CloudLinux OS Legacy/CloudLinux OS Shared PRO/CloudLinux OS Solo/CloudLinux OS Admin LICENSE AGREEMENT

(Version January 2025) Download PDF

READ THIS LICENSE AGREEMENT BEFORE INSTALLING THESE PROGRAMS. THIS LICENSE AGREEMENT IS A LEGAL CONTRACT BETWEEN YOU, AS EITHER AN INDIVIDUAL OR AN ENTITY, AND CLOUD LINUX SOFTWARE, INC. (“CLOUDLINUX”) GOVERNING YOUR USE OF ANY PROGRAMS DOWNLOADED, INSTALLED, OR USED BY YOU (THE “PROGRAMS”). REFERENCES TO “YOU” HEREIN REFER TO BOTH YOU, THE INDIVIDUAL END USER, AND THE ENTITY ON WHOSE BEHALF YOU ARE ACCEPTING THIS LICENSE AGREEMENT. CLOUDLINUX IS UNWILLING TO LICENSE THE PROGRAMS EXCEPT ON THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. THE ACT OF DOWNLOADING, INSTALLING, OR USING THE PROGRAMS SHALL CONSTITUTE AN ACCEPTANCE BY YOU OF THE TERMS OF THIS LICENSE AGREEMENT, INCLUDING THE DATA PROTECTION ADDENDUM WITH ALL ANNEXES AND APPENDICES (“DPA”) ATTACHED AS SCHEDULE A, WHICH IS INTEGRATED AND MADE A PART OF THIS LICENSE AGREEMENT. IF YOU DO NOT WISH TO AGREE TO THE TERMS OF THIS LICENSE AGREEMENT, PROMPTLY EXIT THE INSTALLATION NOW AND REMOVE IT FROM YOUR SYSTEM.

THIS LICENSE AGREEMENT IS THE COMPLETE AND EXCLUSIVE STATEMENT OF CLOUDLINUX’S OBLIGATIONS AND RESPONSIBILITIES TO YOU AS LICENSEE, AND SUPERSEDES ANY OTHER PROPOSAL, REPRESENTATION, OR OTHER COMMUNICATION BY OR ON BEHALF OF CLOUDLINUX RELATING TO THE SUBJECT.

1. GRANT OF LICENSE.

CloudLinux hereby grants to you, and you accept, a limited, nonexclusive license to use the Programs in machine-readable, object code form only, and the user manuals accompanying the Programs (the “Documentation”), only as authorized in this License Agreement. For purposes of this License Agreement, the “Programs” include any updates, enhancements, modifications, revisions, or additions to the Programs made by CloudLinux and made available to end-users. Notwithstanding the foregoing, CloudLinux shall be under no obligation to provide any updates, enhancements, modifications, revisions, or additions to the Programs.

The authorized use of the Programs is strictly limited to running the Programs as a security suite for Linux web servers. In no event may you use the Programs for any other purpose, including, but not limited to, using the Programs to create or enhance competing software or services.

You may use one copy of the Programs only on systems, including servers, work stations, virtual machines, blades, nodes, or disk partitions for which you have purchased Subscription Services from CloudLinux or its resellers. For purposes of this License Agreement, “use” of the Programs means loading the Programs into the temporary or permanent memory of a computer. Installation of the Programs on a network server solely for distribution to other computers is not “use” of the Programs, and is permitted, as long as you have purchased Subscription Services for the systems being accessed by the Programs.

Your installation or use of the Programs grants CloudLinux limited access to your system information, programs, and applications for the purpose of security analysis, diagnostic, performance analysis, reporting, and collecting performance metrics. Such access and information collected include collecting crash and error information, reviewing installed packages and applications, the names, sizes, and attributes of files, the server or system uptime, load, and running processes, the server ID, metadata of HTTP(S) requests, server internal/external IP, the hostnames, usernames, domains, SQL queries, metadata of HTTP requests, PHP stack traces, executed functions data inside PHP requests, external requests metadata (such as request URLs, data, headers, and response data, etc.), CMS plugins data, server performance data, user performance data, and other diagnostic information. Web performance metrics are collected through the use of tracking JS and PHP code that is added when the Program is enabled. 

