Legal
Data Processing Addendum
Last updated July 7, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Custom Domain("Processor") and the customer ("Controller") and applies whenever we process personal data on the Controller's behalf. It implements Article 28 of the EU/UK GDPR and equivalent U.S. state requirements. Customers who need a countersigned copy can request one (section 16).
1. Roles and application
For personal data that the Controller or its end-users submit to the Service ("Controller Personal Data"), the Controller is the controller and Custom Domain is the processor. Where the Controller is itself a processor for a third party, Custom Domain is a sub-processor and the same obligations flow down. This DPA applies to all such processing and prevails over any conflicting term in the Terms regarding the processing of Controller Personal Data.
2. Definitions
"GDPR" means Regulation (EU) 2016/679 and, as applicable, the UK GDPR and Swiss FADP. "Data Protection Laws" means all privacy and data-protection laws applicable to the processing, including the GDPR and U.S. state privacy laws such as the CCPA/CPRA. Terms such as "controller," "processor," "personal data," "processing," "data subject," and "personal data breach" have the meanings given in the Data Protection Laws. "Sub-processor" means a third party engaged by us to process Controller Personal Data.
3. Processing on instructions
We will process Controller Personal Data only on the Controller's documented instructions, including the instructions embodied in the Terms, this DPA, and the Controller's use and configuration of the Service, unless required otherwise by law (in which case we will inform the Controller unless legally prohibited). We will inform the Controller if, in our opinion, an instruction infringes Data Protection Laws. The Controller is responsible for the lawfulness of the data it submits and the instructions it gives.
4. Processing details (Annex I)
| Subject matter | Provision of custom-domain onboarding: DNS configuration, TLS/SSL issuance, edge proxying, monitoring, and (optionally) domain registration. |
|---|---|
| Duration | For the term of the Terms and until deletion or return under section 14. |
| Nature and purpose | Hosting, transmitting, configuring, verifying, and securing custom domains on the Controller's behalf. |
| Categories of data subjects | The Controller's personnel and administrators; the Controller's end-users who connect domains; and domain registrants (registrar feature). |
| Categories of personal data | Contact and account identifiers; end-user identifiers passed through the widget/API; domain names and DNS records; certificate and connection metadata; and, for the registrar feature, registrant contact details. Special-category data is not intended to be processed. |
| Frequency | Continuous, for the duration of the engagement. |
5. Our obligations
As processor, we will:
- process Controller Personal Data only as described in section 3;
- ensure persons authorized to process it are bound by confidentiality;
- implement the security measures in section 7;
- respect the sub-processor conditions in section 8;
- assist the Controller with data-subject requests (section 9) and with security, breach notification, DPIAs, and consultations (sections 10 and 11), taking into account the nature of the processing and the information available to us;
- make available information necessary to demonstrate compliance and allow for audits (section 13); and
- delete or return the data at the end of the engagement (section 14).
6. Confidentiality
We keep Controller Personal Data confidential and limit access to personnel who need it to provide the Service, all of whom are subject to confidentiality obligations.
7. Security (Annex II)
We implement appropriate technical and organizational measures to protect Controller Personal Data, taking into account the state of the art, costs, and the risk. These include encryption in transit, encryption of sensitive secrets at rest, tenant isolation, strict access controls and least privilege, secret handling that avoids storing bring-your-own DNS tokens, network hardening, rate limiting, structured logging that excludes secrets and payloads, and monitoring. Our current measures are described on the Security page, which forms Annex II to this DPA and may be updated as the Service evolves, provided the level of protection is not materially reduced.
8. Sub-processors (Annex III)
The Controller provides general authorization for us to engage the sub-processors listed on our Sub-processors page, which forms Annex III. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give the Controller advance notice (via the subscription mechanism on that page) before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds within 30 days of notice; if we cannot reasonably accommodate the objection, the Controller may terminate the affected part of the Service.
9. Data-subject requests
Taking into account the nature of the processing, we will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests (access, rectification, erasure, restriction, portability, and objection). If we receive a request directly from a data subject regarding Controller Personal Data, we will not respond to its substance and will forward it to the Controller without undue delay.
10. Breach notification
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data, and will provide information reasonably available to us to help the Controller meet its own notification obligations. Notification is not an acknowledgment of fault. Our security-reporting channel is on the Security page.
11. DPIA and prior consultation
Taking into account the nature of processing and the information available to us, we will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities.
12. International transfers
Where processing involves transferring Controller Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on a valid transfer mechanism. To the extent required, the European Commission's Standard Contractual Clauses (module controller-to-processor, or processor-to-processor where we act as a sub-processor) are incorporated by reference, completed by the details in this DPA and its Annexes, together with the UK International Data Transfer Addendum and the Swiss adaptations as applicable. Where a data importer is certified under the EU-U.S. Data Privacy Framework (and its UK and Swiss extensions), that mechanism may be relied upon. We maintain SCCs as a fallback and support a transfer risk assessment on request.
13. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA, including third-party certifications or audit reports where available. Where that is insufficient to satisfy a Controller's audit obligation under Data Protection Laws, the Controller may conduct or mandate an audit on reasonable prior notice, no more than once per year (unless required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not disrupt the Service or compromise other customers' data.
14. Return and deletion
On termination or expiry, and at the Controller's choice, we will delete or return Controller Personal Data and delete existing copies, unless retention is required by law. The Controller can export data during the term as supported by the Service. Backups are purged on our standard rotation.
15. U.S. state privacy terms
Where the CCPA/CPRA or another U.S. state privacy law applies, we act as the Controller's "service provider" or "processor." We will process personal information only to provide the Service (the "business purpose") and not: (a) sell or share it; (b) retain, use, or disclose it outside the direct business relationship or for any purpose other than the services specified; or (c) combine it with data from other sources except as permitted. We certify that we understand and will comply with these restrictions. We will assist the Controller with consumer rights requests and will honor applicable opt-out preference signals where relevant.
16. Liability, term, and signing
This DPA is subject to the limitations of liability in the Terms. It takes effect when the Controller accepts the Terms and continues for as long as we process Controller Personal Data. If there is a conflict between this DPA and the Terms regarding the processing of Controller Personal Data, this DPA controls; the SCCs control over both where they apply.
A countersigned copy of this DPA is available for customers who require one for their records. Request one at [email protected] with your account and legal-entity details. This template must be finalized with counsel — including the operating entity, SCC module elections, and signature process — before it is offered for signature.