GoDaddy 2023 Sustainability Report: Our Operations | Cybersecurity and Data Privacy

Jun 25, 2024 10:00 AM ET
GoDaddy employee shown in corporate office space.

Originally published in GoDaddy's 2023 Sustainability Report

Cybersecurity and Data Privacy

Cybersecurity and data privacy are a top priority for GoDaddy as an operator of large internet infrastructure. We take our commitment to cybersecurity and data privacy seriously. We maintain enterprise-wide cybersecurity and data privacy programs designed to manage the risks to GoDaddy’s information systems, customer data, and personal information of our customers and employees from cyber threats, and to comply with our regulatory obligations.

Our approach to management of cybersecurity risk and data privacy obligations includes:

  • Board Oversight: Our Board oversees the company's cybersecurity risk management program through its Audit and Finance Committee. The Audit and Finance Committee receives regular reports from GoDaddy’s Chief Information Security Officer (CISO) regarding the state of the company’s cybersecurity program. These reports are shared, at least quarterly, with the Board of Directors. In addition, our Corporate Audit Services team audits our privacy practices, and the results of those audits are presented to senior leadership and discussed with the Audit and Finance Committee. Updates on privacy and cybersecurity matters are also included as part of the Audit and Finance Committee’s review of the Company’s enterprise risk management efforts. 
     
  • Cybersecurity Risk Management: Our management is responsible for identifying, assessing, and managing the company's material cybersecurity risks on an ongoing basis; establishing processes designed to help ensure that potential cybersecurity risk exposures are monitored; putting in place appropriate mitigation and remediation measures; and maintaining the company's cybersecurity programs. GoDaddy's CISO has primary responsibility for the company's programs for identifying, assessing, and managing the company's cybersecurity risks. The CISO reports directly to the company's Chief Technology Officer and regularly provides reports and updates to the company's Chief Executive Officer on significant cybersecurity-related matters relevant to the company's cybersecurity risk. 
     
  • Privacy Program Management: Our Privacy Officer manages our Data Privacy Office and global privacy program. Our Data Privacy Office is responsible for day-to-day operations of our privacy program, including but not limited to conducting privacy impact assessments, providing training to employees, responding to data subject requests, and responding to inquiries from data protection authorities. Other personnel and departments at GoDaddy also assist the Data Privacy Office, including but not limited to the company’s Legal and Information Security teams.

Cybersecurity

We’re committed to protecting customer information from cybersecurity threats. Our information security team uses a variety of controls to protect our systems and customer information from cybersecurity threats. Some of their efforts include:

  • Proactive Monitoring and Assessment: We use monitoring and detection tools designed to identify and mitigate threats before they impact GoDaddy or our customers. We also regularly scan our environment to identify potential vulnerabilities. 
     
  • Security by Design: Our developers are encouraged to consider cybersecurity from the initial design phase of our products to completion. We also have designed and implemented risk-based processes and procedures to conduct security reviews on new or updated applications prior to launch. 
     
  • Security Frameworks: Some parts of our business are required to align with specialized frameworks, such as the Payment Card Industry Data Security Standards (PCI-DSS) for handling payment card data. Where required by our customer or other agreements, we align our practices and controls with other recognized standards such as International Organization for Standardization (ISO) 27001. 
     
  • Incident Response: We have a dedicated incident response team that works with our business units and other internal and external subject matter experts to respond to potential cybersecurity incidents. In 2023, we updated our policies and procedures for reporting cybersecurity threats internally to strengthen our overall response capabilities.

Employee Training and Education 

GoDaddy employees receive annual data security and privacy training through our Do The Right Thing (DTRT) compliance training. We also send alerts to employees to keep them updated on the latest security threats and host regular workshops for specific teams on privacy topics.

Data Privacy 

We take a proactive approach to managing our data privacy obligations. Some of our efforts include:

Establishing Core Data Privacy Practices: We empower our customers, employees, and individual data subjects to manage their privacy preferences and exercise their privacy rights when visiting our websites, using our services, communicating with us, or working with us. Our core privacy practices are set forth in our Global Privacy Notice and related privacy policies. We apply our core practices to all individuals with whom we interact.

Global Regulatory Compliance: While we maintain a global privacy program where we apply a core set of common principles to how we handle personal data, we are mindful of local requirements and restrictions in many of the jurisdictions where we do business and have developed jurisdiction specific data privacy notices for the United States, the United Kingdom, and the European Union. From time to time, we have also adjusted our privacy practices to meet local requirements in other jurisdictions where we do business. We also follow jurisdiction-specific privacy practices relating to handling of personal data relating to our employees and job applicants.

International Data Transfers: In 2023, the U.S. and E.U. reached agreement on a new framework to allow lawful transfers of personal data from Europe to the United States (the “U.S.-E.U. Data Privacy Framework”). GoDaddy certified its compliance with this framework, as well as its compliance with the U.S. and U.K. extension to the U.S.- E.U. Data Privacy Framework. Where the Data Privacy Framework does not apply to transfers from the U.K. and E.U., we use other recognized transfer mechanisms, including standard contractual clauses.

  • Data Processing Agreements: In addition to our responsibilities for handling the personal data of our customers, employees, and other data subjects with whom we interact directly, we also handle personal data on behalf of our customers. In this capacity, we act as a data processor, and our customers retain primary responsibility for safely and lawfully processing personal data. Where required by our agreements or applicable laws, we enter into data processing addendums that regulate our rights and responsibilities for processing personal data on behalf of our customers. 
     
  • Service Providers: Whether acting as a data controller or processor, we use service providers to process personal data when necessary or appropriate to provide our services or conduct our business. When we provide personal data to a service provider or other third-party acting on our behalf, those service providers and third parties are required to comply with our instructions and contractual restrictions in processing personal information on our behalf. 
     
  • GDPR Independent Assessment: In 2023, TRUSTe independently assessed GoDaddy’s compliance with the EU General Data Protection Regulation (GDPR) and validated that GoDaddy provided evidence and other support showing that it implemented program-level measures that are designed to meet TRUSTe’s 40 GDPR Privacy Program Validation Requirements. 
     
  • Privacy by Design: Our Data Privacy Office also consults with our business teams on day-to-day privacy issues, ranging from conducting privacy impact assessments (PIAs) on new business practices to participating in the earliest phases of new product designs to ensure that privacy concerns are addressed during product development. In 2023, we rolled out a new technical solution to streamline the PIA review and more closely integrate privacy reviews with engineering reviews.

Ambitions for 2024

We saw significant changes in the global privacy and cybersecurity landscape in 2023, as many jurisdictions rolled out new rules and regulations that may affect our business in the coming year. We also have seen rapid technological change as new AI and ML tools have been deployed that allow processing of personal information in new ways. In 2024, we aim to continue to adapt our privacy program and cybersecurity practices to meet evolving legal requirements and business needs in this rapidly changing environment.

To learn more, read our 2023 Sustainability Report.

###

About this Report 

The GoDaddy 2023 Sustainability Report details our progress toward our corporate sustainability goals, strategies, and initiatives in support of our overarching corporate mission and values. Unless otherwise noted, this report reflects our corporate sustainability performance across our global operations covering the fiscal year period from January 1 to December 31, 2023. To demonstrate our commitment to transparent communication regarding our sustainability progress, we routinely share updates through our website and our annual Sustainability Report. We welcome your questions, comments, and feedback on this report by contacting ESG@GoDaddy.com.

This report references the Global Reporting Initiative (GRI) Standards and includes select Sustainability Accounting Standards Board (SASB) metrics for the Internet Media and Services sector. We also disclose our contributions and progress toward priority UN SDGs. For additional information on how we align with these frameworks and key indicators demonstrating our sustainability performance, please review the Frameworks and Metrics section.