CleanDNS Controller to Processor Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (“DPA”) forms part of and is incorporated into the Terms of Service or other written or electronic agreement governing Client’s use of the CleanDNS Platform and Services (“Agreement”) between you (“Client”) and CleanDNS, Inc. (“Service Provider”) (each a “party” and together the “parties”).
In the course of providing the Service to Client, Service Provider may process Client Data (defined below) and the parties agree to comply with the following provisions with respect to any processing of Client Data by Service Provider as a processor or service provider to Client.
- Capitalized terms used in this DPA shall have the meanings given to them in the Agreement unless otherwise defined herein. The following definitions are used in this DPA:
- “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
- “Authorized Affiliate” means any Client Affiliate that is permitted to access or use the Service pursuant to the Agreement but that has not signed its own “Main Agreement” and is not a “Client” as defined under the Main Agreement.
- “CPRA” means the California Privacy Rights Act (CPRA) which amends and expands the existing California Consumer Privacy Act (CCPA)(Sections 1798.100 et seq. of the California Civil Code) and any attendant regulations issued thereunder as may be amended from time to time.
- “Client” means the client identified in the MSA entered into between CleanDNS and Client.
- “Client Data” means any Client data that is Personal Data and that Service Provider processes on behalf of Client in the course of providing the Service, as more particularly described in Schedule A of this DPA.
- “Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term “Controlled” will be construed accordingly.
- “Data Protection Laws” means all data protection and privacy laws or regulations applicable to a party and its processing of Personal Data under the Agreement, including, where applicable: (a) the GDPR, (b) all applicable implementations of the GDPR into national law, (c) in respect of the United Kingdom, the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), (d) the Swiss Federal Data Protection Act (“Swiss DPA”), and (e) the CCPA; in each case, as may be amended, superseded or replaced.
- “Europe” means for the purposes of this DPA the European Economic Area (“EEA”), United Kingdom and Switzerland.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
- “MSA” means the Master Services Agreement.
- “Personal Data” means any information identified as “personal data”, “personal information” or “personally identifiable information” under Data Protection Laws.
- “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Client Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission (“EEA Restricted Transfer”); (ii) where the UK GDPR applies, a transfer of Client Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (“UK Restricted Transfer”); and (iii) where the Swiss DPA applies, a transfer of Client Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable) (“Swiss Restricted Transfer”).
- “Standard Contractual Clauses” means the standard contractual clauses between controllers and processors (Module 2) adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 and currently located at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as amended, superseded or replaced from time to time.
- “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Client Data, stored or otherwise processed by Service Provider in connection with the provision of the Service. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful login attempts, pings, port scans, denial of services attacks, and other network attacks on firewalls or networked systems.
- “Subprocessor” means any Processor having access to Client Data and engaged by Service Provider to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement (excluding any employee, consultant or independent contractor of Service Provider).
- The terms “controller”, “data subject”, “processor”, “processing”, “personal data” and “sensitive data” shall have the meanings given to them in Data Protection Laws or, if not defined therein, the GDPR, and the terms “service provider” and “business” have the meaning set forth in the CCPA.
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by UK Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.
- Roles and Scope of Processing
- Data Processing Roles. Service Provider shall process Client Data for the Permitted Purpose as a processor on behalf of Client as the controller. For the purposes of the CCPA (where applicable), Service Provider shall process Client Data as a service provider for the Client as a business.
- Compliance with Laws. Each party shall comply with its obligations under Data Protection Laws in respect of any Client Data it processes under this DPA.
- Processing Instructions. Service Provider shall process Client Data in accordance with Client’s documented lawful instructions, unless obligated to do otherwise by applicable law, in which case Service Provider will notify Client (unless that law prohibits Service Provider from doing so on important grounds of public interest). For these purposes, Client instructs Service Provider to process Client Data for the purposes described in Schedule A (the “Permitted Purpose(s)”). The DPA and the Agreement are Client’s complete and final instructions. Any additional or alternate instructions must be consistent with the terms of the DPA and the Agreement. Without prejudice to Section 2.4 (Client Responsibilities), Service Provider shall promptly notify Client in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any processing instruction from Client violates Data Protection Laws (but without obligation to actively monitor Client’s compliance with Data Protection Laws), and in such event Service Provider shall not be obligated to undertake such processing until such time as the Client has updated its processing instructions and Service Provider has determined that the incidence of non-compliance has been resolved.
