Current Version: 1.1
Data Processing Addendum
Last Updated: 01 September 2021
Effective Date: 27 September 2021
This Data Processing Addendum (the “DPA”) is attached to, and incorporates in the entirety, the Master Services Agreement by and between you and Linode (the “MSA”) and is immediately effective upon your use of any Service (the “Effective Date”). Capitalized terms not expressly defined in this DPA shall have the meaning found in the MSA.
- Definitions. Capitalized terms which are used throughout this DPA are defined in the section in which they are first used or expressly modified as follows:
- “Covered Data Breach” means a breach of Linode’s security that (i) directly results in the unintended loss or unauthorized disclosure of Covered PII on systems managed or controlled by Linode and (ii) does not arise from any negligent, reckless, or intentional act or omission by any Covered User.
- “Covered PII” means any PII Processed as a result of the Services.
- “Data Subject” means any natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to such natural person’s cultural, digital, economic, financial, mental, physical, physiological, or social identity.
- “Personal Identifiable Information” or “PII” means data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject but excluding any Data that is (i) publicly and lawfully made available from federal, state, or local government records, (ii) publicly and lawfully made available by the applicable Data Subject, (iii) is reasonably de-identified or obfuscated; or (iv) aggregated.
- Instructions. You instruct Linode to Process Covered PII consistent with the provisions of the Agreement. You shall be required to provide written, supplemental instructions to Linode, with at least thirty (30) calendar days’ Notice, if you wish for Linode to Process Covered PII in a manner that is inconsistent or supplemental to the terms of the Terms of Service. You shall be solely responsible and liable for determining if your instructions to Linode for the Processing of Covered PII are consistent with the Terms of Service and applicable law.
- Authority. Linode shall be permitted to Process Covered PII as instructed by you, provided that Linode:
- implements and continues to implement technical and organizational measures in such a manner that Linode’s provision of the Services complies, at a minimum, with the requirements of this DPA;
- engages TSPs to Process Covered PII after obtaining assurances of compliance with applicable law; and
- in the event of a Covered Data Breach, communicates to you (i) a written Notice promptly and without undue delay upon Linode’s validation of the Covered Data Breach; and (ii) information reasonably necessary for your compliance with your data breach notification obligations.
- General Processing of PII. The Processing of Covered PII by Linode will be used in furtherance of providing the Services to you and as otherwise permitted by the Terms of Service. Linode is prohibited from disclosing or transferring Covered PII to any non-Linode entity or party, except (i) in connection to the ordinary and necessary Processing of Covered PII by a Linode Representative or TSP that has executed an agreement to comply with the material terms of this DPA prior to any such Processing or (ii) where required by law.
- Processing European Covered PII
- Applicability. This §5 shall only apply to the Processing of European Covered PII arising out of or relating to this DPA.
- Additional Definitions.
- “Data Controller” and “Data Exporter” shall have the meanings defined in the EU Model Contract.
- “Data Importer” and “Data Processor” shall have the meanings defined in the EU Model Contract.
- “EU Model Contract” means the Data Processor Agreement and the Standard Contractual Clause EU(2021)914 issued by the European Union European Commission, Directorate of General Justice as provided by Linode to you during your onboarding process.
- “European Covered PII” means any Covered PII that is sourced from (i) any of the following countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom; or (ii) otherwise in the European Union.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data found here (or in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union), and the implementing regulations therein.
- “Subprocessor” shall have the meaning prescribed by the GDPR.
- Privacy Shield. Linode complies and operates under the Privacy Shield agreement between the (i) United States of America and the European Union and (ii) United States of America and Switzerland, as detailed in the Linode privacy SUP.
- EU Model Contract. You shall be required to review and consent to the EU Model Contract found here if the use of the Services by any Covered User requires Linode or any Covered User to Process European Covered PII.
- Relationship of Covered Users and Linode. The following table shall be deemed to identify and establish the legal and transactional status of Covered Users and Linode, with respect to the Processing of European Covered PII, as between:

| | You and Your End Users | You and Linode | Your End Users and Linode |
| --- | --- | --- | --- |
| Data Exporter | End User | You and Your Representatives | None, direct transactions and interactions between End User and Linode prohibited. |
| Data Controller | End User | You and Your Representatives | |
| Data Importer | You and Your Representatives | Linode | |
| Data Processor | You and Your Representatives | You and Your Representatives | |
| Subprocessor | Your TSPs | Linode | |

