GoDaddy - DATA PROCESSING ADDENDUM

Last Revised: 10/10/2023

This Data Processing Addendum (the “Addendum”) is executed by and between you (“Customer”) and the GoDaddy entity that is a party to the Universal Terms of Service, and any other agreements between you and GoDaddy (collectively, the "Agreement"). GoDaddy and Customer are referred to herein, individually, as a "Party", and collectively as the "Parties". This DPA is effective as of the effective date of the Agreement ("Effective Date") and governs all Processing of Customer Personal Data under the Agreement.

1. Definitions. Unless otherwise defined in applicable Data Protection Laws (as defined below), the capitalized terms listed in this Section have the following meanings:

1.1 “Affiliate” means any entity that controls or is under common control with a Party. “Control” means direct or indirect ownership or control of fifty percent (50%) or more of the voting interests of an entity.

1.2. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Customer Personal Data under the Agreement.

1.3 “Customer Personal Data” means any Personal Data (as defined below) processed by GoDaddy on Customer’s behalf in connection with Customer’s use of the Services. Customer Personal Data does not include GoDaddy Data.

1.4 “Data Protection Law” means any law or regulation applicable to processing of Customer Personal Data under the Agreement.

1.5 “Data Subject” means an identified or identifiable natural person to whom specific Personal Data relates.

1.6 “De-Identified Data” means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a specific Data Subject.

1.7 “GoDaddy Data” means (a) all information relating to GoDaddy’s business and delivery of the Services, including but not limited to Personal Data concerning Customer and its employees or representatives, (b) other data concerning or relating to Customer’s account, transaction history, use of the Services and identity verification, and (c) subject to any restrictions under any applicable Data Protection Laws, De-Identified Data.

1.8 “Personal Data” means information that relates to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information (“PII”) in any applicable Data Protection Laws. Personal Data does not include De-Identified Data.

1.9 "Processing” means any operation performed on Customer Personal Data, such as collection, use, storage, disclosure, analysis, deletion, or modification, whether by manual or automated means.

1.10 "Processor” means a natural or legal person, public authority, agency, or body that processes Customer Personal Data on behalf of a Controller under the Agreement.

1.11 “Sensitive Personal Data” means (a) social security number, passport number, driver’s license number, or similar identifier; (b) credit or debit card information, financial information, bank account numbers, or account passwords; (c) employment, financial, genetic, biometric, or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or orientation; (e) account passwords, mother’s maiden name, date of birth, and other similar information used to authenticate a user’s identity; (f) criminal history; (g) biometric data used to identify a specific person (e.g., fingerprints); or (h) any other information or combination of information that falls within the definitions of “special categories of data” under any applicable Data Protection Law.

1.12 "Services” means the products or services that GoDaddy has agreed to provide pursuant to the Agreement that involve processing of Customer Personal Data.

1.13 “Subprocessor” means any natural or legal person, public authority, agency, or body with whom GoDaddy contracts to process Customer Personal Data.

1.14 “Transfer” means (a) transfer of Customer Personal Data from Controller to Processor, whether by physical transfer or by granting access to Customer Personal Data held or otherwise controlled by Controller or (b) an onward transfer of Customer Personal Data from a Processor to a Subprocessor (and any subsequent onward transfer by a Subprocessor to another Subprocessor).

2. Scope of Data Processing and Relationship of Parties

2.1 Customer as Controller or Processor

2.1.1 Where Customer is a Controller, Customer (a) is solely responsible for determining the purposes and means of processing Customer Personal Data, (b) has all necessary authority, grounds, rights, and permissions to provide Customer Personal Data to GoDaddy, and (c) will comply with its obligations as a Controller under applicable Data Protection Laws.

2.1.2 Where Customer is a Processor, Customer (a) is solely responsible for complying with its agreement(s) with the data Controller(s) on whose behalf Customer is processing Customer Personal Data; (b) has all necessary permissions from the Controller to provide Customer Personal Data to GoDaddy, and (c) will comply with its obligations as a Processor under applicable Data Processing Laws.

2.2 GoDaddy as Processor or Subprocessor.

2.2.1 GoDaddy will take all steps reasonably necessary to enable Customer to comply with Customer’s obligations as a Controller and/or Processor under the Data Protection Laws consistent with the character, nature, scope, and purpose of the Services provided by GoDaddy. For the avoidance of doubt, GoDaddy is not required to undertake any steps to alter or make GoDaddy's Services compliant for Customer’s specific use. Customer’s sole remedy in the event the Services are determined to be not compliant for Customer’s specific use is termination of any portion of the Agreement that relates to processing of Customer Personal Data.

2.2.2 GoDaddy will process Customer Personal Data only upon documented instructions for the limited and specific purposes described in the Agreement, this DPA, or as required by law.

2.2.3 GoDaddy will not sell, retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services.

2.2.4 GoDaddy will not Process Customer Personal Data outside of the Parties’ direct business relationship described in the Agreement and this DPA.

2.2.5 GoDaddy will not combine Customer Personal Data with any other data GoDaddy collects (directly or via any third party) other than as expressly permitted under the Agreement.

2.2.6 GoDaddy will stop all Processing and will notify Customer within three (3) business days if GoDaddy: (a) believes that a Customer instruction violates any applicable Data Processing Laws or (b) determines GoDaddy is unable to comply with any applicable Data Processing Laws or its obligations under this DPA.

2.3 Affiliates.

2.3.1 Customer Affiliates. For purposes of this DPA, any Personal Data provided to GoDaddy or GoDaddy's Affiliates by a Customer Affiliate for processing on Customer’s and/or Customer’s Affiliate’s behalf shall be deemed to be Customer Personal Data and to have been provided by Customer. Customer represents that it will take all measures reasonably necessary to ensure its Affiliates comply with all Customer obligations with respect to this DPA. Customer is responsible for its Affiliates’ compliance with all terms of this DPA.

2.3.2 GoDaddy Affiliates. For purposes of this DPA, any Customer Personal Data received by GoDaddy's Affiliates shall be deemed to have been received by GoDaddy. GoDaddy represents that it will take all measures reasonably necessary to ensure that its Affiliates comply with GoDaddy