This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes the operational framework under which GitHub processes personal data across jurisdictions with varying legal protections. The use of Standard Contractual Clauses represents the contractual mechanism GitHub employs to comply with EU data transfer requirements and provide a defined safeguard structure for international data flows.
Interpretive note: The statement does not specify whether GitHub has self-certified under the EU-US Data Privacy Framework or which SCC module applies to specific processing relationships, creating some uncertainty about the precise transfer mechanism in effect.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
View change record →Users' personal data may be transferred to and processed in countries outside their country of residence under this provision. The terms apply Standard Contractual Clauses as the safeguard mechanism for such transfers, establishing the contractual basis for cross-border data processing.
How other platforms handle this
Roblox is based in the United States, and your personal information may be transferred to and processed in the United States or other countries where Roblox or its service providers operate. These countries may have data protection laws that differ from the laws of your home country. By using the Ro...
Uber operates globally and may transfer the personal data of drivers and delivery people to countries other than the country in which they reside. These countries may have different and less protective data protection laws than those of your country of residence. Uber uses standard contractual claus...
Shopify is a global business. We may transfer your personal information to countries other than the country in which it was originally collected, including to Canada and the United States where our servers are located. These countries may not have the same data protection laws as your country. When ...
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"GitHub may transfer your personal data to countries outside your country of residence, including to the United States, where data protection laws may differ from those in your country. Where required by applicable law, GitHub uses Standard Contractual Clauses approved by the European Commission as a safeguard for cross-border data transfers from the EEA.— Excerpt from GitHub's GitHub Privacy Statement
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision establishes the operational framework under which GitHub processes personal data across jurisdictions with varying legal protections. The use of Standard Contractual Clauses represents the contractual mechanism GitHub employs to comply with EU data transfer requirements and provide a defined safeguard structure for international data flows.
Users' personal data may be transferred to and processed in countries outside their country of residence under this provision. The terms apply Standard Contractual Clauses as the safeguard mechanism for such transfers, establishing the contractual basis for cross-border data processing.
ConductAtlas has identified this type of provision across 77 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.