Data Processing Addendum (Form)
This Data Processing Addendum (“DPA”), forms part of the StackPath Master Service Agreement (available at https://www.stackpath.com/legal/), or other written or electronic agreement by and between StackPath, LLC (“StackPath”) and the undersigned customer of StackPath (“Customer”) and shall be effective on the date Customer accepts this DPA (“Effective Date”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with StackPath or Customer.
“Agreement” means the StackPath Master Service Agreement or other written or electronic agreement with StackPath, LLC which govern the provision of the Services to Customer, as such terms may be updated by StackPath from time to time.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Customer Data” means any Personal Data that originates from the EEA, Switzerland, or a California resident and/or that is otherwise subject to Data Protection Laws, which StackPath Processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
“Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by StackPath or a Sub-processor.
“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
“Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, where applicable, GDPR and CCPA.
“EEA” means, for the purposes of this DPA, the European Economic Area and Switzerland.
“EEA Restricted Transfer” means a transfer (or onward transfer) to a third country of Customer Data originating in the EEA or Switzerland that is subject to GDPR or the Swiss Federal Act on Data Protection, where any required adequacy means can be met by entering into the Standard Contractual Clauses (2021).
“Standard Contractual Clauses (2021)” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant Regulation (EU) 2016/679 of the European Parliament of the Council, as entered into by the parties under this DPA.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any Member State law implementing the same.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Services” means any product or service provided by StackPath to Customer pursuant to the Agreement.
“Standard Contractual Clauses (2010)” means the contractual language approved by 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).
“Sub-processor” means any Data Processor engaged by StackPath to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or StackPath Affiliates.
“UK GDPR” means the GDPR as it forms part of the laws of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
“UK Restricted Transfer” means a transfer (or onward transfer) to a third country of Customer Data originating in the United Kingdom that is subject to UK GDPR.
“UK SCC Addendum” means the template addendum issued by the UK’s Information Commissioner’s Office and proposed to Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
2. Relationship with the Agreement
2.1 The parties agree that DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Any claims against StackPath or its Affiliates regarding matters addressed by this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer shall indemnify StackPath or its Affiliates, as applicable against any and all such claims or costs of any kind that exceed the exclusions and limitations set forth in the Agreement.
2.5 Except as may be otherwise provided pursuant to StackPath’s compliance with applicable data transfer mechanisms addressed in Section 6, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Roles and Scope of Processing
3.1 Role of the Parties. As between StackPath and Customer, Customer is the Data Controller of Customer Data, and StackPath is the Processor of Customer Data. StackPath shall Process Customer Data only as a Data Processor acting at Customer’s direction.
3.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its Processing of Customer Data and any Processing instructions it issues to StackPath; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for StackPath to Process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3 StackPath Processing of Customer Data. StackPath shall Process Customer Data only for the purposes described in this DPA or in accordance with Customer’s documented lawful instructions. StackPath shall not retain, use, or disclose Customer Data for any purpose other than for the specific purpose of performing the Services as described in the Agreement and this DPA, including retaining, using, or disclosing Customer Data for a commercial purpose other than providing the Services. Customer acknowledges that StackPath shall have a right to Process Customer Data in order to provide Services to Customer, fulfill its obligations under the Agreement and this DPA, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical support, fraud prevention, and product development.
4.1 Authorized Sub-processors. Customer agrees that this DPA constitutes Customer’s written authorization for StackPath to engage Sub-processors to Process Customer Data on Customer’s behalf. StackPath shall inform Customer of Sub-processor engagements in accordance with the general authorization provisions of GDPR Article 28(2). Customer may object in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable, documented grounds relating to data protection. Customer’s failure to timely respond or to document the basis of the objection will constitute Customer’s authorization of the proposed changes. In the event of a timely, reasonable and documented objection, the parties shall discuss Customer’s concerns in good faith with a view to achieving resolution.
4.2 Sub-processor Obligations. StackPath shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Customer Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause StackPath to breach any of its obligations under this DPA.
5.1 Security Measures. StackPath shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems, in accordance with StackPath’s security standards. The specific security measures applicable to Customer Data, regardless of the transfer mechanism relied upon as provided by Section 6, are further described in Appendix 2 (all collectively “Security Measures”).
