GoDaddy - DATA PROCESSING ADDENDUM

Last Revised: 10/10/2023

This Data Processing Addendum (the “Addendum”) is executed by and between you (“Customer”) and the GoDaddy entity that is a party to the Universal Terms of Service, and any other agreements between you and GoDaddy (collectively, the "Agreement"). GoDaddy and Customer are referred to herein, individually, as a "Party", and collectively as the "Parties". This DPA is effective as of the effective date of the Agreement ("Effective Date") and governs all Processing of Customer Personal Data under the Agreement.

1. Definitions. Unless otherwise defined in applicable Data Protection Laws (as defined below), the capitalized terms listed in this Section have the following meanings:

1.1 “Affiliate” means any entity that controls or is under common control with a Party. “Control” means direct or indirect ownership or control of fifty percent (50%) or more of the voting interests of an entity.

1.2. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Customer Personal Data under the Agreement.

1.3 “Customer Personal Data” means any Personal Data (as defined below) processed by GoDaddy on Customer’s behalf in connection with Customer’s use of the Services. Customer Personal Data does not include GoDaddy Data.

1.4 “Data Protection Law” means any law or regulation applicable to processing of Customer Personal Data under the Agreement.

1.5 “Data Subject” means an identified or identifiable natural person to whom specific Personal Data relates.

1.6 “De-Identified Data” means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a specific Data Subject.

1.7 “GoDaddy Data” means (a) all information relating to GoDaddy’s business and delivery of the Services, including but not limited to Personal Data concerning Customer and its employees or representatives, (b) other data concerning or relating to Customer’s account, transaction history, use of the Services and identity verification, and (c) subject to any restrictions under any applicable Data Protection Laws, De-Identified Data.

1.8 “Personal Data” means information that relates to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information (“PII”) in any applicable Data Protection Laws. Personal Data does not include De-Identified Data.

1.9 "Processing” means any operation performed on Customer Personal Data, such as collection, use, storage, disclosure, analysis, deletion, or modification, whether by manual or automated means.

1.10 "Processor” means a natural or legal person, public authority, agency, or body that processes Customer Personal Data on behalf of a Controller under the Agreement.

1.11 “Sensitive Personal Data” means (a) social security number, passport number, driver’s license number, or similar identifier; (b) credit or debit card information, financial information, bank account numbers, or account passwords; (c) employment, financial, genetic, biometric, or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or orientation; (e) account passwords, mother’s maiden name, date of birth, and other similar information used to authenticate a user’s identity; (f) criminal history; (g) biometric data used to identify a specific person (e.g., fingerprints); or (h) any other information or combination of information that falls within the definitions of “special categories of data” under any applicable Data Protection Law.

1.12 "Services” means the products or services that GoDaddy has agreed to provide pursuant to the Agreement that involve processing of Customer Personal Data.

1.13 “Subprocessor” means any natural or legal person, public authority, agency, or body with whom GoDaddy contracts to process Customer Personal Data.

1.14 “Transfer” means (a) transfer of Customer Personal Data from Controller to Processor, whether by physical transfer or by granting access to Customer Personal Data held or otherwise controlled by Controller or (b) an onward transfer of Customer Personal Data from a Processor to a Subprocessor (and any subsequent onward transfer by a Subprocessor to another Subprocessor).

2. Scope of Data Processing and Relationship of Parties

2.1 Customer as Controller or Processor

2.1.1 Where Customer is a Controller, Customer (a) is solely responsible for determining the purposes and means of processing Customer Personal Data, (b) has all necessary authority, grounds, rights, and permissions to provide Customer Personal Data to GoDaddy, and (c) will comply with its obligations as a Controller under applicable Data Protection Laws.

2.1.2 Where Customer is a Processor, Customer (a) is solely responsible for complying with its agreement(s) with the data Controller(s) on whose behalf Customer is processing Customer Personal Data; (b) has all necessary permissions from the Controller to provide Customer Personal Data to GoDaddy, and (c) will comply with its obligations as a Processor under applicable Data Processing Laws.

2.2 GoDaddy as Processor or Subprocessor.

2.2.1 GoDaddy will take all steps reasonably necessary to enable Customer to comply with Customer’s obligations as a Controller and/or Processor under the Data Protection Laws consistent with the character, nature, scope, and purpose of the Services provided by GoDaddy. For the avoidance of doubt, GoDaddy is not required to undertake any steps to alter or make GoDaddy's Services compliant for Customer’s specific use. Customer’s sole