You acknowledge and agree that, should You enable these Programs on behalf of an end user in Your capacity as a server administrator, You are thereby affirming the acceptance of the License Agreement on the end user’s behalf. Further, You are obligated to present the License Agreement to the end user and secure their acceptance prior to enabling the Program.

As a condition of the license granted to You pursuant to this License Agreement, You shall pay CloudLinux the amount(s) of all applicable license fees. You shall, in addition to the license fees, pay all applicable sales, use, transfer, or other taxes and all duties, whether national, state, or local, however designated, that are levied or imposed by reason of the transaction contemplated under this License Agreement. You shall reimburse CloudLinux for the amount of any such taxes or duties paid or incurred directly by CloudLinux as a result of this transaction, and you agree that CloudLinux may charge any such reimbursable taxes to the payment instrument you used for Your initial payment. 

2. PROTECTION OF PROPRIETARY RIGHTS; CONFIDENTIALITY.

You acknowledge that the Programs and each of their components are owned by CloudLinux and others, and are protected under copyright law and other laws as applicable. Title to the Programs, or to any copy, modification, or merged portion thereof, shall remain with their respective owners, subject to the applicable license. You may commercially redistribute the Programs only if, you have entered into a separate agreement with CloudLinux authorizing such commercial redistribution or CloudLinux has otherwise granted you permission, in writing.

You agree not to remove any confidential or proprietary legends from the Programs.

You acknowledge that, in the event of your breach of any of the provisions of this Section 2, CloudLinux will not have an adequate remedy in money or damages. CloudLinux shall therefore be entitled to obtain an injunction against such breach from any court of competent jurisdiction immediately upon request. CloudLinux’s right to obtain injunctive relief shall not limit its right to seek further remedies. This Section 2 shall survive termination for any reason.

Your obligations hereunder shall remain in effect for as long as you continue to possess or use the Programs, or any proprietary interests therein.

You further agree not to, and you will not permit others to, (a) license, sell, rent, lease, assign, distribute, transmit, host, outsource, disclose or otherwise commercially exploit the Programs, (b) copy or use the Programs for any purpose other than as permitted in this License Agreement, (c) remove or alter any trademark, logo, copyright or, patent marking(s), other proprietary notices, legends, symbols or labels in the Programs, or (d) modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Programs, including, but not limited to, its license keys, to the fullest extent of the law.

All Programs are and remain the confidential information of, and a trade secret of, CloudLinux.  The Programs does not include any rights to the underlying source code of the Programs, but only a right to use the object/binary code as set forth and restricted herein. You shall not rent, sell, lease, license, sublicense, assign, transfer, publish, disclose, distribute, display, or transcribe in any fashion any of the Programs to others or for any use other than as provided by this EULA, and any such attempted rental, selling, leasing, licensing, sublicensing, assignment, transfer, publishing, disclosure, distribution, display or transcription shall be null and void.

“Confidential Information” shall mean the Programs, any intellectual property of CloudLinux or any other information that characterizes as confidential at the time of its disclosure either in writing or orally, except for information which you can demonstrate: (a) is previously rightfully known to you without restriction on disclosure; or (b) is or becomes, from no act or failure to act on your part, generally known in the relevant industry or public domain. You shall use your best efforts to preserve and protect the confidentiality of the Confidential Information at all times, both during the term hereof and for a period of at least 3 years after termination of this License Agreement, provided, however, that any source code or trade secrets you receive shall be held in confidence in perpetuity. You shall not disclose, disseminate or otherwise publish or communicate Confidential Information to any person, firm, corporation or other third party without the prior written consent of CloudLinux. You shall not use any Confidential Information other than in the as expressly required to use the Programs in accordance with its standard use and in accordance with all Product Information. You are required to notify CloudLinux in writing immediately upon discovery of any unauthorized use or disclosure of Confidential Information or any other breach of this License Agreement, and to cooperate with CloudLinux in every reasonable way to regain possession of Confidential Information and prevent any further unauthorized use. If you are legally compelled to disclose any of the Confidential Information, then, prior to such disclosure, you will (i) immediately notify CloudLinux prior to such disclosure to allow CloudLinux an opportunity to contest the disclosure, (ii) assert the privileged and confidential nature of the Confidential Information, and (iii) cooperate fully with CloudLinux in protecting against any such disclosure and/or obtaining a protective order narrowing the scope of such disclosure and/or use of the Confidential Information. In the event such protection is not obtained, you shall disclose the Confidential Information only to the extent necessary to comply with the applicable legal requirements. 

