GoDaddy - DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “DPA”) is executed by and between you (“Customer”) and the GoDaddy legal entity that is a party to the Universal Terms of Service and any other agreements between you and GoDaddy (collectively, the "Agreement"). GoDaddy and Customer are referred to herein, individually, as a "Party", and collectively as the "Parties". This DPA is effective as of the effective date of the Agreement ("Effective Date") and governs all Processing of Customer Personal Data under the Agreement.
1. Definitions. Unless otherwise defined in applicable Data Protection Laws (as defined below), the capitalized terms listed in this Section have the following meanings:
1.2 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Customer Personal Data under the Agreement.
1.3 “Customer Personal Data” means any Personal Data (as defined below) processed by GoDaddy on Customer’s behalf in connection with Customer’s use of the Services. Customer Personal Data does not include GoDaddy Data.
1.4 “Data Protection Law” means any law or regulation applicable to processing of Customer Personal Data under the Agreement.
1.5 “Data Subject” means an identified or identifiable natural person to whom specific Personal Data relates.
1.6 “De-Identified Data” means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a specific Data Subject.
1.7 “GoDaddy Data” means (a) all information relating to GoDaddy’s business and delivery of the Services, including but not limited to Personal Data concerning Customer and its employees or representatives, (b) other data concerning or relating to Customer’s account, transaction history, use of the Services and identity verification, and (c) subject to any restrictions under any applicable Data Protection Laws, De-Identified Data.
1.8 “Personal Data” means information that relates to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information (“PII”) in any applicable Data Protection Laws. Personal Data does not include De-Identified Data.
1.9 “Processor” means a natural or legal person, public authority, agency, or body that processes Customer Personal Data on behalf of a Controller under the Agreement.
1.10 “Processing” means any operation performed on Customer Personal Data, such as collection, use, storage, disclosure, analysis, deletion, or modification, whether by manual or automated means.
1.11 “Sensitive Personal Data” means (a) social security number, passport number, driver’s license number, or similar identifier; (b) credit or debit card information, financial information, bank account numbers, or account passwords; (c) employment, financial, genetic, biometric, or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or orientation; (e) account passwords, mother’s maiden name, date of birth, and other similar information used to authenticate a user’s identity; (f) criminal history; (g) biometric data used to identify a specific person (e.g., fingerprints); or (h) any other information or combination of information that falls within the definitions of “special categories of data” under any applicable Data Protection Law.
1.12 “Services” means the products or services that GoDaddy has agreed to provide pursuant to the Agreement that involve processing of Customer Personal Data.
1.13 “Subprocessor” means any natural or legal person, public authority, agency, or body with whom GoDaddy contracts to process Customer Personal Data.
1.14 “Transfer” means (a) transfer of Customer Personal Data from Controller to Processor, whether by physical transfer or by granting access to Customer Personal Data held or otherwise controlled by Controller or (b) an onward transfer of Customer Personal Data from a Processor to a Subprocessor (and any subsequent onward transfer by a Subprocessor to another Subprocessor).
2.1.2 Where Customer is a Processor, Customer (a) is solely responsible for complying with its agreement(s) with the data Controller(s) on whose behalf Customer is processing Customer Personal Data; (b) has all necessary permissions from the Controller to provide Customer Personal Data to GoDaddy, and (c) will comply with its obligations as a Processor under applicable Data Processing Laws.
2.1.3 Customer expressly acknowledges that GoDaddy is not responsible for determining which laws or regulations are applicable to Customer’s business. Customer is solely responsible for determining that the Services provided by GoDaddy and the terms of the Agreement and this DPA meet Customer’s business, contractual, and legal obligations. Customer also will ensure that Customer’s Processing instructions to GoDaddy do not violate any applicable Data Protection Laws.
2.2.2 GoDaddy will process Customer Personal Data only upon documented instructions for the limited and specific purposes described in the Agreement, this DPA, or as required by law.
2.2.3 GoDaddy will not sell, retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services.
2.2.4 GoDaddy will not Process Customer Personal Data outside of the Parties’ direct business relationship described in the Agreement and this DPA.
