SonarQube Advanced Security Supplemental Terms

Updated June 1, 2026. For the prior version of the SonarQube Advanced Security Addendum (last live April 2026), see the April 2026 archive.

These Supplemental Terms (“Terms”) govern Customer’s access to and use of SonarQube Advanced Security (“SQAS”).

These Terms are incorporated into the Agreement between SonarSource and Customer. All capitalized terms used in the Terms but not otherwise defined have the meanings given to them in the Agreement.

1. Definitions

  1. “Agreement” means the SonarSource Primary Customer Agreement set forth at sonarsource.com/legal/primary-agreement/ or other agreement between Customer and SonarSource governing Customer’s use of Sonar Products.
  2. “Dependency Data” means lockfiles, manifests, and any other metadata regarding nonparty software dependencies, made available by Customer or its Users to SonarSource for the purpose of analyzing software dependencies and components. Dependency Data is Customer Data, as defined in the Agreement.
  3. “Security Analysis Results” means the results that are generated by SQAS’s processing of Dependency Data, and made available to Customer via SQAS.

2. Grants and Conditions

  1. Grant. SonarSource grants Customer and its Affiliates a limited, non-exclusive, non-transferable, non-sublicensable, revocable (i) right to access and use the SaaS Components of SQAS; (ii) license to download, deploy, and use any Self-Managed Components of SQAS; and (iii) license to access and use the Security Analysis Results.
  2. Conditions. The grant of rights in Section 2.1 is conditioned on Customer’s and its Affiliates’ continuous compliance with the Agreement, these Terms, and the SonarSource Acceptable Use Policy set forth at sonarsource.com/legal/aup/, including continuous payment of fees for the underlying SonarQube Server or SonarQube Cloud subscription, and use of SQAS and the Security Analysis Results solely for internal development purposes.

3. Intellectual Property

  1. Customer IP. As between the Customer and SonarSource, all right, title, and interest in and to Dependency Data, including all Intellectual Property rights in the Dependency Data, belong exclusively to Customer. Customer grants to SonarSource the right to use Dependency Data for the purpose of providing the Customer with SQAS and Security Analysis Results.
  2. SonarSource IP. Except for rights expressly granted in Section 2.1 above, all right, title, and interest in and to SQAS and the Security Analysis Results, including all Intellectual Property rights in SQAS and the Security Analysis Results, belong exclusively to SonarSource and its licensors.

4. Dependency Data

  1. Dependency Data. SQAS must transmit Dependency Data to SQAS’s SaaS Component in order to perform analysis and generate the Security Analysis Results. SQAS does not transmit Customer’s source code. To protect the security of Dependency Data, SonarSource has implemented and shall maintain the security practices described in the Technical and Organizational Measures set forth at sonarsource.com/legal/security-tom/.
  2. Personal Data. SonarSource has designed SQAS so that, under conditions of normal operation, Dependency Data does not include Personal Data. If Customer causes Personal Data to be included within the Dependency Data, the SonarSource Data Processing Addendum (“DPA”) does not apply, and SonarSource disclaims all liability.

5. Term

  1. Term. These Terms will apply until the expiration or termination of the Agreement.
  2. Effect of Termination. Termination of these Terms for SQAS will not affect any liability or obligations incurred by Customer (such as obligations related to Confidential Information), or waivers granted by Customer (such as the license in Section 2.2 of these Terms), prior to the effective date of such termination.

6. Additional Regulatory Terms

  1. DORA. If Customer is a financial entity subject to Regulation (EU) 2022/2554 (“DORA”), then the DORA Regulatory Requirements Annex, set forth at sonarsource.com/legal/dora/, supplements these Terms. In the context of SQAS and the DORA Regulatory Requirements Annex (i) “data” includes Security Analysis Results; and (ii) consistent with Section 4.2 of these Terms, the DPA is not applicable.

7. General

Except as supplemented or modified by these Terms, the Agreement remains in full force and effect.