5.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that StackPath may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
5.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
5.4 Confidentiality of Data Processing. StackPath shall ensure that any person who is authorized by StackPath to Process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.5 Data Breach Response. StackPath shall notify Customer without undue delay and, where feasible, no later than 48 hours after becoming aware, of any Data Breach. StackPath shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as StackPath deems necessary and reasonable in order to remediate the cause of such Data Breach. StackPath shall provide information related to the Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with Data Protection Laws. The obligations herein shall not apply to incidents that are caused by Customer, including Customer’s employees or agents.
5.6 Reports and Audits. Customer acknowledges that StackPath is regularly audited against SSAE 18 or its successor standards by independent third party auditors and internal auditors, respectively. Upon request, StackPath shall supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer, so that Customer can verify StackPath’s compliance with the audit standards against which it has been assessed, and this DPA.
6. International Transfers
6.1 Data Transfers. StackPath may Process Customer Data anywhere in the world where StackPath or its Sub-processors maintain data Processing operations. StackPath shall at all times provide an adequate level of protection for the Customer Data Processed, in accordance with the requirements of Data Protection Laws. The parties agree that this DPA and the data transfer methods required by this Section 6 constitute appropriate safeguards to transfer Customer Data to a third country pursuant to Article 46 of GDPR.
6.2 EEA Restricted Transfers. If and to the extent StackPath’s performance of the Services involve an EEA Restricted Transfer, the terms of this Section 6.2 will apply with respect to such EEA Restricted Transfer(s).
StackPath hereby enters into the Standard Contractual Clauses (2021), which are incorporated by reference herein, with Customer. The Standard Contractual Clauses (2021) shall constitute a separate agreement between each Customer Affiliate, if applicable, acting as a data exporter and StackPath acting as data importer.
For the purpose of any such EEA Restricted Transfer, the Standard Contractual Clauses (2021) will be completed as follows:
- Module Two (Transfer Controller to Processor) will apply when Customer is a Controller.
- Module Three (Transfer Processor to Processor) will apply when Customer is a Processor.
- For the purpose of Section II, Clause 8.1 (Modules Two and Three), the Agreement and this DPA constitute the final and complete instructions to StackPath for the Processing of Customer Data as of the date of this DPA. Any additional or alternate instructions must be mutually agreed upon separately in writing and signed by both parties.
- For the purpose of Section II, Clause 8.9 (Modules Two and Three), the parties agree that any audits or inspections be conducted in accordance with the “Reports and Audits” Section of this DPA.
- For the purpose of Section II, Clause 9 (Modules Two and Three), the parties select Option 2 and agree that StackPath may engage Subprocessors in accordance with the “Subprocessing” section of this DPA.
- For the purpose of Section IV, Clause 17 (Modules Two and Three), the parties select Option 1. The Parties agree that this shall be the law of the Netherlands.
- For the purpose of Section IV, Clause 18 (Modules Two and Three), the parties agree that disputes arising from the Standard Contractual Clauses shall be resolved by the courts of the Netherlands.
- Annex I is deemed to be completed with the details set out in Appendix 1 to this DPA.
- Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data) is deemed to be completed with the Technical and Organizational Security Measures set out in Appendix 2 to this DPA.
- If and to the extent an EEA Restricted Transfer involves Customer Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the Standard Contractual Clauses (2021) are deemed to be supplemented with an additional annex that provides as follows:
- for purposes of Clause 13 and Annex I.C of the Standard Contractual Clauses (2021), the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;
- the term “member state” as used in the Standard Contractual Clauses (2021) must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18.c;
- references in the Standard Contractual Clauses (2021) to the GDPR should be understood as references to the FADP; and
- until entry into force of the revised FADP of 25 September 2020, the Standard Contractual Clauses (2021) also protect the data of legal entities.
6.3 UK Restricted Transfers. If and to the extent StackPath’s performance of the Services involve a UK Restricted Transfer, the terms of this Section 6.3 will apply with respect to such UK Restricted Transfer(s).
StackPath hereby enters into the UK SCC Addendum with Customer. The UK SCC Addendum shall constitute a separate agreement between each Customer Affiliate, if applicable, acting as a data exporter and StackPath acting as data importer.