2.2.5 GoDaddy will not combine Customer Personal Data with any other data GoDaddy collects (directly or via any third party) other than as expressly permitted under the Agreement.
2.2.6 GoDaddy will stop all Processing and will notify Customer within three (3) business days if GoDaddy: (a) believes that a Customer instruction violates any applicable Data Processing Laws or (b) determines GoDaddy is unable to comply with any applicable Data Processing Laws or its obligations under this DPA.
2.3.2 GoDaddy Affiliates. For purposes of this DPA, any Customer Personal Data received by GoDaddy's Affiliates shall be deemed to have been received by GoDaddy. GoDaddy represents that it will take all measures reasonably necessary to ensure that its Affiliates comply with GoDaddy's obligations with respect to processing of Customer Personal Data under this DPA. GoDaddy is responsible for GoDaddy's Affiliates’ compliance with all terms of this DPA.
3.2 GoDaddy maintains information concerning its current Subprocessors in the following Subprocessor List.
3.3 Before transferring Customer Personal Data to a Subprocessor, GoDaddy will: (a) enter into a written agreement with the Subprocessor that is at least as protective of Customer Data as this DPA; (b) conduct due diligence to confirm the Subprocessor can comply with the material terms of this DPA and the Data Protection Laws as they relate to GoDaddy’s processing of Customer Data, including the information security requirements of Sections 5, 6, and 8, and of Schedule 2 of this DPA.
3.4 GoDaddy is liable for its Subprocessors’ acts and omissions, including any acts or omissions of its Subprocessors’ subprocessors.
3.5 New Subprocessors; Right to Object.
4.2 Unless prohibited by law, GoDaddy will notify Customer promptly if it receives any Legal Process that requires GoDaddy to provide access to or disclose Customer Personal Data.
4.3 Unless otherwise required by law, GoDaddy will cooperate with Customer (at Customer’s reasonable expense) in any efforts by Customer to prevent disclosure of Customer Personal Data in response to Legal Process.
5.2 Customer expressly acknowledges that GoDaddy provides security features and functionality that Customer can use to protect Customer Personal Data. Customer is solely responsible for taking appropriate risk-based steps to protect the security of Customer’s account and Customer Personal Data within Customer’s control, including by using security features and functionality provided by GoDaddy. Customer also is solely responsible for ensuring that all content that Customer places or causes to be placed within the Services is free of vulnerabilities that could result in the compromise of Customer Personal Data and GoDaddy’s systems, including but not limited to malicious software. GoDaddy is not responsible for backing up Customer Personal Data.
5.3 Customer is required to comply with all Payment Card Industry Data Security Standard Requirements (“PCI-DSS”) and may only provide GoDaddy with Customer Personal Data containing credit, debit or other payment cardholder information (“PCI-DSS Data”) in connection with GoDaddy Services specifically designed to Process such PCI-DSS Data. Customer is solely responsible for any violation of PCI-DSS requirements if Customer uses GoDaddy Services to process or store PCI-DSS Data outside of GoDaddy's PCI-DSS compliant Service offerings.
5.4 In addition to any measures required for GoDaddy to comply with its obligations under applicable Data Protection Laws and PCI-DSS Requirements for GoDaddy's PCI-DSS compliant Services, GoDaddy will implement the specific technical and organizational measures identified in Schedule 2 of this DPA.
6.2 GoDaddy will use commercially reasonable efforts to notify Customer of a breach of security of GoDaddy’s systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Incident”) within the time period required under applicable law.
6.3 GoDaddy will take appropriate, risk-based steps that are reasonably necessary to contain, mitigate, and remediate a Security Incident without unreasonable delay.
6.4 GoDaddy will provide information reasonably requested by Customer to assess the impact of a Security Incident on Customer Personal Data and for Customer to provide notice of the Security Incident to governmental authorities, affected Data Subjects, or any other person.
6.5 GoDaddy’s acknowledgement of a Security Incident or decision to notify Customer of a Security Incident is not an admission of fault or liability.
7.2 GoDaddy will not respond to a Data Subject Request except on documented instructions from Customer or as otherwise required under applicable law.
