This Data Processing Addendum (the "Addendum") is executed by and between Name.com, a Delaware limited liability company and its Affiliates ("Name.com") and you ("Customer") and is, where necessary, deemed annexed to and supplements the Web Hosting Service Agreement and any and all agreements governing an Applicable Service (collectively, the "Terms of Service"). Unless otherwise defined in this Addendum, all capitalized terms not defined in this Addendum will have the meanings given to them in the Terms of Service.
"Affiliates" means any entity which is controlled by, controls or is in common control with Name.com.
"Applicable Services" means the Name.com hosted services we offer you that could involve our Processing of Personal Data as provided by you, as Data Controller.
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. This shall include any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum.
"Customer Data" means the Personal Data of any Data Subject Processed by Name.com within the Name.com Network on behalf of Customer pursuant to or in connection with the Terms of Service.
"Data Controller" means the Customer, i.e. the entity and/or person which determines the purposes and means of the Processing of Personal Data.
"Data Processor" means Name.com, i.e. the entity which Processes Personal Data on behalf of and on the instructions of the Data Controller, or as defined in other applicable legislation.
"Data Protection Laws" means all data protection or privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including, (i) the CCPA, (ii) the GDPR, (iii) the EU e-Privacy Directive (Directive 2002/58/EC), (iv) any national data protection laws made under or pursuant to (i) or (ii), (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance, and (vi), in respect of the United Kingdom the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced.
"Data Subject" means the individual to whom Personal Data relates.
"EEA" means the European Economic Area.
"General Data Protection Regulation" or "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
"Name.com Network" means Name.com's service providers and their data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls), as applicable, which are used to provide the Applicable Services.
"Personal Data" means any information relating to an identified or identifiable person or household as defined under applicable Data Protection Laws.
"Privacy Shield" means Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176).
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including, but not limited to, collection, recording, organization, structuring, storage, security, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, rectification, erasure or destruction. "Process", "processes" and "processed" will be interpreted accordingly. Details of Processing are set forth in Annex 1.
"Security Incident" means either (a) a breach of security of the Name.com Technical and Organizational Measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Data; or (b) any unauthorized access to Name.com equipment or facilities, where in either case such access results in destruction, loss, unauthorized disclosure, or alteration of Customer Data.
"Technical and Organizational Measures" means the listed measures relating to the security of data at Name.com, attached to this Addendum as Annex 2.
"Standard Contractual Clauses" or "SCCs" means Annex 3, attached to and forming part of this Addendum pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under the Directive and any amendments or changes to any other law relating to data and privacy as may be amended, superseded or replaced.
"Sub-processor" means any Data Processor engaged by Processor to Process data on behalf of Data Controller under the Terms of Service.
- Data Processing
- Scope and Roles. This Addendum applies when Customer Data is processed by Name.com in the provision of Applicable Services under the Terms of Service. In this context, Name.com (Data Processor) shall only act on instructions of the Customer (Data Controller) with respect to Customer Data, unless directed by a legal or regulatory requirement by a competent body or authority.
- Details of Data Processing. The subject matter of processing of Customer Data by Name.com is the performance of the Applicable Services pursuant to the Terms of Service and product-specific agreements. Name.com shall only Process Customer Data on behalf of and in accordance with Customer's documented instructions (limited to those instructions as contained in the Terms of Service) for the following purposes:
- Processing in accordance with the Terms of Service or applicable product-specific agreement;
- Processing initiated by customer in their use of the Applicable Services;
- Processing to comply with other documented, reasonable instructions provided by Customers where such instructions are consistent with the terms of the Agreement.
Name.com shall not:
- process, retain, use, sell, or disclose Customer Data except as necessary to provide Applicable Services pursuant to the Terms of Service, or as required by law;
- sell such Customer Data to any third party;
- retain, use, or disclose such Customer Data outside of the direct business relationship between Name.com and Customer save as is required or permitted under applicable legislation.
For the avoidance of doubt, Customer's instructions for the Processing of Personal Data must comply with all applicable data privacy laws. Customer shall have sole responsibility to understand and be aware of all applicable data privacy laws for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Name.com shall not be required to comply with or observe Customer's instructions if such instructions would violate Data Protection Laws or any other applicable laws and legislation. The duration of the Processing, the nature and purpose of the Processing, the types of personal data and categories of Data Subjects Processed under this Addendum are set out in Annex 1 ('Details of the Processing') to this Addendum.
- Confidentiality of Customer Data
- Name.com will not disclose Customer Data to any government or any other third party, except as necessary to comply with our legal obligations, the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). In the event Name.com receives a valid civil subpoena, and to the extent permitted, Name.com will endeavor to provide Customer with reasonable notice of the demand via email or postal mail to allow Customer to seek a protective order or other appropriate remedy as they deem appropriate.