3. LIMITED WARRANTY; EXCLUSIVE REMEDIES.

Limited Warranty: CloudLinux warrants that (i) the media on which the Programs are furnished will be free from defects in materials and manufacture under normal use of a period of 30 days from the date of delivery to you; and (ii) CloudLinux is the owner or authorized licensee of the Programs, or has the rights to license the Programs to you.

No person other than CloudLinux, in writing, is authorized to make any representation or warranty to you regarding the Programs.

Exclusive Remedy: In the event of a breach of the limited warranty above, your exclusive remedy relative to the Programs shall be for CloudLinux, at CloudLinux’s option, to either: (i) replace the Programs that does not meet the limited warranty; or (ii) refund to you the Programs license fees (and no other fees) paid by you, during the 12 month period immediately preceding the breach of the limited warranty, for the Programs which fails to comply with the limited warranties.

4. DISCLAIMER; LIMITATION ON LIABILITY

Disclaimer: THE LIMITED WARRANTY ABOVE IS THE SOLE WARRANTY MADE BY CLOUDLINUX. CLOUDLINUX MAKES NO OTHER WARRANTY OF ANY KIND WHATSOEVER, EXPRESS OR IMPLIED. ANY AND ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE EXPRESSLY DISCLAIMED AND EXCLUDED BY CLOUDLINUX.

Limitation on Consequential Damages: IN NO EVENT SHALL CLOUDLINUX BE LIABLE TO YOU, AS LICENSEE, OR ANY OTHER PERSON FOR ANY INDIRECT, CONSEQUENTIAL OR INCIDENTAL DAMAGES (INCLUDING DAMAGES FOR BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION OR SIMILAR LOSSES) EVEN IF CLOUDLINUX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CLOUDLINUX SHALL HAVE NO LIABILITY OF ANY KIND RELATED TO YOUR DATA, INCLUDING, BUT NOT LIMITED TO, THE LOSS OR DAMAGE THEREOF.

Limitation on Liability: THE CUMULATIVE LIABILITY OF CLOUDLINUX TO YOU FOR ALL CLAIMS RELATED TO THE PROGRAMS AND THIS LICENSE AGREEMENT, INCLUDING ANY CAUSE OF ACTION SOUNDING IN CONTRACT, TORT, OR STRICT LIABILITY SHALL NOT EXCEED THE TOTAL AMOUNT OF ALL LICENSE FEES (AND NO OTHER FEES) PAID TO CLOUDLINUX FOR THE PROGRAMS DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE INITIAL EVENT GIVING RISE TO THE CLAIM.

All limitations on liability, damages and claims are intended to apply without regard to whether other provisions of this License Agreement have been breached or have proven ineffective.

5. TERMINATION.

The license granted herein is effective until terminated. The license will automatically terminate, without notice, if you fail to comply with any provision of this License Agreement. Upon termination of this License Agreement, all rights granted to you pursuant to this License Agreement will terminate and revert to CloudLinux. This license may be terminated at any time, for any reason, by CloudLinux. CloudLinux’s maximum liability for any such termination is to refund to you any prepaid fees.