- Conditions Precedent to Use. Each Party, individually and jointly, represents, warrants, and certifies that (i) such Party has read, understands, and consents to the EU Model Contract and GDPR with respect to the Processing of European Covered PII; (ii) you are deemed to solely be in control, responsible, and liable for the Processing of European Covered PII by Covered Users; (iii) Linode is deemed to be a Processor with respect to the Processing of your European Covered PII; (iv) Linode is deemed to be your Subprocessor with respect to the Processing of any other Covered User’s European Covered PII; (v) Linode is deemed to have no direct legal relationship or transactional engagement with any End User; (vi) Linode shall be required to secure and maintain the confidentiality of European Covered PII in Linode’s possession consistent with the EU Model Contract and GDPR; (vii) Linode shall Process European Covered PII only as instructed by the Terms of Service; (viii) each Party shall reasonably cooperate with the other Party’s obligations to respond to valid data disclosure requests; (ix) each Party shall destroy, deliver, or return all European Covered PII to the applicable Party within thirty (30) days of the termination of this DPA except where otherwise permitted under the GDPR or the Terms of Service.
- Processing California Covered PII.
- Applicability. This §6 shall only apply to the Processing of California Covered PII arising out of or relating to this DPA.
- Additional Definitions.
- “California Covered PII” means any Covered PII that is sourced from the State of California, United States of America.
- “CCPA” means the California Consumer Protection Act, Cal. Civ. Code § 1798.100 et seq., found here and the implementing regulations therein.
- “Data Controller” shall have the meaning assigned to a “business” as defined by the CCPA.
- “Data Processor” shall have the meaning assigned to a “service provider” as defined by the CCPA.
- “Subprocessor” means any Data Processor that Processes California Covered PII on behalf of a non-consumer Data Processor for a business purpose in the context of the CCPA.
- Relationship of Covered Users and Linode. The following table shall be deemed to identify and establish the legal and transactional status of Covered Users and Linode, with respect to the Processing of California Covered PII, as between:

| | You and Your End Users | You and Linode | Your End Users and Linode |
| --- | --- | --- | --- |
| Data Controller | End User | You and Your Representatives | None, direct transactions and interactions between End User and Linode prohibited. |
| Data Processor | You and Your Representatives | You and Your Representatives | |
| Subprocessor | Your TSPs | Linode | |

- Conditions Precedent to Use. Each Party, individually and jointly, represents, warrants, and certifies that (i) such Party has read, understands, and consents to the CCPA with respect to the Processing of California Covered PII; (ii) Company is deemed to solely be in control, responsible, and liable for the Processing of California Covered PII by any Covered User; (iii) Linode is deemed to be a Subprocessor of Company with respect to the Processing of any California Covered PII arising out of or relating to your use of the Services; (iv) Linode is deemed to have no direct legal relationship or transactional engagement with any End User; (v) Linode shall be required to secure and maintain the confidentiality of California Covered PII in Linode’s possession consistent with the CCPA; (vi) Linode shall Process California Covered PII only as instructed by the Agreement; (vii) each Party shall reasonably cooperate with the other Party’s obligations to respond to valid data disclosure requests; (viii) each Party shall destroy, deliver, or return all California Covered PII to the applicable Party within thirty (30) days of the termination of this DPA except where otherwise permitted under the CCPA or the MSA.
- Amendment. This DPA is attached to and amends the Agreement solely with respect to the subject matter herein. In the event of any conflict of terms between (i) this DPA and (ii) the MSA, the NDA, and/or any mutually executed SLA, SPA, SUP, or Service Order, this DPA shall be deemed controlling and prevailing without exception.