- Client Responsibilities. Client shall, in its use of the Service and provision of instructions, process Client Data in accordance with Data Protection Laws. Client is solely responsible for: (i) the accuracy, quality, and legality of the Client Data, (ii) the means by which Client acquired such Client Data; and (iii) the instructions it provides to Service Provider regarding the processing of such Client Data. Client shall ensure (i) that it has provided notice and obtained (or will obtain) all consents and rights necessary for Service Provider to process Client Data pursuant to the Agreement and this DPA, (ii) its instructions are lawful and that the processing of Client Data in accordance with such instructions will not violate applicable Data Protection Laws, and (iii) where the CCPA applies, that the Client Data is provided to Service Provider in order to perform the Service for a valid “business purpose” (as defined in CCPA) only.
- Subprocessing
- Authorized Subprocessors. Client provides a general prior authorization for Service Provider to engage Subprocessors in order to provide the Service, with the understanding that they act in accordance with applicable data protection legislation and that those Subprocessors are subject to the same data protection obligations as set out in this DPA, by way of contract or other legal act. The Subprocessors currently engaged by Service Provider are listed in Appendix 1. Service Provider will remain responsible for any acts or omissions of any Subprocessor that cause Service Provider to breach any of its obligations under this DPA.
- Notification of New Subprocessors. Service Provider will maintain a list of Subprocessors at http://trust.cleandns.com (the “Subprocessor Site”) and provide Client with a mechanism to obtain notice of any updates to the Subprocessor Site, including the option to subscribe to notifications. At least ten (10) days prior to authorizing any new Subprocessor to process Client Data, Service Provider will provide notice to Client by updating the Subprocessor Site.
- Security Measures and Security Incident Response
- Security Measures. Service Provider will implement and maintain appropriate and reasonable technical and organizational security measures designed to protect Client Data from Security Incidents and to preserve the security and confidentiality of the Client Data in accordance with the security measures described in Schedule B (“Security Measures”). Client acknowledges that the Security Measures are subject to technical progress and development and that Service Provider may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Client. Where a material change is envisaged that may affect the agreed security measures as agreed at the time of signature, such a material change must be notified in writing to the Client, in advance of any such change, who must agree to the changes in writing. Such agreement shall not be unreasonably withheld.
- Personnel. Service Provider restricts its personnel from processing Client Data without authorization by Service Provider as set forth in the Security Measures and shall ensure that any person who is authorized by Service Provider to process Client Data is under an appropriate obligation of confidentiality.
- Client Responsibilities. Where a service use is envisaged (see Schedule A), Client agrees that except as provided by this DPA, Client is responsible for its secure use of the Service, including, if applicable, securing its account authentication credentials, protecting the security of Client Data transmitted via the systems it administers and maintains (i.e. email encryption), and taking any appropriate steps to securely encrypt or back up any Client Data uploaded to the Service.
- Security Incident Response. Upon confirmation of a Security Incident, Service Provider will notify Client without undue delay and, in any case within twenty-four (24) hours of such confirmation. Service Provider will provide information relating to the Security Incident to Client promptly as it becomes known or as is reasonably requested by Client to fulfill Client’s obligations as controller. Service Provider will also take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident.
- Audit and Records
- Audit Rights. Service Provider shall make available to Client all information in Service Provider’s possession or control and provide all assistance in connection with audits of Service Provider’s premises, systems, and documentation as Client may reasonably request to enable Client to assess Service Provider’s compliance with this DPA. Client acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 5 and where applicable, the Standard Contractual Clauses) by instructing Service Provider to comply with the audit measures described in the Security Measures and Section 5.2 (Audit Procedures) below.
