Reseller Agreement


This Reseller Agreement (this “RSA”) is a legal agreement by and between you, as you have identified yourself in your account information (“You” and “Your”) and Nicnames, Inc., its affiliates and subsidiaries (collectively, “”). You warrant that the information You provide in Your account with (“Your Account”) is accurate and that You will keep it updated. If You are entering into this Agreement on behalf of a company, organization or another legal entity (an “Entity”), You are agreeing to this Agreement for that Entity and representing to that You have the authority to bind such Entity and its Affiliates to this Agreement, in which case the terms “Subscriber,” “You,” or “Your” herein refers to such Entity and its Affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not use or authorize any use of the Services.

Unless You and have executed another agreement governing Your resale of the Services, as defined herein, this RSA sets forth the terms and conditions of Your resale of's domain name registration services and related services, in addition to any other services we may make available for resale from time to time (collectively, the “Services”). By reselling the Services or offering the Services for resale, You acknowledge that You have read, understand and agree to be bound by this RSA, along with any additional terms, conditions or policies which or the Internet Corporation for Assigned Names and Numbers (“ICANN”) may establish from time to time. You agree that this RSA governs transactions entered into by You with regard to Your resale of the Services, in addition to transactions initiated through Your Account on behalf of Your Customers, as defined herein. This RSA will be effective upon Your acceptance of these Terms, as electronically recorded by

