# Chromatic
> description: Chromatic Acceptable Use Policy
---
---
title: Acceptable Use Policy
description: Chromatic Acceptable Use Policy
sidebar: { order: 8 }
---
# Acceptable Use Policy
Chroma Software, Inc.®
Last reviewed: Feb 22, 2024
Chroma Software, Inc., a business corporation (herein “Chromatic”, “we”, “us” or “our”), offers a cloud service (herein “Chromatic Service”) for Storybook that automates workflows for UI feedback, visual regression testing, and documentation. While we support the development of UIs to help create the core frontend technology for thousands of companies, Chromatic Service may only be used for lawful purposes.
This Acceptable Use Policy (“AUP”) governs the use of Chromatic Service by our customers (“Customers” or “you”) and by users that have gained access to the Chromatic Service through Customer accounts (“Users”). By using the Chromatic Service, you acknowledge that you and your Users are responsible for compliance with this AUP, and agree to be bound by this AUP. You are responsible for violations of this AUP by any User that accesses the Chromatic Service through your account. We reserve the right to remove content, suspend or otherwise terminate your access to the Chromatic Service for usage that violates or may violate the AUP or that otherwise appears unlawful.
The following activities are prohibited:
- Violate any law, statute, ordinance, or regulation (including without limitation the laws and regulations governing export control, unfair competition, anti-discrimination, or false advertising);
- Use or interact with the Chromatic Service in a manner that harasses, bullies, defames or threatens a specific person or entity or is fraudulent, deceptive, or otherwise objectionable (determined by Chromatic);
- Attempt to undermine or jeopardize the security or integrity of the Chromatic Service and other user accounts;
- Impersonate any person or entity;
- Send unsolicited messages (SPAM);
- “Crawl” or “scrape” any page of the Chromatic Service;
- Interfere or disrupt the Chromatic Service or the servers and networks which are connected to the Chromatic Service;
- Use the Chromatic Service for any purpose other than the legitimate testing or validation of websites, mobile websites and applications, team collaboration, and documentation.
You and any User shall not, nor allow any third party to upload, record, publish, post, link to, transmit or distribute any content, nor otherwise utilize the Chromatic Service in a manner that:
- infringes or violates the copyright, patent, trademark, service mark, trade name, trade secret, or other intellectual property rights of any third party or Chromatic, or any rights of publicity or privacy of any party;
- advocates, promotes, incites, instructs, informs, assists and/or otherwise encourages violence, inappropriate behavior, hateful or harassing behavior, and/or any illegal activities;
- promotes, solicits or comprises inappropriate, harassing, insensitive, abusive, profane, hateful, defamatory, libelous, threatening, obscene, indecent, vulgar, pornographic or otherwise objectionable or unlawful content or activity.
---
---
title: Infrastructure upgrades
description: Learn how Chromatic handles browser rendering changes to be minimally disruptive
sidebar: { order: 4 }
---
# Infrastructure upgrades
Chromatic's browser infrastructure is periodically upgraded. This can lead to changes in how your stories render due to underlying rendering engine upgrades or tweaks in how stories are executed and snapshotted.
Typically, upgrades happen without you needing to do anything. But more extensive upgrades may lead to noticeable rendering differences. Here's what we do in those cases.
## How to upgrade your project
When an infrastructure upgrade is available, you're notified in the app. You choose which projects are updated and when within a four-week time window. Once the time window has passed, all projects will automatically upgrade.
### Opt-in to upgrade
Opt-in to the upgrade on the Manage screen for your project. This will switch you over to the new infrastructure and migrate UI test baselines using **upgrade builds**.

### Upgrade builds
Chromatic runs an "upgrade build" to ensure stories are snapshotted using a consistent infrastructure. That allows you to migrate your UI test baselines between infrastructures without test flake or false positives. Each open branch gets its own upgrade build(s).
An upgrade build isolates all the UI changes caused by swapping infrastructure in one build. Unlike typical builds, upgrade builds don't snapshot new code. They work by **rerunning** the most recent build on that branch using the new infrastructure.

Existing baselines that were snapshotted on old infrastructure are re-snapshotted using the new infrastructure. This ensures that subsequent builds are compared "apples-to-apples" to baselines snapshotted on the same infrastructure.
### Changes are auto-accepted
Visual differences between old and new infrastructure are auto-accepted. Since the upgrade build compares the same code but on different infrastructure, minor visual variation can be attributed to the infrastructure upgrade itself (not your code).
Future builds will use the upgrade build's auto-accepted baselines as the source of truth.

### Release notes for infrastructure upgrades
Read about the infrastructure changes in the [release notes](/docs/infrastructure-release-notes).
| Capture Stack version | Status |
| :-------------------------------------------------------: | -------------------- |
| [Version 8](/docs/infrastructure-release-notes#version-8) | General availability |
| [Version 7](/docs/infrastructure-release-notes#version-7) | No longer available |
| [Version 6](/docs/infrastructure-release-notes#version-6) | No longer available |
| [Version 5](/docs/infrastructure-release-notes#version-5) | No longer available |
| [Version 4](/docs/infrastructure-release-notes#version-4) | No longer available |
| [Version 3](/docs/infrastructure-release-notes#version-3) | No longer available |
| [Version 2](/docs/infrastructure-release-notes#version-2) | No longer available |
| [Version 1](/docs/infrastructure-release-notes#version-1) | No longer available |
---
### Frequently asked questions
Can I run tests on a specific browser version?
Chromatic does not support running tests on specific browser versions.
With each infrastructure upgrade, our goal is to provide you with the latest stable browser versions, enabling a consistently flake-free testing environment while simplifying our infrastructure and customer support.
Read our [documentation](/docs/browsers) to learn more about enabling additional browsers.
Can I continue using the previous capture stack version?
When a new capture stack is released in **beta**, you’ll receive an invitation to opt in. Once the general rollout begins, you’ll have a limited upgrade window to switch over. After that window closes, all projects will automatically move to the new capture stack, and the older version will no longer be available.
In short, you cannot remain on the older stack indefinitely.
---
---
title: Notifications
description: Control when and how you receive activity notifications
sidebar: { order: 3 }
---
# Notifications
Chromatic sends email notifications to keep [collaborators](/docs/collaborators) in the loop. You have control over when and how these notifications are delivered.
### [UI Tests](/docs#test-how-uis-look--function)
In UI Tests, Chromatic emails the build owner when there are changes to a build and when there are discussions. If you're not the build owner but participate in a discussion thread, you'll get notified of replies for that discussion.
### [UI Review](/docs/review)
In UI Review, Chromatic emails the PR owner and any participants when a discussion begins, is replied to, or gets resolved.
### Change the default email address
To set the default email address, go to the [Profile](https://www.chromatic.com/profile) page.

### Forward emails for different projects to other addresses
To adjust which activities trigger emails and where they get sent, go to the [Notifications](https://www.chromatic.com/notifications) page.
By default, notifications get sent to your default email address. If you signed up via GitHub, Bitbucket, or GitLab, Chromatic will retrieve the email addresses associated with your account from your Git provider. You can forward notifications to any of these email addresses.
---
### Frequently asked questions
Why am I not getting email notifications of discussions?
If you signed up to Chromatic via the supported Git providers (e.g., GitHub, GitLab, Bitbucket), notifications are sent automatically to the email address you have configured for any discussion you've subscribed to.
Still, if you do not see any notifications, this could be an issue with your local Git configuration. Run the following command to verify which email is configured:
```shell
git config user.email
```
In case you need to change it, you can run the following command:
```shell
git config user.email 'your@email.com'
```
---
---
title: Open source sponsorships
description: Chromatic sponsors open source component libraries
sidebar: { order: 9, label: Open source plan }
---
# Open source sponsorships
Chromatic sponsors open source component libraries and design systems with free usage. As open source maintainers ourselves, we know how tough it can be to get professional tools that'll help your project grow.
Chromatic supports the open source workflow out of the box. We mirror repository permissions for maintainers while allowing read-only access to viewers.
See if your project qualifies – write to us via in-app chat.
## What are the eligibility criteria for OSS sponsorship?
Chromatic offers a free plan (35k snapshots per month, Chrome only) to open-source design systems or UI component libraries that meet the following criteria:
- Community-led project with any of the following:
  - Over 100 contributors
  - Over 40k weekly npm DLs
  - Over 10k GitHub stars
- UI library or design system built specifically for a company:
  - Over 5 contributors
- UI library or design system built for Government organizations:
  - Over 5 contributors
  - Must be a national-level or higher organization (e.g., European Union, Gov.UK, US Digital Service), not a local or municipal organization (e.g., State of Massachusetts).
## Considerations
Open Source Storybooks are [**publicly visible**](/docs/collaborators#visibility). Custom domains can be set up for Open Source accounts, even for [free ones](/docs/permalinks#prerequisites).
---
---
title: Privacy Policy
description: Chromatic Privacy Policy
sidebar: { order: 7 }
---
# Privacy and Cookies Notice
Chroma Software, Inc.®
Updated: May 21, 2025
Chroma Software, Inc., a business corporation (herein “Chromatic”, “we”, “us” or “our”), based in the United States and headquartered at 548 Market St. \#26384 San Francisco, CA 94104, is committed to protecting and respecting your privacy and personal information (herein, “personal information” refers to any information that identifies you or is about you as an individual). This Privacy Notice describes how we collect, use and share personal information through your (herein, “you” or “your” refers to the person accessing our products and services) interaction with our website: [https://www.chromatic.com/](https://www.chromatic.com/), (herein, “Website”).
Please read this Privacy Notice carefully so you can make an informed decision about your use of our Website.
## Contents
- [Privacy and Cookies Notice](#privacy-and-cookies-notice)
- [Contents](#contents)
- [1. Scope of This Privacy Notice](#1-scope-of-this-privacy-notice)
- [2. How We Collect Personal Information](#2-how-we-collect-personal-information)
- [3. Categories of Personal Information We Collect](#3-categories-of-personal-information-we-collect)
- [4. How We Use Personal Information](#4-how-we-use-personal-information)
- [6. Links to Third-party Websites](#6-links-to-third-party-websites)
- [7. Collection of Personal Information From Minors](#7-collection-of-personal-information-from-minors)
- [8. Sharing and Sale of Your Personal Information](#8-sharing-and-sale-of-your-personal-information)
- [9. Protection of Personal Information](#9-protection-of-personal-information)
- [10. How Long We Keep Your Personal Information](#10-how-long-we-keep-your-personal-information)
- [11. Where We Transfer Your Personal Information](#11-where-we-transfer-your-personal-information)
- [12. Cookies Notice](#12-cookies-notice)
- [13. Your Privacy Rights](#13-your-privacy-rights)
- [14. Notice to European Users](#14--notice-to-european-users)
- [15. Notice to Canadian Users](#15-notice-to-canadian-users)
- [16. Notice to Australian Users](#16-notice-to-australian-users)
- [17. Do Not Track Signals and Third-Party Tracking](#17-do-not-track-signals-and-third-party-tracking)
- [18. Questions and Contacts](#18-questions-and-contacts)
- [19. Changes to Our Privacy Notice](#19-changes-to-our-privacy-notice)
## 1. Scope of This Privacy Notice
This Privacy Notice applies to anyone who interacts with us through our Website, which manages our product and service offerings. This Privacy Notice provides details about the personal information we collect about you, how we use it, and how we protect and safeguard your personal information. This Privacy Notice also provides information about your rights as an individual, in relation to the personal information that we collect from you.
## 2. How We Collect Personal Information
We may collect personal information about you from various interactions on our Website. These interactions may include creating an account, placing an order, utilizing the comments feature, or utilizing the chat bot. Other interactions may include signing up for our newsletter or other marketing materials, and through your contact and interaction with us on social media, blogs, surveys, and/or product feedback communications.
We may also collect certain online identifiers, which may be considered personal information, through your use of our Website. This information includes online activity information and technical information about your usage activities, to the extent that such information constitutes personal information. We may also set cookies on your web browser or use other tracking technologies when you interact with websites, applications, or advertisements in our network. This allows us to collect certain websites’ usage data and online identifiers which, under certain privacy regulations, may be considered personal information. However, in many cases such data may be aggregated or anonymized, and may only ever be used to attempt to identify you as an individual where we have a legal basis to do so (for example in the case of an investigation into fraudulent transactions). For more information, refer to our “Cookies Notice” in section 12 below.
## 3. Categories of Personal Information We Collect
We may collect, and may have collected in the past, any of the following categories of personal information from you:
- Contact information, such as email address and phone numbers;
- Personal Identifiers, such as your name, alias, and other unique personal identifiers;
- Financial details, such as details about your credit or payment card or payment account, including details of account numbers, payment details, or billing addresses;
- Account Information, such as your username, and consent and preferences (e.g., to receive newsletters);
- Credentials, such as passwords, password hints, and similar security information used for authentication and account access;
- Commercial information, such as purchase history;
- Geolocation data, such as physical location or movements;
- We may collect information about interaction with, and responses to, our marketing communications;
- Any personal information you send to us in emails, attachments, and other communications that you send us or otherwise contribute.
Data and online identifiers we collect through our Website (e.g., through cookies and other tracking technologies) may include IP addresses, preferences, web pages visited prior to coming to our Website, information about browser, network or device (such as browser type and version, operating system, internet service provider, preference settings, unique device IDs, language, and other regional settings), and information about how you interact with our Website (such as pages visited, timestamps, clicks, scrolling, browsing times, and load times). For more information refer to our “Cookies Notice” in section 12 below.
## 4. How We Use Personal Information
Your personal information may be used by us, our employees and service providers, and disclosed to third-parties for the following purposes:
- **Communicate with you**, including by responding to questions or communications you send to us (e.g., as a response to communications you have sent via online webforms or email), and other relevant service or product-related announcements;
- **Perform our services**, including personalizing Website user experience (e.g., delivering relevant content and product offerings), order fulfilment and fulfilling transactions, maintaining accounts and contracts, providing customer service, informing and updating our investors, monitoring disputes, or verifying information;
- **Notify you about changes to our products and services;**
- **Manage our affiliate, distributor, and customer relationships**, including to enforce or apply the agreements concerning you (including any applicable agreements between you and us);
- **Perform marketing, including providing relevant details and informational updates related to our products and services, or advertising our products and services online**. This could include “remarketing” or “retargeting”, whereby users of our Website may be marketed to on other third-party websites through use of Marketing Cookies – see “Cookies Policy” section 12 below for further information. In addition to third-party cookies, remarketing may also involve our use of personal information (such as name and email address) collected from you in prior interactions, which may then be used to provide you with relevant updates, marketing, or other information related to your prior interactions with our products and services;
- **Administer promotions** such as offering product discounts, giveaways, or other incentives;
- **To improve the Services,** including undertaking monitoring, market research, trend analysis, and customer satisfaction survey activities to verify, maintain, or improve the quality and types of products and services being provided, including on our Website, or to handle and respond to complaints or questions, analyzing your interactions with our products and services, or acting on feedback you provide through surveys, product feedback, emails, etc.;
- **Audit our transactions and interactions**, for purposes where we have legal grounds to do so, such as security or for regulatory compliance;
- **Detect, remediate, and, if applicable, prosecute any physical security or information security-related or criminal incidents**, including protecting against any illegal activity such as fraud to ensure the security and integrity of our services;
- **Enforce our legal rights and comply with legal or regulatory obligations** including in connection with court orders, complaints, or performance of identity verification to respond to certain requests for information, or to establish, make, or defend against legal claims;
- **Act in the public interest**, in line with any laws that apply;
- **Evaluate job applications and business proposals** (e.g., agreements or requests proposed by affiliates and distributors, or prospective affiliates and distributors);
- **Post customer product comments** on our Website that may contain personal information, such as name. By submitting express written consent, your comment regarding your experience with our products/services could be potentially posted on our Website. If you wish to delete your comment, please contact us at [privacy@chromatic.com](mailto:privacy@chromatic.com) and be sure to include your name, comment location, and contact information.
## 6. Links to Third-party Websites
Our Website may also contain links to and marketing from the websites of third-parties. We have no control over the content or operation of these websites, nor do we control the confidentiality or privacy practices of the website operators. Consequently, any personal information you submit through such website is governed by the privacy policies of the website in question. It is therefore your responsibility to find out about the third-party policies in order to protect your personal information when visiting these third-party websites.
## 7. Collection of Personal Information From Minors
Our Website is not designed or intended to attract children under 13 years of age, and we do not knowingly collect information from minors. By using our Website, you hereby represent that you are at least the age of legal majority in your place of residence. If you believe that we have inadvertently collected personal information from a child under 13 years of age, please contact us at privacy@chromatic.com.
## 8. Sharing and Sale of Your Personal Information
We may disclose your personal information to service providers and other third-parties. In the past, we may have disclosed to such third-parties any of the categories of personal information outlined in the above section 3, “Categories of Personal Information We Collect”, wherever we have legal basis for such sharing. However, we endeavor to share only the minimum relevant personal information that is required to fulfill the business purpose for sharing such personal information.
We may disclose, and may have already disclosed, personal information to the following categories of third-parties:
- **Our service providers** - Our business partners, suppliers and sub-contractors who help us provide our Website, products and services. This includes, for example, our e-commerce platform providers, analytics providers, marketing and advertising service providers, website development and troubleshooting service providers. Our service providers may include, but are not limited to:
  - **Intercom.** Intercom assists us in providing a unified customer communications platform for customer interaction and experience management. For more information about Intercom’s privacy practices, visit [https://www.intercom.com/legal/privacy](https://www.intercom.com/legal/privacy).
  - **Cloudflare.** Cloudflare assists us in analyzing the performance of the Site and the Services. For more information about Cloudflare’s privacy practices, visit https://www.cloudflare.com/privacypolicy/.
  - **Stripe.** Stripe assists us in processing your payments. For more information about Stripe’s privacy practices, visit [https://stripe.com/privacy](https://stripe.com/privacy).
  - **Google Analytics/Ads.** Google helps us better understand your use of our Website and services. Google Analytics collects information such as how often users visit our Website, what pages are visited, and what other sites may have been used prior to visiting. We also use Doubleclick by Google in order to serve ads based on a user’s prior visit to websites, and YouTube Ads in order to help us advertise the Services. Google’s ability to use and share information collected by Google Analytics about your visits to our Website is restricted by the [Google Analytics Terms of Use](https://marketingplatform.google.com/about/analytics/terms/us/) and the [Google Privacy Policy](https://policies.google.com/privacy). You can also opt-out of and manage your preferences for Google’s use of personalized advertising and related cookies by visiting Google’s [Ad Settings](https://support.google.com/accounts/answer/2662856?co=GENIE.Platform%3DDesktop&hl=en), and Google Analytics also offers an opt-out mechanism for the web available [here](https://tools.google.com/dlpage/gaoptout/).
  - **HubSpot.** HubSpot is an analytics provider that utilizes cookie and usage data collected to track and examine the use of the Site and the Services, analyze demographic information, and to prepare reports on user activities and share them with other HubSpot services. HubSpot may use the data collected to contextualize and personalize the ads of its own advertising network. You can find out more information about HubSpot and the data it collects at [https://legal.hubspot.com/privacy-policy](https://legal.hubspot.com/privacy-policy).
  - **Microsoft Clarity.** Microsoft Clarity assists us in capturing information regarding how you use and interact with the Site through behavioral metrics, heatmaps, and session replay. We use this information to improve and market our products and services and fraud prevention/security. You can find out more information about Microsoft Clarity and the data it collects at [https://privacy.microsoft.com/en-US/privacystatement](https://privacy.microsoft.com/en-US/privacystatement).
  - **Twilio Segment.** We use Twilio Segment to help analyze how users use the Site. Twilio Segment uses Cookies to collect information such as how often users visit the Site, what pages they visit, and what other sites they used prior to coming to the Site. To view the Twilio privacy policy, click here: [https://www.twilio.com/en-us/legal/privacy](https://www.twilio.com/en-us/legal/privacy).
  - **Gatsby.** Gatsby helps us provide functionality for the Site. You can view Gatsby’s privacy policy here: [https://www.gatsbyjs.com/privacy-policy](https://www.gatsbyjs.com/privacy-policy).
  - **Meta/Facebook.** Meta helps us to customize our advertising and to serve you ads on your social media based on your browsing behavior. This allows your behavior to be tracked after you have been redirected to one of our Websites by clicking on the Meta/Facebook ad. The Meta Pixel stores a cookie on your device to enable us to measure the effectiveness of Facebook ads for statistical and market research purposes. We do not have access to the information collected through the Meta Pixel. However, the information collected via the Meta Pixel is also stored and processed by Facebook. You can learn more about Meta’s privacy preferences by visiting [https://www.facebook.com/privacy/policy/](https://www.facebook.com/privacy/policy/).
  - **Adobe Analytics.** Adobe Analytics helps us to understand your use of our Website and services. Adobe uses cookies or other tracking technologies to help us analyze how users interact with the Sites and Services, compile reports on their activity, and provide other services related to their activity and usage. The technologies used by Adobe may collect information such as your IP address, time of visit, whether you are a returning visitor, and any referring website. You can opt out of the use of Adobe Analytics by visiting https://www.adobe.com/privacy/opt-out.html.
  - **Common Room.** We utilize Common Room in order to aid us with understanding your use of our Website and services. You can view Common Room’s privacy policy by visiting https://www.commonroom.io/privacy-policy/.
- **Our professional advisers** - Including accountants, lawyers and other professional advisers that assist us in carrying out our business activities;
- **Government authorities and third-parties involved in legal or regulatory action** - External agencies and organizations (including the police and the relevant local authority) for the purpose of complying with applicable legal and regulatory obligations.
We may also disclose your personal information to other third-parties, for example:
- In the event that we sell or buy any business or assets, or restructure our business or assets, we may disclose your personal information to the prospective affiliate, seller or buyer of such business or assets;
- If we are under a duty to disclose or share your personal information in order to comply with any legal obligation.
## 9. Protection of Personal Information
We are committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. No method of transmission over the internet, or method of electronic storage, is 100% secure, however. Therefore, while we use reasonable efforts to protect your personal information, we cannot guarantee its absolute security.
## 10. How Long We Keep Your Personal Information
We will retain your personal information for as long as is necessary for the purposes for which it was collected, or longer if required by applicable law. Those periods are also based on the requirements of applicable data protection laws, applicable legal and regulatory requirements and periods relating to the commencement of legal actions.
## 11. Where We Transfer Your Personal Information
We are headquartered in the United States and we will process your personal information in the United States. Your personal information will be transferred and stored in the United States.
If we transfer personal information outside the European Economic Area (EEA), Asia, or Australia, we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection laws. For further information as to the safeguards we implement please contact [privacy@chromatic.com](mailto:privacy@chromatic.com).
## 12. Cookies Notice
This Cookies Notice applies when using our Website.
**Cookie Overview and How They are Used on Our Website**
Our Website uses cookies to distinguish you from other users of our Website. Cookies are pieces of information stored directly on the device you are using by your browser. Cookies allow us to recognize your device and allow our Website to remember certain information about you (such as marketing preferences or account information), and to perform analytics and other functions in relation to your, and others’, use of our Website. This helps us to provide you with a good, secure, and personalized experience when you browse our Website and allows us to improve our Website over time.
Cookies set by us on our Website, named “first-party” cookies, are used to help evaluate and enable performance and secure functionality of our Website. These may enable us to collect or remember certain usage data and data about your device. This may include data on website pages visited prior, during and after visiting our Website, clicks or interactions made with the pages on our Website, consents and preferences, time spent on our pages and date/timestamps of visits and interactions, device identifiers such as IP address or operating system type, and browser type.
We also use “third-party” cookies, which are cookies from a website domain other than our Website. These are used for our Website’s analytics, site functionality, security, and marketing efforts by sharing usage and device-related data with relevant third-parties.
We, and third-parties performing services on our behalf, may use cookies for security purposes (for example, in helping prevent fraud), to facilitate navigation, to display information more effectively, and to personalize your experience while using our services. In addition, we may use the information to gather statistical information about the usage of our services in order to understand how they are used, continually improve their design and functionality, and assist us with resolving questions about them. Cookies further allow us to present to you the advertisements or offers that are most likely to appeal to you. We may also use cookies to track your responses to our advertisements and we may use cookies or other files to track your use of other websites.
**Web Beacon Overview and How They are Used on Our Website**
The pages of our Website contain images (called a “single-pixel gif” or “web beacons”) that allow our third-party service providers and us to count page views or to collect other anonymous data. In general, any electronic image viewed as part of a web page, including an ad banner, can act as a web beacon. Web beacons are typically very small, usually 1 by 1 pixel in size, but their presence can be easily seen with your browser’s inspection tools. Web beacons are small in order to minimize both their display and their loading time. Our web beacons may collect, gather, monitor or share personal information about our online service visitors for web tracking purposes; they also may be used to compile anonymous, aggregated statistics about the usage of our online services.
For tracking purposes, we use web beacons on our Website along with other technical methods. We also employ third-party services (e.g., Twitter) that collect data remotely through the use of web beacons. This service then returns the completely anonymous data to us as site traffic reports.
**Types of Cookies on Our Website**
We use the following types of cookies for the following purposes:
- **Strictly Necessary Cookies**: These cookies are essential for you to browse our Website and use its intended functionality, including accessing secure areas of our Website. These cookies cannot be opted-in or out of.
- **Performance Cookies**: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Website. They help us to know which pages are the most and least popular and see how visitors move around our Website. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.
- **Functional Cookies**: These cookies enable the Websites to provide enhanced functionality. They may be set by us or by third-party service providers whose services we have added to our pages (for example, embedding videos on webpages).
- **Marketing Cookies**: These cookies may be set on our Website by our advertising and marketing service providers. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. They are based on uniquely identifying your browser and internet device. This recognition is used to serve relevant adverts, links, or other information about our products and services to users visiting other websites after having previously visited our Website or interacted with our products and services. If you consent to these cookies, you may experience targeted advertising.
## 13. Your Privacy Rights
You have several choices regarding the use of your personal information on the Site and our Services. Depending on the jurisdiction you reside in, you may have certain additional rights in relation to the personal information we have collected about you, which are detailed in jurisdiction-specific sections of this Privacy Policy below.
**Email Communications.** We may periodically send you free newsletters and e-mails that directly promote the use of our Site or Services. When you receive newsletters or promotional communications from us, you may indicate a preference to stop receiving further communications from us and you will have the opportunity to “opt-out” by following the unsubscribe instructions provided in the e-mail you receive or by contacting us directly (please see [contact information](#18-questions-and-contacts) below). Despite your indicated e-mail preferences, we may send you Service-related communications, including notices of any updates to our Privacy Policy or terms of service/terms of use.
**Cookies.** If you decide at any time that you no longer wish to accept cookies from our Site for any of the purposes described above, then you can instruct your browser, by changing its settings, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. Consult your browser’s technical information. If you do not accept cookies, however, you may not be able to use all portions of the Site or all functionality of the Services. If you have any questions about how to disable or modify cookies, visit [https://www.allaboutcookies.org/](https://www.allaboutcookies.org/).
## 14. Notice to European Users
The information provided in this “Notice to European Users” section applies only to individuals in Europe.
**Personal information**. References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European data protection legislation.
**Controller.** We are the controller of your personal information covered by this Privacy Policy for the purposes of European data protection legislation, except to the extent that we process your personal information on behalf of our customer, including personal information that we process on behalf of our Clients, in which case our customer is the controller of your personal information, and we are the processor.
We have appointed a Data Protection Officer, whose contact information is:
```
DP Dock DPO Services GmbH
Grüffkamp 10
24159 Kiel
Germany
chromatic@dp-officer.com
```
**Legal bases for processing**. We use your personal information only as permitted by law. Our legal bases for processing the personal information described in this Privacy Policy are described in the table below.
| Processing Purpose | Legal basis |
| :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **To operate the services** | Processing is necessary to perform the contract governing our provision of the services or to take steps that you request prior to signing up for the services. If we have not entered into a contract with you, we process your personal information based on our legitimate interest in providing the services you access and request. |
| **To communicate with you; Notify you of changes to our products/services; To manage affiliate, distributor and customer relationships; To market, or advertise our products/services; To administer promotions; To improve the services; To provide security; For compliance, fraud prevention and safety; To act in the public interest; For employment purposes; To post customer product comments** | These activities constitute our legitimate interests. We do not use your personal information for these activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise permitted to by law). |
| **To comply with law; To audit our transactions and interactions** | Processing is necessary to comply with our legal obligations. |
| **With your consent** | Processing is based on your consent. Where we rely on your consent you have the right to withdraw it at any time in the manner indicated when you consent or in the services. |
**Use for new purposes.** We may use your personal information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.
**Sensitive personal information.** We ask that you not provide us with any sensitive personal information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the services, or otherwise to us.
If you provide us with any sensitive personal information when you use the services, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through the services.
**Automated Decision-Making and Profiling.** We do not use automated decision-making and/or profiling in regard to your personal information in connection with the services.
**Retention.** We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
**Your rights.**
European data protection laws give you certain rights regarding your personal information. If you are located within the European Economic Area, the United Kingdom or Switzerland, you may ask us to take the following actions in relation to your personal information that we hold:
- **Access.** Provide you with information about our processing of your personal information and give you access to your personal information.
- **Correct.** Update or correct inaccuracies in your personal information.
- **Delete.** Delete your personal information.
- **Transfer.** Transfer a machine-readable copy of your personal information to a third party of your choice.
- **Restrict.** Restrict processing of your personal information.
- **Object.** Object to our reliance on our legitimate interests as a legal basis of our processing of your personal information that impacts your rights.
You may submit these requests by email to [privacy@chromatic.com](mailto:privacy@chromatic.com) or our postal address provided below. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator [here](https://edpb.europa.eu/about-edpb/about-edpb/members_en).
**Cross-Border Data Transfer.**
If we transfer your personal information out of Europe to a country not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be performed:
- Pursuant to the recipient’s compliance with standard contractual clauses or Binding Corporate Rules;
- Pursuant to the consent of the individual to whom the personal information pertains; or
- As otherwise permitted by applicable European requirements.
You may contact us at [privacy@chromatic.com](mailto:privacy@chromatic.com) or via our contact information below if you want further information on the specific mechanism used by us when transferring your personal information out of Europe.
**EU Representative**
DP-Dock has been appointed as our representative in the European Union for data protection matters, pursuant to Article 27 of the GDPR. If you are in the [European Economic Area](https://verasafe.com/public-resources/eea-members/), DP-Dock can be contacted in addition to [privacy@chromatic.com](mailto:privacy@chromatic.com), only on matters related to the processing of personal data. To make such an inquiry, please contact DP-Dock at:
Website: [www.dp-dock.com](https://www.dp-dock.com/)
Email: [chromatic@gdpr-rep.com](mailto:chromatic@gdpr-rep.com)
```
EU:
DP-Dock GmbH, Attn: Chroma Software, Inc.,
Ballindamm 39, 20095
Hamburg, Germany
```
```
UK:
DP Data Protection Services UK Ltd., Attn: Chroma Software, Inc.,
16 Great Queen Street, Covent Garden,
London, WC2B 5AH, United Kingdom
```
## 15. Notice to Canadian Users
The information provided in this “Notice to Canadian Users” section applies only to individuals in Canada. Individuals located in Canada have certain rights pursuant to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable substantially similar provincial legislation (“Canadian data protection legislation”).
**Personal information.** References to “personal information” in this Privacy Policy are equivalent to “personal information” governed by Canadian data protection legislation.
**Consent.** By using the services and providing personal information to us, you are consenting to the collection, use and disclosure of your personal information as described in this Notice. If you do not consent to the processing of your personal information in accordance with this Notice, please do not access or continue to use the services or otherwise provide any personal information to us.
**Your rights.**
You have certain rights with respect to your personal information under Canadian data protection legislation. Subject to certain exceptions and limitations, and depending upon the province where you reside, such rights may include:
- **To withdraw consent.** The right to withdraw your consent to the collection, use or disclosure of your personal information.
- **To be informed.** The right to be informed of the existence, use, and disclosure of your personal information, and to be provided with an account of the use that has been made or is being made of this information as well as the third parties to which it has been disclosed (including a list of organizations to which your information may have been disclosed).
- **To correct.** The right to challenge the accuracy and completeness of your personal information, and have it amended, updated or rectified as appropriate.
- **To challenge.** The right to challenge our compliance with the applicable Canadian data protection legislation.
- **To be forgotten.** The right to restrict the dissemination of your personal information in certain circumstances if such dissemination contravenes a law or court order, or otherwise causes serious injury to your reputation or privacy.
- **Data portability.** The right to receive computerized personal information in a structured, commonly-used and technological format, or to have such personal information transferred directly to any person or body authorized by law to collect such personal information.
**Automated Decision-Making**. We do not use automated decision-making in regard to your personal information in connection with the services.
**Complaints**. The Office of the Privacy Commissioner of Canada (Commissariat à la protection de la vie privée du Canada) advises individuals to file an objection or challenge with the relevant company before lodging a formal complaint with a regulatory authority. If you are dissatisfied with our response to an objection or inquiry, or if you wish to file a complaint with a regulatory authority first, you may file a complaint with the [Office of the Privacy Commissioner of Canada](https://www.priv.gc.ca/). Depending upon the province where you live, you may also (or instead) have the right to file a complaint with the applicable provincial privacy commissioner/regulator.
## 16. Notice to Australian Users
The information provided in this “Notice to Australian Users” section applies only to individuals in Australia. We take reasonable steps to make sure that third party recipients located outside Australia handle your personal information in a secure manner consistent with Australian privacy principles and in accordance with this Privacy Notice. However, we cannot always ensure that such third party recipients will comply with Australian privacy law in relation to your personal information. As such, where a foreign third party recipient does not handle your personal information in compliance with Australian privacy law, we will not be accountable to you and you will not be able to seek redress under Australian privacy law for such non-compliance. By providing us with your personal information, you consent to us disclosing your personal information to recipients outside Australia on this basis.
If you have any questions, concerns or complaints in relation to our handling of your personal information, you can contact us at: [privacy@chromatic.com](mailto:privacy@chromatic.com). If you are unhappy with, or have further questions concerning, our handling of your question, concern, or complaint, you may contact the Office of the Australian Information Commissioner (telephone [\+61 1300 363 992](tel:+611300363992) or email [enquiries@oaic.gov.au](mailto:enquiries@oaic.gov.au)).
## 17. Do Not Track Signals and Third-Party Tracking
Certain mechanisms may allow you to send web browser signals, known as “Do Not Track” (“DNT”) signals, indicating your choice to disable tracking on our Website. We do not respond to browser DNT signals at this time. We may not be aware of or be able to respond to every such mechanism.
Third-parties, other than our service providers (such as our Website’s analytics provider), do not have authorization from us to track which website you visited prior to and after visiting our Website. That said, we cannot control third-party tracking; therefore, there may be some third-party tracking that occurs without our knowledge or consent.
## 18. Questions and Contacts
We hope this Privacy Notice has been helpful in explaining the way we handle your personal information and your rights to control it. For any questions or comments in relation to this Privacy Notice and our privacy practices in general, please contact our Privacy Office who will be pleased to help you by email at [privacy@chromatic.com](mailto:privacy@chromatic.com).
## 19. Changes to Our Privacy Notice
Any changes we make to this Privacy Notice in the future will be posted on this page. The updated Privacy Notice will take effect as soon as it has been updated or otherwise communicated to you.
---
---
title: Security
description: Security overview and responsible disclosure
sidebar: { order: 5 }
---
# Security policy
Our priority is securing your intellectual property and information.
- [View latest security report](https://app.drata.com/security-report/36340072-4a17-4b9e-80be-1b80562aeb41/30c79316-dfa2-42a8-9b0c-2766cd6ecb89)
- [View SOC 2 Type 2 report](https://security.chromatic.com/)
For questions, contact our security team [security@chromatic.com](mailto:security@chromatic.com).
## Responsible disclosure
Before submitting a vulnerability request, download the **Responsible Disclosure Policy** from [security.chromatic.com](https://security.chromatic.com/) for submission instructions.
### Acknowledgments
Chromatic is grateful to the following individuals for responsibly disclosing security issues, allowing us to make Chromatic safer for everyone.
#### 2025
- [Matt Gill](https://www.linkedin.com/in/mattagill)
- [Mridul Rastogi](https://www.linkedin.com/in/mridul-rastogi-532726292/)
- [Harsh Maheta](https://www.linkedin.com/in/harsh-maheta-7057542a9)
- [Parth Narula](https://www.linkedin.com/in/parth-narula-86283821a)
#### 2024
- [Harish Harishwar](https://x.com/Hari_harishwar)
- [James Zeilenga](https://www.linkedin.com/in/james-zeilenga)
#### 2023
- [Rohit Sharma](https://www.linkedin.com/in/r0x5r/)
- [Professor the Hunter](https://www.linkedin.com/in/bughuntar/)
- [Kunal Mhaske](https://www.linkedin.com/in/kunal-mhaske-59928a170/)
#### 2022
- [Bharat Adhikari](https://www.linkedin.com/in/bharat-adhikari-726337225)
---
---
title: Terms of Service
description: Chromatic Terms of Service
sidebar: { order: 6 }
---
# Terms of Service
Chroma Software, Inc.®
Last Updated: July 28, 2022
The Chroma Terms of Service Agreement (the “Agreement”) is made by and between the customer identified in a Subscription Order that references this Agreement (“Customer”, “You”, or “Your”) and Chroma Software, Inc. (referred to herein as “Chroma”, “We”, “Us”, or “Our”). This Agreement is effective as of the date Customer accepts the terms of this Agreement (the “Effective Date”) or, if earlier, when you use any of the Chroma Services. You understand and agree that Chroma will treat your use of the Chroma Services as acceptance of the Terms from that point onwards. You may not access the Services if You are a direct competitor, except with Chroma’s prior written consent. In addition, You may not access the Services for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.
IN ORDER TO USE CHROMA SERVICES, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS AGREEMENT WHICH WILL GOVERN CUSTOMER’S PURCHASE AND USE OF CHROMA SERVICES, INCLUDING USES BY CUSTOMER’S EMPLOYEES, CONTRACTORS, AGENTS, AND OTHER AUTHORIZED USERS. IF YOU ARE ACTING ON BEHALF OF AN ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT ON BEHALF OF THAT ENTITY. IF CUSTOMER DOES NOT ACCEPT THE TERMS OF THIS AGREEMENT, THEN IT MUST NOT PURCHASE OR USE THE CHROMA SERVICES. IF YOU REGISTER FOR A FREE VERSION OF OUR SERVICES, THIS AGREEMENT WILL ALSO GOVERN THAT FREE VERSION.
## Table of contents
- [Terms of Service](#terms-of-service)
- [Table of contents](#table-of-contents)
- [1. Definitions](#1-definitions)
- [2. Chroma Delivery of Services and Content](#2-chroma-delivery-of-services-and-content)
- [3. Use of Services and Content](#3-use-of-services-and-content)
- [4. Non-Chroma Providers](#4-non-chroma-providers)
- [5. Fees Payment and Terms Audit](#5-fees-payment-and-terms-audit)
- [6. Proprietary Rights](#6-proprietary-rights)
- [7. Confidentiality](#7-confidentiality)
- [8. Term and Termination](#8-term-and-termination)
- [9. Warranty](#9-warranty)
- [10. Indemnification](#10-indemnification)
- [11. Limitation of Liability](#11-limitation-of-liability)
- [12. General](#12-general)
## 1. Definitions
As used in this Agreement, the following terms shall have the meanings set forth in this Section 1. Certain other terms may be defined in the context of their use elsewhere in the Agreement.
"**Affiliate**" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party to this Agreement. For purposes of this definition, “control” means ownership of at least fifty percent (50%) of the outstanding voting shares of the subject entity.
"**Applications**" means a software application developed by the Customer, its Affiliate(s), or a third-party service provider.
"**Beta Services**" means Chroma Services that are not generally available to customers.
"**Chromatic**" means Chroma’s application testing platform or Chroma’s user interface development platform both hosted at [https://chromatic.com](https://chromatic.com).
"**Confidential Information**" means any and all confidential or proprietary information or materials which have been or are hereafter disclosed or made available by one party (the “Disclosing Party”) to the other (the “Receiving Party”) in connection with this Agreement, whether provided orally or in writing and in any form or media, including without limitation:
- (i) All trade secrets;
- (ii) Existing or contemplated products, services, designs, technology, processes, technical data, engineering techniques, methodologies and concepts and any related information;
- (iii) Information relating to business plans, sales or marketing methods and customer lists or requirements;
- (iv) Customer-specific terms or pricing set forth in business proposals, this Agreement or any Subscription Order and
- (v) where Chroma is the Disclosing Party,
  - (a) Chroma’s Pre-Existing Intellectual Property,
  - (b) General Enhancements,
  - (c) Services Materials,
  - (d) Training Materials,
  - (e) Documentation, including data security related certification such as SOC 2 reports, and
  - (f) Implementation architectures that encompass Chromatic and any of the foregoing items (a) – (e) (“Implementation Architectures”).
"**Content**" means information obtained by Chroma from Our content licensors or publicly available sources and provided to Customer pursuant to an Order Form, as more fully described in the Documentation.
"**Documentation**" means all Chroma published user manuals and guides, regardless of media, that explain or facilitate the use of Chromatic, and other related services.
"**General Enhancements**" means any improvements, modifications, enhancements, or extensions to or derivative works of Chroma Pre-existing Intellectual Property that have or could have general applicability to Chroma customers, including, but not limited to, any modifications to, or derivative works of, Chromatic.
"**Intellectual Property**" means any and all patents, inventions, copyrights, works of authorship, trademarks, trade secrets, know-how, and all other intellectual property (whether registered or unregistered and including the right to register such intellectual property) that are, in each case, protected under the laws of any governmental authority having jurisdiction.
"**Malicious Code**" means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.
"**Pre-Existing Intellectual Property**" means:
- (a) Intellectual Property in existence as of the Effective Date of this Agreement, and
- (b) Intellectual Property that a party creates or develops outside the scope of Services or Support provided under this Agreement and without the use of the other party’s Confidential Information.
“**Subscription Order**” means an online order form or order document executed by the parties that sets forth specific Services and/or Support being purchased by Customer under this Agreement.
“**Service**” or “**Services**” means Chroma technologies, products, support, and/or professional services as set forth in an applicable Subscription Order or free version.
"**Services Materials**" means:
- (a) The processes, know-how, proprietary information and methodologies, document templates, and project tools including, but not limited to, best practice guides and reference architecture materials; and
- (b) Utilities, connectors, scripts, tools, Chromatic implementation code, and other software (and any updates thereto) that, in each case, are used by Chroma to deliver the Services or Support to Customer.
“**Support**” means email and in-app support for Chromatic.
"**Training Materials**" means Chroma training courses, documentation, and other associated training materials, including any and all updates thereto.
"**Training Services**" means Chroma’s training services offerings as set forth in an applicable Subscription Order.
"**User**" means an individual who is authorized by Customer to use Chroma Services, for whom Customer has ordered Chroma Services, and to whom Customer (or Chroma, at Your request) has supplied a user identification and password. Users may include, for example, Customer’s employees, consultants, contractors, agents, or, subject to Chroma’s approval, a third party with which Customer transacts business.
"**We**", "**Us**" or "**Our**" means the Chroma Software company described in Section 12 (Governing Law and Venue).
"**You**" or "**Your**" means the company or other legal entity for which you are accepting this Agreement, and Affiliates of that company or entity.
"**Your Data**" or “**Customer Data**” means electronic data and information submitted by or for You to Chroma Services or collected and processed by or for You using Chroma Services.
## 2. Chroma Delivery of Services and Content
Subject to the terms and conditions of this Agreement, Chroma will provide to Customer the Services and Content agreed by the parties in applicable Subscription Orders. Subscription Orders shall be deemed incorporated herein. Services and Support are only for Customer’s internal use. Customer may not use the Services or Support to supply any training or support services to any third party. All Services and Content delivered under this Agreement are deemed accepted by Customer upon delivery.
**2.1. Provision of Purchased Services**
Chroma will:
- (a) Make the Services and Content available to Customer pursuant to this Agreement and the applicable Subscription Orders, and
- (b) Use commercially reasonable efforts to make Chroma Services available, except for:
  - (i) Planned downtime (of which We shall give at least 1 business day notice and which We shall schedule to the extent practicable during the off-peak hours of our choosing), and
  - (ii) Any unavailability caused by circumstances beyond Our reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, civil unrest, war, act of terror, quarantine, strike or other labor problem (other than one involving Our employees), Internet service provider failure or delay, or denial of service attack.
**2.2. Protection of Customer Data**
Chroma will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality (to the extent applicable) and integrity of Customer Data. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Customer Data by Chroma personnel except:
- (a) To provide Chroma Services and prevent or address service or technical problems,
- (b) As compelled by law in accordance with Section 7 below, or
- (c) As Customer expressly permits in writing.
**2.3 Chroma Personnel**
Chroma will be responsible for the performance of Chroma personnel (including Chroma employees and contractors) and their compliance with Chroma obligations under this Agreement, except as otherwise specified herein.
**2.4. Free Services**
Some Chroma Services may be provided to you without charge up to certain limits as published on the Chroma website or Subscription Order. Usage over this limit may require your purchase of Chroma Services.
**2.5 Beta Services**
From time to time Chroma may invite Customer to try, at no charge, Chroma products or services that are not generally available to Chroma customers ("Beta Services"). You may accept or decline any such trial in Your sole discretion. Any Beta Services will be clearly designated as beta, pilot, limited release, early access, developer preview, non-production or by a description of similar import. Beta Services are provided for evaluation purposes and not for production use, are not supported, may contain bugs or errors, and may be subject to additional terms. Beta Services are not considered "Chroma Services" hereunder and are provided "AS IS" with no express or implied warranty. Chroma may discontinue Beta Services at any time in its sole discretion and may never make them generally available. Chroma will have no liability for any harm or damage arising out of or in connection with a Beta Service.
**2.6 Recommendations**
Chroma may, and Customer grants us permission to, make recommendations via Chroma Services or other marketing channels for products or services we think may be of interest to you based on your Application(s), the Content, and/or your use of Chroma Services.
**2.7 Modification of Chroma Services**
Chroma is constantly innovating in order to provide the best possible experience for its customers and users. Customer acknowledges and agrees that the form and nature of the Chroma Services provided may change from time to time without prior notice to you. Changes to the form and nature of the Chroma Services will be effective with respect to all versions of Chromatic; examples of changes to the form and nature of the Chroma Services include, without limitation, security patches, added functionality, and other enhancements.
## 3. Use of Services and Content
**3.1 Subscriptions**
Unless otherwise provided in the Subscription Order Form,
- (a) Services and Content are purchased as subscriptions,
- (b) New subscriptions may be added during a subscription term, and
- (c) Any added subscriptions shall terminate on the same termination date as the underlying subscriptions.
Customer must provide accurate and complete registration information any time you register to use the Chroma Services. Customer is responsible for the security of your passwords and for any use of your account. If you become aware of any unauthorized use of your password or of your account, you shall notify Chroma immediately.
**3.2 Usage Limits**
Chroma Services and Content are provided subject to usage limits, including, for example, the quantities specified in a Subscription Order Form or Chromatic website. If Customer’s use of Chroma Services exceeds the aforementioned usage limits, Customer shall be billed for such usage on the applicable invoices, and Customer agrees to pay such additional fees in accordance with Section 5. Unpaid amounts may cause termination of this Agreement or suspension of Services, at Chroma’s discretion, as set forth in [Section 5](#fees-payment-and-terms-audit).
**3.3 Customer Responsibilities**
Customer will
- (a) Be responsible for Users’ compliance with this Agreement,
- (b) Be responsible for the accuracy, quality and legality of Customer Data and the means by which Customer acquired Customer Data,
- (c) Use commercially reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify Chroma promptly of any such unauthorized access or use,
- (d) Use Services and Content only in accordance with the Documentation and applicable laws and government regulations of the United States or other countries, including the country in which you are resident or from which you use Chroma Services.
Customer agrees that Chroma has no responsibility or liability for Customer’s deletion or failure to store any Customer Data, content, applications, and other communications maintained or transmitted through Chroma Services. Customer further acknowledges that you are solely responsible for securing and backing up your Applications and any associated data and content. Customer agrees that your purchases of Chroma Services are not contingent on the delivery of any future functionality or features or dependent on any oral or written public comments made by Chroma or any of its affiliates regarding future functionality or features. Customer is responsible for technical support of its Applications. Customer affirms that you are over the age of 13, as you must be over 13 years of age to use the Services, and children under the age of 13 cannot use or register for the Services.
**3.4 Usage Restrictions**
Chroma may suspend or terminate access to Chroma Services if Customer has violated usage restrictions impacting the stability, availability or integrity of the Chroma Services. Customer will not
- (a) Make any Service or Content available to, or use any Service or Content for the benefit of, anyone other than Customer or Your Users,
- (b) Sell, resell, license, sublicense, distribute, rent or lease any Service or Content, or include any Service or Content in a service bureau or outsourcing offering, unless you have been specifically allowed to do so in a separate agreement with Chroma,
- (c) Use a Service or Content to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights,
- (d) Use a Service to store or transmit Malicious Code,
- (e) Interfere with or disrupt the integrity or performance of any Service or third-party data contained therein,
- (f) Attempt to gain unauthorized access to any Service or Content or its related systems or networks,
- (g) Permit direct or indirect access to or use of any Service or Content in a way that circumvents a contractual usage limit,
- (h) Copy a Service or any part, feature, function or user interface thereof,
- (i) Copy Content except as permitted herein or in an Order Form or the Documentation,
- (j) Frame or mirror any part of any Service or Content, other than framing on Customer’s own intranets or otherwise for Customer’s own internal business purposes or as permitted in the Documentation,
- (k) Access any Service or Content for the purposes of building a competitive product or service, creating derivative works based on Chroma Services, or bringing an intellectual property infringement claim against Chroma, or
- (l) Reverse engineer, modify, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to any Chroma Service.
Customer may not develop multiple Applications to simulate or act as a single Application or otherwise access the Chroma Services in a manner intended to avoid incurring fees.
**3.5 Open Source Software Licenses**
Chroma Services may include certain open source components that are subject to open source licenses (“Open Source Software”). Such Open Source Software is licensed under the terms of the license that accompanies the Open Source Software. Nothing in this Agreement limits your rights under, or grants you rights that supersede, the terms and conditions of any applicable license terms for such Open Source Software.
**3.6 Removal or Suspension of Customer Application and Data**
Customer understands that all information (such as data files, written text, computer software, music, audio files or other sounds, photographs, videos or other images) to which you may have access as part of, or through your use of, the Chroma Services is the sole responsibility of the person from which such content originated. Chroma reserves the right (but shall have no obligation) to remove any or all Customer applications and data from Chroma Services. Customer agrees to immediately take down any content that violates the [Acceptable Use Policy](/docs/acceptable-use), including pursuant to a take-down request from Chroma. In the event that you elect not to comply with a request from Chroma to take down certain content, Chroma reserves the right to directly take down such content. If Chroma is required by a licensor to remove Content, or receives information that Content provided to Customer may violate applicable law or third-party rights, Chroma may so notify Customer and in such event You will promptly remove such Content from Your systems. If Customer does not take required action in accordance with the above, Chroma may disable the applicable Content and/or Service until the potential violation is resolved.
**3.7 Administrative Access to Chromatic**
Customer agrees not to
- (a) Access (or attempt to access) the administrative interface of Chromatic by any means other than through the interface that is provided by Chroma in connection with the Chroma Services, unless you have been specifically allowed to do so in a separate agreement with Chroma, or
- (b) Engage in any activity that interferes with or disrupts the Chroma Services (or the servers and networks which are connected to Chromatic).
## 4. Non-Chroma Providers
**4.1. Non-Chroma Applications and Customer Data**
If Customer installs or enables a Non-Chroma Application for use with the Chroma Services, Customer grants Chroma permission to allow the provider of that Non-Chroma Application to access Your Data as required for the interoperation of that Non-Chroma Application with the Chroma Services. Chroma is not responsible for any disclosure, modification or deletion of Your Data resulting from access by a Non-Chroma Application.
**4.2. Integration with Non-Chroma Applications**
Chroma Services may contain features designed to interoperate or integrate with certain Non-Chroma Applications. To use such features, Customer may be required to obtain access to such Non-Chroma Applications subject to their terms and conditions, or to grant Chroma access to Customer’s account(s) on such Non-Chroma Applications. If the provider of a Non-Chroma Application ceases to make the Non-Chroma Application available for interoperation or integration with the corresponding Service features on reasonable terms, Chroma may, at its sole discretion, cease providing those Service features without providing Customer any prior notice, refund, credit, or other compensation.
**4.3 Non-Chroma Content**
Chroma Services may include hyperlinks to other websites, resources, or content which are provided by companies or persons other than Chroma (“Non-Chroma Content”). Chroma has no control over any Non-Chroma Content. Chroma is not responsible for the quality or availability of any such Non-Chroma Content, and does not endorse any advertising, products or other materials on or available from such Non-Chroma Content. Chroma is not liable for any loss or damage which may be incurred by you or your Users in connection with Non-Chroma Content or as a result of any reliance placed by you on the completeness, accuracy or existence of any advertising, products or other materials on, or available from, such Non-Chroma Content.
## 5. Fees Payment and Terms Audit
**5.1 Fees and Expenses**
For purchased Chroma Services and Support, Customer will pay Chroma the fees set forth in the applicable Subscription Order.
**5.2 Payment Terms**
Unless otherwise agreed by the parties in an applicable Subscription Order, Chroma will charge Customer’s credit card at the interval specified in an applicable order invoice as follows:
- (a) For Services, upon execution of the applicable Subscription Order; and
- (b) For Training Services, monthly in-arrears as such Services are delivered by Chroma.
Customer will pay all such invoices issued by Chroma in full within thirty (30) days of receiving each invoice, without setoff, counterclaim, or deduction of any kind. All unpaid amounts will accrue interest at the rate of 1.5% per month on any outstanding balance, or the maximum amount permitted by law, whichever is lower, plus all expenses of collection. Chroma may, in its sole discretion, suspend the provision of Services or Support, as applicable, (i) upon ten (10) days prior written notice to Customer, if any invoice is more than thirty (30) days past due, or (ii) immediately if Customer is a non-enterprise, self-service customer paying by credit card, and said credit card payment has been declined after reasonable attempts. This right of suspension will not limit any other of Chroma’s rights or remedies related to Customer’s failure to pay. To the fullest extent permitted by law, Customer waives all claims relating to charges unless claimed within 60 days after the charge (this does not affect your credit card issuer rights). Charges are solely based on Chroma's measurements of your use of the Chroma Services, unless otherwise agreed to in writing. Nothing in these Terms obligates Chroma to extend credit to any party. Chroma may change its fees and payment policies for the Chroma Services by notifying you at least fifteen (15) days before the beginning of the billing cycle in which such change will take effect. Changes to the fees or payment policies will be posted on the Chromatic website (or such other URL Chroma may provide from time to time). Customer acknowledges and agrees that any credit card and related billing and payment information that you provide to Chroma may be shared by Chroma with companies who work on Chroma’s behalf, such as accounting firms, payment processors and/or credit agencies, solely for the purposes of checking credit, effecting payment to Chroma and servicing your account.
**5.3 Refunds & Cancellation**
Customer may cancel and receive a full refund of fees paid within the first thirty (30) days of the initial service provisioning date for orders related to Chromatic. Chroma reserves the right, in its sole discretion, to issue any refunds in the form of credit towards future Chroma Services. After the aforementioned 30 days, any subsequent Chromatic orders associated to a Customer’s user account or previously associated web domains are not eligible for refund. Customer may only request a cancellation or refund via written notice to Chroma. In the event Customer terminates a Subscription Order without cause, Customer is responsible for all fees incurred unless a refund is expressly provided herein.
**5.4 Taxes**
All fees and expenses charged by Chroma under this Agreement are exclusive of any taxes, duties, or similar charges imposed by any government, and Customer agrees to pay for any and all federal, state, or local sales, use, excise, privilege, or other taxes, duties or assessments, however designated or levied, relating to this Agreement, exclusive of taxes based on Chroma’s net income. If Customer is required to pay any withholding tax, charge, or levy in respect of any payments due to Chroma hereunder, Customer agrees to gross up payments actually made to Chroma such that Chroma receives sums due hereunder in full and free of any deduction for any such withholding tax, charge, or levy.
## 6. Proprietary Rights
**6.1 Customer Retained Property**
Customer owns and retains all worldwide right, title, and interest in and to all of Customer’s Pre-existing Intellectual Property and Customer’s Confidential Information (together, the “Customer Retained Property”). Except as expressly set forth herein, nothing in this Agreement conveys any right, title, or interest in or to the Customer Retained Property to Chroma or any other third party. Chroma acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Applications or data that you create, submit, post, transmit or display on, or through, the Chroma Services, including any intellectual property rights which subsist in that Application (whether those rights happen to be registered or not, and wherever in the world those rights may exist). Unless you have agreed otherwise in writing with Chroma, you agree that you are responsible for protecting and enforcing those rights and that Chroma has no obligation to do so on your behalf. By creating an Application and associated Data through use of the Chroma Services, you give Chroma a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute such Application and Data for the sole purpose of enabling Chroma to provide you with the Chroma Services.
**6.2 Chroma Retained Property**
Chroma owns and retains all worldwide right, title and interest in and to all:
- (a) Chroma’s Pre-Existing Intellectual Property,
- (b) General Enhancements,
- (c) Services Materials,
- (d) Training Materials,
- (e) Documentation, and
- (f) Implementation Architectures (together, the “Chroma Retained Property”), including any and all Intellectual Property therein and thereto.
Except as expressly set forth herein, nothing in this Agreement conveys any right, title, or interest in or to the Chroma Retained Property or Chromatic (including General Enhancements thereto) to Customer or any other third party.
**6.3 Feedback**
Customer may, in its sole discretion or at the invitation by Chroma, provide Chroma with suggestions, enhancement requests, comments, recommendations, or other feedback related to Services provided by Chroma (“Feedback”). By submitting any Feedback, Customer agrees that Customer’s disclosure is gratuitous and without restriction, and will not place Chroma under any fiduciary or other obligation, and Chroma is free to use such Feedback without any additional compensation to Customer, and/or to disclose such Feedback on a non-confidential basis or otherwise to anyone.
**6.4 Residual Rights**
The parties acknowledge and agree that Chroma is in the business of providing training, and support services to third parties that are or may be substantially similar to the Services and Support being provided to Customer. Customer agrees that Chroma, its employees, and agents will be free to use and employ their general skills, know-how, and expertise, and to use, disclose, and employ any generalized ideas, concepts, know-how, methods, techniques, or skills gained or learned during the course of any Services or Support performed under this Agreement and retained in the unaided memory of Chroma’s employees or agents, subject to its obligations respecting Customer’s Confidential Information pursuant to [Section 7](#confidentiality).
**6.5 Reservation of Rights**
Chroma reserves all rights not expressly granted to Customer in this Agreement. Except as expressly stated, nothing herein shall be construed to
1. Directly or indirectly grant to a receiving party any title to or ownership of a providing party’s intellectual property rights in services or materials furnished by such providing party hereunder, or
2. Preclude such providing party from developing, marketing, using, licensing, modifying or otherwise freely exploiting services or materials that are similar to or related to the Support, services, or materials provided hereunder.
**6.6 Copyright Policy**
Customer agrees to set up a process to respond to notices of alleged infringement that comply with the United States' Digital Millennium Copyright Act ("DMCA notices"). It is Chroma's policy to respond to DMCA notices or other applicable copyright laws and to terminate the accounts of repeat infringers. Chroma reserves the right to take down content in Customer’s Application or, if necessary, the Application itself upon receipt of a valid DMCA notice.
## 7. Confidentiality
**7.1 Obligations**
For a period of five (5) years from the date of disclosure of the applicable Confidential Information, the Receiving Party will (i) hold the Confidential Information of the Disclosing Party in trust and confidence and avoid the unauthorized disclosure or release thereof to any other person or entity by using the same degree of care as the Receiving Party uses to avoid unauthorized use, disclosure, or dissemination of its own confidential information of a similar nature, but, in no event, less than a reasonable degree of care, and (ii) not use Confidential Information for any purpose except as expressly contemplated under this Agreement or any Subscription Order; provided that, to the extent Confidential Information constitutes a trade secret under applicable law, the Receiving Party agrees to protect such information for so long as it qualifies as a trade secret. Notwithstanding any other provision of this Agreement, the Receiving Party may disclose Confidential Information to those of the Receiving Party’s employees and contractors having a need to know such Confidential Information, provided that the Receiving Party takes reasonable measures to ensure that such employees and contractors are bound by non-use and non-disclosure obligations at least as restrictive as those contained in this Agreement. Each party shall be liable for all violations of this Section 7 by its employees and contractors.
**7.2 Exclusions**
The obligations of the Receiving Party under this Section 7 will not apply to information of the Disclosing Party that the Receiving Party can demonstrate
- (i) was in the possession of the Receiving Party at the time of disclosure without any restrictions as to confidentiality of such information,
- (ii) was generally available to the public at the time of disclosure or became generally available to the public after disclosure through no breach of this Agreement or other wrongful act by the Receiving Party,
- (iii) was rightfully received by the Receiving Party from a third party without restriction on disclosure, or
- (iv) is independently developed by the Receiving Party without use of or reference to the Confidential Information.

The Receiving Party may disclose Confidential Information to the extent required to comply with binding orders of governmental entities that have jurisdiction over it; provided that, to the extent legally permitted, the Receiving Party gives the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or other appropriate remedies, discloses only such Confidential Information as is required by the governmental entity, and uses commercially reasonable efforts to obtain confidential treatment for any Confidential Information disclosed.
**7.3 Return and Destruction**
Upon the written request of the Disclosing Party, the Receiving Party shall promptly return or destroy the Confidential Information, including all copies thereof (certifying the fact of such destruction to the Disclosing Party), with the exception that the Receiving Party
- (a) may retain an archival copy of the Confidential Information and
- (b) is not required to destroy or alter computer-based back-up files generated in the normal course of its business.
Any Confidential Information contained in such archival copies or backup files shall, however, remain subject to the confidentiality obligations of this Section 7.
**7.4 Equitable Relief**
The parties acknowledge and agree that any breach of the obligations of this Section 7 may cause the non-breaching party irreparable harm for which an adequate remedy at law may not be available and that, therefore, the non-breaching party shall be entitled to seek injunctive relief, in addition to all other remedies available at law.
## 8. Term and Termination
**8.1 Term**
The term of this Agreement will commence on the Effective Date of the applicable order and will continue until terminated as set forth herein. The term for the provision of Support or Services provided under individual Subscription Orders will be as set forth in such Subscription Order; provided, however, that if a Subscription Order for Support does not specify the term for such Support, Support will be deemed to have commenced upon execution of the Subscription Order.
**8.2 Termination**
If there are no active Subscription Orders in place, either party may terminate this Agreement for convenience by providing written notice to the other party. Each party will have the right to terminate this Agreement or any individual Subscription Order for cause upon written notice to the other party:
- (a) If the other party breaches any material term of this Agreement or the applicable Subscription Order, and, if such breach is capable of cure, the breaching party fails to cure such breach within thirty (30) days of its receipt of notice of the breach from the non-breaching party, or
- (b) If
  - (i) the other party becomes insolvent or makes an assignment for the benefit of creditors,
  - (ii) a trustee or receiver is appointed for such other party or for a substantial portion of its assets or
  - (iii) bankruptcy, reorganization or insolvency proceedings are instituted by or against such other party.
Termination of a specific Subscription Order will not result in the termination of any other Subscription Orders. Termination of this Agreement for cause will result in the immediate termination of all active Subscription Orders.
**8.3 Effects of Termination**
Upon any termination, Chroma will be entitled to payment for all Services and Support rendered, and expenses incurred, through the effective date of termination, including for work in progress. Sections [1](#definitions), [5](#fees-payment-and-terms-audit), [6](#proprietary-rights), [7](#confidentiality), [8.3](#term-and-termination), [9.2](#warranty), [10](#indemnification), [11](#limitation-of-liability) and [12](#general) will survive any termination of this Agreement.
## 9. Warranty
**9.1 Limited Warranties**
- Each party represents and warrants that it has the right, power, and authority to enter into, and perform its obligations under, this Agreement and each Subscription Order.
- Chroma warrants that the Services and Support will be performed by qualified personnel in a professional and workmanlike manner consistent with applicable industry standards. Customer must notify Chroma in writing of any alleged failure by Chroma to perform Support or Services in accordance with the foregoing warranty within thirty (30) days of the delivery of the affected Services or Support. Chroma’s entire liability and Customer’s sole remedy for Chroma’s failure to perform in accordance with the above warranty shall be for Chroma to:
  - (i) use commercially reasonable efforts to cure or correct such failure, or
  - (ii) if Chroma is unable to cure or correct such failure, terminate the affected Services or Support and refund that portion of fees paid by Customer to Chroma that corresponds to such failure to perform.
**9.2 Disclaimer**
EXCEPT AS EXPRESSLY PROVIDED IN SECTION [9.1](#warranty), CHROMA DOES NOT MAKE OR GIVE ANY REPRESENTATION, WARRANTY, OR COVENANT OF ANY KIND, WHETHER EXPRESS OR IMPLIED, IN CONNECTION WITH THE SUPPORT OR SERVICES PROVIDED HEREUNDER. WITHOUT LIMITING THE FOREGOING, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CHROMA EXPRESSLY DISCLAIMS ANY AND ALL IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, QUALITY, NON-INFRINGEMENT, TITLE, OR FITNESS FOR A PARTICULAR PURPOSE AND ANY REPRESENTATION, WARRANTY, OR COVENANT BASED ON COURSE OF DEALING OR USAGE IN TRADE. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY CUSTOMER FROM CHROMA OR THROUGH THE CHROMATIC WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED HEREIN. WITHOUT LIMITING THE FOREGOING, CHROMATIC, ITS SUBSIDIARIES, ITS AFFILIATES, AND ITS LICENSORS DO NOT WARRANT THAT THE CONTENT IS ACCURATE, RELIABLE OR CORRECT; THAT CHROMATIC WILL MEET CUSTOMER’S REQUIREMENTS; THAT CHROMATIC WILL BE AVAILABLE AT ANY PARTICULAR TIME OR LOCATION, UNINTERRUPTED OR SECURE; OR THAT ANY DEFECTS OR ERRORS WILL BE CORRECTED, INCLUDING WITHOUT LIMITATION BY ANY CHROMA SUPPORT. CHROMA SHALL HAVE NO OBLIGATION TO IDENTIFY OR CORRECT ANY DEFECTS OR ERRORS, OR TO MODIFY CHROMATIC OR PERFORM ANY SOFTWARE DEVELOPMENT SERVICES AS PART OF THE CHROMA SUPPORT.
## 10. Indemnification
**10.1 General**
Each party (the “Indemnitor”) agrees, at its own expense, to
- (a) Defend the other party, its Affiliates, and their respective directors, officers, employees, and agents (the “Indemnitees”) from and against any third party claim, suit, or action brought against any of the Indemnitees for death, bodily injury, or damage to or loss of any real or tangible personal property to the extent arising out of the Indemnitor’s (including its employees and agents) gross negligence or willful misconduct in the performance of this Agreement (each a “General Claim”), and
- (b) Indemnify the Indemnitees against any and all liabilities, losses, damages, costs, and expenses finally awarded to an unaffiliated third party by a court of competent jurisdiction or agreed by the Indemnitor in settlement with regard to any such General Claim.
Further, Chroma will defend, indemnify, and hold harmless at its expense, any third-party claim, action or proceeding (including resulting liabilities, losses, damages, costs, and expenses finally awarded to an unaffiliated third party) against Customer, and its Indemnitees, that the Services infringe, misappropriate, or violate a third-party’s proprietary rights (a “Customer Infringement Claim”). Customer will defend, indemnify, and hold harmless at its expense, any third-party claim, action or proceeding (including resulting liabilities, losses, damages, costs, and expenses finally awarded to an unaffiliated third party) against Chroma, and its Indemnitees, that any Customer technology related to this Agreement infringes, misappropriates, or violates a third-party’s proprietary rights (a “Chroma Infringement Claim”).
**10.2 Conditions to Indemnification**
As conditions to indemnification under this Section 10, the indemnified party must (i) notify the indemnifying party promptly in writing of the General Claim, Customer Infringement Claim, or Chroma Infringement Claim, as applicable, for which the indemnified party is seeking indemnification, (ii) grant the indemnifying party sole control over the defense and settlement of each General Claim, Customer Infringement Claim, or Chroma Infringement Claim, as applicable, and (iii) provide the indemnifying party with reasonable cooperation in response to such party’s requests for assistance. The indemnifying party may not settle or compromise a General Claim, Customer Infringement Claim, or Chroma Infringement Claim, as applicable, without the prior written consent of the indemnified party if such settlement includes an admission of liability on the part of the indemnified party.
## 11. Limitation of Liability
EXCEPT (A) WITH REGARD TO EITHER PARTY’S BREACH OF CONFIDENTIALITY OBLIGATIONS UNDER [SECTION 7](#confidentiality) (“CONFIDENTIALITY”), OR (B) TO THE EXTENT THAT AN AMOUNT IS INCLUDED IN A COURT AWARD OR SETTLEMENT RELATED TO EITHER PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 10 (“INDEMNIFICATION”), IN NO EVENT WILL EITHER PARTY BE LIABLE UNDER THIS AGREEMENT FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES (INCLUDING WITHOUT LIMITATION, LOST REVENUE, LOST PROFITS, LOSS OF INCOME, OR LOSS OF BUSINESS ADVANTAGE), WHETHER OR NOT FORESEEABLE, EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT WITH REGARD TO (A) EITHER PARTY’S BREACH OF CONFIDENTIALITY OBLIGATIONS UNDER [SECTION 5](#fees-payment-and-terms-audit) (“CONFIDENTIALITY”), OR (B) EITHER PARTY’S INDEMNIFICATION OBLIGATIONS UNDER [SECTION 8](#term-and-termination) (“INDEMNIFICATION”), IN NO EVENT WILL EITHER PARTY’S CUMULATIVE AND AGGREGATE LIABILITY UNDER THIS AGREEMENT EXCEED THE AMOUNTS PAID BY CUSTOMER UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE FIRST DATE ON WHICH LIABILITY AROSE. THESE LIMITATIONS OF LIABILITY WILL REMAIN IN FULL FORCE AND EFFECT, REGARDLESS OF WHETHER EITHER PARTY’S REMEDIES HEREUNDER ARE DETERMINED TO HAVE FAILED OF THEIR ESSENTIAL PURPOSE. THE ABOVE LIMITATIONS WILL NOT, HOWEVER, LIMIT CUSTOMER’S PAYMENT OBLIGATIONS UNDER THIS AGREEMENT.
## 12. General
**12.1 Subcontractors**
Chroma may engage third parties to furnish services in connection with Services or Support, provided that such third parties have executed appropriate confidentiality agreements with Chroma. In addition, Services and Support may be performed by Affiliates of Chroma. No engagement by Chroma of a subcontractor or an Affiliate will relieve Chroma of any of its obligations under this Agreement and Chroma shall be fully responsible for the actions or omissions of such subcontractor as they relate to the subject matter of this Agreement.
**12.2 Assignment**
Neither party may assign this Agreement or any of its rights or obligations hereunder without the prior written consent of the other party, which shall not be unreasonably withheld, except that
- (i) either party may assign this Agreement or rights granted hereunder to its Affiliate without the consent of the other party, and
- (ii) the transfer of this Agreement, or rights granted hereunder, by Chroma to a successor entity in the event of a merger, corporate reorganization, or acquisition of all or substantially all the assets of a party shall not constitute an assignment for purposes of this Section 12.2.
Any attempted assignment or transfer in violation of this Section 12.2 shall be null and void.
**12.3 Governing Law and Venue**
This Agreement is governed by and will be construed in accordance with the laws of the State of California, without regard to conflict of law principles and the terms of this Section 12.3 apply. The parties acknowledge and agree that this Agreement relates solely to the performance of services (not the sale of goods) and, accordingly, will not be governed by the Uniform Commercial Code. In addition, the provisions of the Uniform Computerized Information Transaction Act and United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement. All Services and Support provided hereunder are “Commercial Items” as that term is defined in the Federal Acquisition Regulation (FAR) at 48 C.F.R. 2.101. Any legal action or proceeding arising under this Agreement will be brought exclusively in the state or federal courts located in San Francisco County, California, and the parties expressly consent to personal jurisdiction and venue therein.
**12.4 Independent Contractors**
The relationship between the parties established under this Agreement is that of independent contractors, and nothing in this Agreement or Subscription Orders shall be construed to create an employment, partnership, joint venture, or agency relationship between the parties.
**12.5 Notices**
All notices required or permitted under this Agreement must be in writing. Notices will be effective
- (a) upon delivery, if delivered in person or through use of a reputable courier or overnight delivery service, or
- (b) two (2) days after mailing, if sent by a form of certified mail.
Notices must be sent to the addresses set forth in applicable Subscription Orders. Notices to Chroma must additionally be sent to the attention of the Chroma Legal Department, 548 Market St #26384, San Francisco, CA 94104.
**12.6 Publicity**
Customer agrees that Chroma may reference and use Customer’s name and trademarks in Chroma marketing and promotional materials, including, but not limited to, a list of Chroma customers, the Chroma and/or Chromatic websites, or verbal reference, solely for purposes of identifying Customer as a customer of Chroma Services.
**12.7 Severability**
If any provision of this Agreement is held to be invalid or unenforceable, the remaining portions will remain in full force and effect and such provision will be enforced to the maximum extent possible so as to achieve the intent of the parties and will be reformed to the extent necessary to make such provision valid and enforceable.
**12.8 No Waiver**
The failure of a party to enforce any provision or exercise any right under this Agreement shall not constitute a waiver of such provision or right and shall not preclude such party from enforcing such provision or exercising such right at any later time.
**12.9 Force Majeure**
Except for the obligation to pay sums due hereunder, neither party will be liable to the other for any delay or failure to perform due to causes beyond its reasonable control.
**12.10 No Third Party Beneficiaries**
The terms of this Agreement are intended to be, and are solely for the benefit of, Chroma and Customer and do not create any right in favor of any third party.
**12.11 Compliance with Export and Other Laws**
Customer acknowledges that items provided hereunder are of United States origin, are provided subject to the U.S. Export Administration Regulations, and may be subject to other applicable national and international laws. Diversion or distribution contrary to applicable export control laws is prohibited. Customer represents that
- (1) it is not, and is not acting on behalf of,
- (a) any person who is a citizen, national, or resident of, or who is controlled by the government of any country to which the United States has prohibited export transactions, or
- (b) any person or entity listed on the U.S. Treasury Department list of Specially Designated Nationals and Blocked Persons or the U.S. Commerce Department’s Denied Persons List or Denied Entity List; and
- (2) it will not permit items delivered under this Agreement to be used for any purposes prohibited by law, including, but not limited to, any prohibited development, design, manufacture, or production of missiles or nuclear, chemical, or biological weapons.
Additionally, each of the parties agrees that it will not engage in any illegal, unfair, deceptive, or unethical business practices whatsoever, including, but not limited to, any act that would constitute a violation of the U.S. Foreign Corrupt Practices Act.
**12.12 Counterparts and Signatures**
Subscription Orders may be executed in counterparts, each of which shall be deemed an original and all of which, when taken together, shall constitute one and the same instrument. Facsimile and electronic copies of signatures shall have the same effect as originals. If a party elects to sign Subscription Orders electronically, it expressly acknowledges and agrees that such electronic signature is the legal equivalent of, and has the same force and effect as, a manual signature.
**12.13 Entire Agreement**
This Agreement, together with any Subscription Orders, constitutes the entire agreement between the parties concerning the subject matter hereof. Any additional or conflicting terms contained in subscription orders issued by Customer with respect to Services or Support provided hereunder are hereby expressly rejected and shall have no force or effect on the terms of this Agreement or any Subscription Order. This Agreement supersedes all prior or contemporaneous discussions, proposals, and agreements between the parties, whether written or oral, relating to the subject matter hereof. No amendment, modification, or waiver of any provision of this Agreement will be effective unless in writing and signed by both parties.
**12.14 Precedence**
In the event of a conflict between the terms of any Subscription Order and the terms of this Agreement, the terms of the Subscription Order shall control but
- (a) only with respect to the specific Services or Support purchased under such Subscription Order, and
- (b) only if the Subscription Order specifically references the conflicting provision(s) of this Agreement with the intention to supersede such provision(s).
---
---
title: Access control
description: Learn how to control who has access to your Chromatic project
sidebar: { order: 2 }
---
# Access control
Learn how to manage access to your Chromatic account and projects.
## Authentication
Sign in to Chromatic via OAuth, email, or SSO.
#### OAuth
Chromatic supports the cloud versions of GitHub, GitLab, or Bitbucket on our [self-serve plans](https://www.chromatic.com/pricing).
If you use the on-premise or self-managed versions of GitHub, GitLab, or Bitbucket, we can support you via our [enterprise plan](https://www.chromatic.com/pricing). We recommend trialing Chromatic first by following these [instructions](/docs/faq/chromatic-sso-on-premises-other-git).
What OAuth scopes does Chromatic request?
Depending on your Git provider, Chromatic will request a set of OAuth scopes when you first sign in. Chromatic uses these permissions to enumerate your list of repositories, set PR statuses, and retrieve users for assignment to review. Chromatic will never read/write source code.
| Git provider | OAuth Scopes |
| ---------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| [GitHub](https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes) | `['user:email', 'read:user', 'read:org', 'repo:status']` |
| [GitLab](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#limiting-scopes-of-a-personal-access-token) | `['api']` |
| [Bitbucket](https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html#OAuthonBitbucketCloud-Scopes) | `['account', 'repository', 'pullrequest', 'webhook']` |
What do you need to link a project to a Git provider repository?
To link a project to a Git provider repository, you need:
- Membership in the organization that owns the repository.
- Write access to the repository, via one of the following roles:
| Git provider | Role |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------- |
| [GitHub](https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#repository-roles-for-organizations) | `write`, `maintain`, or `admin` |
| [GitLab](https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions) | `developer`, `maintainer`, or `owner` |
| [Bitbucket](https://support.atlassian.com/bitbucket-cloud/docs/grant-repository-access-to-users-and-groups/) | `admin`, or `write` |
What permissions does the GitHub App request?
Chromatic's GitHub App enables [UI Review](/docs/review) for pull requests. We need additional permissions to access pull request information and add PR checks.
- ✅ Read access to metadata
- ✅ Read and write access to checks and pull requests
- ✅ Read access to organization members (for collaborators)
- 🔒 We do not request access to your code
ℹ️ We recommend teams create a Chromatic “bot” or IT Service Account user on your Git provider. You can grant write permissions to that account for the repositories you want to link to Chromatic projects. This way, tokens aren’t tied to an individual user. And if a token expires, it’s straightforward for anyone on the team to validate a new one.
Does Chromatic access my source code?
No, Chromatic only uses the static Storybook build or Storybook source code (if the static build is not being used). The static build refers to a static web application that is generated from your Storybook that can be hosted by any web server.
**For unlinked projects:** Chromatic does not have access to your Git provider.
**For linked projects:** Chromatic requests data from your git provider without accessing your source code.
For GitHub, Chromatic only has access to repository metadata and merge request information.
However, GitLab and Bitbucket don't offer repository metadata and merge request information without full API access. Therefore, Chromatic has permission to access the source code on GitLab, but it doesn't actually access it.
How do I request access from my GitHub organization admin?
Chromatic requests the minimum permissions needed to use the tool. With GitHub, we request permissions for the OAuth app and the GitHub App separately. This allows organizations to expand permissions incrementally as they use more features.
If your GitHub organization requires an admin to approve apps, you'll need to request access inside of Chromatic and track the status of each request inside of GitHub using the links below.
1. **Chromatic OAuth app**: Enables GitHub sign-in. Track your access request [here](https://github.com/settings/connections/applications/495b5c3cb5ae140436a0).
2. **Chromatic.com app**: Enables [UI Review](/docs/review). Track your access request [here](https://github.com/apps/chromatic-com).
Does Chromatic support custom GitHub roles?
**No, Chromatic doesn't support custom GitHub roles.**
Chromatic only receives the role name from GitHub, not the specific permissions associated with it. Custom role names prevent Chromatic from accurately determining permissions.
Is my forked repository subject to access restrictions?
When you have a fork of a private, organization-owned repository, that forked repository is subject to that organization's access restrictions. For example, `org1/my-repo` is the original repository and you fork it to `org2/my-repo`. In this situation, the owners of the original repo `org1/my-repo` would need to approve Chromatic's OAuth App on their end. Once they do, you'll be able to use the forked repo `org2/my-repo` with Chromatic.
#### Email
Email and password authentication is available on all accounts. It's a popular authentication method for [external collaborators](/docs/collaborators#external-collaborators) like designers, PMs, and other stakeholders.
If you're setting up Chromatic for your team as the account owner or administrator, there are some boundaries to be aware of:
- Email accounts can use Chromatic as normal
- [Collaborators](/docs/collaborators) are manually managed
- [Pull request checks](/docs/ci#pull-request-checks) are manually set up via your CI system
We recommend signing up with email for projects that **are not** on GitHub, Bitbucket, or GitLab. For example, projects on services like Azure DevOps, AWS, etc. Read the setup instructions for these types of projects [here](/docs/faq/chromatic-sso-on-premises-other-git).
#### Single Sign-On (SSO)
Single Sign-On (SSO) is available to enterprise customers. To sign in, make sure to navigate to your team's custom Chromatic URL, for example, `mycompany.chromatic.com`.
If you don't know the Chromatic URL for your team, you may need to ask the account or project owner.
What SSO providers are supported?
OneLogin, Okta, Google Workspace, PingOne, Keycloak, SimpleSAMLphp-based Identity Providers, and Active Directory Federation Services.
If your provider is not on the list, please reach out to us at support@chromatic.com or use our **in-app chat**, and we will determine if it is possible to integrate with it.
How do you log in with SSO?
Once SSO is enabled, you have two primary ways to log in:
1. **Direct subdomain link:** If a subdomain is enabled, the most straightforward method is to use your organization's unique login URL: `https://{YOUR-SUBDOMAIN}.chromatic.com/start`
2. **SSO provider dashboard:** Simply find and click the Chromatic application tile, and you'll be redirected and logged in automatically.
If you're having trouble logging in:
1. Ensure your user has been provisioned to the Chromatic application within your SSO provider. Confirm your user group has the necessary permissions.
2. Double-check that you are using the correct subdomain in the login URL. It must exactly match the one assigned to your organization.
3. Login issues are often caused by stale cookies or cached data. Try clearing your browser's cache and cookies or using a private/incognito window to log in.
4. If your organization has enabled IP restrictions, ensure you are connected to your corporate network (e.g., via a VPN) as required by your company's policy.
5. If your organization limits access by domain and you use a different email domain than your colleagues (e.g., you're a contractor), ask your team to issue you an email address on an approved domain or contact us to add your current domain to the company's allow list.
How do I update the SSO certificate?
The fastest and most reliable method is to provide a metadata URL from your Identity Provider (IdP). This is typically a secure link found in your IdP's admin console.
If your provider does not support a metadata URL, please send a new certificate to [priority-support@chromatic.com](mailto:priority-support@chromatic.com) to schedule the change. This ensures a smooth transition and prevents authentication downtime for your users. Please include the following in your request:
1. The specific date, time, and timezone for the update.
2. A PEM-encoded X.509 certificate in one of these supported formats:
   - `.pem`
   - `.key`
   - `.crt`
   - `.cer`
   - `.cert`
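The accepted extensions include `.key`, which many tools also use for private keys, so it is worth confirming that the file you are about to email contains only a certificate. The following pre-send check is an added example, not Chromatic code: `inspect_pem`, `make_pem` and the sample data are constructed for illustration, and the check looks only at the PEM block labels and the outer DER tag without validating the certificate itself.

```python
import base64
import binascii
import hashlib
import re

# One PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)


def inspect_pem(text):
    """Classify every PEM block in `text`; report whether it holds certificates only."""
    fingerprints, problems = [], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM block found (empty or DER-encoded file?)")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
            problems.append(f"contains secret material: {label}")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("certificate body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
            problems.append("certificate body is not a DER SEQUENCE")
            continue
        # SHA-256 over the DER bytes, formatted as colon-separated hex pairs.
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return {
        "sha256_fingerprints": fingerprints,
        "problems": problems,
        "safe_to_send": bool(fingerprints) and not problems,
    }


def make_pem(label, der):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample data: a 5-byte DER SEQUENCE, NOT a real certificate or key.
CONSTRUCTED_DER = bytes.fromhex("3003020101")
CERT_ONLY = make_pem("CERTIFICATE", CONSTRUCTED_DER)
CERT_PLUS_KEY = CERT_ONLY + make_pem("PRIVATE KEY", CONSTRUCTED_DER)

if __name__ == "__main__":
    for name, text in [("cert only", CERT_ONLY), ("cert + key", CERT_PLUS_KEY)]:
        print(name, inspect_pem(text))
```

The fingerprint it reports can be compared with the one shown for the signing certificate in your IdP's admin console before the file leaves your machine.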
How are roles managed with SCIM?
SCIM (System for Cross-domain Identity Management) enables automatic user provisioning. After SSO is configured, SCIM allows you to add/remove users and manage roles directly from your IdP.
You must configure groups in your IdP that correspond to Chromatic's four roles: `Owner`, `Developer`, `Reviewer`, and `Viewer`. The groups must contain a `roles` or `role` attribute with values "owner", "developer", "reviewer", or "viewer" for Chromatic to recognize them properly.
Can roles be set differently for different projects?
No, SCIM currently sets standard roles across all projects; project-specific role assignment is not supported.
## Organizations
A Chromatic organization mirrors its counterpart GitHub Organization, Bitbucket Group, or GitLab Team. Open the account menu to swap between organizations or add a new organization.

## Projects
There are two types of Chromatic projects: linked and unlinked.
#### Linked projects
Linked projects are associated with a repository on GitHub, Bitbucket, or GitLab. That allows Chromatic to [sync collaborators](/docs/collaborators#project-collaborators), badge pull requests, get pull request metadata for [UI Review](/docs/review), and keep track of [UI Test](/docs) baselines.
By creating a linked project in Chromatic, you automatically have at your disposal:
- [Collaborators](/docs/collaborators) synced automatically based on your Git provider.
- The [visibility](/docs/collaborators#visibility) of your published Storybook will be synced with the visibility of your GitHub repository.
- UI test notifications are enabled via automated webhooks for third-party integrations.
- Automated PR badging is configured automatically via [OAuth permissions](#what-permissions-does-the-github-app-request) granted by the Git provider.
- Chromatic's GitHub App provides a faster UI review process and PR metadata retrieval.
- Improved handling of [rebasing](/docs/branching-and-baselines) and squash & merge commit strategies enabled with Chromatic's GitHub App.
You can link a project during the project creation process or afterward on the project's Manage page within the Collaborators tab.
Why is my linked project showing up as unknown?
If you encounter an `unknown` project, this means Chromatic can no longer connect it to your Git repository.
To refresh the Git access token and reconnect the `unknown` project, ask one of the account owners to log out and log back in to Chromatic.
Alternatively, replace the Git token from the `Configure` tab on the `Manage` page of your project.
My token is missing or invalid
In the Project's Manage tab, you may see that your repository details couldn't be synced due to the token. This typically occurs for one of two reasons:
1. For **GitHub**, an access token is required when you first set up your project to link Chromatic to your repository. If this step wasn’t completed, the token will be missing.
2. Tokens can expire or be deleted on your Git provider’s side, which revokes their permissions.
Another team member can **replace** the token, or you can **unlink** and relink the repository to fix the issue.
If this doesn’t help, contact us at support@chromatic.com or via our in-app live chat.
If [IP restrictions](/docs/faq/allowlist-ips-for-git-providers) are set on your Git provider account but you haven’t added Chromatic’s IPs to the allowlist, the token may show as **invalid** or **missing** too. Setting the IPs will resolve this specific case.
Why am I getting a `Could not retrieve repository ID` error when trying to link a repository?
If your project is part of an organization, you need to have [your access request](#how-do-i-request-access-from-my-github-organization-admin) approved by an admin at the organization level.
Approval from a repository-level admin alone will not be sufficient. The actual scopes that Chromatic requires are listed [here](#what-oauth-scopes-does-chromatic-request).
How do I migrate from one Git provider to another (e.g., GitLab → GitHub)?
**For linked accounts**
To migrate your Chromatic projects to the new Git provider:
1. Connect your user account to the new Git provider via the [Profile page](https://www.chromatic.com/profile). Under “Connected accounts,” link your new Git provider. Ensure that everyone on your team does the same. _Warning:_ do not disconnect the old Git provider yet since you may lose access.
2. In the upper-right corner of the dashboard, open the menu and click "Add" to create a new Chromatic organization account for your new Git provider. You'll now see both accounts in that list, each linked to different Git providers.
3. Unlink all existing projects from the old Git provider through the `Manage` tab.
4. Then link all projects to repositories from the new Git provider. Note that projects will automatically move to the new Chromatic organization level account.
If you have a paid account, use our in-app chat to get in touch, or email us at support@chromatic.com to move your subscription to the new Chromatic entity.
**For unlinked accounts**
Follow steps 1, 3, and 4 from the guide above, but you don't need to create a new Chromatic organization level account.
**Important**
Connecting one Chromatic entity to multiple Git providers is not yet supported.
#### Unlinked projects
An unlinked project is perfect for teams that self-host Git or have enterprise Git providers (that aren't on Chromatic's enterprise plan). Unlinked projects still require Git; they are just not linked to a repository on GitHub, Bitbucket, or GitLab. They do not automatically [sync collaborators](/docs/collaborators#project-collaborators) or badge pull requests.
The characteristics of an unlinked project include:
- Your code is in a local or self-hosted repository.
- You're using an email/password account OR a personal OAuth account.
- Chromatic runs as a [CI-only](/docs/ci) job.
- Collaborators are [manually managed](/docs/collaborators#external-collaborators) via an invite list.
- PR badging is manually configured in your CI provider.
- Notifications are manually set up via Chromatic's [custom webhooks](/docs/integrations#custom-webhooks).
Learn how to create an unlinked project [here](/docs/faq/chromatic-sso-on-premises-other-git).
---
### Troubleshooting
How do I create an unlinked project on my existing GitHub, Bitbucket, or GitLab account?
- ❌ You can't create unlinked projects on GitHub org, Bitbucket workspace, or GitLab group connected accounts.
- ✅ You can create unlinked projects on personal GitHub, Bitbucket, or GitLab accounts.
- ✅ You can create unlinked projects on email/password accounts.
If your account is currently connected to a GitHub org, Bitbucket workspace, or GitLab group, you'll need to create a new email/password account to set up an unlinked project. Your teammates can access this account by sharing credentials (for example, with a password manager).
To share billing between an existing connected account and an email/password account, message us via in-app chat.
How do I link a project to a Git provider using my email/password account?
Email accounts are not connected to a Git provider by default. This means you can only create [unlinked projects](#unlinked-projects).
Follow these instructions to link your project to a Git provider:
1. Go to your profile (`/profile`) and connect to your Git provider.
2. Go to the project's Manage page » Collaborate tab.
3. Click to "sync collaborators with a Git repository".
This connects your Chromatic email/password account with your Git provider account, allowing you to set up a [linked project](#linked-projects).
Note: Your personal account must have access to the repository in order to connect in Chromatic. You may need to ask an administrator to grant you additional permissions.
How do I link my project to GitHub Enterprise Server or GitLab self-managed?
For Enterprise plans, we support connecting on-premise versions of GitHub Enterprise and GitLab. Please reach out to us via Support to get access.
You also need to have some information from your Git provider setup ready:
1. The URL to your Git provider (e.g. https://chromatic.github.com, https://gitlab.custom.com)
2. The name of your repository (e.g. chromatic/ux)
3. Access token (see docs for [GitHub](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) and [GitLab](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html))
The docs for creating an access token for each Git provider are linked in item 3. When you create your token, please ensure that you enable the proper scopes.
| Git provider | Permission Scopes |
| ------------ | -------------------------------------------------------- |
| GitHub | `['user:email', 'read:user', 'read:org', 'repo:status']` |
| GitLab | `['api']` |
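Both this table and the one under "What OAuth scopes does Chromatic request?" list exact scopes, so a token can be checked against them before it is pasted into Chromatic. The audit below is an added example, not Chromatic code: it takes the scope list a provider reports for a token (GitHub returns it in the `X-OAuth-Scopes` response header for classic tokens) and flags missing scopes as well as broader ones such as `repo`, which satisfies `repo:status` but also grants access to code. The function names and sample scope strings are constructed for illustration.

```python
"""Audit a Git provider token against the scopes Chromatic documents."""

# Required scopes, copied from the tables on this page.
REQUIRED = {
    "github": {"user:email", "read:user", "read:org", "repo:status"},
    "gitlab": {"api"},
    "bitbucket": {"account", "repository", "pullrequest", "webhook"},
}

# GitHub classic-token hierarchy: holding the key scope also grants the listed
# child scopes. Only parents of the required scopes are modelled here.
GITHUB_IMPLIES = {
    "repo": {"repo:status"},
    "user": {"read:user", "user:email"},
    "write:org": {"read:org"},
    "admin:org": {"read:org"},
}


def parse_scopes(raw):
    """Accept 'a, b, c' (X-OAuth-Scopes style) or a space-separated list."""
    return set(raw.replace(",", " ").split())


def audit(provider, raw_scopes):
    """Compare a token's granted scopes with the documented requirement."""
    granted = parse_scopes(raw_scopes)
    required = REQUIRED[provider]
    implies = GITHUB_IMPLIES if provider == "github" else {}

    # Everything the token can actually do, including implied child scopes.
    effective = set(granted)
    for scope in granted:
        effective |= implies.get(scope, set())

    missing = sorted(required - effective)
    excess = sorted(granted - required)
    # For each over-broad parent, name the narrower scopes it stands in for.
    narrow = {s: sorted(implies[s] & required) for s in excess if s in implies}
    return {
        "missing": missing,
        "excess": excess,
        "narrow": narrow,
        "ok": not missing and not excess,
    }


# Constructed sample inputs (not real tokens or captured headers).
SAMPLES = [
    ("github", "read:org, read:user, repo:status, user:email"),
    ("github", "repo, user, read:org"),
    ("github", "read:user user:email"),
    ("gitlab", "read_api, read_repository"),
]

if __name__ == "__main__":
    for provider, scopes in SAMPLES:
        print(provider, repr(scopes), audit(provider, scopes))
```

A result with an empty `missing` list but a non-empty `excess` list means the link will work, yet the token carries more privilege than the integration needs; `narrow` names the scopes to request instead.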
Once you have access and the prerequisite details, follow these instructions to link your project to GitHub Enterprise Server or GitLab self-managed:
1. Go to the manage (`/manage`) page for the app that you want to connect.
2. Click the Configure tab.
3. In the Connected Application section, find the "Sync project with a Git repository" area and click "Add on-prem Git Provider" to enter the details for your repository.
If your organization restricts IP addresses for git access, make sure to [add Chromatic's IP addresses to the allow list](/docs/faq/allowlist-ips-for-git-providers/#my-organization-restricts-ip-addresses-for-git-access-should-i-add-chromatic-to-the-allowlist).
Why am I getting an error when trying to access a GitHub SSO project that I see listed in Chromatic’s project list?
This error can occur when Chromatic isn’t authorized for a GitHub organization that has SSO/SAML also configured. In order to grant access to a project, Chromatic uses that project’s token and your account’s GitHub token. During the login process for Chromatic you authenticate with GitHub and will be presented with a prompt inside of GitHub to authorize Chromatic for use in your organization.
You must click the **Authorize** button. If you don’t click the **Authorize** button, but instead click the **Continue** button, you will not be able to access the project in Chromatic. If the person that set up the project previously logged into Chromatic with their GitHub credential but never authorized Chromatic for their organization, their teammates will also encounter this issue.
---
---
title: Collaborators
description: Learn how to add and manage collaborators
sidebar: { order: 3 }
---
# Collaborators
Chromatic keeps track of UI feedback and tests in one place so that collaborators stay aligned without you having to do extra work.
## Organization collaborators
Manage organization collaborators via OAuth, email, or SSO.
#### OAuth
Chromatic mirrors access permissions with your GitHub Organization, Bitbucket Group, or GitLab Team. Users who have access to your organization will also have access to your Chromatic organization.
| Permission level | What collaborators can do |
| ---------------------- | --------------------------------------------------- |
| Organization: `member` | View / change account settings, view / add projects |
Organization collaborators can manage billing and account status but may not have access to projects. You need to be a [project collaborator](#project-collaborators) to view and manage projects.
Go to your organization's Settings page to view collaborators.

#### Email
Email and password accounts don't have the concept of organization-level collaborators. If you want other teammates to access an account, you'll need to sync the account with a [Git provider](#organization-collaborators) or share login credentials (for example, via a password manager).
However, projects _within_ an organization do support [project-level collaborators](#project-collaborators).
#### Single Sign-On (SSO) for organizations
Single Sign-On (SSO) is available to enterprise customers. Chromatic syncs access permissions with your SSO provider. At the organization-level, contact us via in-app chat or email to manage or remove collaborators.
When you add collaborators in your SSO provider, that access will be reflected in Chromatic automatically.
### Billing and usage
Collaborate on billing, usage, and permissions by syncing your organization with GitHub, Bitbucket, or GitLab.
For email and password accounts, only the account owner can log in to access billing information. For SSO accounts, contact your company's SSO administrator to manage billing.
How can I give someone billing access?
If you have an email/password user account (not linked to Git) and need access to billing, please email us at **support@chromatic.com** with your email address.
## Project collaborators
#### OAuth
Chromatic syncs access permissions with your GitHub, Bitbucket, or GitLab repository. Users who have access to your code will also have access to your project.
| Permission level | What collaborators can do |
| ---------------- | --------------------------------------------------------------------- |
| Repo: `read` | View project, auto-assigned the [Viewer](#roles) role |
| Repo: `write` | Review and manage project, auto-assigned the [Developer](#roles) role |
If your project is hosted in Bitbucket, ensure that you and your team members have the contributor role.
Project collaborators can view and manage the project based on their [role](#roles). Go to your project's Manage page to view collaborators and assign roles.

You can add or remove a collaborator by adjusting their access in your Git repository. The permission changes in your upstream repository are mirrored downstream in Chromatic.
Manually override the mirrored permissions by adjusting collaborator [roles](#roles) or [inviting external collaborators](#external-collaborators) on an ad hoc basis.

#### Email
If you signed up via email and password, Chromatic won't have a Git repo to sync with. You'll need to manage project collaborators manually via external collaborators [below](#external-collaborators).
#### Single Sign-On (SSO) for projects
Chromatic syncs access permissions with your SSO provider. At the project-level, all collaborators who have access via SSO will also get access to every Chromatic project within your organization's account.
When you add or remove collaborators in your SSO provider, that access will be reflected in Chromatic automatically.
### External collaborators
Projects can also have external collaborators. These are stakeholders like PMs, designers, and consultants who don't commit code but contribute to the sign-off process. They can also be fellow developers who don't have repo access or use a different Git provider.
External collaborators are added and removed manually. Once they create an account, they'll get access to your project. There are two ways to add collaborators:
- Invite link: Share a URL with stakeholders. They are auto-assigned a `developer` role.
- Invite email: Send individual invites via email. You can fine-tune roles before sending.

#### Limitations of external collaborator accounts
External collaborator accounts cannot link the project to a repository on GitHub, Bitbucket, or GitLab.
How can I invite external collaborators to my SAML account?
SAML accounts do not directly support **external collaborators**. However, we have an allowlist of email domains that can access Chromatic with SSO.
We can add any email domain to the allowlist, as long as it is not a generic email address with `@gmail` or `@yahoo`. For example, if you have a contractor with an email like `person@storybook.org`, we can add `storybook.org` to the allowlist for your SAML account.
Many companies add contractors as external users by creating specific domains for them, such as `person@chromatic-ext.com`, and then adding `chromatic-ext.com` to the allowlist.
Send us the list of external collaborators via our **in-app chat** or email us at [support@chromatic.com](mailto:support@chromatic.com).
### Roles
Roles give you fine-grained control over who can do what. There are four roles that can be assigned to any collaborator.
Each project has a unique set of roles that are managed by the project owner. For example, you can be a "developer" in one project and a "viewer" in another.
| Role | What you can do |
| ------------------- | -------------------------------------------------------------------------------------------------------------- |
| Owner | Can manage, delete the project, and manage/assign roles to collaborators. |
| Developer (default) | Can manage the project, review tests, approve PRs, and assign reviewers. Cannot assign roles to collaborators. |
| Reviewer | Can leave comments, review tests, and approve PRs they're assigned to. Cannot assign others or self-approve. |
| Viewer | Read-only access to the project. |
#### Project ownership
Projects must have at least one owner. The `owner` role is automatically assigned to the first user in a Chromatic project.
Transfer ownership by assigning another collaborator as an owner and then reassigning yourself another role.
#### View your role
Go to your project's Manage page to view your role and its capabilities.

#### Roles for open source projects
Open source projects are viewable by all users, even those who aren't listed as collaborators or don't have a Chromatic account. But in order to manage or review the open source project, collaborators must have explicit access and the corresponding role.
#### Roles for Single Sign-On (SSO)
Chromatic syncs collaborators with your SSO provider. All collaborators are granted `developer` capabilities.
### Visibility
By default, published Storybooks on Chromatic are private. They can only be accessed by collaborators who are signed in to Chromatic and have permission to view components and builds.
However, published Storybooks for [linked projects](/docs/access#linked-projects) with public repositories will be set to public.
When you set Storybook visibility to public, it will be accessible to visitors without signing in. Anyone with a link can access it. Your private information like Chromatic library, tests, settings, Git provider, and any associated metadata will remain private. A public Storybook only shares information that is contained in that Storybook.

---
### Troubleshooting
Why can't my teammates access a project?
Chromatic syncs permissions at the account _and_ repo level. Check that your teammates are listed as collaborators in your GitHub, GitLab, or Bitbucket repository.
If they aren't listed, please add them and try accessing the Chromatic project again (you may have to sign in again). Learn more about [access control](/docs/access).
---
---
title: Composition
description: Learn to combine Storybooks through composition
sidebar: { order: 8 }
---
# Storybook Composition
Chromatic publishes your Storybook to a secure CDN. That means you can combine published Storybooks with your local Storybook using [Composition](https://storybook.js.org/docs/sharing/storybook-composition).
Chromatic does not snapshot externally composed Storybooks for UI Tests or UI Review.
## Compose published Storybooks
Chromatic generates a [permalink](/docs/permalinks) for published Storybooks to use with Composition that includes:
- Versioned endpoints, URLs that resolve to different published Storybooks depending on a `version=x.y.z` query parameter (where `x.y.z` is the released version of the package).
- Support for `/stories.json`
- Support for `/metadata.json` and the `releases` field.
### Setup
In your local Storybook, add a `refs` key to [`.storybook/main.js|ts`](https://storybook.js.org/docs/configure#configure-story-rendering). Paste the permalink in the `url` field.
```ts title=".storybook/main.ts"
// Replace your-framework with the framework you are using, e.g. react-vite, nextjs, vue3-vite, etc.
import type { StorybookConfig } from "@storybook/your-framework";

const config: StorybookConfig = {
  framework: "@storybook/your-framework",
  stories: ["../src/**/*.stories.@(js|jsx|ts|tsx)"],
  refs: {
    // 👇 Upper-case characters not supported in the refs key
    "chromatic-published-storybook": {
      // The title of your Storybook
      title: "Design System",
      // The url provided by Chromatic when it was published
      url: "https://your-published-url.chromatic.com",
    },
  },
};

export default config;
```
When your local Storybook starts, it will auto-detect the `refs` and compose your published Storybook. You'll see both sets of stories side-by-side.

### Compose Storybook by branch or commit
Depending on your use case, you may want to compose Storybook using a [permalink](/docs/permalinks) to a branch or a commit.
#### Branch: `https://--.chromatic.com`
If you want your local Storybook to compose the latest Storybook on `main`, use the branch permalink. This is useful for folks who work on multiple Storybooks simultaneously.
- Building a component library in React and Vue at the same time
- Monorepos with multiple inter-connected Storybook projects
#### Commit: `https://--.chromatic.com`
If you want your local Storybook to compose a specific version of Storybook, use the commit permalink. This is useful for folks who depend on a fixed version of a component library package.
### Access control
Published Storybooks follow the [access rules](/docs/access) of your project. If you have a private project, you'll need to sign in to Chromatic (via Storybook's UI) to load the private Storybook.
---
## Package Composition
Design system and component library authors can automatically compose their Storybook inside their consumer’s Storybooks.
Add a `storybook` property in the `package.json`. Use the [permalink to a commit](#compose-storybook-by-branch-or-commit) in the `url` field.
```json
{
  "storybook": {
    "url": "https://your-published-url.chromatic.com"
  }
}
```
Once the package is installed and Storybook starts, it scans for external Storybooks referenced by your packages and loads them into the UI.
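Because package composition loads the URL that an installed dependency declares, it is useful to list those URLs before Storybook starts. The following is an added example, not Storybook's or Chromatic's code; the function names and the allowlist policy (https only, hosts ending in `.chromatic.com`) are assumptions, and the sample manifests are constructed.

```javascript
// Added example with hypothetical names; assumed policy: a composed Storybook
// must be served over https from an allowlisted host suffix.
const ALLOWED_HOST_SUFFIXES = [".chromatic.com"];

// Returns null if the manifest declares no storybook.url, else a finding.
function checkManifest(manifest, allowed = ALLOWED_HOST_SUFFIXES) {
  const url = manifest && manifest.storybook && manifest.storybook.url;
  if (url == null) return null;
  const finding = { name: manifest.name || "(unnamed)", url, ok: false, reason: "" };
  let parsed;
  try { parsed = new URL(String(url)); }
  catch { finding.reason = "not a valid absolute URL"; return finding; }
  if (parsed.protocol !== "https:") finding.reason = "scheme is not https";
  else if (parsed.username || parsed.password) finding.reason = "URL embeds credentials";
  else if (!allowed.some((suffix) => parsed.hostname.endsWith(suffix)))
    finding.reason = `host ${parsed.hostname} is not allowlisted`;
  else finding.ok = true;
  return finding;
}

// Audits every package under <root>/node_modules, @scope dirs included (assumed superset).
async function auditInstalledPackages(root) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  const base = path.join(root, "node_modules");
  const dirs = [];
  for (const entry of await fs.readdir(base)) {
    const full = path.join(base, entry);
    if (!entry.startsWith("@")) dirs.push(full);
    else for (const sub of await fs.readdir(full)) dirs.push(path.join(full, sub));
  }
  const findings = [];
  for (const dir of dirs) {
    try {
      const text = await fs.readFile(path.join(dir, "package.json"), "utf8");
      const finding = checkManifest(JSON.parse(text));
      if (finding) findings.push(finding);
    } catch { /* not a package directory, or unreadable manifest */ }
  }
  return findings;
}

// Constructed sample manifests (not real packages).
const SAMPLE = [
  { name: "design-system", storybook: { url: "https://your-published-url.chromatic.com" } },
  { name: "plain-http", storybook: { url: "http://your-published-url.chromatic.com" } },
  { name: "lookalike-host", storybook: { url: "https://chromatic.com.example.net/" } },
];
const sampleFindings = () => SAMPLE.map((m) => checkManifest(m)).filter(Boolean);
```

Run `auditInstalledPackages(process.cwd())` from the project root and review every finding where `ok` is `false` before starting Storybook.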
### Versioning
Chromatic supports automatic versioning for the following Git providers.
| Git provider | Support |
| --------------------------------------------------- | ---------------------------------------- |
| GitHub | Public projects only via GitHub Releases |
| GitLab | Public and private projects |
| Bitbucket | Not supported |
| [Unlinked projects](/docs/access#unlinked-projects) | Not supported |
How to manually query for versions?
If automatic versioning isn't supported for your Git provider, you can still get version information by manually updating your `package.json` with the permalink of the current published Storybook (e.g. `https://--.chromatic.com`).
Use the `/metadata.json` endpoint to get additional information about the deployed Storybook version. It will output a response similar to the example below:
```json
{
  "versions": {
    "v0.1.1": "https://your-published-url.chromatic.com"
  }
}
```
---
### Resources
- [Storybook composition](https://storybook.js.org/docs/sharing/storybook-composition)
- [Package composition with Storybook](https://storybook.js.org/docs/sharing/package-composition)
---
---
title: Embed stories
description: Embed your Storybook on Medium, Notion, and other platforms
sidebar: { order: 9, label: Embed }
---
# Embed stories
Embed stories published to Chromatic in Medium articles, Notion pages, and countless other platforms.
Before we begin, you'll need to figure out which embed format your platform supports: oEmbed or standard `