This Reseller Data Processing Addendum (“DPA”) forms part of the Agreement executed between GoDaddy.com, LLC (inclusive of its affiliated entities if contemplated under the Agreement) (“GoDaddy”) and you (“Reseller”) for the purpose of selling GoDaddy’s products and services (“Services”) through GoDaddy’s Reseller Program, and shall govern with regard to the processing of any Personal Information by Reseller on behalf of GoDaddy. Reseller enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its authorized affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. The terms “we”, “us” or “our” shall refer to GoDaddy. The terms “you”, “your”, or “Reseller” shall refer to any individual or entity who accepts this Agreement. Nothing in this Agreement shall be deemed to confer any third-party rights or benefits. This DPA shall become effective and binding as of the date of your electronic acceptance.
This DPA consists of two (2) distinct parts, which are applicable as explained below:
- Data Privacy and Security Standards and Requirements: Application of Data Privacy and Security Standards and Requirements. Applicable to all Resellers that have access to and process PII (as defined herein) within the nature and scope of their participation in the Reseller Program.
- Standard Contractual Clauses (and its Appendices 1 & 2): Application of Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses will not apply where the data is transferred in accordance with a recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA, such as the EU-US and Swiss-U.S. Privacy Shield Frameworks.
Data Privacy and Security SLA
1. Subject Matter and Scope
This Data Privacy and Security SLA (“Security SLA”) is attached and incorporated into the Agreement for the purpose of ensuring any PII (as defined below) collected or utilized by you is handled in a manner that is secure and otherwise in accordance with the terms of the Agreement, this Security SLA, and applicable laws and regulations.
2. Order of Precedence.
This Security SLA is incorporated into and forms part of the Agreement. For matters not addressed under this Security SLA, the terms of the Agreement apply. With respect to the rights and obligations of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this Security SLA, the terms of this Security SLA will control. In the event of a conflict between the terms of the Security SLA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
3. Personal Information.
- “PII” or “Personal Information,” shall mean information in any medium or form of any kind pertaining to an identified or identifiable natural person or household; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, Social Security number or other identification number, e-mail address, telephone number, financial profile, credit card information, driver’s license number, or other information that can be reasonably linked to a particular person, computer, or device (e.g., information collected via tracking technologies, such as IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Processing for the purposes of this DPA shall include collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, combining, restricting, erasing or destroying PII.
- GoDaddy discloses PII to You solely and exclusively for Your performance of the Services on GoDaddy's behalf and You may only process the PII for the limited and specific purpose(s) described in the Agreement and at our written instructions, and for no other purpose, including with regard to transfers of EU individuals’ PII outside of the European Union, unless required to do so by European Union or European Union Member State law (in which case you must immediately notify us before doing so, unless prohibited from informing us by law).
- You are prohibited from: (i) selling PII; (ii) retaining, using, or disclosing PII for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the PII outside of the Agreement between You and GoDaddy.
- You acknowledge and confirm that PII is not disclosed as consideration for any Services that are provided to GoDaddy under the Agreement. You must not sell any PII, as the term “sell” is defined under the California Consumer Privacy Act of 2018, as amended (“CCPA”), and You hereby certify that You understand the rules, requirements and definitions of the CCPA, and all restrictions in this DPA. You agree to refrain from taking any action that would cause any transfers of PII to or from You to qualify as “selling personal information” under the CCPA and any other applicable laws.
- You may only transfer PII relating to EU individuals to outside of the EU (or if such PII is already outside of the EU, to any third party also outside the EU), in compliance with the terms of this DPA and the requirements of Articles 44 to 49 of the GDPR (as defined below).
- You must immediately notify us at privacy@godaddy.com if, in your opinion, our instruction infringes any applicable data protection laws and regulations, including EU Data Protection Law (as defined below).
- You must treat all PII as strictly confidential, must inform all of your employees or approved agents engaged in processing the PII of the confidential nature of the PII, and must ensure that all such persons or parties have signed an appropriate confidentiality agreement to maintain the confidence of the PII.
- To the extent you receive, maintain, process or otherwise have access to PII in connection with the Reseller Program under the Agreement, you acknowledge and agree that you are responsible for maintaining appropriate organizational and security measures to protect such PII. You must protect and secure such PII in accordance with all applicable privacy and data protection laws, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”) and associated European Union Member State legislation or regulations (together “EU Data Protection Law”) and CCPA.
- The appropriate organizational and security measures referenced in Section 3.7 shall include as appropriate (but are not limited to):
  - Those measures listed below at Sections 3 and 4;
  - Measures to ensure that only authorized individuals for the purposes described in the Agreement can access the PII;
  - The pseudonymisation and encryption of the PII;
  - The ability to ensure continued confidentiality, integrity, availability and resilience of your processing systems and services;
  - The ability to restore the availability and access to PII in a timely manner;
  - A process for regularly testing, assessing, and evaluating the effectiveness of technical and or