6. PERSONAL INFORMATION CONTROL.

You agree to comply with all applicable laws, regulations, rulings and orders of the EU, US and other countries (including but not limited to the EU’s GDPR) in which you have operations relating to the protection, use, and distribution of personal information of your users or visitors on any devices which have the Program installed or stored.  Further, you shall indemnify CloudLinux for any and all claims resulting from your violation of any such laws, regulations, rulings, or orders.

7. EXPORT CONTROL.

You agree to comply with all applicable laws, regulations, rulings and executive orders of the United States relating to the exportation or importation of any copies of the Programs (including but not limited to the export and destination control regulations of the Commerce and Treasury Department) and with all applicable foreign laws relating to the use, importation, licensing or distribution of copies of the Programs.

You acknowledge that CloudLinux is subject to economic sanctions laws (“Economic Sanctions Laws”), including but not limited to those enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the European Union, and the United Kingdom. Accordingly, You shall comply with all Economic Sanctions Laws, including, but not limited to, those of the United States, the European Union, and the United Kingdom. You shall not provide access to the CloudLinux Products to any individuals identified on OFAC’s list of Specially Designated Nationals (“SDN List”), the UK’s HM Treasury’s Consolidated List of Sanctions Targets, or the EU’s Consolidated List of Persons, Groups, and Entities Subject to EU Financial Sanctions (collectively “Sanctioned Parties”). You shall not take any action which would place CloudLinux in a position of non-compliance with any such Economic Sanctions Laws. Furthermore, You represent and warrants that (i) you have not in the past been, and will not be in the future, be connected with any Sanctioned Parties, (ii) shall provide such information regarding any individual or entity which you do business within any location covered by Economic Sanction Laws upon request of CloudLinux, and (iii) shall promptly advise CloudLinux of any activities which increases the risk of your’s non-compliance with this Section 7 or CloudLinux’ compliance with Economic Sanctions Laws.

You agree to indemnify and hold CloudLinux harmless from any loss, damages, liability or expenses incurred by CloudLinux as a result of your failure to comply with any export regulations or restrictions or otherwise fails to comply with this Section 7.

8. GENERAL.

This License Agreement shall be governed by and construed in accordance with the laws of the State of Delaware and the United States, without regard to any conflict of laws provisions. The rights and obligations of the parties to this License Agreement shall not be governed by the United Nations Convention on the International Sale of Goods.

No modification of this License Agreement shall be binding unless it is in writing and is signed by an authorized representative of the party against whom enforcement of the modification is sought; or in the event of CloudLinux updating this License Agreement; you agree to the modified terms through use of a click through process.

Any notices required or permitted under this License Agreement shall be in writing and delivered in person or sent by registered or certified mail, return receipt requested, with proper postage affixed.

In the event that any term of this License Agreement is or becomes or is declared to be invalid or void by any court or tribunal of competent jurisdiction, such term shall be null and void and shall be deemed severed from this License Agreement, and all the remaining terms of this License Agreement shall remain in full force and effect.

SCHEDULE A

DATA PROCESSING ADDENDUM

(Version January 2025)

This Data Processing Addendum (“DPA”), forms part of the CloudLinux OS Legacy/CloudLinux OS Shared PRO/CloudLinux OS Solo/CloudLinux OS Admin EULA (available at https://www.cloudlinux.com/cloudlinuxos-eula/), or other written or electronic agreement, by and between Cloud Linux Software, Inc. (“CloudLinux”) and the undersigned customer of CloudLinux (“Customer”) for certain security services (collectively, the “Service”) provided by CloudLinux (the “Main Agreement”). All capitalized terms not defined herein shall have the meanings set forth in the Main Agreement. Each of Customer and CloudLinux may be referred to herein as a “Party” and together as the “Parties.”

In connection with the Service, the parties anticipate that CloudLinux may process outside of the European Economic Area (“EEA”), Switzerland, and United Kingdom (“UK”), certain Personal Data in respect of which the Customer or any Affiliate of Customer may be a data controller or data processor, as applicable, under Applicable Data Protection Laws.

The parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by Applicable Data Protection Laws.

