1.1 This Data Processing Agreement (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between DigitalOcean, LLC (“DigitalOcean”) and the Customer. DigitalOcean and Customer are individually a “party” and, collectively, the “parties.”
1.2 Unless expressly indicated in the Agreement otherwise, this DPA applies where and only to the extent that DigitalOcean processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1.3 The duration of the Processing covered by this DPA shall be in accordance with the duration of the Agreement.
2.1 The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
2.2 The following terms have the definitions given to them in the CCPA: “Business,” “Sell,” “Service Provider,” and “Third Party.”
2.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. “Controller” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Business” or “Third Party,” as context requires.
2.4 “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement as it relates to the Customer, including Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”).
2.5 “Data Subject” means an identified or identifiable natural person.
2.6 “De-identified Data” means data that cannot be reasonably linked to a person and is excluded from the definition of Personal Data under applicable Data Protection Law. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from Personal Data.
2.7 “EEA” means the European Economic Area.
2.8 “Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2.9 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject or their household or device in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Personal Data” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Personal Information,” as context requires.
2.10 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2.11 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.12 “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires.
2.13 “Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health; data concerning a natural person’s sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s license); payment card information; nonpublic personal information governed by the Gramm-Leach-Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a Data Subject’s account; and precise geolocation.
2.14 “Subprocessor” means a Processor engaged by a party who is acting as a Processor.
2.15 “UK Addendum” means the United Kingdom International Data Transfer Agreement Addendum to the EU Standard Contractual Clauses issued by the United Kingdom Information Commissioner on March 21, 2022.
3.1 Schedules 1-3 attached hereto describe the purposes of the parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.
3.2 Schedules 1-3 list the parties’ statuses under relevant Data Protection Law.
4.1 If DigitalOcean processes Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom in a country that has not received an adequacy decision from the European Commission or Swiss or UK authorities, as applicable, such transfer shall take place on the basis of DigitalOcean’s certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as applicable.
4.2 If the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF is declared invalid, or if DigitalOcean does not remain certified for the EU-U.S. DPF, then the transfer of Personal Data will be subject to the Standard Contractual Clauses or UK Addendum, as applicable, which the parties agree will be incorporated by reference into this DPA. The parties agree that, with respect to the elements of the Standard Contractual Clauses and the UK Addendum that require the parties’ input, Schedules 1-3 contain all the relevant information.
5.1 Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy notices.
5.2 Customer Processing of Personal Data. Customer represents and warrants that it has the consent or other lawful basis necessary to collect Personal Data in connection with the Services.
5.3 Cooperation.
5.3.1 Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to Data Subjects’ requests to exercise rights that those Data Subjects may be entitled to under Data Protection Law.
5.3.2 Governmental and Investigatory Requests. Customer will promptly notify DigitalOcean if Customer receives a complaint or inquiry from a regulatory authority indicating that DigitalOcean or the Services is alleged to have violated, has violated, or is violating Data Protection Law.
5.3.3 Other Requirements of Data Protection Law. The parties will provide each other with relevant information, as reasonably requested, to fulfill their respective obligations (if any) under Data Protection Law, including, if applicable, to conduct data protection impact assessments or prior consultations with data protection authorities.
5.4 Confidentiality. The parties will ensure that their employees, independent contractors, agents, and representatives are subject to an obligation to keep Personal Data confidential and have received training on data privacy and security that is commensurate with their responsibilities and the nature of the Personal Data.
5.5 De-identified, Anonymized, or Aggregated Data. DigitalOcean may create De-identified Data from any data Processed by the Services and Process the De-identified Data for any purpose.
6.1 Security Controls. DigitalOcean will maintain a written information security policy that defines security controls that are based on its assessment of risk to the Personal Data that it Processes and to its information systems. DigitalOcean’s then-current security controls are described in Schedule 2.4.
7.1 DigitalOcean will have the obligations set forth in this Section 7 if it Processes Personal Data in its capacity as Customer’s Processor or Service Provider; for clarity, these obligations do not apply to DigitalOcean in its capacity as a Controller, Business, or Third Party.
7.2 Scope of Processing.
7.2.1 DigitalOcean will Process Personal Data only in accordance with Customer’s instructions, which instructions comprise: (i) to provide Services to Customer under the Agreement and (ii) to comply with applicable law. Notwithstanding the foregoing, DigitalOcean will notify Customer if, in DigitalOcean’s sole discretion, it determines that it is unable to comply with such instructions because (i) Customer’s instruction infringes applicable Data Protection Law or (ii) the law changes and those changes cause DigitalOcean to be unable to comply with Customer’s instructions or the Agreement, which in either case will not be deemed a breach of the Agreement on the part of DigitalOcean.
7.3 Data Subjects’ Requests to Exercise Rights. DigitalOcean will promptly inform Customer if DigitalOcean receives a request from a Data Subject to exercise their rights with respect to their Personal Data Processed on behalf of Customer under applicable Data Protection Law. Customer will be solely responsible for responding to such requests. DigitalOcean shall have no obligation to respond to such Data Subjects except to acknowledge their requests or as otherwise required by applicable law. DigitalOcean will provide Customer with commercially reasonable assistance, upon request, by providing to Customer reasonably requested information in support of Customer responding to a Data Subject’s request. Notwithstanding anything to the contrary in the foregoing, if Customer fails to respond in a timely manner to such requests it is responsible for, Customer agrees that DigitalOcean may - but is not required to - respond to such requests by providing Customer’s email address to a requesting Data Subject to enable the submission of such request to Customer more directly.
7.4 DigitalOcean’s Subprocessors.
7.4.1 List of Subprocessors. Customer agrees that DigitalOcean may use the Subprocessors as disclosed at DigitalOcean Subprocessors, and authorizes DigitalOcean to use these Subprocessors for purposes of DigitalOcean providing the Services to Customer, and as otherwise instructed by Customer.
7.4.2 General Authorization. Customer grants DigitalOcean general authorization to engage Subprocessors provided DigitalOcean and a Subprocessor enter into an agreement that requires the Subprocessor to comply with obligations that are no less protective than this DPA.
7.4.3 Notification of Additions or Changes to Subprocessors. DigitalOcean will notify Customer of any additions to or replacements of its Subprocessors via email or other contact methods and make that list available at DigitalOcean Subprocessors or as DigitalOcean may otherwise provide in writing. DigitalOcean will provide Customer with at least 14 days upon being notified to object to the addition or replacement of Subprocessors. In the event Customer has a commercially reasonable objection to the addition or replacement of DigitalOcean’s Subprocessor, DigitalOcean will use reasonable efforts to make available to Customer a change in the DigitalOcean Services to avoid Processing of Personal Data by the objected-to Subprocessor without a material change to Customer’s use of the affected DigitalOcean services. Customer may terminate the Agreement and/or any statement of work, purchase order, or other written agreements in the event DigitalOcean is not able to provide a reasonable change to cure Customer’s Subprocessor objection. The parties agree that DigitalOcean has sole discretion to determine whether Customer’s objection is reasonable.
7.4.4 Liability for Subprocessors. DigitalOcean will be liable for the acts or omissions of its Subprocessors to the same extent as DigitalOcean would be liable if performing the services of the Subprocessor directly under the DPA, except as otherwise set forth in the Agreement.
7.5 Personal Data Breach. DigitalOcean will notify Customer without undue delay of a Personal Data Breach affecting Personal Data DigitalOcean Processes on behalf of Customer in connection with the Services. Upon request, DigitalOcean will provide reasonable information to Customer about the Personal Data Breach to the extent necessary for Customer to fulfill any obligations it has to investigate or notify authorities under applicable law. Notifications will be delivered to the email address Customer provides in Customer’s account. Customer agrees that email notification of a Personal Data Breach is sufficient. DigitalOcean agrees that it will notify Customer if it changes its contact information. Customer agrees that DigitalOcean has no obligation to notify Customer of security-related events that are not a Personal Data Breach.
7.6 Deletion of Personal Data. Customer may at any time port or delete its Personal Data using the self-service features of the Services as set forth in the applicable documentation for the Service available at https://www.digitalocean.com/trust/data-portability/. Additionally, upon deactivation of Customer’s Service account, DigitalOcean will delete all Personal Data no later than 30 days following the date of deactivation, provided Customer does not undertake any action to interrupt such processing, such as attempting to log back into the Service account after deactivation. Notwithstanding the foregoing, DigitalOcean may retain Personal Data as required by applicable law, or retain Personal Data it has archived on back-up systems subject to the automated retention and disposal configured for such systems, which Personal Data DigitalOcean shall securely isolate and protect from any further active processing by the Services.
7.7 Audits.
7.7.1 DigitalOcean will maintain records of its security standards. Upon Customer’s written request, DigitalOcean will provide (on a confidential basis) copies of relevant external ISMS certifications, audit report summaries and/or other documentation and information reasonably requested by Customer to audit DigitalOcean’s compliance with this DPA. Customer shall not exercise the foregoing right more than once per year.
7.7.2 To the extent the Standard Contractual Clauses apply, and subject to the Customer having completed an audit in good faith pursuant to the foregoing section, the Customer may exercise its additional audit right under Clause 8.9 of the Standard Contractual Clauses, provided that in such an event, the parties agree: (a) Customer is responsible for all costs and fees relating to such audit (including for time, cost and materials expended by DigitalOcean); (b) a third party auditor must be mutually agreed upon between the parties to follow industry standard and appropriate audit procedures; (c) such audit must not unreasonably interfere with DigitalOcean’s business activities, must be reasonable in time and scope, and must not cause DigitalOcean to breach its confidentiality or other obligations to other customers regarding the confidentiality, privacy, and security of such other customers’ confidential information and data; (d) the parties must agree to a specific audit plan, including confidentiality obligations, prior to any such audit, which must be negotiated in good faith between the parties; and (e) Customer keeps all results of the audit confidential. For avoidance of doubt, nothing in this Section 7.7.2 modifies or varies the Standard Contractual Clauses, and to the extent a competent authority finds otherwise or any portion of Section 7.7.2 is otherwise prohibited or unenforceable in view of the Standard Contractual Clauses, the relevant portion shall be severed and the remaining provisions hereof shall not be affected.
| Processing Activity | Status of the Parties | Categories of Personal Data Processed | Categories of Sensitive Data Processed | Frequency of Transfer | Applicable SCCs Module |
|---|---|---|---|---|---|
| Customer discloses Personal Data to DigitalOcean to provide, operate, and maintain DigitalOcean Services. | Customer is a Controller. DigitalOcean is a Controller. | Account registration, payment information, user content, communications, cookies and other tracking technologies, usage of Services, and third party accounts. | None | Continuous | Module 1 |
| Customer discloses Personal Data to improve, analyze, personalize, and DigitalOcean Services. | Customer is a Controller. DigitalOcean is a Controller. | Account registration, payment information, user content, communications, cookies and other tracking technologies, usage of Services, and third party accounts. | None | Continuous | Module 1 |
| Customer contacts DigitalOcean for support. | Customer is a Controller. DigitalOcean is a Controller. | Account registration, payment information, user content, communications, usage of Services, and third party accounts. | None | Continuous | Module 1 |
| Customer stores end-user data on DigitalOcean Services. | DigitalOcean is a Processor. Customer is a Controller or a processor to a controller. | As determined by Customer. | As determined by Customer. | As determined by Customer. | Module 2 or Module 3 (if Customer is a processor to another controller) |
1. Subprocessors
DigitalOcean uses Subprocessors when it acts as a Processor. Customer authorizes DigitalOcean to use these Subprocessors consistent with Section 7.4. Subprocessors are as identified on our Subprocessors Page.
2. Retention Periods
DigitalOcean retains Personal Data it collects or receives from Customer as a Processor for the duration of the Agreement and consistent with its obligations in this DPA.
3. Information for International Transfers
3.1. For the purposes of the Standard Contractual Clauses:
3.2. For purposes of the UK Addendum:
4. Technical and Organizational Measures
| Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
|---|---|
| Measures of pseudonymisation and encryption of personal data; measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Customer responsibility. Please see DigitalOcean’s Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.digitalocean.com/trust/faq/. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Customer responsibility: it is the responsibility of the customer to back up and utilize redundancy mechanisms to protect their content data. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; measures for user identification and authorization; measures for the protection of data during transmission; measures for the protection of data during storage | Customer responsibility. Please see DigitalOcean’s Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.digitalocean.com/trust/faq/. |
| Measures for ensuring physical security of locations at which personal data are processed | DigitalOcean data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge-controlled gates. CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots, and other areas of the facilities. |
| Measures for ensuring events logging; measures for internal IT and IT security governance and management; measures for certification/assurance of processes and products; measures for ensuring data minimisation; measures for ensuring data quality; measures for ensuring limited data retention; measures for ensuring accountability | Customer responsibility. Please see DigitalOcean’s Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.digitalocean.com/trust/faq/. |
| Measures for allowing data portability and ensuring erasure | Customer is able to export or delete Customer Content using the self-service features of the Services as set forth in the applicable documentation for the Services available at https://www.digitalocean.com/trust/data-portability/. |
| Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer | Customer responsibility. Please see DigitalOcean’s Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.digitalocean.com/trust/faq/. |