Privacy at Docker

Docker is subject to various privacy laws and regulations protecting our worldwide customer base. By complying with leading privacy laws and regulations and undergoing annual audits to maintain our ISO 27701 privacy certification, our mission is to create and maintain a safe, protective environment for developers to build and share applications.
Privacy laws, frameworks, and certifications Docker complies with:

  • GDPR
  • CCPA
  • APEC Privacy Framework
  • CPA
  • ISO Privacy Certification (ISO 27701)
  • CTDPA
  • VCDPA

Everyone has a right to privacy

Docker’s privacy program complies with ISO 27701 standards and includes comprehensive policies and procedures related to data privacy and protecting personal data – personally identifiable information (PII). To keep your data safe, Docker complies with the leading privacy regulations such as the GDPR, CCPA, CPA, CTDPA, VCDPA, UCPA, and the APEC Privacy Framework.
Your data deserves protection

Building trust with our customers and developers is Docker’s top priority. Privacy is important for everyone. Docker has implemented safeguards to ensure the protection of data entrusted to us by our customers and developers. Customers who have signed Docker’s Subscription Services Agreement (SSA) and are subject to applicable data protection laws may sign Docker’s Data Processing Agreement (DPA) and review supporting security and compliance documentation through Docker’s Trust Center on Whistic.

Privacy FAQs

Has Docker undergone an independent third-party privacy audit and certification?

Yes. Docker is certified to ISO/IEC 27701: [2019 or 2025]. If 2019: Docker is tracking the 2025 transition timeline and will update its certification accordingly. Our ISO 27701 certificate and documentation are available on our Trust Center.

Is Docker GDPR compliant?

Yes, Docker complies with the EU's General Data Protection Regulation (GDPR). On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). Docker is DPF certified. However, as a proactive compliance mechanism, we incorporate the standard contractual clauses (SCCs) by reference should the DPF face insurmountable challenges.

Is Docker CCPA-CPRA compliant? What about other state privacy regulations?

Yes. Docker complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), as well as the privacy laws of other jurisdictions within the United States.

Does Docker have policies specific to Privacy?

Yes. For more information, please see Docker's Privacy Policy.

Does Docker provide data privacy impact assessments (DPIAs) or transfer impact assessments (TIAs) for its products?

Docker’s EU-U.S. Data Privacy Framework (DPF) certification may eliminate the need for a Transfer Impact Assessment (TIA) for EU-to-U.S. personal data transfers. Acting as a processor, Docker will cooperate with customers and provide information necessary to support any required impact assessments.

How does Docker evaluate sub-processors?

Prior to onboarding and on an annual basis thereafter, Docker conducts due diligence reviews evaluating the security, privacy, and confidentiality practices of all sub-processors. Written agreements are required with each sub-processor before engagement. Docker maintains and publicly publishes a list of sub-processors on its website, including each sub-processor’s location and links to applicable security and compliance documentation.

Does Docker notify customers when there are sub-processor changes?

Yes. Notifications specific to sub-processor changes are sent out 30 days in advance to account administrators (organization owners) of the Docker platform. Organization owners are responsible for routing the notification internally to the appropriate customer contact.

Data Processing Agreement FAQ

Does Docker make its DPA available to Customers?

Yes, Docker’s DPA is available on our website here.

What is the scope of Docker’s DPA?

Our DPA is scoped to cover data protection laws and regulations applicable to the processing of Customer Personal Data within Docker Desktop, Hub, Scout, Build Cloud, Testcontainers Cloud, DHI and Offload. This includes, but is not limited to, European Data Protection Law, U.S. Data Protection Law, and the data protection laws and regulations of various other jurisdictions as applicable, as these terms are defined or otherwise addressed in the DPA.

What Customers can be party to the DPA?

Customers who have signed Docker’s Subscription Services Agreement (SSA) and are subject to applicable data protection laws may sign Docker’s Data Processing Agreement (DPA).

What is Docker’s role as defined by our DPA?

Under the GDPR, Docker predominantly acts as a processor of personal data on behalf of our Customers in connection with the provision of our DevOps Products.

Pursuant to Docker's SSA, customers may not, and may not allow any third party to, upload, post, transmit or otherwise make available through images any Personally Identifiable Information (PII), trade secrets or sensitive or confidential information in violation of contractual, professional or other similar obligations.

However, in certain circumstances, Docker acts as a controller of personal data (e.g. for billing processes, to comply with applicable laws, to ensure the security of our Cloud Products etc.). Please refer to Section 2.2 as well as Exhibit A, Annex 1(B), Parts A and B of the DPA for further information.

Under the CCPA, Docker predominantly acts as a service provider of personal information on behalf of our Customers in connection with the provision of our Cloud Products. Please refer to Section 2.5(b) of the DPA for further information.

Purposes for which we collect Personal Data

We collect and process Personal Data for a variety of purposes, including:

  • to provide our websites and social media branded pages;
  • to display personalized advertisements and content;
  • to manage event registrations and attendance (including ensuring the health and safety of our visitors and employees); 
  • to send communications;
  • to handle contact and user support requests;
  • to provide and optimize the performance of our services; 
  • to bill for our services and manage our accounts (including usage and licensing compliance); 
  • to maintain the security of Docker and its services;
  • to administer surveys and conduct research; and
  • to comply with our legal obligations.

For the list of purposes for which we Process your Personal Data, please see the full Privacy Statement.

We only collect and process your Personal Data to the extent it is necessary for fulfilling these purposes and where we can rely on a legal basis for such processing as set out in our full Privacy Statement. Where required, we will ask you for your prior consent to processing.

For further details, please refer to the following sections of our full Privacy Statement: ‘What Personal Data Do We Collect?’, ‘Purposes for Which We Process Personal Data and the Legal Bases on Which We Rely’, and ‘How Long Do We Keep Your Personal Data?’

International Transfers of Personal Data

Docker, Inc. and its U.S. subsidiary (InfoSiftr, LLC) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Docker has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Docker has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates and third parties (as disclosed in the full Privacy Statement).

Does Docker utilize sub-processors?

Yes. Docker maintains a current list of sub-processors and provides 30 days' notice prior to adding any new sub-processor.

Where is Customer Data stored?

All customer data is stored in the United States by default through Docker’s cloud hosting providers. Some products offer the flexibility of non-US data center deployments upon customer request. Note that due to the scale of the Docker Hub registry, Hub hosting is only available within the United States.

What technical and organizational measures are in place to protect Customer Data?

Docker maintains technical and organizational measures to protect Customer Data. Docker’s Security website provides details on the security measures in place through the FAQ. Customers and prospective customers can also request access to Docker’s Trust Center on Whistic to access industry standard security questionnaires, policies, and attestations.

Docker’s Compliance website details our compliance posture.

How does Docker handle requests from Data Subjects?

If Docker receives a Data Subject Request from a Customer employee user, Docker will, to the extent legally permitted, ask the Data Subject to contact the Customer directly about the request. Docker will also notify the Customer pursuant to our DPA.

Docker provides a Privacy Request Form for all other Data Subject Requests.