CCPA Data Processing Addendum

Last Updated on February 13, 2024

This CCPA Data Processing Addendum (the “Addendum”) reflects the requirements of the California Consumer Privacy Act of 2018 and its implementing regulations, as amended or superseded from time to time (California Civil Code §§ 1798.100 to 1798.199) (the “CCPA”). This Addendum makes clear that DigitalOcean is acting as a Service Provider for CCPA purposes.

This Addendum is an addendum to the Customer Terms of Service (“Agreement”) and its incorporated Customer Data Processing Agreement (the “DPA”) between DigitalOcean, LLC (“DigitalOcean”) and the Customer (each a “Party”; collectively the “Parties”) and is in effect for so long as DigitalOcean Processes personal information (as defined in the CCPA) on behalf of Customer under the Agreement as a Service Provider (as defined under the CCPA) (hereinafter, the “Personal Information”). This Addendum shall only apply and bind the Parties if and to the extent Customer is a Business under the CCPA. This Addendum prevails over any conflicting terms of the Agreement or DPA, but does not otherwise modify the Agreement or DPA. All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement, the DPA, or the CCPA, as applicable. Customer enters into this Addendum on behalf of itself and, to the extent required under the CCPA, in the name and on behalf of its Authorized Affiliates (defined below).

The parties agree as follows:

1. Definitions

1.1. “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

1.2. “Authorized Affiliate” means any of Customers’ Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.

2. Scope and Applicability of this Addendum

2.1. This Addendum applies to the collection, retention, use, and disclosure of the Personal Information to provide Services to Customer pursuant to the Agreement or to perform a Business Purpose.

2.2. Customer is a Business and appoints DigitalOcean as a Service Provider to process the Personal Information on behalf of Customer. Customer is responsible for compliance with the requirements of the CCPA applicable to Businesses.

3. Restrictions on Processing.

3.1. DigitalOcean is prohibited from retaining, using, or disclosing the Personal Information (i) outside of the direct business relationship between Customer and Digital Ocean or (ii) for any purpose other than for the specific purpose of performing the Services specified in the Agreement for Customer or as set out in this Addendum, or as otherwise permitted by applicable law.

3.2. DigitalOcean shall not Sell or Share the Personal Information.

3.3. DigitalOcean shall not combine Personal Information received from or on behalf of Company with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject, except where (i) required to perform the Services or (ii) permitted by applicable law. For the avoidance of doubt, DigitalOcean may combine Personal Information received from one or more entities to the extent necessary to achieve the Business Purpose of detecting data security incidents, or protecting against fraudulent or illegal activity.

3.4. DigitalOcean shall, in performing the Services, implement measures designed to the security of Personal Information including by providing the same level of privacy protection as is required by the CCPA for Personal Information.

3.5. DigitalOcean shall make reasonable information in its possession available to Customer necessary to demonstrate compliance with the obligations of this Addendum and permit Customer to take reasonable and appropriate steps to help ensure the Processing of Customer’s Personal Information is consistent with the obligations herein. This includes reasonable audits or assessments in accordance with Section 7.7 of the DPA. Any audits or assessments conducted in accordance with this Section 3.5 shall be limited to one per calendar year upon 30 days prior notice to DigitalOcean.

3.6. DigitalOcean shall notify Customer promptly in writing if it makes a determination that it can no longer meet its obligations under the CCPA.

3.7. To the extent that Customer determines that DigitalOcean is not in compliance with the requirements of the CCPA or the terms of this Addendum, Customer shall have the right to (i) stop the transmission of Personal Information to DigitalOcean; (ii) request that DigitalOcean not further process Personal Information received from Customer, and (iii) terminate the Agreement consistent with its terms.

4. Notice.

4.1. Customer represents and warrants that it has provided notice to its end users that the Personal Information is being used or shared consistent with Cal. Civ. Code 1798.130.

5. Consumer Rights.

5.1. DigitalOcean shall provide reasonable assistance to Customer in facilitating compliance with Consumer rights requests under the CCPA.

5.2. Upon direction by Customer and within a commercially reasonable amount of time, DigitalOcean shall delete or, upon Customer’s written request, return the Personal Information, except that DigitalOcean may retain Personal Information as permitted by Section 7.6 of the DPA.

6. Deidentified Information.

6.1. In the event that either Party shares Deidentified Information with the other Party, the receiving Party warrants that it: (i) has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit reidentification of the information; (iii) has implemented business processes to prevent inadvertent release of Deidentified Information; (iv) will make no attempt to reidentify the information; and (v) has publicly committed to maintain and use the Deidentified Information in a Deidentified form.

7. As required by law.

7.1. Notwithstanding any provision to the contrary of the Agreement, the DPA or this Addendum, DigitalOcean may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate international, federal, state, or local law.

8. No Sale of Personal Information.

8.1. The Parties acknowledge and agree that the exchange of Personal Information between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement, the DPA or this Addendum.

Prior Versions of our CCPA Data Processing Addendum