- Audit Procedures. Where required under Data Protection Laws or where a data protection authority requires, Client may, on giving at least thirty (30) days’ prior written notice, request that Client’s personnel or a third party (at Client’s expense) conduct an audit of Service Provider’s facilities, equipment, documents and electronic data relating to the processing of Client Data under the Agreement to the extent necessary to inspect and/or audit Service Provider’s compliance with this DPA, provided that: (i) Client shall not exercise this right more than once per calendar year; (ii) such additional audit enquiries shall not unreasonably impact in an adverse manner Service Provider’s regular operations and shall not prove to be incompatible with applicable Data Protection Laws or with the instructions of the relevant data protection authority; (iii) before the commencement of such additional audit, the parties shall mutually agree upon the scope, timing, and duration of the audit; and (iv) at all times during the audit, Client and any appointed third party will comply with Service Provider’s policies, procedures, and reasonable instructions governing access to its systems and facilities, including limiting or prohibiting access to information that is confidential information. Without prejudice to the foregoing, Service Provider will provide all assistance reasonably requested by Client to accommodate Client’s request.
- If the requested audit scope referred to in Section 5.1 is addressed in an SSAE 16/ISAE 2403 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of the Client audit request, and the Service Provider confirms there are no known material changes in the controls audited, the Client agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
- Data Transfers. Client acknowledges and agrees that Service Provider may transfer and process Client Data to and in the United States and other locations in which Service Provider, its Affiliates, or its Subprocessors maintain data processing operations as more particularly described in the Subprocessor Site (defined above). Service Provider shall ensure that such transfers are made in compliance with Data Protection Laws and this DPA.
- Return or Deletion of Data. Promptly upon Client’s request, or within one hundred eighty (180) days after the termination or expiration of the Agreement, Service Provider shall delete or return Client Data in its possession or control. This requirement shall not apply to the extent Service Provider is required by applicable law to retain some or all of the Client Data, or to Client Data it has archived on back-up systems, which Client Data Service Provider shall securely isolate and protect from any further processing, except to the extent required by such laws.
- Cooperation
- Data Subject Rights Requests. Service Provider shall, taking into account the nature of the processing, reasonably assist Client in responding to any requests from individuals or applicable data protection authorities relating to the processing of Client Data for the Permitted Purposes. In the event that any such request is made to Service Provider directly, Service Provider will not respond to such communication directly (except to direct the data subject to contact Client) without Client’s prior authorization, unless legally compelled to do so. If Service Provider is required to respond to such a request, Service Provider will promptly notify Client and provide it with a copy of the request unless legally prohibited from doing so.
- Data Protection Impact Assessments (DPIAs). To the extent required under Data Protection Laws applicable to Europe, Service Provider will provide requested information regarding the Service necessary to enable Client to carry out data protection impact assessments and prior consultations with data protection authorities.
- Europe, UK and Swiss Transfers
- Scope. The terms in this Section 9 apply only if and to the extent Client is established in Europe or the Client Data is otherwise subject to Data Protection Laws applicable to Europe.
- Subprocessor Obligations. Service Provider will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective of Client Data as this DPA or the Data Protection Laws to the extent applicable to the nature of the services provided by such Subprocessor.
- Subprocessor Objection Right. If Client objects on reasonable grounds relating to data protection to Service Provider’s use of a new Subprocessor, then Client shall promptly, and within ten (10) days following Service Provider’s notification pursuant to Section 3.2 (Notification of New Subprocessors) above, provide written notice of such objection to Service Provider. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties cannot agree to a mutually acceptable resolution, Client shall, as its sole and exclusive remedy, have the right to terminate the relevant affected portion(s) of the Service without liability to either party (but without prejudice to any fees incurred by Client prior to suspension or termination). Upon termination by Client pursuant to this Section, Service Provider shall refund Client any prepaid fees for the terminated portion(s) of the Service that would have been provided after the effective date of the termination.