    1. may modify this RSA from time to time. Non-material modifications will be effective when such modified version of this RSA is posted to the website. Material modifications made to this RSA will become effective thirty (30) days after such modified version is posted to the website or upon Your acceptance of the modified terms, including by continuing Your performance under this RSA after You have been notified of such modifications, whichever is earlier. You agree that we may notify You of the modifications by, for example, sending an email to You at any of the email addresses associated with Your account or by adding a general notification in Your account.
    2. You acknowledge that changes to ICANN, registry or any other applicable policies may require changes to this RSA. In such an event, will endeavor to provide You with thirty (30) days’ notice of any changes, but You acknowledge and accept that giving of this notice may not be possible in all cases. If such changes are required, You agree that those changes may become effective fewer than thirty (30) days after’s notice to You.
    3. If You do not wish to accept the modified terms of this RSA, Your sole remedy is to terminate this RSA in accordance with the procedures outlined in Section 10 below.
    1. Subject to the terms and conditions of this RSA, grants You a non-exclusive, fully-paid-up, royalty-free, terminable, non-transferable right and license to resell the Services worldwide. To resell domain name registration services, You and each of Your end customers, including the customers of Your Sub-Resellers, (“Your Customers”) purchasing such Services must explicitly agree to the Domain Name Registration Agreement (the “ Registration Agreement”) and You must retain a written record of such explicit acceptance by Your Customers. To resell’s Advanced Security privacy service which lists proxy contact information in the DRS database instead of each of Your Customer’s contact information, You and each of Your Customers purchasing such Services must agree to the Whois Privacy Service Agreement. You agree to indemnify and hold harmless for any failure by You to obtain the consent of any customer to these agreements and additional terms and conditions. The Services do not include other services which are not made available through Your Account by or its third-party licensors. In addition to these agreements, You may enter into further terms with Your Customers (“Your Additional Terms”). Your Additional Terms must expressly state that in the event of a conflict between the Registration Agreement and Your Additional Terms, the Registration Agreement will control.
    2. You may elect to further resell the Services through resellers of your own (each, a “Sub-Reseller”), provided that Your Sub-Resellers enter into an agreement (a “Sub-Reseller Agreement”) with You requiring each such Sub-Reseller to comply with the terms and conditions of this RSA, including all of Your covenants, obligations, representations, and warranties herein. You will be liable for the acts and omissions of Your Sub-Resellers as if they were made by You directly and’s obligations under this RSA will not be altered due to Your appointment of Sub-Resellers. Your Sub-Reseller Agreement must explicitly require Your Sub-Resellers to (i) agree to and ensure their customers explicitly agree to the Reseller Agreement and Registration Agreement; (ii) agree to and ensure their customers explicitly agree to the Whois Privacy Service Agreement, if applicable; and (iii) indemnify, defend and hold harmless, and the individual registry operator and its affiliates and subsidiaries, as well as their respective owners, directors, managers, officers, employees, representatives, agents, service providers and contractors from and against any and all claims, damages, liabilities, costs and expenses of any kind, including without limitation reasonable legal fees and expenses (including on appeal), arising out of or relating to any claim or alleged claim relating to (a) any product or service of such Sub-Reseller; (b) any agreement with any customer who purchases the Services through such Sub-Reseller; (c) such Sub-Reseller’s domain name registration business or other activities, including, but not limited to, such Sub-Reseller’s advertising, domain name application process, systems and other processes, fees charged, billing practices and customer service; and/or (d) any breach by the Sub-Reseller of any of the terms, conditions, covenants, obligations, agreements, representations or warranties set forth herein. 
This indemnification obligation must be made to survive any termination or expiration of the Sub-Reseller Agreement and/or this RSA.
    3. If You stop using Your Account, become unavailable or unresponsive to, Your Customers, or this RSA is terminated by for any reason, may, but is not obligated to, directly engage with and provide services to any of Your Customers.
    1. You may set Your own prices to charge Your Customers for the Services. Unless otherwise communicated to You in writing by, You will be charged’s standard retail price for the Services ordered through Your Account. You must publish on Your website all fees for domain name registrations, renewals, post-expiration renewal fees (if different), and also redemption/restore fees. In addition, you must include such fees in Your Additional Terms.
    2. Unless otherwise communicated to You in writing by, You are required to maintain a positive and sufficient account balance or set up a valid payment profile, such as a credit card, to resell the Services. may require that You pay for the Services using a particular payment means, such as by wire transfer. may also demand reasonable assurance of payment, at’s sole discretion.
    3. You authorize to deduct from your account balance, or debit the credit card You present in relation to a particular transaction or the credit card You otherwise provide through Your Account, for all Services sold to Your Customers through You, and any additional fees or costs associated therewith. You and Your Customers must present only approved transactions to
    4. Prior to contacting Your credit card company in relation to any charges, You will first contact to verify the charges and the manner of billing. You must require all customers in and below Your Account to only present approved transactions to and to contact regarding charges, as described above.
    5. Any chargeback by a credit card company or similar action by or through another payment provider relating to payment to, for whatever reason, whether by You or by any customer below Your Account, i) is a material breach of this RSA, ii) is an act for which You agree to be jointly and severally liable to make whole, iii) is an act with respect to which will charge $35.00 per incident, in addition to merchant services fees and other payment provider service charges which may be charged to, and iv) shall be grounds for suspension and/or termination of this RSA and the Services, in’s sole discretion. Under such circumstances, may suspend Your access to any and all of Your Accounts and may assume all right, title, interest in, and use of any domain name registration(s) and/or websites, email, or other data hosted on systems controlled by (the “Collateral”). may reinstate rights in the Collateral solely in its discretion, subject to receipt of the fee(s) owed and a then-current reinstatement fee, currently set at US$200. You hereby acknowledge and consent to’s right, but not obligation, to sell, dispose of, or retain the Collateral if determines the same to be a means of obtaining some monetary or other satisfaction or security, even if You assert that the value of the Collateral exceeds the amount You owe
    6. You authorize to deduct from Your account balance any amounts owed by You to, including, without limitation, amounts owed as a result of Your indemnification of for third party claims and any administrative costs, including reasonable administrative costs which may be charged for inactive accounts.
    7. You authorize to sell, take title to, and/or use any Collateral as a means of obtaining some monetary or other satisfaction for any amounts owed by You to, including, without limitation, amounts owed as a result of Your indemnification of for third party claims and any administrative costs, including reasonable administrative costs which may be charged for inactive accounts.
    1. You are responsible for providing customer service, billing, and technical support to Your Customers on a consistent basis, including reasonable response times. may, but is not obligated to, provide support directly to Your Customers. If receives communications from registrants or from third-parties regarding Services provided in Your Account, will, where appropriate, forward such communications to You at’s discretion for further action; however, reserves the right to respond to such communications directly. If determines that You are providing inadequate support to Your Customers (resulting in, for example, an excessive number of support calls directly from Your Customers), You will be in breach of this RSA and may terminate this RSA.
    2. will endeavor to provide email and/or telephone support to You during our normal business hours, as indicated on our website.
    1. The Services may only be accessed through the application programming interface (including the associated documentation, the “API”), Your Account, websites created by which use the API, updates and upgrades thereto, and through such other means and technologies which makes available through its websites or downloads (collectively, the “Technology”). In addition to the requirements listed below, Your and any Sub-Reseller’s use of the API is governed by the API Access Agreement, which, by entering into this RSA, You agree to be bound by.
    2. hereby grants to You a non-exclusive, non-transferable, royalty-free, full-paid-up, terminable license, exercisable solely during the term of this RSA, to use the Technology solely for the purpose of accessing and using the Services. You shall not, directly or indirectly, reverse engineer, decompile, disassemble or otherwise attempt to derive source code or other trade secrets from the Technology. You shall not branch or otherwise prepare derivatives of the API. You shall not copy or use the Technology except as specified in this RSA. You shall not use the Technology to communicate with or control a system other than one(s) designated by, and You may not access the Services using any access mechanism other than the Technology. Should Your or any Sub-Reseller’s use of the Technology in any way cause or risk causing a degradation of infrastructure or the Technology, may suspend Your or any Sub-Reseller’s ability to use the Technology or resell the Services immediately and without notice. Such suspension may be temporary or permanent, as determines is necessary to ensure the security, stability and integrity of its Technology and other systems. Due to the risk of degradation to the systems, using the Technology for drop catching is explicitly prohibited.
    3. hereby grants You a non-exclusive, worldwide, fully-paid-up, royalty-free, terminable right and license to use’s trademarks (the “ Trademarks”) solely as provided by and solely for such use as pre-approved in writing in connection with the marketing and promotion of the Services. All approved uses of Trademarks will inure to the benefit of You shall not create, apply for, or otherwise procure any rights in any Trademarks or any patent or copyright interest in the Technology and any derivative thereof (“IP Interest”) which IP Interest would block, impede, or make more expensive’s continued use and enjoyment of any Trademarks or the Technology. If You breach the provisions of this Section 5.C., any IP Interests created thereby are hereby assigned to at the point they are fixed in tangible form. You agree to execute any documents necessary to effect an assignment of any such IP Interests to without compensation, to take any other action, and/or to assist with any other action needed to effect such assignment.
    4. Except for the rights expressly granted above, this RSA does not transfer from to You, Your Customers, or Sub-Resellers any Trademarks, Technology or intellectual property rights, and all rights, titles and interests in and to the Trademarks, Technology and intellectual property remain solely with
    5. You hereby grant a non-exclusive, worldwide, fully-paid-up, royalty-free terminable right and license to use Your name and trademarks (“Reseller Trademarks”) as provided by You and in connection with Your use and resale of the Services.
    You acknowledge and agree that the registration and use of domain names is governed, in part, by rules issued, and contracts entered into, by ICANN. Pursuant to’s Registrar Accreditation Agreement with ICANN (a current version of which can be found here) (the “RAA”) You must comply with the following terms:
    1. You must not display the ICANN or ICANN-Accredited Registrar logo, or otherwise represent Yourself as accredited by ICANN unless You have written permission from ICANN to do so.
    2. You shall ensure that the information You provide to Your Customers, including Your Additional Terms, include all registration agreement provisions and notices required by the RAA and any ICANN Consensus Policies. Your Additional Terms must also identify Nicnames, Inc. as the sponsoring registrar or provide a means to Your Customers to identify the sponsoring registrar. Furthermore, you must provide the identity of the sponsoring registrar upon an inquiry from your customer.
    3. You must comply with any ICANN-adopted specification or policy that establishes a program for accreditation of individuals or entities who provide proxy and privacy registration services (a “Proxy Accreditation Program”). Among other features, the Proxy Accreditation Program may require that proxy and privacy registration services may only be provided in respect of domain name registrations by individuals or entities accredited by ICANN pursuant to such Proxy Accreditation Program. In such a case, You must not knowingly accept registrations from any provider of proxy and privacy registration services that is not Accredited by ICANN pursuant to the Proxy Accreditation Program. Until such time as the Proxy Accreditation Program is established, You must comply with the Specification on Privacy and Proxy Registrations.
    4. You must publish on Your website(s) and/or provide a link to the Registrants’ Benefits and Responsibilities. You must provide a link to such webpage on any website You may operate for domain name registration or renewal, such link which must be clearly displayed to Your Customers at least as clearly as You link to policies or notifications required to be displayed under ICANN consensus policies.
    5. Any other terms and conditions which come into effect through the revision of the RAA by ICANN or through the introduction of any amended or new ICANN consensus policy, whether or not gives You notice of such revisions, amendments, or new policies.

In addition to any other right to terminate set forth in this RSA, specifically has the right to immediately terminate this RSA, without notice or right to cure, in the event that You violate any terms found in this Section 6.

