What is the severity of this clause?

ConductAtlas classifies this Third-Party Service Provider Sharing clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Third-Party Service Provider Sharing clauses across approximately 2 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Third-Party Service Provider Sharing — GitHub

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity GitHub recorded 3 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for GitHub Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

ⓘ

This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes the operational framework for GitHub's use of third-party service providers in its technology infrastructure. The contractual restriction mechanism described creates a formal requirement that service providers limit data processing to authorized purposes.

⚠

Interpretive note: The specific identity of third-party service providers and the data categories shared with each are not enumerated in the statement, limiting the ability to fully assess sub-processor risk without additional documentation.

Recent Activity

This document changed recently

High Apr 28, 2026

The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.

View change record →

Consumer impact (what this means for users)

Users' personal data will be accessible to third-party service providers selected by GitHub for operational and security functions. The provision conditions this sharing on contractual limitations that restrict service providers' independent use of the data to purposes directed by GitHub.

How other platforms handle this

Snapchat Medium

If you use a third-party service — like a social network or login service — to access our services, those services will tell us basic information about you, like your username and profile picture. In addition, information about you may be shared with other businesses within the Snap Inc. corporate f...

Robinhood Medium

We may share your personal information with: Service providers who perform services on our behalf. Financial partners, such as banks, payment processors, and financial institutions. Professional advisors, such as lawyers, auditors, and insurers. Business partners with whom we jointly offer products ...

Coinbase Medium

We may share personal information with third-party service providers and partners who support our business operations, including identity verification providers, payment processors, analytics providers, marketing partners, and blockchain analytics companies.

See all platforms with this clause type →

Monitoring

GitHub has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
GitHub shares personal data with a limited number of third-party vendors and service providers that help us provide, secure, and improve our services. These service providers are contractually required to use your personal data only as directed by GitHub and in accordance with our privacy statement.

— Excerpt from GitHub's GitHub Privacy Statement

Applicable regulations

CCPA/CPRA

California, USA

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

UK GDPR

United Kingdom

Universal Opt-Out Mechanism Expansion 2026

VPPA

United States Federal

Provision details

Document information

Document

GitHub Privacy Statement

Entity

GitHub

Document last updated

May 5, 2026

Tracking information

First tracked

May 10, 2026

Last verified

May 12, 2026

Record ID

CA-P-008683

Document ID

CA-D-00254

Evidence Provenance

Source URL

https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

Wayback Machine

View archived versions →

Content hash (SHA-256)

d21b58443ca0b4402240dbd06996ada072c72ed842fcccc6b13acab2d7bc6c4d

Analysis generated

May 10, 2026 09:46 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: GitHub
Document: GitHub Privacy Statement
Record ID: CA-P-008683
Captured: 2026-05-10 09:46:36 UTC
SHA-256: d21b58443ca0b440…
URL: https://conductatlas.com/platform/github/github-privacy-statement/third-party-service-provider-sharing/
Accessed: May 20, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Data Collection Scope medium
Affiliate Data Sharing with Microsoft high
AI Product Improvement and Copilot Data Use high
Public Repository Content Visibility medium
International Data Transfers and Standard Contractual Clauses high
User Rights: Access, Deletion, Portability, and Objection medium

Related Analysis

Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
23andMe Is Bankrupt. What Happens to Your DNA Now?
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does GitHub's Third-Party Service Provider Sharing clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.

Is ConductAtlas affiliated with GitHub?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.