- Transfer Mechanism. To the extent the transfer of Client Data from Client to Service Provider is a Restricted Transfer and Data Protection Laws applicable to Europe require that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be incorporated by reference into and form an integral part of this DPA, as follows:
- In connection with an EEA Restricted Transfer: (i) Module Two (controller to processor transfers) shall apply and all other modules are deleted; (ii) in Clause 7, the optional docking clause will not apply; (iii) in Clause 9 of Module Two, Option 2 will apply and the time period for prior notice of Subprocessor changes is identified in Section 3.2 of this DPA; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 13, the second paragraph shall apply and Data Importer confirms that it has an appointed representative in the Republic of Ireland; (vi) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) Annex I shall be deemed completed with the information set out in Schedule A (Description of Processing/Transfer) of this DPA; and (ix) Annex II shall be deemed completed with the information set out in Schedule B (Security Measures) (as applicable) of this DPA.
- In connection with a UK Restricted Transfer, the Standard Contractual Clauses shall apply in accordance with Section 9.5(a) above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Schedule A and Schedule B of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
- In connection with a Swiss Restricted Transfer, the Standard Contractual Clauses shall apply in accordance with Section 9.4.1 above, but with the following modifications: (i) any references in the Standard Contractual Clauses to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; (iii) any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and (iv) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
- The rights and obligations afforded by Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
- Data Transfer Arrangements. To the extent Service Provider adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses adopted pursuant to Data Protection Laws) for the transfer of Personal Data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws applicable to Europe and extends to territories to which Personal Data is transferred).
- Notification of Government Access Requests: For the purposes of Clause 15(1)(a) of Standard Contractual Clauses, Service Provider shall notify Client and not the data subject(s) in case of government access requests. Client shall be solely responsible for promptly notifying the data subject, as necessary.
- Authorized Affiliates
- Affiliate Communications. Client is responsible for coordinating all communications with Service Provider on behalf of its Authorized Affiliates with regard to this DPA. Client represents that it is authorized to issue instructions as well as make and receive any communications in relation to this DPA on behalf of its Authorized Affiliates.
- Affiliate Enforcement. Authorized Affiliates may enforce the terms of this DPA directly against Service Provider, subject to the following provisions:
- Client will bring any legal action, suit, claim, or proceeding which the Affiliate would otherwise have if it were a party to the Agreement (each an “Affiliate Claim”) directly against Service Provider on behalf of such Affiliate, except where Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate bring or be a party to such Affiliate Claim; and
- For the purpose of any Affiliate Claim brought directly against Service Provider by Client on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Client.
- Limitation of Liability
- In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
- Any claims or remedies Client or its Affiliates may have against Service Provider and its respective employees, agents, or Subprocessors arising under or in connection with this DPA, including: (i) for breach of this DPA (including the Standard Contractual Clauses or the UK Addendum, where applicable); (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Client; (iii) under GDPR, UK GDPR or Swiss DPA, including any claims relating to damages paid to a data subject; and (iv) for breach of its obligations under the Standard Contractual Clauses or UK Addendum, will, to the maximum extent permitted by law, be subject to any limitation and exclusion of liability provisions (including any agreed aggregate financial cap) that apply under the Main Agreement.
- For the avoidance of doubt, Service Provider and its Affiliates’ total overall liability for all claims from Client and its Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under the Agreement and this DPA together, including by Client and its Affiliates.
- Miscellaneous
- For the purposes of the CCPA, Service Provider shall not: (i) sell Client Data;
- (ii) retain, use, or disclose Client Data for any purposes other than the specific purposes of performing the Service or as otherwise permitted under the Agreement and this DPA; or
- (iii) retain, use or disclose Client Data outside the direct business relationship between Service Provider and Client.
- Notwithstanding the foregoing and anything to the contrary in the Agreement (including this DPA), Client acknowledges that Service Provider shall have a right to process Client Data for the purposes of creating anonymized, aggregate and/or de-identified information for its own legitimate business purposes, including where Client has requested a Service Provider Service.
