G4
G4

Data Processing Addendum (DPA)

Last updated: 2026-05-02 | Version 2.0

Plain-language summary: This DPA governs how G4 processes Customer Data on your behalf. It reflects GDPR, UK GDPR, and CCPA requirements. It includes Standard Contractual Clauses for international data transfers, specifies sub-processors (with notice of changes and objection rights), and outlines our commitment to assist with data subject rights, breach notification, and data protection impact assessments.

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the Agreement between G4 Cloud Inc. (“G4,” “Processor”) and the Customer (“Controller”) and sets out the terms governing the Processing of Customer Data.

2. Definitions

  • “Customer Data” means all personal data processed by G4 on behalf of Customer in connection with the Service.
  • “Data Protection Laws” means all applicable laws and regulations relating to the processing of personal data and privacy, including the GDPR, UK GDPR, CCPA, and any implementing legislation.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • “UK GDPR” means the GDPR as incorporated into UK law.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data.
  • “Processing” has the meaning given in applicable Data Protection Laws.
  • “SCCs” means the Standard Contractual Clauses adopted by the European Commission Decision 2021/914.

3. Processing of Customer Data

3.1 Roles

Customer is the Controller. G4 is the Processor. G4 may engage Sub-processors in accordance with Section 6.

3.2 Scope and Purpose

G4 will process Customer Data only for the purpose of providing the Service as described in the Agreement and in accordance with Customer’s documented lawful instructions.

3.3 Duration

G4 will process Customer Data for the duration of the Agreement plus the data deletion period set forth in the Agreement.

3.4 Types of Data

Customer Data may include: name, email address, IP address, job title, company name, and any other personal data contained in emails, files, documents, or other content uploaded to the Service.

3.5 Categories of Data Subjects

Data subjects include Customer’s employees, contractors, clients, partners, and any other individuals whose personal data is included in Customer Data.

4. G4’s Obligations

G4 shall: (a) process Customer Data only on documented instructions from Customer; (b) ensure that persons authorised to process Customer Data are bound by confidentiality obligations; (c) implement appropriate technical and organisational security measures; (d) assist Customer in fulfilling its obligations to respond to data subject requests; (e) notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach; (f) assist Customer with data protection impact assessments; (g) delete or return all Customer Data at the end of the provision of services; and (h) make available to Customer all information necessary to demonstrate compliance.

5. Assistance with Data Subject Rights

G4 will assist Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights under Data Protection Laws. If a data subject makes a request directly to G4, G4 will promptly forward it to Customer and will not respond directly without Customer’s authorisation.

6. Sub-processors

6.1 Authorised Sub-processors

Customer agrees that G4 may engage Sub-processors. Authorised Sub-processors include: Amazon Web Services, Inc. (cloud infrastructure), Google Cloud LLC (ancillary services), Cloudflare, Inc. (CDN, DDoS mitigation), Datadog, Inc. (monitoring), and Stripe, Inc. (payment processing).

6.2 Notice of Changes

G4 will provide Customer with at least 30 days’ notice before adding or replacing any Sub-processor by email and by posting to trust.g4.business.

6.3 Objection Right

Customer may object to a new Sub-processor within 14 days of notice. If the objection is reasonable, G4 will either not engage the Sub-processor or provide a commercially reasonable alternative.

7. Personal Data Breach Notification

Upon becoming aware of a Personal Data Breach, G4 will: (a) notify Customer without undue delay and in any event within 72 hours; (b) provide a description of the nature of the breach, categories and approximate number of data subjects and records concerned; (c) describe the likely consequences and measures taken or proposed; and (d) cooperate with Customer in investigating and mitigating the breach.

8. International Transfers

For transfers of Customer Data from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant authority, the parties enter into the SCCs (Module 2 — Controller to Processor) as incorporated by reference.

9. Audit Rights

G4 will make available to Customer all information necessary to demonstrate compliance. Upon Customer’s reasonable request (not more than once per 12 months), G4 will permit an independent third-party auditor to conduct an audit of G4’s data processing activities.

10. CCPA Compliance

For purposes of the California Consumer Privacy Act (CCPA), G4 is a Service Provider. G4 will not sell Customer Data or retain, use, or disclose Customer Data for any purpose other than providing the Service.

11. Deletion of Customer Data

Within 30 days following termination of the Agreement, G4 will delete all Customer Data from its production systems. Backups will be deleted within 90 days. This obligation does not apply where retention is required by applicable law.

12. Governing Law

This DPA shall be governed by the laws of the State of Delaware, except to the extent that the SCCs or Data Protection Laws specify otherwise.

We use cookies to improve your experience. By using G4 Cloud, you agree to our Cookie Policy and Privacy Policy.

We use cookies to improve your experience. By using G4 Cloud, you agree to our Cookie Policy and Privacy Policy.