7.3 GoDaddy will notify Customer of any Data Subject Request. Customer is solely responsible for responding to any Data Subject Request. If Customer has exhausted all means available to respond to a Data Subject Request – subject to Customer’s agreement to pay GoDaddy’s reasonable expenses in advance – GoDaddy will provide Customer with assistance reasonably necessary to allow Customer to respond to a Data Subject Request.
8.2 Compliance Inquiries. Customer may periodically request information reasonably necessary to confirm GoDaddy’s compliance with its obligations under applicable Data Protection Laws. If GoDaddy fails to respond to Customer’s request within forty-five (45) days, Customer may terminate the Agreement. For the avoidance of doubt, nothing in this DPA gives Customer the right to conduct an audit of GoDaddy’s business, systems, or services. GoDaddy’s obligation under this section is limited to providing Customer with information reasonably necessary to confirm that GoDaddy is in compliance with its obligations under applicable Data Protection Laws.
9.2 If Customer Personal Data originates from the United States, the terms relating to the U.S. Data Protection Laws specified in Schedule 3 (Section 1) to this DPA apply.
9.3 If Customer Personal Data originates from the European Union/European Economic Area (“EU/EEA”), the United Kingdom (“UK”), or Switzerland, or if Customer is established in one or more of those jurisdictions, the terms relating to applicable EU/EEA, UK and/or Swiss Data Protection Laws specified in Schedule 3 (Sections 2 to 4) to this DPA apply.
9.4 If a valid international data transfer mechanism (“Mandatory Transfer Mechanism”) is required to lawfully Transfer Customer Personal Data, the terms specified in Schedule 4 to this DPA apply.
10.2 Amendment. This DPA may be modified or amended by GoDaddy in its sole discretion pursuant to the procedures set forth in the Agreement. If Customer disagrees with such amendment, Customer’s sole remedy is to terminate that portion of the Agreement relating to the Processing of Customer Personal Data on thirty (30) days’ notice. Unless expressly agreed by the Parties in writing, any amendment of this Agreement is effective only with respect to Processing that occurs after the date of such amendment.
10.3 Waiver. The waiver of any breach of this DPA is effective only if in writing by an authorized representative of the Party waiving such breach and no such waiver will be construed as a waiver of any subsequent breach.
10.4 Severance. If any provision of this DPA is found to be unenforceable, then that provision shall be modified to the extent necessary to make it enforceable and the remainder of this DPA shall remain in effect as written. However, if modifying any unenforceable provision would result in the failure of the essential purpose of this DPA, the entire DPA shall be considered null and void unless amended pursuant to Section 10.2.
10.5 Notices. Except as expressly stated herein, notices required under this DPA will be provided in accordance with the Notice requirements set forth in the Agreement.
10.6 Liability. This DPA does not provide any basis for either Party or any other person to recover damages of any type other than those set forth in the Agreement and subject to all limitations set forth therein.
10.7 Enforcement. The terms of this DPA may only be enforced by the Parties on behalf of themselves and their respective Affiliates in accordance with the dispute resolution provisions set forth in the Agreement. This restriction on enforcement has no effect, however, on an individual Data Subject’s ability to enforce their rights under the Data Protection Laws.
10.8 Termination. Unless terminated earlier pursuant to the Agreement or any other applicable provision of this DPA or any applicable Data Protection Laws, this DPA shall terminate upon the completion of Processing or termination of the Agreement, whichever is later. Following termination of this DPA, GoDaddy will return, delete, or de-identify Customer Personal Data pursuant to the terms of the Agreement and this DPA, unless GoDaddy is required to maintain Customer Personal Data pursuant to applicable law. If GoDaddy is required to retain Customer Personal Data following termination of the Agreement, GoDaddy will continue to comply with its obligations relating to the Processing of Customer Personal Data under this DPA and will promptly return or delete any such Customer Personal Data after retention is no longer legally required.
10.9 Governing Law and Jurisdiction. This DPA is governed by the laws stipulated in the Agreement, except to the extent otherwise required by the Data Protection Laws, in which case the la