This Reseller Data Processing Addendum (“DPA”) forms part of the Agreement executed between GoDaddy.com, LLC (inclusive of its affiliated entities if contemplated under the Agreement) (“GoDaddy”) and you (“Reseller”) for the purpose of selling GoDaddy’s products and services (“Services”) through GoDaddy’s Reseller Program, and shall govern with regard to the processing of any Personal Information by Reseller on behalf of GoDaddy. Reseller enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its authorized affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. The terms “we”, “us” or “our” shall refer to GoDaddy. The terms “you”, “your”, or “Reseller” shall refer to any individual or entity who accepts this Agreement. Nothing in this Agreement shall be deemed to confer any third-party rights or benefits. This DPA shall become effective and binding as of the date of your electronic acceptance.
This DPA consists of two (2) distinct parts, which are applicable as explained below:
- Data Privacy and Security Standards and Requirements: Application of Data Privacy and Security Standards and Requirements. Applicable to all Resellers that have access to and process PII (as defined herein) within the nature and scope of their participation in the Reseller Program.
- Standard Contractual Clauses (and its Appendices 1 & 2): Application of Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses will not apply where the data is transferred in accordance with a recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA, such as the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Data Privacy and Security SLA
1. Subject Matter and Scope
This Data Privacy and Security SLA (“Security SLA”) is attached to and incorporated into the Agreement for the purpose of ensuring that any PII (as defined below) collected or utilized by you is handled in a manner that is secure and otherwise in accordance with the terms of the Agreement, this Security SLA, and applicable laws and regulations.
2. Order of Precedence
This Security SLA is incorporated into and forms part of the Agreement. For matters not addressed under this Security SLA, the terms of the Agreement apply. With respect to the rights and obligations of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this Security SLA, the terms of this Security SLA will control. In the event of a conflict between the terms of the Security SLA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
3. Personal Information
- “PII” or “Personal Information” shall mean information in any medium or form of any kind pertaining to an identified or identifiable natural person or household; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, Social Security number or other identification number, e-mail address, telephone number, financial profile, credit card information, driver’s license number, or other information that can be reasonably linked to a particular person, computer, or device (e.g., information collected via tracking technologies, such as IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Processing for the purposes of this DPA shall include collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, combining, restricting, erasing or destroying PII.
- GoDaddy discloses PII to You solely and exclusively for Your performance of the Services on GoDaddy’s behalf, and You may only process the PII for the limited and specific purpose(s) described in the Agreement and on our written instructions, and for no other purpose, including with regard to transfers of EU individuals’ PII outside of the European Union, unless required to do so by European Union or European Union Member State law (in which case you must immediately notify us before doing so, unless prohibited from informing us by law).
- You are prohibited from: (i) selling PII; (ii) retaining, using, or disclosing PII for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the PII outside of the Agreement between You and GoDaddy.
- You acknowledge and confirm that PII is not disclosed as consideration for any Services that are provided to GoDaddy under the Agreement. You must not sell any PII, as the term “sell” is defined under California Consumer Privacy Act of 2018, as amended (“CCPA”), and You hereby certify that You understand the rules, requirements and definitions of the CCPA, and all restrictions in this DPA. You agree to refrain from taking any action that would cause any transfers of PII to or from You to qualify as “selling personal information” under the CCPA and any other applicable laws.
- You may only transfer PII relating to EU individuals outside of the EU (or, if such PII is already outside of the EU, to any third party also outside the EU) in compliance with the terms of this DPA and the requirements of Articles 44 to 49 of the GDPR (as defined below).
- You must immediately notify us at privacy@godaddy.com if, in your opinion, our instruction infringes any applicable data protection laws and regulations, including EU Data Protection Law (as defined below).
- You must treat all PII as strictly confidential, and you must inform all your employees or approved agents engaged in processing the PII of the confidential nature of the PII, and ensure that all such persons or parties have signed an appropriate confidentiality agreement to maintain the confidence of the PII.
- To the extent you receive, maintain, process or otherwise have access to PII in connection with the Reseller Program under the Agreement, you acknowledge and agree that you are responsible for maintaining appropriate organizational and security measures to protect such PII. You must protect and secure such PII in accordance with all applicable privacy and data protection laws, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”) and associated European Union Member State legislation or regulations (together “EU Data Protection Law”) and CCPA.
- The appropriate organizational and security measures referenced in Section 3.7 shall include as appropriate (but are not limited to):
  - Those measures listed below at Sections 3 and 4;
  - Measures to ensure that only authorized individuals for the purposes described in the Agreement can access the PII;
  - The pseudonymisation and encryption of the PII;
  - The ability to ensure continued confidentiality, integrity, availability and resilience of your processing systems and services;
  - The ability to restore the availability and access to PII in a timely manner;
  - A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of PII; and
  - Measures to identify vulnerabilities with regard to the processing of PII in your systems.
- To the extent that You contract with any subcontractor, vendor or other third party to facilitate Your performance under the Agreement, You must (i) obtain prior written consent from us; and (ii) enter into a written agreement with such third party to ensure such party also complies with the terms of this DPA and the Agreement.