    You shall include in Your agreement with Your Customers and Sub-Resellers all terms and conditions required by the registry operator to pass on to Your Customers and Sub-Resellers for the top-level domain in which you resell domain name registration services. Such terms and conditions can be found in's Registration Agreement.
    In connection with providing materials to in performance of the Services, You grant a limited license to modify, adapt, incorporate with other material, and otherwise to use the materials provided by You but only to the extent necessary or useful to provide the Services as directed by You. You warrant that the materials provided by You to are Your sole property or that You have obtained appropriate licenses to the material such that’s use of the material in providing the Services shall not subject to a claim.
    You must not make any representations or warranties about the Services to any of Your Customers, Your Sub-Resellers, or any other third party that are inconsistent with this RSA or applicable ICANN or registry operator policies. You agree not to use the Services, or to allow Your Customers to use the Services for any activities that violate the Acceptable Use Policy, including, but not limited to:
    1. The transmission of unsolicited email (spam);
    2. Repetitive, high volume inquiries or other excessive use or abuse of the Services or Technology;
    3. Any activity which results in’s IP addresses being reported to spam blocking organizations or other organizations which attempt to police or monitor abuse of the Internet;
    4. Any illegal, dishonest, deceptive or unfair trade practices;
    5. Any use which fails to abide by customary industry acceptable use policies or any applicable laws, including intellectual property and privacy laws;
    6. Any use which You know will lead or contribute to the actions described in A – F above.

In addition to any other right to terminate set forth in this RSA, specifically has the right to immediately terminate this RSA, without notice or right to cure, in the event that You violate any terms found in this Section 9.


