Terms of Use

The following terms of use apply to the use of Porsche Skyway (hereinafter Skyway).

1. Introduction

Skyway is available to employees of Dr. Ing. h.c. F. Porsche AG, the subsidiaries and contract partners (hereinafter Porsche) as a central build and deployment tool, based on several applications in the company available at https://skyway.porsche.com/. The use of Skyway is voluntary for employees. It is part of the Porsche corporate culture and requires respectful and polite interaction with one another. By using Skyway, users accept these terms of use. An internal data owner (owner) is defined for each project and group in Skyway; for the time being, this is always the creator of the project. The data owner is responsible for ensuring compliance with the requirements and the issues relevant to data protection, data security and data privacy.

2. Requirements for use

2.1. General guidelines

The content and offers of the Skyway are created to the best of our knowledge. Porsche assumes no liability for the correctness, quality and completeness of the information available.

The anonymous publication of content is not permitted. The author is responsible for the content and links to external websites. Porsche assumes no liability.

The employees generally do not receive any ownership rights to the information, documents and other content they post.

The creation of pages with violent, pornographic or sexist, racist, defamatory, discriminatory or extremist content is not permitted.

Skyway is not a social medium for party political or in-house election advertising or the dissemination of other political opinions.

The operators reserve the right to change the offers (especially the tools). An appropriate deadline for migrations or the like is met.

The operators will update the platform continuously to the newest versions during announced downtimes.

2.2. Requirements for GitLab

When using GitLab, the user is obliged to scan the source code in a separate tool (e.g. SonarQube), in compliance with the Porsche development guidelines if available for the respective language. Here, special focus should be placed on bugs, vulnerabilities and security hotspots.
Please note that the responsibility for the quality, security and the source code itself lies with the respective data owner.

It is strictly forbidden to use credentials (e.g. login data) in any form in the source code or in scripts. The GitLab Keystore or an approved password management tool should be used for this.

Sensitive information in CI/CD Variables should be configured as secrets, i.e., masked (for instance the AWS_OIDC_IAM_ROLE_ARN).

Don't rename the key of the provided top-level group.

2.3. Requirements for Integration of Cloud Platforms with GitLab

The GitLab OIDC provider integration is only valid for the Porsche Skyway GitLab environment and Porsche-approved cloud platforms (AWS and Azure) via Porsche CloudCity.

The limitation mentioned in the Skyway User Documentation must be ensured and actively monitored:

It is crucial to ensure the principle of least privilege while connecting both platforms on the project level. This includes:

3. Access data and user profile

The use of Skyway is permitted for all employees.

No separate user accounts are required. A login with the Windows login and PPN login data is possible.

Employees must ensure that the authentication data is not misused. It must not be passed on to third parties or to other Porsche employees.

In the event of loss, identification of unauthorized persons or misuse of the authentication data, informationssicherheit@porsche.de must be notified immediately.

If an employee does not log on to the Skyway for more than 90 days, the user profile is automatically deactivated. The profile is reactivated automatically after logging in again.

In the event of leaving the company or if the contract ends, the user profile is deactivated.

Porsche can - after agreement with the responsible works council and the human resources department - permanently or temporarily block the user profile in case of

4. Data protection

By using Skyway, employees consent to the collection, processing and use of the personal data published there by Porsche.

It is not permitted to collect personal information about other users or to copy, change or distribute the content of other advertisements without the consent of the respective user. The publication of personal data from third parties without their explicit written approval is prohibited.

The Federal Data Protection Act applies.

The parties shall in particular comply with the general principles of the GDPR such as data minimization and purpose specification, define and adhere to limited storage periods where necessary and process data only if a legal basis exists for the processing. If the cooperation of other parties is necessary in this context, these parties shall reasonably support the respective party.

In addition, the principle of data economy must be applied:

GitLab provides technical integration to third-party applications. Only the integrations approved by Porsche are allowed to be used.

Deleted content cannot be restored.

Tokens provided by Porsche Skyway as variables when provisioning top-level groups for Jira, Confluence, Artifactory and SonarQube integration may not be modified and used for other use cases on other platforms. We reserve the right to rotate these tokens.

The Jira integration may not be set up with personal access tokens, only with the technical users and tokens provided by the Skyway team.

The processing of data is carried out within the limits of these Terms of Use with regard to purpose, duration, type and scope. The Parties will comply with the requirements of the data protection regulations applicable to them.

Porsche Skyway has a maximum confidentiality level of "high". It is important to add a comment in your source code stating the confidentiality level of your project. It is not allowed to store secret information on this platform.

Please store only absolutely necessary data and documents on this platform.

The rights of end/system users should be restricted to the extent that they only have access to the data for which they are legitimized ("need-to-know").

It has to be ensured that no hidden information is exposed to third parties, e.g. names or departments within automatically filled formulas. The responsibility lies with the users.

5. Limitation of liability

Unless otherwise provided for in these Terms of Use including the following provisions, the platform operator shall be liable in accordance with statutory provisions in the event of a breach of contractual and non-contractual obligations.

The platform operator is liable for damages, irrespective of the legal grounds, in case of wilful misconduct and gross negligence. In case of simple negligence, the platform operator shall only be liable, subject to a more lenient liability standard in accordance with the statutory provisions (e.g. diligentia quam in suis, the duty of care observed in one's own affairs), for

The limitations of liability resulting from clause 11.2 also apply to breaches of duty by or in favour of persons for whose fault the platform operator is responsible in accordance with statutory provisions. The limitations of liability, however, do not apply if the platform operator has fraudulently concealed a defect or is liable under mandatory statutory provisions.

6. Violation of the terms of use

By using Skyway, employees consent to the collection, processing and use of the personal data published there by Porsche.

Any termination of the contract based on these Terms of Use does not affect other business relationships of the business partner with PAG, the Porsche distribution organization or Porsche subsidiaries.

7. Guidelines of the company

The systems Jira, Confluence, GitLab, SonarQube, Artifactory and Code Review Service do not implement the requirements for a KSU and Legal Hold compliant IT system on project content level. The respective data owner of the projects is organizationally responsible for compliance with the deletion and retention periods in accordance with the P10 regulations.

The data owners of the Skyway projects are responsible for reviewing the access of companies and persons from countries affected by an EU embargo and for complying with the Porsche regulations.

8. Other Provisions

The platform operator may make use of third parties to provide services at any time and to any extent.

The legal relationship between the business partner and the platform operator is governed exclusively by the laws of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods.

The exclusive place of jurisdiction for all disputes arising from these Terms of Use with the platform operator is Stuttgart. Mandatory statutory provisions on exclusive places of jurisdiction shall remain unaffected by this.

Amendments or additions to the Terms of Use must be made in writing or in text form. This also applies to any change of this form requirement itself.

Should any provision of these Terms of Use be void or contestable or be invalid for any other reason, the remaining provisions of these Terms of Use shall nonetheless remain effective. The parties are aware that according to the case law of the German Federal Court of Justice, a severability clause only leads to a shift in the burden of proof. However, it is the explicit intention of the parties to maintain the validity of the remaining provisions in any case and to accordingly exclude the applicability of section 139 of the German Civil Code (BGB) as a whole. In such a case, the parties undertake to agree on a provision which comes as close as possible to the void, contestable or invalid provision and which provides for a corresponding economic effect.

Version: 03.06.2024