DATA PROCESSING TERMS

In the course of providing the Service to the Customer pursuant to the Main Agreement, CloudLinux may Process Personal Data on behalf of the Customer. CloudLinux agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to CloudLinux or collected and processed by or for Customer using CloudLinux’s Services.

• Definitions

The following definitions are used in this DPA:

1. “Adequate Country” means a country or territory that is recognized under the General Data Protection Regulation (EU) 2016/679 as providing adequate protection for Personal Data.
2. “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).
3. “Applicable Data Protection Laws” means all applicable data protection, data privacy, and cybersecurity laws, rules, and regulations anywhere in the world that are in force from time to time, including, but not limited to, the (i) EU General Data Protection Regulation 2016/679, (ii) Swiss Federal Act on Data Protection of 1st of September 2023, (iii) in respect of the United Kingdom, the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
4. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.
5. “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 25 May 2018 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
6. “Personal Data” means any information relating to an identified or identifiable natural person that relates to, describes, is capable of being associated with, or could be linked, directly or indirectly, with a particular natural person and as defined by Applicable Data Protection Laws, and which is provided by the Customer to CloudLinux, and accessed, stored or otherwise processed by CloudLinux as part of its provision of the Service to Customer.
7. “Verified Technical Resource” means a category, in accordance with Article 13(1)(e) of the GDPR, of technical contractors verified by CloudLinux to be able to technically adhere to the security provisions of this DPA and the GDPR, have entered an agreement with CloudLinux at least as restrictive as this DPA; and may provide services to CloudLinux when requested.
8. “processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” shall have the meanings described by the Applicable Data Protection Laws.
9. An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract, and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
10. “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.
11. “SCC” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, (“EU SCCs”); and (ii) where the UK GDPR applies standard data protection clauses adopted (“UK SCCs”); and (iii) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority; (“Swiss SCCs”).
12. “UK Addendum” means the International Data Transfer Addendum to the EU SCC which is a legal instrument developed by the UK’s Information Commissioner’s Office (ICO).
13. “US State Privacy Laws” means all state laws relating to the protection and processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Online Privacy Protection Act (“DOPPA”).

• Status of the parties

1. The type of Personal Data processed pursuant to this DPA, the subject matter, duration, nature, and purpose of the processing, and the categories of data subjects, are described in Annex 1.
2. Each party warrants in relation to Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
3. In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Customer is the data controller or processor, and CloudLinux is the data processor or sub-processor, as applicable, and accordingly, CloudLinux agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
4. If Customer is an EU-based data processor, Customer warrants to CloudLinux that Customer’s instructions and actions with respect to the Personal Data, including its appointment of CloudLinux as another processor and concluding the SCC with all relevant Appendixes, have been authorized by the relevant controller.

If Customer is a UK-based data processor, Customer warrants to CloudLinux that Customer’s instructions and actions with respect to the Personal Data, including its appointment of CloudLinux as another processor and concluding the UK Addendum, have been authorized by the relevant controller.

If Customer is a Swiss-based data processor, the Customer warrants to CloudLinux that the Customer’s instructions and actions with respect to the Personal Data, including its appointment of CloudLinux as another processor and entering into the SCC required for international data transfers in compliance with Swiss FADP, have been authorized by the relevant controller.

1. Each party shall appoint a Data Privacy Officer within its organization authorized to respond from time to time to inquiries regarding Personal Data, the parties shall make the Data Privacy Officer known to the other party, and the Data Privacy Officer shall deal with such inquiries promptly.

