This Data Processing Addendum ("DPA"), forms part of the StackPath Master Service Agreement (available at https://www.stackpath.com/legal/), or other written or electronic agreement by and between StackPath, LLC ("StackPath") and the undersigned customer of StackPath ("Customer") and shall be effective on the date Customer accepts this DPA ("Effective Date"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with StackPath.
"Agreement" means the StackPath Master Service Agreement or other written or electronic agreement with StackPath, LLC which govern the provision of the Services to Customer, as such terms may be updated by StackPath from time to time.
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
"Customer Data" means any Personal Data that originates from the EEA and/or that is otherwise subject to Data Protection Laws, which StackPath Processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
"Data Breach" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by StackPath or a Sub-processor.
"Data Controller" means an entity that determines the purposes and means of the Processing of Personal Data.
"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.
"Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, where applicable, GDPR.
"EEA" means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
"GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any Member State law implementing the same.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.
"Services" means any product or service provided by StackPath to Customer pursuant to the Agreement.
"Standard Contractual Clauses" means the contractual language approved by 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).
"Sub-processor" means any Data Processor engaged by StackPath to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates.
2. Relationship with the Agreement
2.1 The parties agree that DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Any claims against StackPath or its Affiliates regarding matters addressed by this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise. Customer shall indemnify StackPath or its Affiliates, as applicable against any and all such claims or costs of any kind that exceed the exclusions and limitations set forth in the Agreement.
2.5 5 Except as may be otherwise provided pursuant to StackPath’s compliance with applicable data transfer mechanisms addressed in Section 6, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Roles and Scope of Processing
3.1 Role of the Parties. As between StackPath and Customer, Customer is the Data Controller of Customer Data, and StackPath is the Processor of Customer Data. StackPath shall Process Customer Data only as a Data Processor acting at Customer’s direction.
3.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its Processing of Customer Data and any Processing instructions it issues to StackPath; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for StackPath to Process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3 StackPath Processing of Customer Data. StackPath shall Process Customer Data only for the purposes described in this DPA or in accordance with Customer’s documented lawful instructions. Customer acknowledges that StackPath shall have a right to Process Customer Data in order to provide Services to Customer, fulfill its obligations under the Agreement and this DPA, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical support, product development, and sales and marketing.
4.1 Authorized Sub-processors. Customer agrees that this DPA constitutes Customer’s written authorization for StackPath to engage Sub-processors to Process Customer Data on Customer's behalf. The Sub-processors currently engaged by StackPath and authorized by Customer will be provided to Customer by StackPath. StackPath shall notify Customer in writing if it intends to add or replace Sub-processors. Customer may object in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable, documented grounds relating to data protection. Customer’s failure to timely respond or to document the basis of the objection will constitute Customer’s authorization of the proposed changes. In the event of a timely, reasonable and documented objection, the parties shall discuss Customer’s concerns in good faith with a view to achieving resolution.
4.2 Sub-processor Obligations. StackPath shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Customer Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause StackPath to breach any of its obligations under this DPA.
5.1 Security Measures. StackPath shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems, in accordance with StackPath's security standards. The specific security measures applicable to Customer Data, regardless of the transfer mechanism relied upon as provided by Section 6, are further described in Appendix 2 (all collectively "Security Measures").
5.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that StackPath may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
5.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
5.4 Confidentiality of Data Processing. StackPath shall ensure that any person who is authorized by StackPath to Process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.5 Data Breach Response. StackPath shall notify Customer without undue delay and, where feasible, no later than 48 hours after becoming aware, of any Data Breach. StackPath shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as StackPath deems necessary and reasonable in order to remediate the cause of such Data Breach. StackPath shall provide information related to the Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with Data Protection Laws. The obligations herein shall not apply to incidents that are caused by Customer, including Customer’s employees or agents.
5.6 Reports and Audits. Customer acknowledges that StackPath is regularly audited against SSAE 16 or its successor standards by independent third party auditors and internal auditors, respectively. Upon request, StackPath shall supply (on a confidential basis) a summary copy of its audit report(s) ("Report") to Customer, so that Customer can verify StackPath's compliance with the audit standards against which it has been assessed, and this DPA.]
6. International Transfers
6.1 Data Transfers. StackPath may Process Customer Data anywhere in the world where StackPath or its Sub-processors maintain data Processing operations. StackPath shall at all times provide an adequate level of protection for the Customer Data Processed, in accordance with the requirements of Data Protection Laws. The parties agree that this DPA and the data transfer methods required by this Section 6 constitute appropriate safeguards to transfer Customer Data to a third country pursuant to Article 46 of GDPR.
