Data Processing, Compliance Statements and SLA

The Apache Software Foundation is a non-commercial, open source organization that relies on a large community of volunteers and companies to maintain its software. It provides this software freely (and gratis) ‘as is’, as per its license.

As such, we are not a ‘vendor’ or a ‘supplier’, but a steward. While you agree to our aforementioned license agreement, the Apache Software Foundation does not commit to things that a vendor or supplier would usually commit to, such as providing a typical commercial helpdesk, commercial support, a 24x7 service level agreement and so on.

For readers not yet familiar, it might be interesting to read more about how the ASF works, and consider participating.

Service Level Agreement

While we strive to keep our software secure and up to date, the license under which our software was provided to you does not come with a Service Level Agreement.

There are no strict pre-agreed timelines for Apache releases or security patches: when handling security issues projects take a risk-based approach, where issues that are likely to have serious downstream consequences are dealt with quickly, while issues with less impact may be fixed in the regular release cadence.

The Apache Security Team monitors this process, and projects that fail to meet reasonable response times will be retired following our Attic process. If you want to prevent this from happening, the best way is to join the project community while it’s healthy and actively contribute (security) analyses and improvements.

Data processing

While The Apache Software Foundation provides software that can process user data, we do not process your user data for you. We only provide the software under an open source license; we do not run it, and thus are not involved in any processing of Personally Identifiable Information (PII) that it may do.

This means we are not a Data Processor in the sense of the GDPR or its international equivalents: whoever is running the software is the data processor. Therefore there is no reason to sign any kind of Data Processing Agreement (DPA) with us.

If someone else is running Apache software on your behalf, such as Amazon Web Services, you might need a DPA with them, for example when that party processes data for you.

Compliance statements

We do not directly provide any compliance statements (such as CC, STIG, CJIS, USGBC, 508, Army NW, etc).

Nonetheless, many organizations that use Apache software projects have successfully passed various audits and received the corresponding certification.

This is in part due to the fact that as a responsible Open Source Steward, we have a solid governance structure in place, with Program Management Committees overseeing the projects, and the board setting overall policy for the foundation.

In particular, any software that is released adheres to the release policy and follows best practices, and security issues are handled according to our security process.

You may complete various certifications in house, by using a third party, or by procuring the software from a commercial entity that provides such services. We cannot make any particular recommendations, but if that is relevant to you it might be something to seek out.

Provenance and export restrictions

As a Delaware-incorporated 501(c)(3) organisation, the Apache Software Foundation labours under the rules and regulations of the United States. We have a separate page dedicated to detailed information on the export control status of the Apache Software Foundation’s releases.

The provenance of code contributed to the Apache Software Foundation is tracked carefully through CLAs and Software Grants, as well as the terms of the license itself. Even with that solid foundation, however, the trustworthiness of our code comes mainly from the transparency that we practice in all aspects of development.

Attic

The Attic contains historic code that is no longer fit for purpose. It is code that can no longer be used as it was originally intended. A project that was moved to the Attic is not subject to our various security and release policies. It is no longer considered a release by the Apache Software Foundation.