- Name.com has implemented and will maintain the technical and organizational measures for the Name.com Network as described in this Section and as further described in Annex 2 to this Addendum, Security Standards. In particular, Name.com has implemented and will maintain these technical and organizational measures so as to address the:
- security of the Name.com Network;
- physical security of the Name.com facilities;
- controls around employee and contractor access to (i) and/or (ii); and
- processes for testing, assessing and evaluating the effectiveness of technical and organizational measures implemented by Name.com.
In the event that we are not able to meet any of our obligations set forth herein, we will endeavor to provide written notice (via our website and email) as soon as practically feasible.
- Name.com makes available a number of security features and functionalities that Customer may elect to use in relation to the Applicable Services, including two-factor authentication for your Name.com account, as well as the ability to change and update your passwords, and Name.com account-level IP address access restrictions. Customer is responsible for (a) properly configuring the Applicable Services, (b) using the controls available in connection with the Applicable Services (including the security controls) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) using the controls available in connection with the Applicable Services (including the security controls) to allow the Customer to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident (e.g. backups and routine archiving of Customer Data), and (d) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorized access and measures to control access rights to Customer Data.
- Data Subject Rights
- As sole Controller, all Data Subject Requests, as defined herein, are the responsibility of the Customer. As commercially reasonable, and to the extent lawfully required or permitted, Name.com shall endeavor to use best efforts to promptly notify Customer if Name.com directly receives a request from a Data Subject to exercise such rights under any applicable data privacy laws ("Data Subject Request"). In addition, where Customer's use of the Applicable Services limits its ability to address a Data Subject Request, Name.com may, where legally permitted and appropriate and upon Customer's specific request, provide commercially reasonable assistance in addressing the request, at Customer's cost (if any).
- Authorized Sub-processors. Customer agrees that Name.com may use Sub-processors to fulfil its contractual obligations under its Terms of Service and this Addendum or to provide certain services on its behalf, such as providing support services. Customer hereby consents to Name.com's use of Sub-processors as described in this section. Except as set forth in this Section or as otherwise explicitly authorized by you, Name.com will not permit any other sub-processing activities.
- Sub-processor Obligations. Where Name.com uses any authorized Sub-processor as described in Section 6.A:
- Name.com will restrict the Sub-processor's access to Customer Data to only that which is necessary and required to maintain the Applicable Services or that which is necessary to provide the Applicable Services to Customer in accordance with the Applicable Services.
- Name.com will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor is performing the same data processing services that are being provided by Name.com under this Addendum, the appointment of that subcontractor by Name.com shall be conditional on the sub-processor being subject to equivalent obligations envisaged under this Data Protection Addendum; and
- Name.com will remain responsible for its compliance with the obligations of this Addendum including any acts or omissions of the Sub-processor that cause Name.com to breach our obligations under this Addendum.
- Engaging New Sub-processors. From time to time, Name.com may engage new Sub-processors in order to provide the Name.com services to Customer. In such case, we will endeavor to provide 60 days advance notice (via our website and email) prior to any new Sub-processor obtaining any Customer Data.
- If you, the Customer, do not approve of a new Sub-processor, then you may terminate any Applicable Services, without penalty, by providing Name.com, within 10 days of the issuance of the notice, a written notice of termination that must include an explanation of the reasons for your non-approval of the new Sub-processor.
- If the Applicable Services are part of a bundle or bundled purchase, then any termination will apply in its entirety.
- Security Breach Notification
- Security Incident. Where Name.com confirms that a Security Incident occurred, Name.com will, without undue delay:
- notify Customer of the Security Incident in their capacity as Data Controller; and
- take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
- Name.com Assistance. To assist Customer in relation to any personal data breach notifications Customer is required to make under any applicable privacy laws, Name.com will include in the notification such information about the Security Incident as Name.com is reasonably able to disclose to Customer, taking into account the nature of the Applicable Services, the information available to Name.com, and any restrictions on disclosing the information, such as legal requirements and confidentiality.
- Failed Security Incidents. Customer agrees that:
- A failed Security Incident will not be subject to the terms of this Addendum. A failed Security Incident is one that results in no unauthorized access to Customer Data or to any of Name.com's Network, equipment, or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
- Name.com's obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Name.com of any fault or liability of Name.com with respect to the Security Incident.
- Communication. Notification(s) of Security Incidents, if any, will be delivered to Customer's contact details as advised to us, including via email, or as requested. It is Customer's sole responsibility to ensure Customer's administrators maintain accurate contact information on the Name.com management console and secure transmission at all times.
