Affiliate Data Sharing with Microsoft

What it is

GitHub may share your personal data with Microsoft and its subsidiaries for service, security, and product improvement purposes, and Microsoft may use that data under Microsoft's own privacy policy.

Why it matters (compliance & governance perspective)

The policy authorizes transfer of personal data to Microsoft's broader corporate family, meaning data collected by GitHub may be processed under Microsoft's separate privacy terms and for Microsoft's own operational purposes, not solely for GitHub service delivery.

This document changed recently

Consumer impact (what this means for users)

The policy permits GitHub to share user personal data including identifiers, usage data, and content interactions with Microsoft Corporation and affiliated entities, who may then process that data under Microsoft's privacy statement for purposes beyond direct GitHub service delivery.

What you can do

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision implicates GDPR Articles 26 and 28 (joint controllers and processors), Article 46 (transfers to third countries), and CCPA provisions on sharing personal information with affiliates. The Irish Data Protection Commission is the lead supervisory authority for GDPR purposes. Intra-group data transfers to Microsoft US entities require adequate transfer mechanisms such as Standard Contractual Clauses. (2) GOVERNANCE EXPOSURE: High. Affiliate sharing with a parent company of Microsoft's scale and data processing footprint creates significant compliance exposure for enterprise customers, particularly where employees' professional activity data may be shared across the Microsoft ecosystem. The scope of permitted sharing purposes (security, product improvement) is broadly stated and may require further specification to satisfy GDPR purpose limitation requirements. (3) JURISDICTION FLAGS: EU/EEA and UK users face heightened exposure given the volume of US-based Microsoft processing. California residents should note that affiliate data sharing may qualify as sharing under CCPA/CPRA. Organizations in financial services or healthcare sectors may have additional contractual or regulatory restrictions on affiliate data sharing. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should obtain and review GitHub's Data Processing Agreement to confirm the scope and basis for Microsoft affiliate data sharing. Where enterprise contracts include data residency requirements, teams should verify whether affiliate sharing is scoped or limited. Liability for downstream Microsoft processing may not be clearly allocated in standard GitHub agreements. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a data transfer impact assessment for intra-group transfers to Microsoft US entities, verify that Standard Contractual Clauses are in place and current, and assess whether employee-facing privacy notices disclose Microsoft affiliate sharing in sufficient detail.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Data Collection Scope medium
• AI Product Improvement and Copilot Data Use high
• Public Repository Content Visibility medium
• International Data Transfers and Standard Contractual Clauses high
• User Rights: Access, Deletion, Portability, and Objection medium
• Cookies and Tracking Technologies medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.