6.2 Privacy Shield. To the extent that StackPath Processes any Customer Data protected by GDPR under the Agreement in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that StackPath shall be deemed to provide adequate protection (within the meaning of GDPR) for any such Customer Data that StackPath Processes pursuant to its current self-certification to and compliance with Privacy Shield and this DPA. StackPath agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles.
6.3 Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section 6.2 shall not apply if and to the extent that StackPath’s Processing of Customer Data is not undertaken pursuant to its current self-certification to and compliance with Privacy Shield, including in the event Privacy Shield is invalidated by a competent governmental authority. In any such case, to the extent StackPath Processes any Customer Data protected by GDPR under the Agreement in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that StackPath shall be deemed to provide adequate protection (within the meaning of GDPR) by applying the terms of this DPA and the Standard Contractual Clauses. In all such cases, for the purposes of implementing the Standard Contractual Clauses: (i) Customer is the data exporter and StackPath is the data importer; (ii) Customer directs StackPath to Process Personal Data in accordance with the Agreement and this DPA pursuant to Clause 5(a); (iii) Customer acknowledges and expressly agrees that StackPath may engage third-party Sub-processors as provided by this DPA pursuant to Clause 5(h); (iv) Customer acknowledges that StackPath’s obligations and cooperation pursuant to Clause 5(f), Clause 11 and Clause 12 shall be limited to the extent provided by the terms of this DPA; (v) Appendix 1 of this DPA shall serve as Appendix 1 of the Standard Contractual Clauses, and Appendix 2 of this DPA shall serve as Appendix 2 of the Standard Contractual Clauses.
7. Return or Deletion of Data.
Upon termination or expiration of the Agreement, StackPath shall (at Customer's election) delete or return, if feasible, to Customer all Customer Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent StackPath is required by applicable law to retain some or all of the Customer Data; (ii) if StackPath is reasonably required to retain some or all of the Customer Data for limited operational and compliance purposes; or (iii) to Customer Data StackPath has archived on back-up systems. In all such cases, StackPath shall maintain the Customer Data securely and protect from any further Processing. The terms of this DPA shall survive for so long as StackPath continues to retain any Customer Data.
8.1 Data Protection Authority Inquiries. StackPath shall (at Customer's expense) provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to StackPath, StackPath shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If StackPath is required to respond to such a request, StackPath shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
8.2 Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Customer Data, or block or restrict Processing of Customer Data, then at Customer’s written direction and to the extent required by Data Protection Laws, StackPath shall comply with any commercially reasonable request by Customer to facilitate such actions. To the extent legally permitted, Customer shall be responsible for any costs arising from StackPath’s or its Sub-processors’ provision of such assistance. StackPath shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. StackPath shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently. To the extent legally permitted, Customer shall be responsible for any costs arising from StackPath’s provision of such assistance.
8.3 Assessments and Data Protection Impact Assessments. StackPath shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Customer Data, including responses to information security reviews, that are reasonably necessary to confirm StackPath's compliance with this DPA. Customer shall not exercise this right more than once per year, including with respect to any support required to perform a data protection impact assessment.
8.4 Law Enforcement Requests. If a law enforcement agency sends StackPath a demand for Customer Data (for example, through a subpoena or court order), StackPath may attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, StackPath may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then StackPath shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless StackPath is legally prohibited from doing so.
Appendix 1 to the Standard Contractual Clauses
The data exporter is (please specify briefly your activities relevant to the transfer):
Customer, which purchases services from StackPath pursuant to the Agreement and authorizes StackPath to Process Customer Data for purposes of providing the services.
The data importer is (please specify briefly activities relevant to the transfer):
StackPath, which Processes Customer Data upon the instruction of the data exporter in accordance with the terms of the Agreement and the DPA.
The personal data transferred concern the following categories of data subjects (please specify):
The data exporter may transmit Customer Data using StackPath’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that data subjects may include, but may not be limited to, natural persons who are prospective customers, customers, resellers, referrers, business partners, vendors, employees, contractors, agents, or advisors of data exporter, or natural persons authorized to use the services by data exporter.
Categories of data
The personal data transferred concern the following categories of data (please specify):
The data exporter may transmit Customer Data using StackPath’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that categories of data may include, but may not be limited to, names, titles, position, employer, contact information (email, phone, fax, physical address, etc.), and data indicating geographic location (e.g., IP address).
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The data exporter may transmit Customer Data using StackPath’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that sensitive personal data may be included, such as racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, and data concerning a person’s health or sex life.
The personal data transferred will be subject to the following basic processing activities (please specify):
Processing will be undertaken to the extent necessary for StackPath to provide services to data exporter and as otherwise authorized by the Agreement or the DPA.
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
StackPath has implemented and shall maintain a security program that includes appropriate administrative, physical, and technical safeguards designed to protect Customer Data from Data Breaches and to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems. These safeguards include: