MEGAPORT COMPUTE AND STORAGE SERVICES - DATA PROCESSING ADDENDUM (“DPA”)
This Data Processing Addendum (“DPA”) is incorporated into the Customer Agreement in respect of the Compute Services and Storage Services provided by Megaport (“Processor”) to Customer under the applicable Service Schedule(s), each a “Party” and collectively the “Parties”. This DPA applies to the extent Megaport Processes Personal Information on behalf of Customer in connection with such Services.
INTERPRETATION
Capitalised terms used but not defined in this DPA have the meanings given in the Agreement. For purposes of this DPA, the following terms have the meanings set out below:
“Agreement” means the agreement governing Customer’s use of the Services, including the applicable Service Schedule(s), as amended from time to time;
“Applicable Privacy Laws” means any laws and regulations governing the processing of PI, including, without limitation, and where applicable, the EU’s General Data Protection Regulation 2016/679 (“GDPR”), the UK’s Data Protection Act 2018, the Brazilian Data Protection Law 13,709/2018 ("LGPD"), and California’s Consumer Privacy Protection Act, as amended, and US Privacy Laws;
"Controller", "Data Subject", "PI Breach", and "Processing" shall have the same meaning as provided in Applicable Privacy Laws. For purposes of this DPA, a Controller includes a “Business” and a Processor includes a “Service Provider” as those terms are defined in US Privacy Laws;
“Customer” means the signing party specified in the Agreement;
“Group” means the Megaport Ltd group of companies;
“Megaport” means the relevant Group entity providing the Services to Customer;
“PI” means ‘Personal Information’ as defined in the Agreement and under Applicable Privacy Laws;
“Services” means the Compute Services and Storage Services provided under the applicable Service Schedule(s);
“Swiss Addendum” means the modifications and additional provisions required to adapt the Model Clauses for compliance with the Federal Act on Data Protection (FADP) of Switzerland, including specific adaptations mandated by the Swiss Federal Data Protection and Information Commissioner (FDPIC);
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses approved by the United Kingdom’s Information Commissioner’s Office (as amended, superseded or updated from time to time), and excluding any illustrative/optional clauses; and
“US Privacy Laws” means laws and regulations governing the processing of PI in the United States, including but not limited to (a) the California Consumer Privacy Act of 2018 (CCPA), as amended and integrated by the California Privacy Rights Act of 2020 (CPRA) and following implementing regulations; (b) the Virginia Consumer Data Protection Act of 2021 (VCDPA); (c) the Colorado Privacy Act of 2021 (CPA); (d) the Connecticut Data Privacy Act of 2022 (CTDPA); and (e) the Utah Consumer Privacy Act of 2022 (UCPA); in each case as amended or superseded from time to time.
PI PROCESSING.
Scope: This DPA applies to the extent that Megaport Processes PI on behalf of Customer that is subject to Applicable Privacy Laws in connection with the Services. For the purposes of such Processing, Customer acts as the Controller and Megaport acts as the Processor, except where Customer acts as a Processor, in which case Megaport shall act as a Sub-processor.
Processing Details: As between the Parties, Customer determines the PI processed using the Services, including the selection of service configurations, deployment regions, and related settings, and is responsible for ensuring that its processing of such PI complies with Applicable Privacy Laws. Megaport shall process PI only in accordance with Customer’s documented instructions, as set out in this DPA and the Agreement, and as configured by Customer through its account or otherwise communicated to Megaport. Megaport may also Process PI where required by applicable law, in which case it shall, to the extent permitted, inform Customer in advance. Megaport shall not sell or share PI (as those terms are defined in US Privacy Laws) and shall not retain, use, or disclose PI other than as necessary to provide the Services in accordance with the Agreement or as required by applicable law. If Megaport determines that it can no longer meet its obligations under Applicable Privacy Laws, it shall promptly notify Customer, and Customer may take reasonable and appropriate steps to prevent or remediate any unauthorized Processing of PI.
Authorised Personnel: Megaport shall ensure that access to PI, if any, is limited to personnel who require such access to perform the Services and who are subject to appropriate confidentiality obligations. Megaport shall take reasonable steps to ensure the reliability of such personnel.
Sub-processors: Megaport may engage Affiliates and third-party Sub-processors to Process PI on its behalf in connection with the Services, provided that such Sub-processors are bound by written agreements imposing data protection obligations no less protective than those set out in this DPA. The name and details of the processing to be performed are set forth in the Sub-processor page here, as amended by Megaport from time to time subject to the terms of this Section 2.4. Customer may subscribe to receive notifications of any proposed Sub-processor changes or additions (which it may do by emailing privacy@megaport.com), in which case Megaport shall notify Customer accordingly. If Customer is not satisfied with any Sub-processor for any legitimate reason, it may terminate the relevant Service (unless the Service is still subject to an agreed fixed term in which case it may only terminate the Service if it has set out those reasons in a formal objection sent to privacy@megaport.com and Megaport has failed to adequately address its concerns within 30 days thereafter). See this page for a list of all Affiliates and their details.
Restricted Transfers: Customer determines the configuration and deployment region for PI processed using the Services. Megaport will not transfer PI to a different deployment region except as provided in the Agreement or as instructed by Customer. Customer acknowledges that Megaport and its Sub-processors may access or Process PI from locations outside the selected deployment region for the purpose of providing the Services, which may constitute a transfer of PI under Applicable Privacy Laws. Customer is responsible for ensuring that any such transfers comply with Applicable Privacy Laws, including implementing any required safeguards.
EU Transfers: In the event of a Restricted Transfer subject to the GDPR, the Model Clauses (and in particular the Controller-to-Processor or Processor to Sub-processor module) shall apply and are hereby incorporated by reference (with such Model Clauses prevailing in the event and to the extent of any inconsistencies between them and any other provisions of this DPA), it being agreed for these purposes that (a) Customer is the ‘data exporter’ Controller and Megaport is the ‘data importer’ Processor; (b) Megaport has the general authorisation to engage Sub-processors in accordance with clause 2.4 above; (c) the technical and organisational security measures implemented by the data importer are those specified in clause 2.6 below; (d) the laws of Ireland will govern with the courts of Ireland having jurisdiction over any Model Clause-related disputes between the parties (save where applicable law dictates otherwise); (e) the EU Supervisory Authority (if relevant) will be determined with reference to Customer’s country of incorporation, or country in which its EU representative is based (if applicable), or the EU member state in which most of the data subjects are located; and (f) the parties’ acceptance/signature of the Agreement incorporating this DPA will be considered a signature to the Model Clauses (provided that if required by any Applicable Privacy Laws, the parties shall execute or re-execute the Model Clauses as a separate document).
UK and Swiss Transfers: When a Restricted Transfer includes UK or Swiss PI, the Parties agree to enter into the UK Addendum and the Swiss Addendum, respectively, which supplement the Model Clauses referenced in Section 2.6.1.
Brazil Transfers: For Restricted Transfers involving Brazil PI, the parties agree to implement the Brazil SCCs without modification, as required under Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados - LGPD) and ANPD Resolution No. 19/2024. These Brazil SCCs shall apply in full and supersede any inconsistent terms in this DPA or in the Model Clauses referenced in Section 2.6.1.
Security: Megaport implements reasonable technical and organisational measures designed to protect the Services against unauthorised or accidental Processing and similar risks, including the measures identified in the Agreement and Appendix 1. These measures are intended to ensure the confidentiality, integrity, availability, and resilience of the Services and to support the timely restoration of access to PI following an incident. While Megaport maintains safeguards designed to protect the Services, no security measures can guarantee complete protection against unauthorised access or misuse by third parties. Customer is responsible for securely configuring and using the Services and for taking appropriate steps to protect and back up PI processed through the Services, including through the use of encryption, available security features, and regular backups or archiving.
Co-operation: To the extent possible given the nature of the Services, the Parties shall reasonably co-operate with each other to enable each other to discharge their Applicable Privacy Law obligations (including compulsory data protection impact assessments and data subject access requests), as may be applicable.