• CloudLinux obligations

1. With respect to all Personal Data, CloudLinux warrants that it shall:

1. only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, (ii) the Customer’s written instructions as set forth in the Main Agreement and this DPA, and (iii) as required by Applicable Data Protection Laws;
2. upon becoming aware, inform the Customer if, in CloudLinux’s opinion, any instructions provided by the Customer under clause 3.1(a) are in conflict with the Applicable Data Protection Laws;
3. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures commonly adopted in accordance with recognized security standards, such as SOC 2 Type II or ISO 27001, and as required by Applicable Data Protection Laws; 
4. take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality;
5. without undue delay after becoming aware, notify the Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by CloudLinux, its sub-processors, or any other identified or unidentified third party (a “Security Breach”);
6. promptly provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all reasonable information in CloudLinux’s possession concerning such Security Breach insofar as it affects the Customer, including, to the extent then known, the following:

• the possible cause and consequences for the Data Subjects of the Security Breach;
• the categories of Personal Data involved;
• a summary of the possible consequences for the relevant data subjects;
• a summary of the unauthorized recipients of the Personal Data; and
• the measures taken by CloudLinux to mitigate any damage.

1. not make any public announcement about a Security Breach (a “Breach Notice”) without the prior written consent of the Customer, unless required by Applicable Data Protection Laws;
2. promptly notify the Customer if it receives a request from a data subject of Customer to access, rectify, or erase that individual’s Personal Data, or if a data subject objects to the processing of, or makes a data portability request in respect of, such Personal Data (each a “Data Subject Request”). CloudLinux shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees. To the extent that the Customer does not have the ability to address a Data Subject Request, then upon the Customer’s request, CloudLinux shall provide reasonable assistance to the Customer to facilitate such Data Subject Request to the extent able and in line with Applicable Data Protection Laws. To the extent the Customer does not respond, CloudLinux may respond to the Data Subject Request in any manner it deems appropriate. Customer shall cover all costs incurred by CloudLinux in connection with its provision of such assistance or response;
3. other than to the extent required to comply with Applicable Data Protection Laws, following termination or expiry of the Main Agreement or completion of the Service, CloudLinux will delete all Personal Data (including copies thereof) processed pursuant to this DPA;
4. considering the nature of processing and the information available to CloudLinux, provide such assistance to the Customer as the Customer reasonably requests in relation to CloudLinux’s obligations under the Applicable Data Protection Laws:
1. data protection impact assessments (as such term is defined in the Applicable Data Protection Laws);
2. notifications to the supervisory authority under the Applicable Data Protection Laws and/or communications to data subjects by the Customer in response to any Security Breach; and
3. the Customer’s compliance with its obligations under the Applicable Data Protection Laws with respect to the security of processing;

provided that the Customer shall cover all costs incurred by CloudLinux in connection with its provision of such assistance.

1. provide to the Customer information about the region and country where the Personal Data is stored and processed by or on behalf of CloudLinux;

• communicate the exact address of the relevant facilities only in the event of an explicit request of a competent Supervisory Authority and if the aforementioned communication is suitable to discharge its obligation under Applicable Data Protection Laws.

• Sub-processing

1. The Customer grants a general authorization: (a) to CloudLinux to appoint current sub-processors listed in Annex 2, and (b) to CloudLinux and any Affiliate to appoint any Verified Technical Resource to act as third-party data center operators, and outsourced marketing, business, engineering, and customer support providers as sub-processors to support the performance of the Service.
2. CloudLinux will only use a Verified Technical Resource as sub-processors of any Personal Data. If CloudLinux is reasonably able to provide the Service to the Customer in accordance with the Main Agreement without using the sub-processor and decides in its discretion to do so, then the Customer will have no further rights under this clause 4.2 in respect of the proposed use of the sub-processor. If CloudLinux requires the use of a sub-processor at its discretion and Customer does not want CloudLinux to use a Verified Technical Resource as a sub-processor, Customer may provide written notification of any objections to CloudLinux. Within ninety (90) days from the Customer’s notification of objections, the Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the applicable Order Form without refund. If the Customer does not provide a timely objection to the use of a Verified Technical Resource in accordance with this clause 4.2, the Customer will be deemed to have consented to the use of any Verified Technical Resource as a sub-processor and waived its right to object. CloudLinux may use a new or replacement Verified Technical Resource as a sub-processor whilst the objection procedure in clause 4.2 is in process.
3. CloudLinux will ensure that any sub-processor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract that imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on CloudLinux in this DPA (the “Relevant Terms“). CloudLinux shall procure the performance by such sub-processor of the Relevant Terms and shall be liable to the Customer for any breach by such person of any of the Relevant Terms.

