Icon privacy

Privacy at Docker

Docker is subject to various privacy laws and regulations protecting our worldwide customer base. By complying with leading privacy laws and regulations, our mission is to create and maintain a safe, protective environment for developers to build and share applications.

Gdpr logo
Ccpa logo
Apec privacy framework logo
APEC Privacy Framework
Gdpr logo
Ccpa logo
Apec privacy framework logo

Everyone has a right to privacy

Docker’s privacy program includes comprehensive policies and procedures related to data privacy and protecting personal data – personally identifiable information (PII). To keep your data safe, Docker complies with the leading privacy regulations such as the GDPR, CCPA, CPA, CTDPA, VCDPA, UCPA, and the APEC Privacy Framework.

Your data deserves protection

Building trust with our customers and developers is Docker’s top priority. Privacy is important for everyone. Docker has implemented safeguards to protect the data that we have been trusted by customers and developers to protect.

Customers have the option to sign Docker’s DPA Agreement. Customers and prospective customers may also check out Docker’s Whistic Profile, which has security and compliance documentation outlining and demonstrating Docker’s security and privacy posture.

Read our Data Protection Agreement

Request access to our Whistic profile

Privacy FAQs

Is Docker GDPR compliant?

Yes, Docker complies with GDPR (General Data Protection Regulation in EU). On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). Docker is DPF certified. However, as a proactive compliance mechanism, we incorporate the standard contractual clauses (SCCs) by reference should the DPF face insurmountable challenges.

Is Docker CCPA-CPRA compliant? What about other state privacy regulations?

Yes. Docker complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), as well as that of the other jurisdictions of the United States.

Does Docker have policies specific to Privacy?

Yes. For more information, please see Docker’s Privacy Policy

Does Docker provide data privacy impact assessments (DPIAs) or transfer impact assessments (TIAs) for its products?

Pursuant to the DPF, DPIAs and TIAs are no longer required for EU personal data transfers to the US. Nevertheless, Controllers are responsible for determining whether or not to conduct a DPIA or TIA. Docker acts as a processor in scope of its provision of Docker products. Docker will cooperate with customers as necessary and provide customers with information to assist the customer in its completion of a DPIA or TIA.

How does Docker evaluate sub-processors?

Docker performs vendor due diligence reviews which review security, privacy and confidentiality practices of a sub-processor prior to onboarding the third-party and annually thereafter. All sub-processors enter into written agreements with Docker. Docker publishes a list of sub-processors to our Whistic profile with the location and country of each sub-processor. Customers can subscribe to Whistic updates to receive email notifications of changes to the sub-processor listing.

Data Processing Agreement FAQ

Does Docker make its DPA available to Customers?

Yes, Docker’s DPA is available on our website here.

What is the scope of Docker's DPA?

Our DPA is scoped to cover data protection laws and regulations applicable to the processing of Customer Personal Data within Docker Desktop, Docker Hub, and Docker Scout. This includes, but is not limited to European Data Protection Law, U.S. Data Protection Law, and the data protection laws and regulations of various other jurisdictions, as these terms are defined or otherwise addressed in the DPA.

What Customers can be party to the DPA?

All Customers can be party to the DPA if the entity has signed Docker’s SSA that are subject to European laws and are entitled to use the contracted Docker products and services.

What is Docker's role as defined by our DPA?

Under the GDPR, Docker predominantly acts as a processor of personal data on behalf of our Customers in connection with the provision of our DevOps Products.

As pursuant to Docker’s SSA, customers may not and may not allow any third party to upload, post, transmit or otherwise make available through images any Personally Identifiable Information (PII), trade secrets or sensitive or confidential information in violation of contractual, profession or other similar obligations.

However, in certain circumstances, Docker acts as a controller of personal data (e.g. for billing processes, to comply with applicable laws, to ensure the security of our Cloud Products etc.). Please refer to Section 2.2 as well as Exhibit A, Annex 1(B), Parts A and B of the DPA for further information.

Under the CCPA, Docker predominately acts as a service provider of personal information on behalf of our Customers in connection with the provision of our Cloud Products. Please refer to Section 2.5(b) of the DPA for further information.

Purposes for which we collect Personal Data

We collect and process Personal Data for a variety of purposes, including:

  • to provide our websites and social media branded pages;
  • to display personalized advertisements and content;
  • to manage event registrations and attendance (including ensuring the health and safety of our visitors and employees); 
  • to send communications;
  • to handle contact and user support requests;
  • to provide and optimize the performance of our services; 
  • to bill for our services and manage our accounts (including usage and licensing compliance); 
  • to maintain the security of Salesforce and its services;
  • to administer surveys and conduct research; and
  • to comply with our legal obligations.
  • For the list of purposes for which we Process your Personal Data, please see the full Privacy Statement

We only collect and process your Personal Data to the extent it is necessary for fulfilling these purposes and where we can rely on a legal basis for such processing as set out in our full Privacy Statement. Where required, we will ask you for your prior consent to processing.

Please review the “What Personal Data do we collect?” and “Purposes for which we process Personal Data and the legal bases on which we rely” sections in our full Privacy Statement for further details. Also, please review the “How long do we keep your Personal Data?” section to learn how long we store your Personal Data.

International Transfers of Personal Data

Docker, Inc. and its U.S. subsidiary (InfoSiftr, LLC.) adhere to the EU-U.S. Data Privacy Framework and the UK extension to the EU-U.S. DPF, and the Swiss-U.S. Docker complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Docker has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Docker has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates and third parties (as disclosed in the full Privacy Statement).

Does Docker utilize sub-processors?

Yes. Docker maintains a current list of sub-processors. Docker provides 30 days notice when a new sub-processor will be added.

Where is Customer Data stored?

All customer data is stored within the United States via Docker’s cloud hosting providers. Due to the nature of Hub and the size of the Docker Hub registry, Docker does not offer cloud hosting outside of the United States.

What technical and organizational measures are in place to protect Customer Data?

Docker maintains technical and organizational measures to protect Customer Data. Docker’s Security website provides details on the security measures in place through the FAQ. Customers and prospective customers can also request access to Docker’s Whistic profile to access industry standard security questionnaires, policies, and attestations.

Docker’s Compliance website details our compliance posture.

How does Docker handle requests from Data Subjects?

If Docker receives a Data Subject Request from a Customer employee user, Docker will, to the extent legally permitted, ask the Data Subject to contact the Customer directly about the request. Docker will also notify the Customer as pursuant to our DPA.

Docker provides a Privacy Request Form for all other Data Subject Requests.

Related content

Trust compliance card


Learn about Docker’s certifications and compliance requirements such as SOC 2, GDPR and CCPA.

Go to compliance

Trust security card


Find answers to questions about Docker’s security program and links to see product security notices, report a vulnerability, and more.

Go to security

Trust availability card


Find information about our BC/DR, backup processes, and availability. Access real-time and historical uptime information.

Go to availability

Trust privacy card


Learn about Docker’s Privacy Program and how we comply with specific regulations such as GDPR and CCPA.

Go to privacy