- General
- The parties agree that this DPA shall replace any existing DPA the parties have previously entered into in connection with the Service.
- As between Client and Service Provider, this DPA is incorporated into and subject to the terms of the Agreement and shall be effective and remain in force for the term of the Agreement or the duration of the Service. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Client Data.
- Except as described in Section 10 (Authorized Affiliates), in no event shall this DPA benefit or create any right or cause of action on behalf of a third party, but without prejudice to the rights or remedies available to data subjects under Data Protection Laws or this DPA (including the Standard Contractual Clauses).
- Each party acknowledges that the other party may disclose the Standard Contractual Clauses, this DPA, and any privacy related provisions in the Agreement to any regulator or supervisory authority upon request.
- Other than as required by applicable Data Protection Laws or the Standard Contractual Clauses, the dispute mechanisms, including those related to venue and jurisdiction, set forth in the Agreement govern any dispute pertaining to this DPA.
* Signature Page Follows *
| Controller | “Client” as per the Agreement | Processor | CleanDNS Inc. |
|---|---|---|---|
| Signature | Signature of the MSA is deemed signature of this DPA. | Signature | Signature of the MSA is deemed signature of this DPA. |
| Name | Name is as per the signature section of the MSA. | Name | Name is as per the signature section of the MSA. |
| Title | Title is as per the signature section of the MSA. | Title | Title is as per the signature section of the MSA. |
| Date | Date is as per the signature section of the MSA. | Date | Date is as per the signature section of the MSA. |
Appendix 1
List of Subprocessors
The list of Subprocessors is accessible at the CleanDNS Trust Center via https://trust.cleandns.com/subprocessors. Any changes to this list shall be communicated as per Section 3.2 of this DPA.
SCHEDULE A
Description of Processing/Transfer
Annex 1(A) List of Parties:
| Data Exporter | Data Importer |
|---|---|
| Name: “Client” as per the MSA | Name: CleanDNS Inc. |
| Address: “Client” address as per the MSA | Address: Post Office Box 364, Yardley, Pennsylvania, 19067 |
| Contact person’s name, position and contact details: Contact of the Client as per the MSA. | Contact person’s name, position and contact details: Alan Woods – General Counsel, privacy@cleandns.email |
| Activities relevant to the transfer: See Annex 1(B) below. | Activities relevant to the transfer: See Annex 1(B) below. |
| Signature and Date: Signature of the Agreement is deemed signature of this DPA. | Signature and Date: Signature of the Agreement is deemed signature of this DPA. |
| Role: CONTROLLER | Role: PROCESSOR |
Annex 1(B) Description of Transfer:
| Item | Description |
|---|---|
| Categories of Data Subjects: | Contacts for Registrars, Registries and hosting companies for communication and escalation purposes; Domain name Registrants. Note: the collection of registrant data from the Controller is only envisaged IF agreed to in the SOW. |
| Categories of Personal Data: | As per the Agreement and applicable SOWs |
| Special category data (if appropriate): | |
| Frequency of the transfer (one-off or continuous): | Continuous |
| Nature of processing: | The nature of the processing is the performance of the Service in accordance with the Agreement and applicable SOWs |
| Purpose(s) of the data transfer and further processing: | As per the Agreement and applicable SOWs |
| Retention period (or, if not possible to determine, the criteria used to determine that period): | Retention periods are in line with expectations relating to reasonable legal obligations and/or in reasonable contemplation of legal proceedings. PII shall be retained for a period of no more than 6 years (in a secure archived format) after the termination of the Agreement and all relevant SOWs. |
| For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: | As per the Agreement and applicable SOWs |
Annex 1(C): Competent supervisory authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the 2021 Controller-to-Processor Clauses and the GDPR, as referenced in section 9(4)(1) of the DPA.
SCHEDULE B
Technical and Organizational Security Measures
See http://trust.cleandns.com for the SOC 2 Type 2 audit report for 2024.