Data Breach: Without detracting from Megaport’s notification and remediation obligations under the Agreement and relevant laws, if Megaport becomes aware that a security incident also constitutes a PI Breach, Megaport shall notify the Customer without undue delay and reasonably cooperate and assist Customer in its investigation, mitigation and remediation, as well as with any reporting obligations Customer may have under Applicable Privacy Law. Notwithstanding anything to the contrary, any notice of a PI Breach under this Section 2.8 will not be considered an admission by Megaport of fault or liability related to the PI Breach.
Return or Deletion: Customer may export or delete PI during the term of the Agreement using the functionality of the applicable Services. Upon termination of the applicable Services, Megaport and its Sub-processors will securely delete or destroy PI in accordance with the Agreement, except where retention is required by applicable law or maintained in backup or archival systems in accordance with Megaport’s retention and disaster recovery procedures. Customer is solely responsible for maintaining backups of its PI and implementing appropriate safeguards against accidental deletion. Once deletion has commenced, deleted PI may not be recoverable.
Liability: As this DPA forms part of the Agreement, each party’s liability under this DPA is still subject to the aggregate liability limitations and exclusions provided for under the Agreement, if any.
Order of precedence: This DPA will prevail in the event and to the extent of any inconsistencies between it and the Agreement; provided that nothing in this DPA serves to reduce Megaport’s obligations to protect PI under, or to permit PI Processing in a manner otherwise prohibited by, the Agreement.
APPENDIX 1 intended to supplement Annex 2 of the SCC and/or UK Addendum
SECURITY MEASURES
Megaport to ensure the following basic security measures:
Governance
Megaport has an Information Security Policy which is aligned with industry standards and which is reviewed periodically.
Organisational roles and responsibilities for Information Security are clearly defined and staffed appropriately.
The Megaport Executive Leadership oversees the Information Security strategy, which is formally reviewed at regular intervals.
Access Control
Megaport ensures access to information is restricted to authorised users. Account permissions are granted based on the principle of least privilege, where accounts are only given permissions necessary for job function.
Megaport enforces industry standard password complexity policies and requires Multi-Factor Authentication (MFA) for systems that store, process or transmit PI. Administrative or privileged accounts are separate from a user’s non-privileged account.
Physical Controls
Megaport will ensure physical security controls exist that prevent unauthorised access to areas (e.g. offices, datacentres) containing equipment performing IT functions.
Cryptographic Controls
Megaport will ensure that sensitive data in storage or in transit is encrypted using industry best practice ciphers (e.g. AES-256, TLS 1.3).
Megaport will ensure that cryptographic keys are managed via documented standards and procedures. Cryptographic keys will be protected from unauthorised access or misuse.
Business Continuity
Megaport has instituted and maintains a Business Continuity Plan and Disaster Recovery controls.
Automated backups of critical data are performed on a regular basis and validated regularly.
Incident Response
Megaport has a documented incident response procedure, aligned with industry best practice, that covers the response, notification and remediation of Security Incidents.
Megaport’s Incident Response policy defines and allocates the roles and responsibilities of staff during an incident.
Network Security
Megaport will implement industry best practice network security controls to ensure network traffic is monitored and unauthorised traffic is blocked.
Remote access into Megaport’s network must be restricted to authorised connections only. Remote access connections will be controlled by secure protocols and appropriate encryption.
Endpoint Security
Megaport will utilise malware protection on systems. Megaport will ensure anti-malware software receives the latest software updates and is functional.
Megaport will ensure systems are deployed and maintained to configuration “hardening” standards that follow industry best practices (e.g. CIS - Center for Internet Security benchmarks).
Megaport will ensure that software and operating systems use supported versions (not end-of-life) and security patches are applied in a timely manner.
Vulnerability Management
Megaport implements and maintains a vulnerability management process and applies security patches to known vulnerabilities.
Vulnerabilities are classified based on severity, and timeframes to address vulnerabilities are defined and adhered to.