in favor of Customer which are substantially equivalent to those in this Data Protection Addendum and the Master Subscription Agreement and as are required by Applicable Data Protection Laws.
- Cooperation.
- Data Subjects’ Rights. As the Controller of Personal Data, the Customer shall manage Data Subjects' rights requests under the GDPR directly with the Data Subjects. However, to the extent that Customer is unable to independently use Harness’s processes or controls to retrieve, correct, delete or restrict Customer Data in connection with Customer's obligations under the GDPR, Harness shall provide reasonable cooperation to assist Customer in responding to requests from Data Subjects relating to the processing of Personal Data under the Master Subscription Agreement, or respond directly. In this event, Harness shall respond to such communications without Customer's prior authorization.
- Law enforcement. If a law enforcement agency sends Harness a demand for Personal Data (for example, through court order), Harness will attempt to redirect the law enforcement agency to request that Personal Data directly from the Customer. As part of this effort, Harness may provide the Customer's basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Harness will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy, unless Harness is legally prohibited from doing so. To the extent that Harness is required under Applicable Data Protection Laws, Harness shall provide reasonably requested information to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
- International Transfers of Personal Data. With regard to Personal Data related to Data Subjects located in Europe, Harness will not process such Personal Data in a location outside Europe except as reasonably necessary to provide the Services under the Master Subscription Agreement and, as provided for in Clause 4.1 “Use of Subprocessors”. The Parties agree that when a transfer of Personal Data is a Restricted Transfer, such Restricted Transfer shall be subject to the Standard Contractual Clauses, as described in Annex I.
- CCPA. If Harness is processing Personal Data within the scope of the CCPA, Harness makes the following additional commitments to Customer. Harness will process Personal Data on behalf of Customer and will not retain, use, or disclose that data for any purpose other than the purposes set out in this DPA and as permitted under the CCPA, including under any “sale” exemption. In no event will Harness sell any such data. These CCPA terms do not limit or reduce any data protection commitments Harness makes to Customer in this DPA.
- Breaches. If Harness becomes aware of a Personal Data Breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data while processed by Harness, Harness will promptly and without undue delay (1) notify Customer of the Personal Data Breach; (2) investigate the Personal Data Breach and provide Customer with detailed information about the Personal Data Breach; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Customer, as referenced in the Order
Address: as referenced in the Order
Contact person’s name, position and contact details: as referenced in the Order
Activities relevant to the data transferred under these Clauses: as referenced in the Order
Signature and date: as referenced in the Order
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Harness Inc.
Address: 55 Stockton Street, San Francisco, CA 94108
Contact person’s name, position and contact details: Catia Reis, Head of Product Compliance, AI and Employment, Privacy@harness.io
Activities relevant to the data transferred under these Clauses: The processing of Personal Data in order to provide the Services described in the Master Subscription Agreement.
Signature and date: as referenced in the Order
Role (controller/processor): Processor
The Parties agree that when a transfer of Personal Data is a Restricted Transfer, such Restricted Transfer shall be subject to the Standard Contractual Clauses, as follows:
(a) In relation to Restricted Transfers of Personal Data that fall within the scope of the GDPR, the EU SCCs will apply and are hereby incorporated by reference and completed as follows:
(i) Module Two will apply;
(ii) In Clause 7, the optional docking clause will apply;
(iii) In Clause 9, OPTION 2: GENERAL WRITTEN AUTHORISATION will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Clause 4 of this Data Protection Addendum;
(iv) In Clause 11, the optional language will not apply;
(v) In Clause 17, OPTION 1 will apply and the EU SCCs will be governed by Irish law.
(vi) In Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I.A to this Data Protection Addendum;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex I.B to this Data Protection Addendum.
(b) In relation to Restricted Transfers of Personal Data that fall within the scope of the UK GDPR, the UK Addendum will apply, completed as follows:
(i) The EU SCCs, completed above in paragraph (a) shall also apply to the Restricted Transfers of Personal Data, subject to sub-clause (ii) below;
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set above, and the option “importer” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this Data Protection Addendum.
(c) In relation to Restricted Transfers of Personal Data that are protected by the Swiss DPA, the EU SCCs will also apply in accordance with paragraph (a) above, with the following modifications:
(i) Any references in the EU SCCs to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA; any references to "EU", "Union" and "Member State law" shall be interpreted as references to Swiss law; and any references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the relevant data protection authority and courts in Switzerland, unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which case the Swiss SCCs shall instead be incorporated by reference and form an integral part of this Data Protection Addendum and shall apply to such Restricted Transfers. For the purposes of the Swiss SCCs, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Annexes I.A and I.B to this Data Protection Addendum (as appropriate), and the interpretive provisions set out in this paragraph (c) shall apply (as applicable and as required for the purposes of complying with the Swiss DPA).
(d) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Master Subscription Agreement or this Data Protection Addendum, the Standard Contractual Clauses shall prevail to the extent of such conflict.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred
- Current employees or contractors of Customer
Categories of Personal Data transferred:
- Name, usernames, email addresses, IP addresses, customer preferences and other online identifiers.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous basis.
Nature of the processing
- The provision of the Services described in the Master Subscription Agreement.
Purpose(s) of the data transfer and further processing
- The provision of the Services, as described in the Master Subscription Agreement.