    1. This RSA is effective for a period of one (1) year from the date of Your acceptance of these terms, as shown by log files. This RSA will then renew for an indefinite number of one (1)-year terms until terminated. Upon at least thirty (30) days written notice, with email being sufficient, either party may terminate this RSA for any reason or no reason. also retains the right to terminate this RSA immediately if determines, in its sole discretion, that You, Your Sub-Resellers or Your Customers have failed to comply with any term or condition of this RSA or the Registration Agreement, or that Your use of the Services presents an unreasonable risk of harm to or its affiliates, the Services, other users, or members of the general public.
    2. In addition to any other rights or remedies of herein, reserves the right to suspend performance of the Services or to preclude use of or access to the Technology in the event of an unresolved breach of this RSA or suspension or cancellation is required by any policy now in effect or later adopted by ICANN. You agree that Your failure to comply completely with the terms and conditions of this RSA and any rule or policy may be considered to be a material breach of this RSA and may provide You with notice of such breach either in writing or electronically (i.e. email). In the event You do not provide with material evidence that You have not breached Your obligations within ten (10) business days of receiving such notice of breach, may terminate this RSA and take any remedial action available to under the applicable laws. Such remedial action may be implemented without notice to You and may include, but is not limited to, canceling the registration of any of Your domain names and discontinuing any Services provided to You. No fees or payments will be refunded to You should Your RSA be canceled or Services be discontinued because of a breach.
    3. You explicitly acknowledge’s right to suspend any Services and/or terminate this RSA, whether purchased by You or Your Customers through Your account or through any Sub-Resellers, for any of the reasons described in the Registration Agreement, including, but not limited to: (i) registration of prohibited domain name(s); (ii) abuse of the Services; (iii) payment irregularities or fraudulent payment information; (iv) allegations of illegal conduct or infringement of any third-party intellectual property right or other right, including violations of the Acceptable Use Policy; (v) failure to keep Your Account or DRS information accurate and up to date or failure of Your Customers or any Sub-Resellers to do the same; (vi) failure to respond to inquiries from within five (5) calendar days; (vii) suspected, alleged or actual violations of sanctions laws as described below; or (viii) if Your use of the Services involves in a violation or alleged violation of any third-party's rights or acceptable use policies, including but not limited to the transmission of unsolicited email or the violation or alleged violation of any intellectual property right or other right. No fee refund will be made by to You when there is a suspension or termination of Services for cause.
    4. You further acknowledge that may reject, terminate or suspend this RSA and/or the Services to You, Your Sub-Resellers or Your Customers, and terminate this RSA immediately and freeze Your account and all associated funds, without notice, if we cannot confirm that You or any other person to whom You are providing the Services, or who otherwise has an interest in the Services, is not a Sanctioned Person to whom we are prohibited by law from providing the Services. For purposes of this section, “Sanctioned Person” means any person or entity that is the subject or target of sanctions or restrictions under United Nations or U.S. economic sanctions or export controls, including any person or entity that is: (i) owned or controlled by a person or entity that is, listed on any applicable United Nations, U.S. or non-U.S. sanctions- or export-related restricted party list, including, the U.S. Department of the Treasury Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons List; or (ii) a national of or located in or organized under the laws of a jurisdiction that is subject to comprehensive United Nations or U.S. sanctions (including Iran, North Korea, Syria, or the Donetsk People’s Republic, Luhansk People’s Republic and Crimea regions of Ukraine).
    5. If You terminate this RSA, will assist You and Your Customers in transferring the Services to a new sponsoring registrar, which will be designated by You in Your sole discretion. In transferring any domain names held by You or Your Customers, the parties agree to comply with the terms of the ICANN Transfer Policy, as it may be updated from time to time.
    During the term of this RSA and for three (3) years thereafter, each party must treat the other party's Confidential Information as confidential, and must not use such Confidential Information except as expressly permitted under this RSA. Each party shall take reasonable measures to prevent the disclosure and unauthorized use of the Confidential Information of the other party; which measures shall include the same degree of care that such party uses to protect its own like information, and in no instance shall be less than reasonable care. Neither party will use the other's Confidential Information for purposes other than those necessary to directly further the purposes of this RSA. Neither party will disclose to third parties the other's Confidential Information without the prior written consent of the other party. For purposes of this RSA "Confidential Information" means any non-public information relating to either party's business, product plans, designs, costs, prices and names, finances, business opportunities, personnel, research development, customer information, or know-how. "Confidential Information" does not include information that: (i) is or becomes publicly known or available through no fault of the receiving party; (ii) is already known by the receiving party at the time of disclosure; (iii) is independently developed or learned by the receiving party without reference to the other party's Confidential Information; or (iv) is lawfully obtained from a third party that does not have an obligation of confidentiality to the disclosing party.
It is not a breach of this RSA to disclose Confidential Information of the other party pursuant to an order or requirement of a court, administrative agency, other governmental body, or securities exchange, provided that the disclosing party will promptly notify the other party in writing prior to making any such disclosure in order to facilitate that party seeking a protective order or other appropriate remedy from the proper authority.
    1. You represent and warrant:
      1. That if You are an entity, You are duly organized, validly existing, and in good standing under the laws of the jurisdiction of Your incorporation or other organization;
      2. That You have the full right, power, and authority to enter into and perform Your obligations under this RSA and to grant the rights, licenses, consents, and authorizations You grant or are required to grant under this RSA;
      3. That You will provide the Services in a good and workmanlike manner;
      4. That You will use established, industry-standard methodologies to provide the Services;
      5. That You are and will remain fully compliant with any and all applicable laws, including data protection laws or regulations, or individual portions thereof, applicable to You or to this RSA and the Services, including the EU’s General Data Protection Regulation 2016/679 and the California Consumer Privacy Act, as well as the terms and conditions set out in the data protection agreement attached hereto as Appendix I. Without limiting the generality of the foregoing, You represent and warrant that: (i) You will not act in any fashion or take any action that will render liable for a violation of any applicable anti-bribery regulation (including without limitation, the U.S. Foreign Corrupt Practices Act and the UK Bribery Act 2010); and (ii) You will comply with U.S. laws that prohibit or limit the ability of U.S. persons from directly or indirectly exporting or providing goods or services to certain persons or countries. You shall comply with all U.S. export regulations if shipping to another country, including licensing requirements.
    2. represents and warrants:
      1. That it is a duly organized, validly existing corporation in good standing under the laws of the State of Delaware;
      2. That it has the full right, power, and authority to enter into and perform its obligations under this RSA and to grant the rights, licenses, consents, and authorizations it grants or is required to grant under this RSA;
      3. That it is an ICANN-accredited registrar in good standing;
      4. That it is and will remain fully compliant with any and all applicable laws, including data protection laws or regulations, or individual portions thereof, applicable to or to this RSA and the Services, including the EU’s General Data Protection Regulation 2016/679 and the California Consumer Privacy Act, as well as the terms and conditions set out in the data protection agreement attached hereto as Appendix I.
    You, at Your own expense, will indemnify, defend and hold harmless and its employees, directors, officers, representatives, agents and affiliates against any claim, suit, action, or other proceeding based on or arising from any claim or alleged claim (i) arising from a breach by You or any Sub-Resellers of any covenant, representation or warranty in this RSA, including but not limited to the ICANN Obligations set forth in Section 6; (ii) relating to any product or service of Yours or of Your Sub-Resellers; (iii) relating to Your or Your Sub-Reseller’s use of the Services; or (iv) relating to Your or Your Sub-Reseller’s domain name registration and related service business, including, but not limited to, advertising, domain name application process, systems and other processes, fees charged, billing practices and customer service; provided, however, that in any such case: (a) provides You with prompt notice of any such claim, and (b) upon Your written request, provides You with all available information and assistance reasonably necessary for You to defend such claim, provided that You reimburse for actual and reasonable costs. You or Your Sub-Resellers shall not enter into any settlement or compromise of any such indemnifiable claim without's prior written consent, which consent shall not be unreasonably withheld. You shall pay any and all costs, damages, and expenses, including, but not limited to, reasonable attorneys' fees and costs awarded against or otherwise incurred by in connection with or arising from any such indemnifiable claim, suit, action or proceeding.
    1. A material provision of entering into this RSA is that's liability shall be limited as follows: in relation to each component of the Services for which a separate fee is charged, shall be liable in an amount no greater than the fees received by for performing the specific transaction(s) that gave rise to the liability.’s aggregate liability for all claims of any sort shall not exceed the aggregate amount received by from You over the twelve (12) month period preceding the date the incident upon which the claim is based occurred. shall not be liable for any unauthorized access to, or any corruption, erasure, theft, destruction, alteration, or inadvertent disclosure of data, information, or content transmitted, received, or stored on its or any third-party systems. With respect to passwords, account identifiers, and other systems used to control access to Your Account, it is Your responsibility to safeguard such passwords, account identifiers, and other systems used to control access to Your Account. As a service to You, may, but is not required to, take reasonable measures to verify the identity of parties who claim to have lost or forgotten passwords and/or account information and to then provide the information to such parties and that shall not be responsible to You for losses or claims for any inadvertent disclosure of such passwords which may result thereby. is entitled to email passwords to designated email account(s), to phone designated phone numbers, or to employ security questions as a means to verify the identity of the party entitled to control Your account.
    The parties to this RSA are independent contractors and have no right or authority to bind or commit the other party in any way without the other party's express written authorization to do so. This RSA does not create an employer/employee, joint venture, partnership, or agency relationship between the parties.
  8. AUDIT:
    During the term of this RSA and for seven (7) years thereafter, You and each of Your Sub-Resellers must maintain (a) in electronic, paper, or microfilm form, all written communications constituting registration applications, confirmations, modifications, or terminations and related correspondence with Your Customers, including registration contracts; and (b) in electronic form, records of the accounts of all Your Customers, including dates and amounts of all payments and refunds in conjunction with domain name registrations. Upon request, You will provide any information identified in this Section 17 to within two (2) business days and otherwise cooperate with in any compliance, regulatory or legal issue arising out of the registration of domain names. Your failure to provide any such information to within two (2) business days or Your failure to provide such cooperation will be a material breach of this RSA.
    You may not assign, transfer, or otherwise dispose of this RSA or any of Your rights, benefits, or interests under this RSA without prior written consent of, and any such assignment in violation shall be void. may also assign this RSA to a party which acquires the assets of which relate to performance of this RSA. may assign all or part of its rights and obligations under this RSA to its parent corporation, to a subsidiary or affiliate, to its survivor in connection with a corporate reorganization, to any entity acquiring all or substantially all of its property, or to any entity into which it is merged or consolidated. No assignment of this RSA shall operate to discharge the assignor of any duty or obligations hereunder without prior written consent.
  10. TAXES:
    Unless specified otherwise, the fees for the Service do not include taxes. If is required to pay ICANN fees or United States or international sales, use, property, value-added, royalty, license or other taxes based on the licenses granted in this RSA or on Your use of the Services, then You must pay such taxes or fees. This section does not apply to taxes based on's income.
    Neither party shall be in default or liable for any loss or damage resulting from delays in performance or from failure to perform or comply with terms of this RSA (other than the obligation to make payments, which shall not be affected by this provision) due to any causes beyond its reasonable control, which causes include but are not limited to Acts of God or the public enemy; riots and insurrections; war; fire; strikes and other labor difficulties (whether or not the party is in a position to concede to such demands); embargoes; judicial action; lack of or inability to obtain export permits or approvals, necessary labor, materials, energy, components or machinery; acts of civil or military authorities; failure of telecommunications; or other casualty. If such delay or failure lasts more than ninety (90) consecutive days, may terminate this RSA without penalty. For the avoidance of doubt, this Section does not apply to any payment rights or obligations found in this RSA.
    This RSA shall be governed by the laws of the United States of America and the State of Washington, as if this RSA was a contract wholly entered into and wholly performed within the State of Washington. Any dispute, claim or controversy arising out of or relating to this RSA or the breach, termination, enforcement, interpretation or validity thereof, including the determination of the scope or applicability of the agreement to arbitrate, shall be determined by arbitration in King County, Washington, before one arbitrator. The arbitration shall be administered by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures. Judgment on the award may be entered in any court having jurisdiction. This clause shall not preclude parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction.
  13. GENERAL:
    The parties hereby incorporate the requirements of 41 CFR 60-1.4(a), 300.5(a) and 741.5, if applicable. Any notice by you to under this RSA must be delivered in English in writing to either the physical address listed on our website or via email to This RSA, together with all modifications, constitute the complete and exclusive agreement between You and, and supersedes and governs all prior proposals, agreements, or other communications and is not intended to confer upon any person or entity other than and You any rights or remedies hereunder. The failure of to require Your performance of any provision hereof shall not affect the full right to require such performance at any time thereafter; nor shall the waiver by of a breach of any provision hereof be taken or held to be a waiver of the provision itself. In the event that any provision of this RSA shall be unenforceable or invalid under any applicable law or be so held by applicable court decision, such unenforceability or invalidity shall not render this RSA unenforceable or invalid as a whole. will amend or replace such provision with one that is valid and enforceable and which achieves, to the extent possible, its original objectives and intent as reflected in the original provision.


Nicnames, Inc. Reseller Agreement Data Processing Addendum

This Reseller Agreement Data Processing Addendum (the “Data Processing Addendum” or “DPA”) is made by and between Nicnames, Inc. (the “Registrar” or “Controller”) and the undersigned reseller (the “Reseller” or “Processor”) (each a “Party” and together the “Parties”), and supplements the terms and conditions of the Reseller Agreement (the “Agreement”) executed between the Parties and is deemed to be effective as of the date of the Agreement.

To the extent of any conflict between the Agreement, as amended (including any of its attachments), and this DPA, the terms of this DPA will take precedence. Capitalized terms not defined below will have the meaning provided to them in the Agreement.

    This DPA establishes the Parties’ respective responsibilities for the Processing of Shared Personal Data under the Agreement. It is intended to ensure that Shared Personal Data is Processed in a manner that is secure and in accordance with Applicable Laws and its defined Purpose(s). Though this Data Processing Addendum is executed by and between the Registrar and Reseller as an addendum to the Agreement, Purposes for Processing are often at the direction or requirement of the separate agreement between ICANN and the Registrar (“Registrar Accreditation Agreement” or “RAA”). Certain Purposes for Processing under the RAA may also be at the direction of the Registrar or Registry, each as a Controller, and may necessitate updates to the instructions provided to the Reseller, and require updates to this DPA.
    1. Applicable Agreements. Collectively means this Data Processing Addendum, the Reseller Agreement, the Registrar Accreditation Agreement (“RAA”), and the Registry Agreement (“RA”) insofar as those documents are applicable and binding on any individual Party.
    2. Applicable Laws. The General Data Protection Regulation (2016/679) (“GDPR”), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) and all other applicable laws and regulations worldwide, including their successors or as modified, relating to the Processing of Shared Personal Data.
    3. Disclosing Party. Means the Reseller, the Party that transfers Shared Personal Data to the Receiving Party.
    4. Data Protection Authority. Means the relevant and applicable supervisory data protection authority in the member state or other territory where a Party to this Data Processing Addendum is established or has identified as its lead supervisory authority, or otherwise has jurisdiction over a Party to this Data Processing Addendum.
    5. Data Security Breach. A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Shared Personal Data, and which is further subject to the provisions of Section 6 below.
    6. Data Subject. Means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to Personal Data.
    7. Personal Data. Means any information such as a name, an identification number, location data, an online identifier or information pertaining to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity relating to that natural person, that can be used to directly or indirectly identify a Data Subject.
    8. Processing. Means any operation or set of operations which is performed on the Shared Personal Data, whether or not by automated means, and which includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing, Processes, Processed or other derivatives as used herein, will have the same meaning.
    9. Purpose(s). Has the meaning provided in Section 3 below.
    10. Receiving Party. Means the Controller, the Party receiving Shared Personal Data from the Disclosing Party.
    11. Registration Data. Means data required to be collected by the Registrar under Applicable Agreements, or as is required by the Registrar as Controller, and which must be provided to the Registrar under the Agreement.
    12. Shared Personal Data. Means Personal Data contained in the fields within Registration Data and that is Processed in accordance with the Applicable Agreements. Shared Personal Data also includes Registration Data that may be shared with the Registry under the terms of the relevant agreements to which the Registrar, as Controller, is a party (RAA and/or RA).
    13. Temporary Specification. Means the “Temporary Specification for gTLD Registration Data” Adopted on 17 May 2018 by the ICANN Board of Directors, as may be amended or supplemented from time to time. If and when such a Temporary specification is replaced (by ICANN Consensus policy), this shall also mean any resultant ICANN consensus policy arising as a result of the Temporary Specification.
    1. Purpose(s). Processing of Shared Personal Data under this Data Processing Addendum by the Parties is for the limited purpose of provisioning, servicing, managing and maintaining domain names, as required of Registries and Registrars. The Reseller shall only Process Shared Personal Data for these purposes, and the Purposes stated and the Agreement collectively shall be considered the instructions of the Controller for the purpose of the Applicable Laws. Such instructions shall include, to the extent applicable, those purposes which serve to ensure the stability and security of the Domain Name System and that support the lawful, proper and legitimate use of the services offered by the Parties. Only Shared Personal Data is subject to the terms of this Data Processing Addendum.
    2. Subject Matter. This Data Processing Addendum sets out the framework for the protection of Shared Personal Data for the Purposes noted in this section and defines the principles and procedures that the Parties will adhere to and the responsibilities the Parties owe to each other. The Parties collectively acknowledge and agree that Processing necessitated by the Purpose(s) is to be performed at different stages, or at times even simultaneously by the Parties. Thus, this Data Processing Addendum is required to ensure that where Shared Personal Data may be Processed, it is done so at all times in compliance with the requirements of Applicable Laws.
    3. Roles and Responsibilities. The Parties acknowledge and agree that, with respect to Processing of Shared Personal Data for the Purposes of this Data Processing Addendum:
      1. The details of Processing are established and set forth in Annex 1;
      2. The Reseller acts as a processor for the Registrar; and
      3. Although ICANN, a Registry and the Registrar may each take on the role, or additional role, of Controller or Processor in the lifecycle of processing Registration Data under Applicable Agreements, for the purposes of this Data Processing Addendum, only the roles of the Registrar and the Reseller are applicable.
    4. To the extent either the Purpose(s) or Subject Matter is not specifically referenced or noted when detailing the respective or shared rights, duties, liabilities or obligations hereunder, the Parties nonetheless mutually acknowledge and agree that the Purpose(s) and Subject Matter is and will be at all times the basis upon which legitimate and lawful processing hereunder may be conducted and performed.
    1. Each Party will ensure that it processes the Shared Personal Data fairly and lawfully in accordance with this Data Processing Addendum and Applicable Laws.
    2. Each Party will ensure that it processes Shared Personal Data on the basis of one of the following legal grounds:
      1. The Data Subject has given consent to the Processing of his or her Personal Data for one or more specific Purposes;
      2. Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
      3. Processing is necessary for compliance with a legal obligation to which the parties are subject, so long as such legal obligations are not in breach of any Applicable Law;
      4. Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data; or
      5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; this shall be confirmed, as applicable, by the Controller.
    1. All Parties agree that they are responsible for Processing of Shared Personal Data in accordance with Applicable Laws and the Data Processing Addendum. The Parties will fully cooperate with each other to the extent necessary to effectuate corrections, amendments, restrictions or deletions of Personal Data as required by Applicable Laws and/or at the request of any Data Subject in accordance with Applicable Laws.
    2. A Party may only transfer Shared Personal Data relating to EU individuals outside of the European Economic Area (“EEA”) (or, if such Shared Personal Data is already outside of the EEA, to any third party also outside the EEA) in compliance with the terms of this Data Processing Addendum and the requirements of Applicable Laws, the latter including any relevant Adequacy Decision of the European Commission or the use of EU Standard Contractual Clauses (incorporated at Annex 4). For the avoidance of doubt, the Registrar maintains a Privacy Shield certification and, where it transfers any Shared Personal Data relating to EU individuals outside of the EEA, the Registrar shall conform with the requirements of the Privacy Shield Framework (including any subsequent updates to the Privacy Shield Framework, as may arise, as may be required to maintain our ongoing certification).
    3. Reseller must immediately notify the Registrar if, in its opinion, instructions or requirements under Applicable Agreements infringe any Applicable Laws or are contrary to the EU Standard Contractual Clauses (see Annex 4).
    4. All Shared Personal Data must be treated as strictly confidential and a Party must inform all its employees or approved agents engaged in processing the Shared Personal Data of the confidential nature of the Shared Personal Data, and ensure that all such persons or parties have signed an appropriate confidentiality agreement to maintain the confidence of the Shared Personal Data.
    5. The Reseller acknowledges and agrees that it is responsible for maintaining appropriate organizational and security measures to protect such Shared Personal Data that they Process, and that all such processing will be in accordance with all Applicable Laws. Appropriate organizational and security measures are further enumerated in Section 7 of this Data Processing Addendum, but generally must include:
      1. Measures to ensure that only authorized individuals for the Purposes of this Data Processing Addendum can access the Shared Personal Data;
      2. The pseudonymisation and encryption of the Shared Personal Data, where necessary or appropriate;
      3. The ability to ensure continued security, confidentiality, integrity, availability and resilience of its processing systems and services;
      4. The ability to restore the availability and access to Shared Personal Data in a timely manner;
      5. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Shared Personal Data, see Annex 3; and
      6. Measures to identify vulnerabilities with regard to the processing of Shared Personal Data in its systems.
    6. The Parties will, in respect of Shared Personal Data, ensure that their privacy notices are clear and provide sufficient information to Data Subjects in order for them to understand which of their Personal Data is included in Shared Personal Data, the circumstances in which it will be shared, the purposes for the Personal Data sharing and either the identity of the party with whom the Personal Data is shared or a description of the type of organization that will receive the Shared Personal Data. The Reseller shall clearly identify the Controller of the data (i.e., the Registrar) in such a notice.
    7. The Parties undertake to inform Data Subjects of the Purposes for which they will Process the Shared Personal Data and to provide all of the information that they must provide in accordance with Applicable Laws, to ensure that the Data Subjects understand how their Personal Data will be Processed.
    8. The Shared Personal Data must not be irrelevant or excessive with regard to the Purposes.
    9. A Party will, subject to the instructions of the Data Subject, ensure that Shared Personal Data is accurate. Where any Party becomes aware of inaccuracies in Shared Personal Data, they will, where necessary, notify the other Parties, to enable the timely rectification of such data.
    1. The Data Processor shall not appoint a third party sub-contractor to Process the Data as a sub-processor without the prior specific or general written authorization of the Data Controller and for the avoidance of doubt, the Data Controller consents to the engagement by the Data Processor of the sub-processors outlined at Annex 2.
    2. The Data Processor shall not appoint any other sub-processors without giving at least 14 days’ prior written notice to the Data Controller, supplying details of the proposed sub-processor and the Processing proposed to be conducted by such sub-processor. If the Data Processor does not receive written notice of any objection (together with the reasons for such objection) from the Data Controller within 14 days, the appointment of such sub-processor shall be deemed approved.
    3. Any appointment of a sub-processor by the Data Processor shall be conditional on the sub-processor being subject to equivalent obligations as those which the Data Processor is subject to under this DPA and provided that the sub-processor’s contract terminates automatically on termination of this DPA.
    4. The Party which employs a sub-processor, vendor or other third-party to facilitate its performance under this Data Processing Addendum is and will remain fully liable for any such third party’s acts where such party fails to fulfil its obligations under this Data Processing Addendum (or similar contractual arrangement put in place to impose equivalent obligations on the third party to those incumbent on the Receiving Party under this Data Processing Addendum) or under Applicable Laws.
    5. Each Party will, at its expense, defend, indemnify and hold the other Party harmless from and against all claims, liabilities, costs and expenses arising from or relating to (i) a Data Security Breach, (ii) breach of Applicable Laws, and (iii) breach of this Data Processing Addendum, to the extent caused by the breaching Party’s negligent, willful or intentional acts or omissions.
    1. All Parties agree to implement appropriate technical and organizational measures to protect the Shared Personal Data in their possession against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. For the purposes of this DPA, Reseller must, at a minimum, incorporate and undertake to maintain all requirements included at Annex 3.
    2. The Disclosing Party will be responsible for the security of transmission of any Shared Personal Data in transmission to the Receiving Party by employing appropriate safeguards and technical information security controls.
    3. Implementation of the measures noted at Annex 3 is considered a condition precedent of this agreement, and any failure to implement, and subsequently maintain, such measures to the extent deemed appropriate by the Registrar shall be considered a breach of this agreement.
    Reseller shall assist the Registrar in complying with all applicable requirements of the Data Protection Legislation. In particular, the Reseller shall:
    1. to the extent required, consult with the Controller about any notices given to Data Subjects in relation to the Shared Personal Data;
    2. promptly inform the Registrar about the receipt of any relevant Data Subject Access Request from Reseller Customers;
    3. provide the Registrar with reasonable assistance in complying with any relevant Data Subject Access Request received;
    4. assist the Registrar (i) to comply with any Registrar obligations concerning requests to exercise Data Subject rights under the Data Protection Legislation (e.g., for access, rectification, deletion of Personal Data, etc.), and (ii) in ensuring compliance with its obligations under the Data Protection Legislation with respect to breach notifications, data impact assessments and consultations with supervisory authorities or regulators;
    5. notify the Registrar, without undue delay, on becoming aware of any Personal Data Breach. In the event of such Personal Data Breach, the Parties shall cooperate in good faith in connection with the investigation, mitigation, and remediation of such Personal Data Breach and for the purpose of complying with each Party’s obligations under the Data Protection Legislation;
    6. use compatible technology for the Processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from Personal Data transfers;
    7. maintain complete and accurate records and information to demonstrate its compliance with the DPA, for a term at least as long as required under the Data Protection Legislation; and
    8. provide the Registrar with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including, the procedures to be followed in the event of a data security breach.
    1. Notification Timing. Should the Reseller become aware of any Data Security Breach by it or by any sub-processor in relation to Shared Personal Data, and where such a Breach is of a material impact to this Data Processing Addendum, or is likely to have a material impact on the Parties, the Reseller should immediately notify the Registrar. Reseller shall provide immediate information about any impact this incident may or will have on the affected Parties, including the anticipated impacts to the rights and freedoms of Data Subjects if applicable. Such notification will be provided as promptly as possible, but in any event no later than 24 hours after detection of the Data Security Breach. Nothing in this section should be construed as limiting or changing any notification obligation of a Party under Applicable Laws.
    2. Notification Format and Content. Notification of a Data Security Breach will be in writing to the information/administrative contact ( with a ‘cc’ to or any such contact as may be identified by the Parties, though communication may take place first via telephone. The Reseller is obliged to provide the following information, to the greatest extent possible, with further updates as additional information comes to light:
      1. A description of the nature of the incident and likely consequences of the incident;
      2. Expected resolution time (if known);
      3. A description of the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects on the Parties and/or Shared Personal Data;
      4. The categories and approximate volume of Shared Personal Data and individuals potentially affected by the incident, and the likely consequences of the incident on that Shared Personal Data and associated individuals; and
      5. The name and phone number of a representative the Party may contact to obtain incident updates.
    3. Security Resources. The Reseller shall provide reasonable resources from its security group to assist with an identified Data Security Breach for the purpose of meeting its obligations in relation to the notification of a Data Security Breach under Applicable Laws or other notification obligations or requirements.
    4. Failed Security Incidents. A failed security incident will not be subject to the terms of this Data Processing Addendum. A failed security incident is one that results in no unauthorized access to or acquisition of Shared Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
    5. Additional Notification Requirements. For the purpose of this section, the Reseller is also required to provide notification in accordance with this section in response to:
      1. A complaint or objection to Processing or request with respect to the exercise of a Data Subject’s rights under Applicable Laws; and
      2. An investigation into or seizure of Shared Personal Data by government officials, regulatory or law enforcement agency, or indications that such investigation or seizure is contemplated.
  10. AUDIT
    1. Subject to the Agreement, and subject to the Registrar giving the Reseller reasonable notice, Reseller agrees to allow for and contribute to audits, including inspections, by the Registrar, as Data Controller, or its auditor, in order for the Registrar to verify the Reseller’s compliance with this DPA.
    2. Any audits or inspections which are conducted onsite at the Reseller’s premises shall be on a mutually agreed time and date during normal business hours. The scope and content of the audit will be agreed in advance and restricted to the Data Controller’s Data and related matters and the Registrar shall comply with any reasonable requirements or directions of the Reseller in order to respect and maintain its confidentiality and security obligations to third parties. Copies of any information obtained by the Data Controller as part of the audit shall be processed in a manner consistent with the Agreement and Data Protection Legislation.
    3. If the requested audit scope is addressed in an SSAE 16/ISAE 2403 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of the Data Controller’s audit request, and the Data Processor confirms there are no known material changes in the controls audited, the Data Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
    1. Notwithstanding any requirements under the Applicable Agreements to the contrary, the Reseller will retain Shared Personal Data for as long as necessary to carry out the Purposes or otherwise in accordance with the Temporary Specification and as permitted under Applicable Laws, and thereafter must irrevocably delete (and provide adequate certification of such deletion) or return, in full, all Shared Personal Data to the Registrar.
    2. Where the Agreement is terminated, for any reason, Reseller must irrevocably delete (and provide adequate certification of such deletion) or return, in full, all Shared Personal Data to the Registrar.
    For the purposes of this Data Processing Addendum, transfers of Personal Data include any sharing of Shared Personal Data, and will include, but is not limited to, the following:
    1. Transfers amongst the Parties for the Purposes contemplated in this Data Processing Addendum or under any of the Applicable Agreements;
    2. Disclosure of the Shared Personal Data with any other third party with a valid legal basis for the provisioning of the Purposes;
    3. Publication of the Shared Personal Data via any medium, including, but not limited to in public registration data directory services;
    4. The transfer and storage by the Receiving Party of any Shared Personal Data from within the EEA to servers outside the EEA; and
    5. Otherwise granting any third party located outside the EEA access rights to the Shared Personal Data.
    6. Reseller will not disclose or transfer Shared Personal Data outside the EEA without ensuring that adequate and equivalent protections will be afforded to the Shared Personal Data.
    1. In the event of a dispute or claim brought by a Data Subject or an applicable Data Protection Authority against any Party concerning the processing of Shared Personal Data, the concerned Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
    2. The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by a Data Protection Authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
    3. In respect of Data Security Breaches or any breach of this Data Processing Addendum, each Party will abide by a decision of a competent court of the complaining Party’s country of establishment or of any binding decision of the relevant Data Protection Authority.
    1. In the event the ICANN Board adopts changes to the Temporary Specification (a “Triggering Event”), then Registry may notify Registrar of the changes, and upon ICANN publication of the updated Temporary Specification to its website, the changes will also be adopted and incorporated automatically herein to this Data Processing Addendum.
    2. Registrar will be given thirty (30) days to accept or reject the proposed changes; rejection may result in termination of the RRA. If Registrar does not respond within thirty (30) days following notice, it is deemed to have accepted the changes to the Data Processing Addendum, as applicable.
    3. In the event Applicable Laws change in a way that the Data Processing Addendum is no longer adequate for the purpose of governing lawful processing of Shared Personal Data and there was no Triggering Event, the Parties agree that they will negotiate in good faith to review and update this Data Processing Addendum in light of the new laws.

