GDPR Amendment to Partner NOC Agreement

  • Amendments

    • This amendment (the “GDPR Amendment”) to the Partner NOC Agreement is entered into by and between cPanel, Inc. (“cPanel”) and Partner NOC, as that term is defined in the Partner NOC Agreement (“Partner NOC”). This GDPR Amendment shall be effective as of June 8, 2018 (the “Amendment Effective Date”). cPanel and Partner NOC may be referred to as a “Party” and collectively as the “Parties” for purposes of this GDPR Amendment.

    Print or Save

    WHEREAS, the Parties entered into a Partner NOC Agreement (the “Partner NOC Agreement”);

    WHEREAS, the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) is effective on May 25, 2018;

    WHEREAS, the Parties seek to amend the Partner NOC Agreement to incorporate the GDPR; and

    NOW, THEREFORE, in consideration of the promises and mutual covenants contained herein, the Parties hereby agree as follows:

      1. 1. Article 15 shall be incorporated into the Partner NOC Agreement as follows:

        ARTICLE 15

        Data protection

        Data Protection Addendum. To the extent that cPanel processes any personal data on behalf of the Partner NOC in connection with the supply of Software or the provision of the Services and (a) the personal data relates to individuals located in the EEA; or (b) the Partner NOC is located in the EEA, the Parties agree that such personal data will be processed in accordance with the Data Processing Addendum attached here as Exhibit 9, in Annex 1, and incorporated into to the Partner NOC Agreement by reference. For the purposes of this Article 15, the terms “personal data”, “process” and “EEA” have the meanings given in the Data Processing Addendum.

      2. 2. All provisions of the Partner NOC Agreement shall continue in full force and effect unless otherwise terminated pursuant to its terms or by operation of law.
      IN WITNESS WHEREOF, the Parties hereto have executed this GDPR Amendment as of the Amendment Effective Date.

    Exhibit 9 data processing addendum ("DPA")