• Audit and records

1. CloudLinux shall, in accordance with Applicable Data Protection Laws, make available to the Customer such information in CloudLinux’s possession or control as the Customer may reasonably request with a view to demonstrating CloudLinux’s compliance with the obligations of data processors under Applicable Data Protection Laws in relation to its processing of Personal Data.
2. The Customer may exercise its right of audit under Applicable Data Protection Laws in relation to Personal Data, through CloudLinux providing:

1. an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that CloudLinux’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard;
2. additional information in CloudLinux’s possession or control to the supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by CloudLinux under this DPA; and
3. A Customer shall cover all costs incurred by CloudLinux in connection with any such audit.

• Data transfers

1. To the extent any processing of Personal Data by CloudLinux takes place in any country outside the EEA, UK and Switzerland, the parties agree that it is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, the following applies:

The parties agree that the EU SCCs shall apply to Restricted Transfers from the EEA. The EU SCCs shall be deemed entered into (and incorporated into this DPA by reference) and completed as follows:

• Customer is the “data exporter” and CloudLinux is the “data importer”.
• Module One (Controller to Controller) shall apply where CloudLinux is processing Personal data for our own purposes.
• Module Two (Controller to Processor) shall apply where the Customer is a Controller of Personal Data and CloudLinux is a Processor.
• Module Three (Processor to Processor) shall apply where the Customer is a data processor that processes Personal Data on behalf of another data controller or data processor, and the CloudLinux is processing Personal Data as a data sub-processor.
• in Clause 7, the optional docking clause will apply.
• In Clause 9 of the EU SCCs Option 2 applies, and the time period for giving notice of Sub-processor changes shall be 60 days.
• In Clause 11 of the EU SCCs, the optional language shall not apply.
• In Clause 17 of the EU SCCs, Option 1 applies and the EU SCCs shall be governed by the law of the Netherlands.
• In Clause 18(b) of the EU SCCs, disputes shall be resolved by the courts of the Netherlands.
• Annex I of the EU SCCs is deemed completed with the information set out in Annex 1 of this DPA, and the competent supervisory authority will be determined in accordance with the GDPR and Clause 13 of the EU SCCs;
• Annex II of the EU SCCs is deemed completed with the information set out in Clause 3.1(c)  of this DPA.

1. In relation to transfers of Personal Data that is subject to the UK GDPR, the EU SCCs: (i) apply as completed in accordance with Clauses 6.1 above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the Parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in this DPA, as well as Annex 1 and Clauses 3.1(c), and 4 of this DPA, Table 4 in Part 1 is deemed completed by selecting “neither party”. Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Sections 10 and 11 of the UK Addendum.
2. In relation to transfers of the Personal Data protected by the Swiss FADP, the EU SCCs: (i) apply as completed in accordance with Clause 6.1 of this DPA; and (ii) are deemed amended as specified as follows:

• All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP, and
• All references to the GDPR and EU SCC in this DPA will be interpreted as references to the FADP;
• In Clause 13 of the  EU SCC, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
• In Clause 17, the EU SCCs are governed by the laws of Switzerland;
• In Clause 18(b), disputes will be resolved before the courts of Switzerland;
• All references to member states will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).

1. If, in the performance of this DPA, CloudLinux transfers any Personal Data to a Verified Technical Sub-processor located outside of the EEA, UK and/or Switzerland (without prejudice to clause 4), CloudLinux shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:

1. the requirement for CloudLinux to execute or procure that the Verified Technical Sub-processor execute to the benefit of the EU-based Customer standard contractual clauses approved by the EU authorities under the GDPR, and for the for UK-based Customer the UK Addendum to the EU Commission Standard Contractual Clauses, as well as for the Swiss-based Customer, the standard contractual clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) under the Swiss Federal Act on Data Protection (FADP);
2. the requirement for the Verified Technical Sub-processor to have any specifically approved safeguard for data transfers (as recognized under Applicable Data Protection Laws). 