  1. Nature and Purpose of Processing. The Parties will Process Shared Personal Data only as necessary to perform under and pursuant to the Applicable Agreements, and subject to this Data Processing Addendum, including as further instructed by Data Subjects.
  2. Duration of Processing. The Parties will Process Shared Personal Data during the Term of the underlying RRA to which this Data Processing Addendum is applicable, but will abide by the terms of this Data Processing Addendum for the duration of the Processing if in excess of that term, unless otherwise agreed upon in writing.
  3. Type of Personal Data. Data Subjects may provide the following Shared Personal Data in connection with the purchase of a domain name from a Registrar:
     Registrant Name: Last name First name
     Registrant Street: 1234 Example Street
     City: Wilmington
     State/Province: DE
     Postal Code: 19801
     Country: US
     Phone Number: +1.0123456789
     Fax Number: +1.1234567890

     Admin Contact: Last name First name
     Phone Number: +1.2345678901
     Fax Number: +1.3456789012

     Technical Contact: Last name First name
     Phone Number: +1.4567890123
     Fax Number: +1.5678901234

Annex 2 - List of Subprocessors:

Annex 3 – Security Measures

Technical and Organizational Measures

  1. All resellers must adhere to sufficient technical and organizational measures to ensure the integrity and security of data processed under the Agreements. By default, such measures should be commensurate with the nature of the data held, and should sufficiently protect the data from any unauthorized processing. Although does not require formal certifications, resellers handling data under this agreement should ensure protections equivalent to those required under SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar standards.

Minimum Technical & Organizational measures required

  1. Organization Of Information Security
    1. Employ appropriately qualified security Personnel responsible for information security.
    2. Security responsibilities are clearly documented and accountable personnel are made aware of them.
    3. Maintain a comprehensive set of information security policies that are reviewed and updated regularly.
    4. All Personnel and third-party contractors must have signed confidentiality agreements.
    5. Maintain internal IT and IT security governance and management.
  2. Physical Access
    1. Ensure that only authorized Personnel have access to the data center premises housing Customer Data and access is controlled through an auditable process.
    2. Data centers and their equipment are physically protected and secured against natural disasters, unauthorized entry, malicious attacks, and accidents.
    3. Equipment at the data center is protected from power failures with backup power supplies in the case of a power outage.
    4. If Cloud-Based Infrastructure is used for provision of services, contracts with these providers should provide a similar level of physical access security controls.
  3. System Access
    1. Access to systems is granted, after appropriate authorization, only to its Personnel and/or to permitted employees of its subcontractors, using role-based access following the principle of least privilege.
    2. Maintain an established password policy that prohibits the sharing of passwords, requires passwords to be changed on a regular basis and requires default passwords to be altered. All passwords must fulfill defined minimum complexity requirements and are stored in encrypted form. Multi-Factor Authentication (MFA) must be enabled where possible.
    3. Have a comprehensive process to deactivate users and their access when Personnel leave the company or change function.
    4. All access or attempted access to systems is logged and monitored.
  4. Data Access
    1. Access to systems is granted, after appropriate authorization, using role-based access following the principle of least privilege.
    2. Restrict Personnel access to Customer Data on a “need-to-know” basis.
    3. Any collection of Personal Data is solely to provide the services under the Agreement, and data shall not be used for any other purposes that would require or allow separate processing of data.
    4. Each such access and its subsequent operations are logged and monitored.
  5. Data Encryption and Pseudonymisation
    1. Customer access to the Vendor Service portals is protected by the most current version of Transport Layer Security (TLS).
    2. Uses approved Strong Encryption in the transmission of Customer Data within data centers, cloud environments, supporting systems, and when communicating with the customer.
    3. Ensure pseudonymization of data, as appropriate, to protect individuals from being identified directly.
  6. Data portability and destruction
    1. Upon Customer’s request, be able to provide the Customer’s data that is held in the systems.
    2. Ensure data minimization to limit collection of data to only what is required to accomplish the specified purpose and only for the duration required.
    3. Customer Data will be securely deleted from all systems and backups (NIST 800-88r1) either upon request or when no longer needed.
  7. Confidentiality And Integrity
    1. Have a formal background check process in place and carry out background checks on all new Personnel.
    2. Train engineering and appropriate Personnel in application security practices and secure coding practices.
    3. Have a central, secured repository of product source code, which is accessible only to authorized Personnel.
    4. Have a formal application security program and employ a robust Secure Development Lifecycle (SDL).
    5. Security testing includes code review, penetration testing, and employing static code analysis tools on a periodic basis to identify flaws or potential weaknesses.
    6. All changes to software are via a controlled, approved release mechanism within a formal change control program.
    7. All encryption and other cryptographic functionality used within the Service uses current industry-standard encryption and cryptographic measures aligned with the standards promulgated in FIPS 140-2.
  8. Availability and Resilience
    1. Have robust mechanisms and policies designed to address loss of availability of data.
    2. Ensure redundancy by storing copies of data in a different place from where the primary computer equipment is located.
    3. Each data center has redundant and reliable power sources with adequate back up.
    4. Data centers have multiple access points to the Internet.
    5. Data centers are monitored 24x7x365 for power, network, environmental and technical issues.
    6. If Cloud-Based Infrastructure is used for provision of services, contracts with these providers should provide similar service levels.
    7. Maintain a robust and regularly tested Business Continuity/Disaster Recovery program.
    8. Ensure adequate backups are in place.
    9. Test recovery of data from backups on a regular basis.
  9. Incident Management
    1. Maintain an up-to-date incident response plan.
    2. Regularly test the incident response plan with “table-top” exercises.
    3. In the event of a security breach, notify Customers within 48 hours after becoming aware of the security breach.
  10. Configuration and Vulnerability Management
    1. Ensure secure configuration of systems and applications.
    2. Review and update default configurations as needed.
    3. Disable default accounts.
    4. Deploy endpoint detection and protection software.
    5. Use both industry-standard mechanisms and, if appropriate, proprietary mechanisms to prevent intrusions and data breaches and to maintain data integrity.
    6. Have mechanisms in place to detect and respond to unusual behavior.
    7. Maintain an active vulnerability management program.
    8. Conduct annual penetration tests of the Service using external security experts.
  11. Audit
    1. Conduct regular internal and external audits of its security practices.
    2. Perform regular reviews of user accounts and assigned permissions for their systems.
    3. Ensure that Personnel are aware of and comply with the technical and organizational measures.
    4. Customers can request copies of these audit and test results on an annual basis.
    5. Have appropriate Certification/assurance of processes and products as appropriate.
    6. Ensure appropriate logging and detection/response capabilities are enabled.