    1. DEFINITONS
      1. 1.1 The following capitalized terms used in this DPA shall be defined as follows:
        1. Controller ” has the meaning given in the GDPR.
        2. Partner Personal Data” means the “personal data” (as defined in the GDPR) described in Schedule 1 and any other personal data that cPanel processes on behalf of Partner NOC in connection with the provision of the Software and Services.
        3. Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”), any applicable national implementing legislation including, and in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Partner Personal Data.
        4. Data Subject” has the meaning given in the GDPR.
        5. EEA” means the European Economic Area, being the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
        6. Privacy Policy” shall mean the Privacy Policy implemented by cPanel and incorporated in to the Partner NOC Agreement as amended from time-to-time. The Privacy Policy is currently located at https://cpanel.com/privacy-policy.html.
        7. Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly.
        8. Processor” has the meaning given in the GDPR.
        9. Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Partner Personal Data.
        10. Subprocessor” means any Processor engaged by cPanel who agrees to receive from cPanel Partner Personal Data.
        11. Supervisory Authority” has the meaning given in the GDPR.
        12. Transparency Report” shall mean cPanel’s transparency report, as amended, currently located at https://cpanel.com/transparency-report.html
    2. DATA PROCESSING
      1. 2.1 Instructions for Data Processing. cPanel will only Process Partner Personal Data in accordance with Partner NOC’s written instructions. The Partner NOC Agreement (subject to any changes agreed between the parties) and this DPA shall be Partner NOC’s complete and final instructions to cPanel in relation to the Processing of Partner Personal Data.
      2. 2.2 Processing outside the scope of this DPA or the Partner NOC Agreement will require prior written agreement between Partner NOC and cPanel on additional instructions for Processing.
      3. 2.3 Required consents. Where required by applicable Data Protection Laws, Partner NOC will ensure that it has obtained/will obtain all necessary consents for the Processing of Partner Personal Data by cPanel in accordance with the Agreement.
    3. TRANSFER OF PERSONAL DATA
      1. 3.1 Partner NOC agrees that cPanel may use Subprocessors to fulfil its contractual obligations under the Partner NOC Agreement. cPanel shall notify Partner NOC from time-to-time of the identity of any new Subprocessors it engages. If Partner NOC (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Partner Personal Data only, Partner NOC may request that cPanel move the Partner Personal Data to another Subprocessor and cPanel shall, within a reasonable time following receipt of such request, use reasonable endeavors to ensure that the original Subprocessor does not Process any of the Partner Personal Data. If it is not reasonably possible to use another Subprocessor, and Partner NOC continues to object for a legitimate reason, either party may terminate the Agreement on thirty days written notice. If Partner NOC does not object within thirty days of receipt of the notice, Partner NOC is deemed to have accepted the new Subprocessor.
      2. 3.2 Except as set out in paragraph 3.1, cPanel shall not permit, allow or otherwise facilitate Subprocessors to Process Partner Personal Data without Partner NOC’s prior written consent and unless cPanel:
        1. (a) enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Partner Personal Data, as are imposed on cPanel under this DPA; and
        2. (b) at all times remains responsible for compliance with its obligations under the DPA and will be liable to Partner NOC for the acts and omissions of any Subprocessor as if they were cPanel’s acts and omissions.
      3. 3.3 Prohibition on International Transfers of Personal Data. Partner NOC acknowledges that cPanel or its Subprocessors may access the Partner Personal Data outside the EEA or Switzerland, provided that cPanel maintains its certifications to the EU-U.S. Privacy Shield and Swiss-US Privacy Shield frameworks respectively.
    4. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
      1. 4.1 Security Obligations. cPanel will implement and maintain the technical and organizational measures set out in Schedule 2. Partner NOC acknowledges and agrees that these measures ensure a level of security that is appropriate to the risk.
      2. 4.2 Upon Partner NOC’s reasonable request, cPanel will make available all information reasonably necessary to demonstrate compliance with this DPA.
      3. 4.3 Security Incident Notification. If cPanel becomes aware of a Security Incident, cPanel will: (a) notify Partner NOC of the Security Incident within 72 hours, (b) investigate the Security Incident and provide Partner NOC (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
      4. 4.4 Employees and Personnel. cPanel will treat the Partner Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Partner Personal Data.
      5. 4.5 Audits. cPanel will, upon Partner NOC’s reasonable request, allow for and contribute to audits, including inspections, of its compliance with this DPA, conducted by Partner NOC (or a third party on Partner NOC’s behalf and mandated by Partner NOC) provided: (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (iii) are conducted in a manner that causes minimal disruption to cPanel’s operations and business.
    5. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
      1. 5.1 Government Disclosure. cPanel will notify Partner NOC of any request for the disclosure of Partner Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency, and subject to the terms of cPanel’s Transparency Report.
      2. 5.2 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, cPanel will use reasonable endeavors to assist Partner NOC by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Partner NOC’s obligation to respond to requests for exercising Data Subject rights set out in the GDPR.
    6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
      1. 6.1 To the extent required under applicable Data Protection Laws, cPanel will provide Partner NOC with reasonably requested information to enable Partner NOC to carry out data protection impact assessments or prior consultations with any Supervisory Authority, to the extent that either is solely in relation to Processing of Partner Personal Data and taking into account the nature of the Processing and information available to cPanel.
    7. TERMINATION
      1. 7.1 Deletion of data. Subject to 7.2 below, cPanel will, at Partner NOC’s election and within 90 days of the date of termination of the Partner NOC Agreement at cPanel’s election:
        1. return a copy of all Partner Personal Data Processed by cPanel by secure file transfer to Partner NOC (and securely delete all other copies of Partner Personal Data Processed by cPanel); or
        2. securely delete the Partner Personal Data Processed by cPanel.
      2. 7.2 cPanel and its Subprocessors may retain Partner Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that cPanel ensures the confidentiality of all such Partner Personal Data and shall ensure that such Partner Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
    8. GOVERNING LAW
      1. 8.1 This DPA shall be governed by, and construed in accordance with, the laws of Republic of Ireland.

    SCHEDULE 1

    DETAILS OF THE PROCESSING OF PARTNER PERSONAL DATA

    This Schedule 1 includes certain details of the Processing of Partner Personal Data as required by Article 28(3) of the GDPR.

    Subject matter and duration of the Processing of Partner Personal Data
    The subject matter and duration of the Processing of the Partner Personal Data are set out in the Agreement and this DPA.

    The nature and purpose of the Processing of Partner Personal Data
    The Partner Personal Data will be subject to basic Processing activities set out in the Privacy Policy including transmitting, collecting, storing and analyzing data, and any other activities related to the provision of the Software and Services or specified in the Agreement.

    The types of Partner Personal Data to be Processed
    The Partner Personal Data concern the categories of data set out in the Privacy Policy.

    The categories of Data Subject to whom the Partner Personal Data relates
    The categories of data applicable to this section are set out in the Privacy Policy.

    The obligations and rights of Partner NOC
    The obligations and rights of Partner NOC are as set out in this DPA.

    SCHEDULE 2

    Legal process should be served from an official government/law enforcement email address and sent to [email protected]. Law enforcement agents who are unable to include the legal process in an email may notify us via email of their limitations so we may coordinate service of process.

    Acceptance of legal process by any of these means is for convenience and does not waive any objections, including lack of jurisdiction or proper service.

    To prevent delays in processing your request, Law enforcement requests should be served on the Company at:

    cPanel, Inc.
    2550 North Loop W., Suite 4006 
    Houston, TX 77092 
    United States of America

    Please provide a courtesy copy to [email protected] to aid in our processing. By providing this email address, the Company does not consent to service of process by email or waive any objections to improper service or jurisdiction.

    05-15-2018