GoDaddy 2024 Sustainability Report: Responsible Governance & Operations | Cybersecurity & Data Privacy

Originally published in GoDaddy's 2024 Sustainability Report

Cybersecurity & Data Privacy

As an operator of large internet infrastructure, cybersecurity and data privacy are top priorities.

We maintain enterprise-wide programs to protect our systems, safeguard customer and employee data, and address evolving cyber threats. We implement robust governance systems to maintain our cybersecurity and data protection processes.

• Board Oversight: Our Board oversees the company's cybersecurity risk management program through its Audit and Finance Committee. The Audit and Finance Committee receives regular reports from GoDaddy’s Chief Information Security Officer (CISO) regarding the state of the company’s cybersecurity program. These reports are shared, at least quarterly, with the Board.
   
• Cybersecurity Risk Management: Our management is responsible for identifying, assessing, and managing GoDaddy’s cybersecurity risks on an ongoing basis; establishing processes designed to help ensure that potential cybersecurity risk exposures are monitored; putting in place appropriate mitigation and remediation measures; and maintaining the company's cybersecurity programs. GoDaddy's CISO has primary responsibility for the company's programs for identifying, assessing, and managing the company's cybersecurity risks. The CISO regularly provides reports and updates to the Chief Executive Officer on significant cybersecurity-related matters relevant to the company's cybersecurity risk.
   
• Privacy Program Management: Our Chief Privacy Officer manages our global privacy program. Our global data privacy program includes, but is not limited to, conducting privacy impact assessments, providing training to employees, responding to data subject requests, and responding to inquiries from data protection authorities.

Cybersecurity

Our information security team employs a variety of controls and initiatives to safeguard our systems and protect our customers.

• Proactive Monitoring: We regularly scan our environment for vulnerabilities, and research and monitor industry threats to proactively identify cybersecurity issues that could impact GoDaddy and our customers.
   
• Training & Internal Communications: Education is key to maintaining our high security standards. We developed an annual data privacy and cybersecurity training program for all employees, and we deliver regular updates on the latest initiatives and best practices through timely alerts.
   
• Intentional Development: Teams within our information security organization collaborate to integrate security measures into new products and services.
   
• Security by Design: Our developers are encouraged to consider cybersecurity from the initial design phase of our products to completion. We designed and implemented risk-based processes and procedures to conduct security reviews on new or updated applications prior to launch.
   
• Incident Response: We have a dedicated incident response team that works with our business units and other internal and external subject matter experts to respond to potential cybersecurity incidents.
   
• Security Frameworks: Some parts of our business are required to align with specialized frameworks, such as the Payment Card Industry Data Security Standards (PCI-DSS) for handling payment card data. Where required by our customer or other agreements, we align our practices and controls with additional recognized standards such as International Organization for Standardization (ISO) 27001.

Data Privacy

We take a proactive approach to managing our data privacy obligations. Some of our efforts include:

• Establishing Core Data Privacy Practices: We empower our customers, employees, and individual data subjects to manage their privacy preferences and exercise their privacy rights when visiting our websites, using our services, communicating with us, or working with us. Our core privacy practices are set forth in our Global Privacy Notice and related privacy policies.
   
• Global Regulatory Compliance: We maintain a global privacy program where we apply a core set of common principles to how we handle personal data. We also take into account local requirements and restrictions in the jurisdictions where we do business.
   
• International Data Transfers: GoDaddy has certified its compliance with the U.S.-E.U. Data Privacy Framework, as well as the U.S. – U.K. extension to U.S.– E.U. Data Privacy Frameworks. Where these frameworks do not apply, we rely on Standard Contractual Clauses and other lawful mechanisms for cross-border data transfers where necessary.
   
• Data Processing Agreements: In addition to our responsibilities for handling the personal data of our customers, employees, and other data subjects with whom we interact directly, we also handle personal data on behalf of our customers. In this capacity, we act as a data processor and our customers retain primary responsibility for safely and lawfully processing personal data. Where required by our agreements or applicable laws, we enter into data processing addendums that regulate our rights and responsibilities for processing personal data on behalf of our customers.
   
• Service Providers: Whether acting as a data controller or processor, we leverage service providers to support our operations and provide services to our customers. When we share personal data with service providers or third parties, they are required to comply with our instructions, adhere to contractual restrictions for processing personal data securely, and comply with applicable laws.
   
• GDPR Independent Assessment: In 2024, TRUSTe independently assessed our compliance with the E.U. General Data Protection Regulation (GDPR). TRUSTe validated that GoDaddy continues to implement program-level measures aligned with TRUSTe’s GDPR Privacy Program Validation Requirements.
   
• Privacy by Design: Our Data Governance and Operations Team (formerly our Data Privacy Office) also consults with our business teams on day-to-day privacy issues, ranging from conducting privacy impact assessments on new business practices to participating in the earliest phases of new product designs to ensure that privacy concerns are addressed during product development.

To learn more, read our 2024 Sustainability Report.

About This Report

This GoDaddy 2024 Sustainability Report details our progress toward our corporate sustainability goals, strategies, and initiatives in support of our overarching corporate mission and values. Unless otherwise noted, this report reflects our corporate sustainability performance across our global operations covering the fiscal year period from January 1 to December 31, 2024. To demonstrate our commitment to transparent communication regarding our sustainability progress, we routinely share updates through our website and our annual Sustainability Report. We welcome your questions, comments, and feedback on this report by contacting [email protected].

This report references the Global Reporting Initiative (GRI) Standards, includes select Sustainability Accounting Standards Board (SASB) metrics for the Internet Media and Services sector, and the Task Force on Climate Related Financial Disclosures (TCFD). We also disclose our contributions and progress toward priority UN SDGs. For additional information on how we align with these frameworks and key indicators demonstrating our sustainability performance, please refer to the Frameworks & Metrics section.