This amendment (the “GDPR Amendment”) to the Partner NOC Agreement is entered into by and between cPanel, Inc. (“cPanel”) and Partner NOC, as that term is defined in the Partner NOC Agreement (“Partner NOC”). This GDPR Amendment shall be effective as of June 8, 2018 (the “Amendment Effective Date”). cPanel and Partner NOC may be referred to as a “Party” and collectively as the “Parties” for purposes of this GDPR Amendment.
WHEREAS, the Parties entered into a Partner NOC Agreement (the “Partner NOC Agreement”);
WHEREAS, the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) is effective on May 25, 2018;
WHEREAS, the Parties seek to amend the Partner NOC Agreement to incorporate the GDPR; and
NOW, THEREFORE, in consideration of the promises and mutual covenants contained herein, the Parties hereby agree as follows:
This Schedule 1 includes certain details of the Processing of Partner Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Partner Personal Data
The subject matter and duration of the Processing of the Partner Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Partner Personal Data
The types of Partner Personal Data to be Processed
The categories of Data Subject to whom the Partner Personal Data relates
The obligations and rights of Partner NOC
The obligations and rights of Partner NOC are as set out in this DPA.
cPanel maintains a breach response plan that is tested annually. Employee access to information containing personal data is limited in scope and by job functionality. This access limitation is imposed both by policy and by technical limitations on access throughout cPanel.
cPanel maintains dedicated information security teams. One team is responsible for the internal security of our network; the other is responsible for the security of the cPanel software products (“Products”). Our product development team includes employees who monitor our Products and software included in our Products for security issues and responsibly report issues upstream. Both the internal security team and the product development security team are responsible for identifying vulnerabilities and responding to security events.
Our security documentation, policies, and processes are frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats. We incorporate “agile” processes into our security processes resulting in continuous updating and revisions necessary to meet ongoing threats. Our security documentation is based on the NIST Cyber Security Framework. This Framework allows us to identify, score, protect, detect, respond and recover from security events.
All staff are subject to locally permissible background checks. Our employees are bound by obligations of confidentiality and non-disclosure that are strictly enforced. Outgoing employees receive detailed debriefings on exit. Portable devices provided by cPanel are monitored. All employees receive security awareness and security training. Additional training is provided based on employee function. Security team members attend security conferences to get outside training each year.
We store data in U.S. based colocation facilities. Our colocation providers are required by contract to meet industry standard security mandates and provide us with notice of a breach. Access to our colocation area is physically and logically controlled.
Access to our facilities is controlled in two or more places. Access is recorded and subject to review. Our facilities are monitored internally and externally by closed circuit video that is archived. Visitors to non-public areas of our facilities are required to be accompanied by an employee at all times. Facilities are patrolled by an independent security company.
The security of our internal network is tested continually. Access to the network is controlled and permissioned. Access to our internal management platform is secured; access is controlled, permissioned and monitored. Remote access is controlled, permissioned and monitored.
Excess equipment is reviewed to determine if data is present. Following inspection, this equipment is disposed of in a manner that meets industry standards for rendering the equipment and residual data unusable. Only equipment that did not contain proprietary information is reused.
Security is considered at all stages of our Product design and engineering. We use a combination of regularly scheduled security tests of our Product and security review with each major version. We also sponsor a bug bounty program.
We follow a continuous integration methodology for our Product’s code. We consider security needs by undertaking code reviews as part of the code release process. All code is reviewed multiple times prior to being committed to the Product. New Product releases are deployed to a secure staging environment for testing before being deployed to production.
Employee access to the code underlying our Product is restricted. Employees must undergo specific training related to Product code prior to gaining access. Employees without a specific job function requiring access to the code are prohibited from accessing the code. We maintain logical restrictions on such access, and monitor employee use and access.
cPanel uses strong encryption to secure the transmission of Personal Information across the Public Internet, provided that such a use is supported by the vendor. Use of encryption during transmission, and of the data at rest, is included in cPanel’s contracting process. Our Product facilitates use of encryption in transmission and at rest, to the extent the use of encryption is compatible with the function of the Product. We encrypt information containing personal data at rest when used internally, to the extent encryption is compatible with the use of that data internally.
When we access a customer’s data to provide technical support, this access is logged, and the internal use monitored. When cPanel accesses a customer’s live data, the customer provides express permission to such access and that access is authorized only as related to the customer inquiry and linked to that inquiry.
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.