For the purpose of any such UK Restricted Transfer, the UK SCC Addendum is incorporated herein by reference and shall apply as follows:
- Completion of Table 1. Table 1 of the UK SCC Addendum is completed with the details of Customer Affiliate (as data exporter) and the details of StackPath (as data importer), as provided in the Agreement. The “start date” is the start date, effective date, or equivalent date of the Agreement. The “key contact” for Customer is “Chief Privacy Officer” or that individual’s delegate who will be communicated to StackPath from time to time and the “key contact” for StackPath will be the contact specified in elsewhere in this DPA.
- Completion of Tables 2 and 3. Table 2 of the UK SCC Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.” For the purposes of Table 2 and Table 3 of the UK SCC Addendum, the “Approved EU SCCs” are completed as set out above.
- Completion of Table 4. Table 4 of the UK SCC Addendum is completed by selecting “neither party.”
7. Return or Deletion of Data
Upon termination or expiration of the Agreement, StackPath shall (at Customer’s election) delete or return, if feasible, to Customer all Customer Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent StackPath is required by applicable law to retain some or all of the Customer Data; (ii) if StackPath is reasonably required to retain some or all of the Customer Data for limited operational and compliance purposes; or (iii) to Customer Data StackPath has archived on back-up systems. In all such cases, StackPath shall maintain the Customer Data securely and protect from any further Processing. The terms of this DPA shall survive for so long as StackPath continues to retain any Customer Data.
8.1 Data Protection Authority Inquiries. StackPath shall (at Customer’s expense) provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to StackPath, StackPath shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If StackPath is required to respond to such a request, StackPath shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
8.2 Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Customer Data, or block or restrict Processing of Customer Data, then at Customer’s written direction and to the extent required by Data Protection Laws, StackPath shall comply with any commercially reasonable request by Customer to facilitate such actions. To the extent legally permitted, Customer shall be responsible for any costs arising from StackPath’s or its Sub-processors’ provision of such assistance. StackPath shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. StackPath shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently. To the extent legally permitted, Customer shall be responsible for any costs arising from StackPath’s provision of such assistance.
8.3 Assessments and Data Protection Impact Assessments. StackPath shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Customer Data, including responses to information security reviews, that are reasonably necessary to confirm StackPath’s compliance with this DPA. Customer shall not exercise this right more than once per year, including with respect to any support required to perform a data protection impact assessment.
8.4 Law Enforcement Requests. If a law enforcement agency sends StackPath a demand for Customer Data (for example, through a subpoena or court order), StackPath may attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, StackPath may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then StackPath shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless StackPath is legally prohibited from doing so.
9. Appendix 1 to the Standard Contractual Clauses (2021)
A. List of Parties
Data exporter: The entity identified as the Customer on the Master Services Agreement or the entity identified in the web form below that is a Customer of StackPath.
Contact person’s name, position, and contact details: Data exporter’s name and contact details are identified in the Master Services Agreement or in the web form below.
Activities relevant to the data transferred under these clauses: Customer, which purchases services from StackPath pursuant to the Agreement and authorizes StackPath to Process Customer Data for purposes of providing the services.
Role (controller/processor): Controller or Processor
Data importer: StackPath LLC
Name: Michael Grannan
Address: 1950 North Stemmons Freeway, Suite 1001, Dallas, TX 75207
Contact person’s name, position, and contact details: VP Global Security and Compliance
Activities relevant to the data transferred under these clauses: StackPath, which Processes Customer Data upon the instruction of the data exporter in accordance with the terms of the Agreement and the DPA.
Role (controller/processor): Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred: The data exporter may transmit Customer Data using StackPath’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that data subjects may include, but may not be limited to, natural persons who are prospective customers, customers, resellers, referrers, business partners, vendors, employees, contractors, agents, or advisors of data exporter, or natural persons authorized to use the services by data exporter.
Categories of personal data transferred: The data exporter may transmit Customer Data using StackPath’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that categories of data may include, but may not be limited to, names, titles, position, employer, contact information (email, phone, fax, physical address, etc.), and data indicating geographic location (e.g., IP address).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The data exporter may transmit Customer Data using StackPath’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that sensitive personal data may be included, such as racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, and data concerning a person’s health or sex life. The safeguards applied to Customer Data are listed below in Appendix 2.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Transfers of Customer Data will be made as directed by Customer, potentially on a continuous basis.
