Current Version: 1.1
Provider Data Processing Addendum
Last Updated: 01 September 2021
Effective Date: 27 September 2021
This Data Processing Addendum (the “DPA”) is (i) attached to, and incorporates in the entirety, the Master Provider Agreement and (ii) applies to and if effective upon execution of a Project Addenda between Linode and Provider. Capitalized terms not expressly defined in this DPA shall have the meaning found in the MPA.
- Definitions. Capitalized terms which are used throughout this DPA are defined in the section in which they are first used or expressly modified as follows:
- “Covered Data Breach” means a breach of Provider’s security that directly results in the unintended loss or unauthorized disclosure of Covered PII on systems managed or controlled by Provider.
- “Covered PII” means any PII developed, collected, or transferred as a result of the Provider Services.
- “Covered Service” means any Provider Service provided to Linode as a result of an applicable Project Addenda.
- “Data Subject” means any natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to such natural person’s cultural, digital, economic, financial, mental, physical, physiological, or social identity.
- “Personal Identifiable Information” or “PII” means data that identifies, makes relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject but excluding any Data that is: (i) publicly and lawfully made available from federal, state, or local government records; (ii) publicly and lawfully made available by the applicable Data Subject; (iii) reasonably de-identified or obfuscated from non-Linode parties; or (iv) aggregated.
- “Process” and “Processed” and “Processing” collectively means any (i) direct or indirect and (ii) manual or automated (iii) access, acquisition, collected, development, implementation, maintenance, transmission, use and otherwise performance of any operation or set of operations upon Covered PII.
- “Third Party Service Provider” or “TSP” means any contractor, subcontractor, processor, subprocessor, and otherwise supplier of a Party in the ordinary course of such Party’s business.
- Instructions. Linode instructs Provider to Process Covered PII consistent with the provisions of the applicable Project. Linode shall be required to provide written, supplemental instructions to to Provider, with at least thirty (30) calendar days Notice, if Linode wishes for Provider to Process Covered PII in a manner that is inconsistent or supplemental to the terms of the applicable Project Addenda. Provider shall be solely responsible and liable for determining if Linode’s instructions to Provider for the Processing of Covered PII are consistent with the applicable Project Addenda and applicable law.
- Authority. Provider shall be permitted to Process Covered PII provided that Provider:
- implements and continues to implement technical and organizational measures in such a manner that Provider’s provision of the Provider Services complies, at a minimum, with the requirements of the GDPR and CCPA;
- engages TSPs to Process Covered PII after obtaining assurances of compliance with applicable law; and
- in the event of a Covered Data Breach, communicates to Linode (i) a written Notice promptly and without undue delay upon Provider validation of the Covered Data Breach; and (ii) information reasonably necessary for Linode’s compliance with Linode’s data breach notification obligations.
- General Processing of PII. The Processing of Covered PII by Provider will be used in furtherance of providing Provider Services to Linode and as otherwise permitted by the applicable Project Addenda. Provider is prohibited from disclosing or transferring Covered PII to any non-Provider entity or party, except (i) in connection to the ordinary and necessary Processing of Covered PII by a TSP that has executed an agreement to comply with the material terms of this DPA prior to any such Processing.
- Processing European Covered PII
- Applicability. This §5 shall only apply to the Processing of European Covered PII arising out of or relating to this DPA.
- Additional Definitions.
- “Data Controller” and “Data Exporter” shall have the meanings defined in the EU Model Contract.
- “Data Importer” and “Data Processor” shall have the meanings defined in the EU Model Contract.
- “EU Model Contract” means the Data Processor Agreement and the Standard Contractual Clause EU(2021)914 issued by the European Union European Commission, Directorate of General Justice.
- “European Covered PII” means any Covered PII is sourced from any country or countries located (i) in the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom or (ii) otherwise in the European Union.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (or in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union), and the implementing regulations therein.
- “Subprocessor” shall have the meaning prescribed by the GDPR.
- Privacy Shield. Provider complies and operates under the Privacy Shield agreement between the (i) United States of America and the European Union and (ii) United States of America and Switzerland.
- Relationship of the Parties. The following table shall be deemed to identify and establish the legal and transactional status of Provider, Linode, and Provider’s TSPs, with respect to the Processing of European Covered PII, as between:
Provider and Linode Provider and Provider's TSPs Data Exporter Linode Provider Data Controller Linode Provider Data Importer Provider Provider's TSPs Data Processor Provider Provider's TSPs Subprocessor Provider's TSPs N/A
- Conditions Precedent. Provider represents, warrants, and certifies that: (i) the Provider Services may require Provider to Process Covered PII subject to the GDPR; (ii) Provider has reviewed and understands the obligations of Provider as Data Controller, Processor and/or Subprocessor under the GDPR; and (iii) Provider shall provide the Provider Services in a manner which complies with the GDPR, including without limitation, confidentiality, notice, assistance with responses to data disclosure requests, and data transfer restrictions therein.
- Processing California Covered PII.
- Applicability. This §6 shall only apply to the Processing of California Covered PII arising out of or relating to this DPA.
- Additional Definitions.
- “California Covered PII” means any Covered PII is sourced from the State of California, United States of America.
- “CCPA” means the California Consumer Protection Act, Cal. Civ. Code § 1798.100 et seq., and the implementing regulations therein.
- “Data Controller” shall have the meaning assigned to a “business” as defined by the CCPA.
- “Data Processor” shall have the meaning assigned to a “service provider” as defined by the CCPA.
- “Subprocessor” means any Data Processor that Processes California Covered PII on behalf of a non-consumer Data Processor for a business purpose in the context of the CCPA.
- Relationship of the Parties. The following table shall be deemed to identify and establish the legal and transactional status of Provider, Linode, and Provider’s TSPs, with respect to the Processing of California Covered PII, as between:
Provider and Linode Provider and Provider’s TSPs Data Controller Linode Provider Data Processor Provider Provider’s TSPs Subprocessor Provider’s TSPs N/A
- Conditions Precedent. Provider, represents, warrants, and certifies that: (i) Provider has read, understands, and consents to the CCPA with respect to the Processing of California Covered PII; (ii) Provider is deemed to solely be in control, responsible, and liable for the Processing of California Covered PII by Provider; (iii) Provider is deemed to be a Subprocessor of Company with respect to the Processing of any California Covered PII arising out of or relating to Provider Services; (iv) Provider shall be required to secure and maintain the confidentiality of California Covered PII in Provider’s possession consistent with the CCPA; and (v) Provider shall provide the Provider Services in a manner which complies with the CCPA, including without limitation, confidentiality, notice, assistance with responses to data disclosure requests, and data transfer restrictions therein.
- Amendment. This DPA is attached to amends the Provider Terms solely with respect to the subject matter herein. In the event of any conflict of terms between (i) this DPA and (ii) the MPA, and/or any mutually executed Project Addenda, the DPA shall be deemed controlling and prevailing without exception.