- Notwithstanding any authorization given by us in accordance with Section 1.11, you will remain fully liable for any such subcontractor, vendor or other third party’s acts where such party fails to fulfill its obligations under this DPA (or similar contractual arrangement put in place to impose equivalent obligations on the third party to those incumbent on you under this DPA) or under applicable privacy law(s).
- You will, at your expense, defend, indemnify and hold us harmless from and against all liability, costs, and loss in connection with any temporary or permanent, accidental or unlawful, unavailability, loss, destruction, unauthorized disclosure of or access to, theft, or compromise of PII, and any other breach of applicable data protection legislation, and any breach of this DPA.
- In the event you become aware that you have received our Confidential Information or PII that was not intended for receipt by you or authorized to be received by you under this Agreement, you must (i) promptly notify us at privacy@godaddy.com, and (ii) unless otherwise instructed in writing, retain the information until you are contacted by privacy@godaddy.com with instructions on what to do with such information.
4. Impact Assessments & Security Audits
- Data Protection Impact Assessments. You must assist us in conducting data protection impact assessments to identify and minimize any privacy or security risks related to the Reseller Program under the Agreement.
- Periodic Audits. We reserve the right to periodically audit (or have a third party, at our direction, audit) your compliance with this DPA.
- Audit after an Incident. In the event of a Reseller security breach, we may conduct a security audit to ensure no PII was impacted. You will be granted 90 days to respond to any issues identified through the audit. Once identified issues have been resolved, we may conduct a security audit to ensure the completion of the resolution.
- Notice of Non-Compliance. Should you become unable to meet any of the commitments in this DPA for any reason, you must notify us immediately. In such case, you must advise whether you are capable of remedying the issue quickly and without jeopardy to the security of any PII. If not, then we may elect to terminate the Agreement without delay, penalty or further liability to you.
5. Security Incident Response
- Notification Timing. You will communicate any security incident related to your services and/or PII to us immediately after discovery thereof and will provide immediate feedback about any impact this incident may or will have on us or PII. You will use your best efforts to notify us of the security incident immediately after detecting such incident, but in any event no later than 1 hour after you have detected the incident. An incident for the purposes of this DPA shall also include:
  - A complaint or request with respect to the exercise of an individual’s rights under applicable laws including EU Data Protection Law;
  - An investigation into or seizure of PII by government officials, or a regulatory or law enforcement agency, or indications that such investigation or seizure is contemplated;
  - Any temporary or permanent, accidental or unlawful, unavailability, loss, destruction, unauthorized disclosure of or access to, theft, or compromise of PII; and
  - Any breach of the security and/or confidentiality obligations set out in this DPA.
- Notification Format and Content. Notification of a security breach will take the form of a phone call to our Network Operations Center (NOC) at (480) 505-8809, followed by a written notification to securitybreach@godaddy.com. You must provide the following information during the notification phone call, and in the written notice, to the greatest extent possible, with further updates as additional information comes to light:
  - A description of the nature of the incident and likely consequences of the incident;
  - Expected resolution time (if known);
  - A description of the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects on us, PII or associated individuals;
  - If the resolution path is unknown at the time of the phone call, you must clarify that it is as yet undetermined;
  - The categories and approximate volume of PII and individuals potentially affected by the incident, and the likely consequences of the incident on that PII and associated individuals; and
  - The name and phone number of a Reseller representative we can contact to obtain incident updates.
- Security Resources. We may, upon mutual agreement with you, provide resources from our security group to assist with an identified security breach. You agree to assist us in meeting our obligations in relation to the notification of a security breach under EU Data Protection Law or any other statutory, regulatory, administrative, or contractual breach notification obligations.
6. Cryptography
- Proprietary Encryption. Secured transactions between you and any subcontractor, vendor or other third party, as well as storage of our Confidential Information or PII, may not utilize any cryptographic algorithms developed internally by you. Any symmetric, asymmetric or hashing algorithm utilized by the application infrastructure will utilize algorithms that have been published and evaluated by the general cryptographic community.
- Encryption Strength. Encryption algorithms must be current industry standard technology and of sufficient strength, such as AES, SHA-256 or RSA public key encryption.
- Hashing Functions. Hashing functions will be a combination of SHA-256 and at least one of MD5, SHA-2, SHA-3 or similar, not including SHA-1. If alternate hashing functions are to be utilized, they will have explicit approval from our Information Security Team and must be accompanied by at least one approved algorithm.
7. Processing PII
- Compliance with Law. To the extent applicable, you will assist us in our obligations to respond to requests of an individual whose PII is being processed under the Agreement and who wishes to exercise any of their rights under EU Data Protection Law, including (but not limited to): (i) right of access; (ii) right to data portability; (iii) right to erasure; (iv) right to rectification; (v) right to object to automated decision-making; or (vi) right to object to processing.
- Delete/Destroy. You must securely delete/destroy or return all PII, and overwrite physical drives used for its storage using Cryptographic Erase (NIST SP 800-88r1) or an equivalent method, at any time upon our request or, absent our request, after termination of the Agreement, and destroy or return any existing copies of the same to us.
STANDARD CONTRACTUAL CLAUSES
For the purpo