GDPR Amendment to Partner NOC Agreement
Print or Save
This amendment (the “GDPR Amendment”) to the Partner NOC Agreement is entered into by and between cPanel, L.L.C. (“cPanel”) and Partner NOC, as that term is defined in the Partner NOC Agreement (“Partner NOC”). This GDPR Amendment shall be effective as of June 8, 2018 (the “Amendment Effective Date”). cPanel and Partner NOC may be referred to as a “Party” and collectively as the “Parties” for purposes of this GDPR Amendment.
WHEREAS, the Parties entered into a Partner NOC Agreement (the “Partner NOC Agreement”);
WHEREAS, the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") is effective on May 25, 2018;
WHEREAS, the Parties seek to amend the Partner NOC Agreement to incorporate the GDPR; and
NOW, THEREFORE, in consideration of the promises and mutual covenants contained herein, the Parties hereby agree as follows:
- 1. Article 15 shall be incorporated into the Partner NOC Agreement as follows:
Data Protection Addendum. To the extent that cPanel processes any personal data on behalf of the Partner NOC in connection with the supply of Software or the provision of the Services and (a) the personal data relates to individuals located in the EEA; or (b) the Partner NOC is located in the EEA, the Parties agree that such personal data will be processed in accordance with the Data Processing Addendum attached here as Exhibit 9, in Annex 1, and incorporated into to the Partner NOC Agreement by reference. For the purposes of this Article 15, the terms "personal data", "process" and "EEA" have the meanings given in the Data Processing Addendum.
- 2. All provisions of the Partner NOC Agreement shall continue in full force and effect unless otherwise terminated pursuant to its terms or by operation of law.
IN WITNESS WHEREOF, the Parties hereto have executed this GDPR Amendment as of the Amendment Effective Date.
DATA PROCESSING ADDENDUM ("DPA")
2. DATA PROCESSING
- 1. DEFINITIONS
- 1.1 The following capitalized terms used in this DPA shall be defined as follows:
- (a) "Controller" has the meaning given in the GDPR.
- (b) "Partner Personal Data" means the "personal data" (as defined in the GDPR) described in Schedule 1 and any other personal data that cPanel processes on behalf of Partner NOC in connection with the provision of the Software and Services.
- (c) "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"), any applicable national implementing legislation including, and in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Partner Personal Data.
- (d) "Data Subject" has the meaning given in the GDPR.
- (e) "EEA" means the European Economic Area, being the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- (g) "Processing" has the meaning given in the GDPR, and "Process" will be interpreted accordingly.
- (h) "Processor" has the meaning given in the GDPR.
- (i) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Partner Personal Data.
- (j) "Subprocessor" means any Processor engaged by cPanel who agrees to receive from cPanel Partner Personal Data.
- (k) "Supervisory Authority" has the meaning given in the GDPR.
- (l) "Transparency Report” shall mean cPanel’s transparency report, as amended, currently located at https://cpanel.com/transparency-report.html
3. TRANSFER OF PERSONAL DATA
- 2.1 Instructions for Data Processing. cPanel will only Process Partner Personal Data in accordance with Partner NOC’s written instructions. The Partner NOC Agreement (subject to any changes agreed between the parties) and this DPA shall be Partner NOC’s complete and final instructions to cPanel in relation to the Processing of Partner Personal Data.
- 2.2 Processing outside the scope of this DPA or the Partner NOC Agreement will require prior written agreement between Partner NOC and cPanel on additional instructions for Processing.
- 2.3 Required consents. Where required by applicable Data Protection Laws, Partner NOC will ensure that it has obtained/will obtain all necessary consents for the Processing of Partner Personal Data by cPanel in accordance with the Agreement.
4. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
- 3.1 Partner NOC agrees that cPanel may use Subprocessors to fulfil its contractual obligations under the Partner NOC Agreement. cPanel shall notify Partner NOC from time-to-time of the identity of any new Subprocessors it engages. If Partner NOC (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Partner Personal Data only, Partner NOC may request that cPanel move the Partner Personal Data to another Subprocessor and cPanel shall, within a reasonable time following receipt of such request, use reasonable endeavors to ensure that the original Subprocessor does not Process any of the Partner Personal Data. If it is not reasonably possible to use another Subprocessor, and Partner NOC continues to object for a legitimate reason, either party may terminate the Agreement on thirty days written notice. If Partner NOC does not object within thirty days of receipt of the notice, Partner NOC is deemed to have accepted the new Subprocessor.
- 3.2 Except as set out in paragraph 3.1, cPanel shall not permit, allow or otherwise facilitate Subprocessors to Process Partner Personal Data without Partner NOC’s prior written consent and unless cPanel:
- (a) enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Partner Personal Data, as are imposed on cPanel under this DPA; and
- (b) at all times remains responsible for compliance with its obligations under the DPA and will be liable to Partner NOC for the acts and omissions of any Subprocessor as if they were cPanel’s acts and omissions.
- 3.3 Prohibition on International Transfers of Personal Data. Partner NOC acknowledges that cPanel or its Subprocessors may access the Partner Personal Data outside the EEA or Switzerland.
5. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
- 4.1Security Obligations. cPanel will implement and maintain the technical and organizational measures set out in Schedule 2. Partner NOC acknowledges and agrees that these measures ensure a level of security that is appropriate to the risk.
- 4.2 Upon Partner NOC’s reasonable request, cPanel will make available all information reasonably necessary to demonstrate compliance with this DPA.