- Customer Rights
- Independent Determination. Customer is responsible for reviewing the information made available by Name.com relating to data security and its Security Standards and making an independent determination as to whether the Applicable Services meets Customer's requirements and legal obligations as well as Customer's obligations under this Addendum. The information made available is intended to assist Customer in complying with Customer's obligations under applicable Data Protection Laws, including the GDPR and CCPA, in respect of data protection impact assessments and prior consultation.
- Audit Rights. Upon Customer's request, and provided that the parties have an applicable non-disclosure agreement in place, Name.com will provide to Customer a list of administrative and technical controls utilized to ensure the protection of systems and data. Name.com will make this documentation available to Customer via secure file share and this documentation will be treated as Confidential Information under the applicable non-disclosure agreement. Additionally, such requests may only be made on an annual basis. If the requested audit scope is addressed in an SSAE 16/ISAE 2403 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer's request and Name.com confirms there are no known material changes in the controls audited, the Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
- Transfers of Personal Data
- U.S. Based Processing. Except where specifically noted in the Terms of Service, Customer Data is required to be transferred outside the EEA and processed in the United States to ensure that the Terms of Service can be fully implemented.
- Privacy Shield. Name.com, as part of Donuts Inc., complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield. Transfers shall ordinarily be carried out in line with our undertakings and obligations under Privacy Shield; however, notwithstanding this, and in the event that Privacy Shield is considered not applicable or invalid, the Parties shall rely on the application of Standard Contractual Clauses, and any amendments or changes to any other law relating to data and privacy as may be amended, superseded or replaced (incorporated at Annex 3). Where applicable, the Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an equivalent and adequate level of protection for Personal Data. The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses will not apply where the data is transferred in accordance with a recognized compliance standard for the lawful transfer of Personal Data outside the EEA, such as when necessary for the performance of Applicable Services pursuant to the Terms of Service or with your consent.
- In all other circumstances for the avoidance of any doubt, the Customer shall undertake that the transfer is necessary for the conclusion or performance of a contract, concluded in the interest of the Data Subject, between the controller and the processor.
- Termination of the Addendum
- This Addendum will continue in force until the termination of our processing in accordance with the Terms of Service (the "Termination Date").
- Return or Deletion of Customer Data
- As described in the Applicable Services, the Customer may be provided with controls that may be used to retrieve or delete Customer Data. Any deletion of Customer Data will be governed by the terms of the particular Applicable Services and in accordance with applicable legislation.
- Limitations of Liability
- The liability of each party under this Addendum will be subject to the exclusions and limitations of liability set out in the Terms of Service. Customer agrees that any regulatory penalties incurred by Name.com in relation to the Customer Data that arise as a result of, or in connection with, Customer's failure to comply with its obligations under this Addendum and any applicable Data Privacy Laws will be the sole responsibility of Customer and will count towards and reduce Name.com's liability under the Terms of Service as if it were liability to the Customer under the Terms of Service.
- Entire Terms of Service; Conflict
- This Addendum supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and Name.com, whether written or oral, regarding the subject matter of this Addendum, including any data processing addenda entered into between Name.com and Customer with regard to the processing of personal data and on the free movement of such data. Except as amended by this Addendum, the Terms of Service will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Terms of Service and this Addendum, the terms of this Addendum will control.
- Technical and Organizational Measures
We are committed to protecting our customers' information. Taking into account the best practices, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons, we have implemented the following technical and organizational measures. When selecting the measures, the confidentiality, integrity, security, availability and resilience of the systems are evaluated. A quick and efficient recovery after a physical or technical incident is a priority requirement we endeavor to complete.
The following technical and organizational measures are in place as relates to Name.com owned and operated infrastructure:
- Information security policies;
- Security awareness training for all applicable employees;
- Physical security measures, including limited authorized access and access logging;
- Detection and response measures;
- Company-wide Document Retention Policy;
- Patch and vulnerability management;
- Role-based access control systems; and
- Incident management.
- Data Privacy Program
Our chosen partners, listed below, have established and maintain a global data governance structure and secure information throughout its lifecycle. Where we engage third-party hosting providers, we will ensure there are adequate data processing agreements and procedures in place to ensure the security of your data. We regularly assess and evaluate or test the effectiveness of their Data Privacy Program and Security Standards by reviewing and confirming that our partners' industry security certifications (SOC 2 Type, ISO 27001, etc.) are in compliance annually.
Our partners use a variety of physical and logical measures to protect the confidentiality of customer personal data. Those measures can be found here: https://www.ibm.com/support/customer/csol/terms/?cat=data-security#detail-document.