Nature of the processing: Processing will be undertaken to the extent necessary for StackPath to provide services to data exporter and as otherwise authorized by the Agreement or the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the Processing is for StackPath to provide services to data exporter and as otherwise authorized by the Agreement or this DPA.
The period for which the data will be retained, or, if that is not possible, the criteria used to determine that period: Customer Data will be retained consistent with provision of Services, and no longer than the duration of the Agreement and subject to Section 7 (Return or Deletion of Data) of this DPA.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter, nature, and duration of processing undertaken by Subprocessors will be the same as set forth in the DPA and this Appendix 1.
C. Competent Supervisory Authority
The supervisory authority will be the competent supervisory authority of the Netherlands.
10. Appendix 2 to the Standard Contractual Clauses (2021)
Technical and Organization Measures for the Standard Contractual Clauses
With respect to Annex II of the Standard Contractual Clauses, StackPath shall apply the following technical and organizational measures. These safeguards are without prejudice to the measures required by the Addendum, which shall take precedence to the extent they require StackPath to implement more protective measures:
- Strong encryption of Personal Information in transit that meets industry best practices, is robust against cryptanalysis, is not susceptible to interference or unauthorized access, and for which key access is limited to specific authorized individuals with a need to access Personal Information in order to engage in Processing or, wherever practicable, such key access is limited solely to the exporter;
- Wherever practicable with respect to Processing, pseudonymization sufficient to cause Personal Information to no longer be attributable to a specific individual, provided safeguards are in place to prevent reidentification and the algorithmic process or key to re-establish identity is held only by the data exporter;
- If agreed by the Parties, or as otherwise practicable, physical locations in which Sensitive Personal Information are Processed will be limited to the applicable Restricted Country or countries deemed adequate to receive such Personal Information under the Data Protection Laws of the applicable Restricted Country;
- Access restrictions and procedures, including unique user identification, to limit Processing to authorized StackPath workforce and devices authorized explicitly by StackPath through proper separation of duties, role-based access, on a need-to-know and least privilege basis;
- Multi-factor authentication and use of a virtual private network for any remote access to StackPath systems or Personal Information;
- Physical security procedures, including the use of monitoring 24 hours /7 days a week, access controls and logs of access, and measures sufficient to prevent physical intrusions to any StackPath facility where Personal Information is Processed;
- Secure disposal of equipment and physical and electronic media that contain Personal Information;
- Ongoing vulnerability identification, management and remediation of systems including applications, databases, and operating systems used by StackPath to Process Personal Information;
- Logging and monitoring to include security events, all critical assets that Process Personal Information, and system components that perform security functions for StackPath’s network (e.g., firewalls, authentication servers) intended to identify actual or attempted access by unauthorized individuals and anomalous behavior by authenticated users;
- Monitoring, detecting, and restricting the flows of Personal Information on a multi-layered basis, including but not limited to the use of network segmentation, secure configuration of firewalls, intrusion detection and/or prevention systems, denial of service protections;
- Remote work procedures that require “clean desk” standards in place and a remote work management program that limits use to only devices authorized pursuant to StackPath’s security program;
- Data protection program elements, such as technical measures or documented procedures, to address data minimization and limited retention, data quality, and implementation of data subject rights, appropriate to the nature of the Processing and Services;
- Appropriate IT governance processes that address risk management, system configuration, and process assurance, including regular and periodic testing and evaluation of the sufficiency of StackPath’s data protection program and technical controls;
- Business continuity and disaster recovery plans intended to ensure integrity, resiliency, and availability of StackPath systems and Personal Information, as well as timely restoration of access to Personal Information; and
- StackPath shall, at the request of data exporter, promptly provide a copy of its most recent StackPath SOC2 Type II report, PCI Attestation of Compliance and/or industry certification such as ISO/IEC 27001 or any successor standards for information security management. If StackPath does not hold such certification, it must conduct, at its own expense no less than annually, an independent third-party audit of StackPath’s security program and systems, and facilities used to Process Personal Information, with a detailed summary of the report to be provided to data exporter.