- 4.3 Security Incident Notification. If cPanel becomes aware of a Security Incident, cPanel will: (a) notify Partner NOC of the Security Incident within 72 hours, (b) investigate the Security Incident and provide Partner NOC (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
- 4.4 Employees and Personnel. cPanel will treat the Partner Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Partner Personal Data.
- 4.5 Audits. cPanel will, upon Partner NOC’s reasonable request, allow for and contribute to audits, including inspections, of its compliance with this DPA, conducted by Partner NOC (or a third party on Partner NOC’s behalf and mandated by Partner NOC) provided: (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (iii) are conducted in a manner that causes minimal disruption to cPanel’s operations and business.
6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- 5.1 Government Disclosure. cPanel will notify Partner NOC of any request for the disclosure of Partner Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency, and subject to the terms of cPanel’s Transparency Report.
- 5.2 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, cPanel will use reasonable endeavors to assist Partner NOC by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Partner NOC’s obligation to respond to requests for exercising Data Subject rights set out in the GDPR.
- 6.1 To the extent required under applicable Data Protection Laws, cPanel will provide Partner NOC with reasonably requested information to enable Partner NOC to carry out data protection impact assessments or prior consultations with any Supervisory Authority, to the extent that either is solely in relation to Processing of Partner Personal Data and taking into account the nature of the Processing and information available to cPanel.
8. GOVERNING LAW
- 7.1 Deletion of data. Subject to 7.2 below, cPanel will, at Partner NOC’s election and within 90 days of the date of termination of the Partner NOC Agreement at cPanel’s election:
- (a) return a copy of all Partner Personal Data Processed by cPanel by secure file transfer to Partner NOC (and securely delete all other copies of Partner Personal Data Processed by cPanel); or
- (b) securely delete the Partner Personal Data Processed by cPanel.
- 7.2 cPanel and its Subprocessors may retain Partner Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that cPanel ensures the confidentiality of all such Partner Personal Data and shall ensure that such Partner Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
- 8.1 This DPA shall be governed by, and construed in accordance with, the laws of Republic of Ireland.
DETAILS OF THE PROCESSING OF PARTNER PERSONAL DATA
This Schedule 1 includes certain details of the Processing of Partner Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Partner Personal Data
The subject matter and duration of the Processing of the Partner Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Partner Personal Data
The types of Partner Personal Data to be Processed
The categories of Data Subject to whom the Partner Personal Data relates
The obligations and rights of Partner NOC
The obligations and rights of Partner NOC are as set out in this DPA.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
cPanel maintains a breach response plan that is tested annually. Employee access to information containing personal data is limited in scope and by job functionality. This access limitation is imposed both by policy and by technical limitations on access throughout cPanel.
cPanel maintains dedicated information security teams. One team is responsible for the internal security of our network, the other is responsible for the security of the cPanel software products (“Products”). Our product development team includes employees who monitor our Products and software included in our Products for security issues and responsibly report issues upstream. Both the internal security team, and the product development security team, are responsible for identifying vulnerabilities and responding to security events.
Our security documentation, policies, and processes are frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats. We incorporate “agile” processes into our security processes resulting in continuous updating and revisions necessary to meet ongoing threats. Our security documentation is based on the NIST Cyber Security Framework. This Framework allows us to identify, score, protect, detect, respond and recover from security events.
All staff are subject to locally permissible background checks. Our employees are bound by obligations of confidentiality and non-disclosure that are strictly enforced. Outgoing employees receive detailed debriefings on exit. Portable devices provided by cPanel are monitored. All employees receive security awareness and security training. Additional training is provided based on employee function. Security team members attend security conferences to get outside training each year.
We store data in U.S. based colocation facilities. Our colocation providers are required by contract to meet industry standard security mandates and provide us with notice of a breach. Access to our colocation area is physically and logically controlled.
Access to our facilities is controlled in two or more places. Access is recorded and subject to review. Our facilities are monitored internally and externally by closed circuit video that is archived. Visitors to non-public areas of our facilities are required to be accompanied by an employee at all times. Facilities are patrolled by an independent security company.
The security of our internal network is tested continually. Access to the network is controlled and permissioned. Access to our internal management platform is secured, access is controlled, permissioned and monitored. Remote access is controlled, permissioned and monitored.
Excess equipment is reviewed to determine if data is present. Following inspection, this equipment is disposed of in a manner that meets industry standards for rendering the equipment and residual unusable. Only equipment that did not contain proprietary information is reused.
Security is considered at all stages of our Product design and engineering. We use a combination of regularly scheduled security tests of our Product and security review with each major version. We also sponsor a bug bounty program.
We follow a continuous integration methodology for our Product’s code. We consider security needs by undertaking code reviews as part of the code release process. All code is reviewed multiple times prior to being committed to the Product. New Product releases are deployed to a secure staging environment for testing before being deployed to production.
Employee access to the code underlying our Product is access restricted. Employees must undergo specific training related to Product code prior to gaining access. Employees without a specific job function requiring access to the code are prohibited from accessing the code. We maintain logical restrictions on such access, and monitor employee use and access.
cPanel uses strong encryption to secure the transmission of Personal Information across the Public Internet, provided that such a use is supported by the vendor. Use of encryption during transmission, and of the data at rest, is included in cPanel’s contracting process. Our Product facilitates use of encryption in transmission and at rest, to the extent the use of encryption is compatible with the function of the Product. We encrypt information containing personal data at rest when used internally, to the extent encryption is compatible with the use of that data internally.
When we access a customer’s data to provide technical support, this access is logged, and the internal use monitored. When cPanel accesses a customer’s live data, the customer provides express permission to such access and that access is authorized only as related to the customer inquiry and linked to that inquiry.
Print or Save