1. The following terms shall apply to the SCC as set out in p.6:

1. The Customer may exercise its right of audit under clause 5.1(f) of the standard contractual clauses as set out in, and subject to the requirements of, clause 5.2 of this DPA; and
2. CloudLinux may appoint Verified Technical Sub-processors as set out, and subject to the requirements of, clauses 4 and 6.3 of this DPA.

1. CloudLinux participates in and certifies compliance with the Data Privacy Framework. Where and to the extent the Data Privacy Framework applies, CloudLinux will use the Data Privacy Framework to lawfully receive Personal Data in the United States and will provide at least the same level of protection to such data as is required by the Data Privacy Framework Principles. 
2. In the event that CloudLinux is required to adopt an alternative transfer mechanism under Applicable Data Protection Laws, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with Applicable Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect such alternative transfer mechanism.

• Additional provisions under US State Privacy Laws

1. The following terms apply where CloudLinux processes Personal Data subject to the US State Privacy Laws:

1. To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that CloudLinux as a Service Provider or Processor, on behalf of Customer, CloudLinux will process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer’s written instructions, as necessary for the limited and specified purposes identified in this DPA. CloudLinux will not:

1. retain, use, disclose, or otherwise process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Main Agreement, or as otherwise permitted under US State Privacy Laws; 
2. “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and 
3. retain, use, disclose, or otherwise process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws. 

1. CloudLinux will implement measures designed to maintain the security of Personal Data, ensuring a level of privacy protection consistent with the requirements of US State Privacy Laws.
2. CloudLinux will provide reasonable access to information necessary for the Customer to verify our compliance with this DPA.
3. The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Main Agreement or this DPA.

• General

1. This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
2. CloudLinux’s liability under or in connection with this DPA (including under the standard contractual clauses set out in p.6 above) is subject to the limitations on liability contained in the Main Agreement.
3. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
4. This DPA and any action related thereto shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts of Delaware.
5. This DPA is the final, complete, and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has the legal capacity to execute and deliver this DPA. Each party represents and warrants to the other that the execution and delivery of this DPA and the performance of such party’s obligations hereunder have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.

IN WITNESS WHEREOF, the parties have each caused this DPA to be signed and delivered by its duly authorized representative.

Annex 1

Details of the Personal Data and Processing Activities

1. The nature of the Personal Data processing is subject to the following, to the extent permitted under Data Protection Laws, and the Main Agreement: 1) Receiving data, including collection, accessing, and recording; 2) Holding data, including storage, organization, and structuring; 3) Using data, including analyzing, consultation, and testing; 4) Protecting data, including restricting; 5) Erasing data, including destruction and deletion. 
2. The purpose of the Personal Data processing is to provide the Service to Customer, pursuant to the Main Agreement;
3. The types of Personal Data that may be processed include: username, file name, IP address, and user performance data. Files name and SQL requests from the users might consist of the different types of PII of the user that solely depend on the user`s realization of the server part.
4. The duration of the processing will be: until the earliest of (i) expiry/termination of the Main Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable);
5. The Data Subjects whose Personal Data may be processed in terms of provision the Service to Customer including but not limited to:

• Prospective customers, customers, resellers, referrers, business partners, and vendors of the Customer (who are natural persons);
• Employees or contact persons of the Customer’s prospective customers, customers, resellers, referrers, sub-processors, business partners, and vendors (who are natural persons);
• Employees, agents, advisors, and freelancers of the Customer (who are natural persons); and/or
• Natural persons authorized by the Customer to use the Service.

1. The location of Personal Data storage is described in Annex 2 of this DPA.
2. The retention period of Personal Data that may be processed is the following: Any file with Personal Data will be deleted in 60 (sixty) days upon identification and receipt.
   

Annex 2

LIST OF SUB-PROCESSORS

The processor uses the following sub-processors during the cooperation with the controller: