Data Processing Addendum (DPA)

MODX Cloud customers that are required to comply with the GDPR should have a MODX Systems Data Processing Addendum in effect.

Data Processing Addendum

MODX Systems, LLC Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service or other written agreement entered into between MODX Systems, LLC (“MODX”), and you that incorporates this Addendum by reference (the “Agreement”), and governs the Processing of Personal Information by MODX in providing its service to host, manage, and develop websites, applications, and similar, (the “Service”) pursuant to the Agreement.

  1. Definitions
    1. “Data Subject” means any individual about whom Personal Information may be Processed under this Addendum.
    2. “Data Protection Legislation” means the GDPR (as defined below), together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.
    3. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
    4. “Personal Information” means personal data (as defined under the Data Protection Legislation) that are subject to the Data Protection Legislation and that you authorize MODX to collect in connection with MODX’s provision of the Service under the Agreement.
    5. “Process” or “Processing” means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.
    6. ”Security Incident” means any breach of MODX’s obligations under this DPA, other loss, destruction, damage of, or compromise to the Personal Data or any other event relating to Relevant Personal Data which falls within the definition of ‘personal data breach’ set out in Data Protection Law (including but not necessarily limited to, effective 25th May 2018, Article 4(12) of the GDPR).
    7. “Sensitive Information” means Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
  2. Limitations on Use. MODX will Process Personal Information solely on your behalf and in accordance with the Agreement, this Addendum and any other documented instructions from you (whether in written or electronic form), or as otherwise required by applicable law. MODX is hereby instructed to Process Personal Information to the extent necessary to enable MODX to provide the Service in accordance with the Agreement. In case MODX cannot process Personal Information in accordance with your instructions due to a legal requirement under any European Union or Member State law to which MODX is subject, MODX shall (i) promptly notify you in writing (including by e-mail) of such legal requirement before carrying out the relevant Processing, to the extent permitted by the applicable law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as you provide MODX with new instructions. You will be responsible for providing any necessary notices to, and obtaining any necessary consents from, Data Subjects whose Personal Information is provided by you to MODX for Processing pursuant to this Addendum. You acknowledge that the Service are not intended or designed for the Processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service.
  3. Security.​ MODX shall implement, and maintain throughout the term of the Addendum at all times in accordance with then current good industry practice, appropriate technical and organizational measures to protect Personal Information in accordance with Article 32 of the GDPR. MODX will ensure all persons authorized to process the Personal Information have committed to confidentiality or are under appropriate statutory obligation of confidentiality. On request, MODX shall provide you with a written description of the security measures being taken. The Service provides reasonable technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist you in securing Personal Information Processed by MODX. MODX will also assist you with conducting any legally required data protection impact assessments (including subsequent consultation with a supervisory authority), if so required by the Data Protection Legislation, taking into account the nature of Processing and the information available to MODX. MODX may charge a reasonable fee agreed by both parties prior to assisting for any such assistance, as permitted by applicable law.
  4. Data Subject Requests​. You are responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information Processed by MODX under this Addendum. MODX will notify you promptly and in any event no less than seven (7) business days’ notice, unless prohibited by applicable law, if MODX receives any such requests or complaints. The Service includes technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist customers, insofar as this is possible, in fulfilling their obligations to respond to such requests or complaints.
  5. Regulatory Investigations. ​At your request, MODX will assist you in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, if and to the extent that such investigation relates to the Processing of Personal Information by MODX on your behalf in accordance with this Addendum. MODX may charge a reasonable fee agreed by both parties prior to assisting for such requested assistance except where such investigation arises from a breach by MODX of the Agreement or this Addendum, to the extent permitted by applicable law.
  6. Security Incident.​ In the event that MODX becomes aware of a Security Incident, MODX will notify you without undue delay after MODX discovers the Security Incident. In the event of such a Security Incident, MODX shall provide you with a detailed description of the Security Incident and the type of Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Following such notification, MODX will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. At your request, MODX will provide reasonable assistance and cooperation with respect to any notifications that you are legally required to send to affected Data Subjects and regulators. MODX may charge a reasonable fee for such requested assistance where the breach has not been caused by MODX.
  7. Sub-processing
    1. Authorized Sub-processors. You agree that MODX may engage Sub-processors to process Personal Information on your behalf. The Sub-processors currently engaged by MODX and authorized by you are listed at
    2. Sub-processor Obligations. MODX shall: (i) enter into a written agreement with the Sub- processor imposing data protection terms that require the Sub-processor to protect the Personal Information to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause MODX to breach any of its obligations under this DPA.
  8. International Transfers
    1. Data center locations. MODX may transfer and process Personal Information in the world where MODX, its Affiliates or its Sub-processors maintain data processing operations. MODX shall at all times provide an adequate level of protection for the Personal information processed, in accordance with the requirements of Data Protection Laws.
    2. Privacy Shield. To the extent that MODX processes any Personal Information protected by EU Data Protection Law under the Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Information, the parties acknowledge that MODX shall be deemed to provide adequate protection (within the meaning of EU Data Protection Law) for any such Personal Information by virtue of having self-certified its compliance with Privacy Shield. MODX agrees to protect such Personal Information in accordance with the requirements of the Privacy Shield Principles. If MODX is unable to comply with this requirement, MODX shall inform you.
    3. Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section 8.2 shall not apply if and to the extent that MODX adopts an alternative data export solution for the lawful transfer of Personal Information (as recognized under EU Data Protection Laws) outside of the EEA (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Personal Information is transferred).
  9. Information​. MODX shall make available to you all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. MODX shall immediately inform you if, in its opinion, an instruction infringes the Data Protection Legislation.
  10. Return or Disposal. ​Upon termination of your User Account for any reason, MODX will return or destroy Personal Information at your request and choice.

Annex A

Details of Data Processing

1. Data Processing


The scope and purpose of processing Personal Information is to facilitate provision of the Services.


MODX provides a service to host, manage, and develop websites, applications, and other related functions, as described in the Agreement.


The purpose of the data processing under this DPA is the provision of the Services to you and the performance of MODX's obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.


As between you and MODX, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

2. Types of Personal Information

The Personal Information processed includes websites, website assets, images, documents and other data in an electronic form in the context of Provider's Services, which shall not include any Special Categories of Data.

3. Categories of Data Subject

Any individual accessing and/or using the Services through your account ("Users"); and any individual whose Personal Information you store, profile or collect via the Services.

4. Organisational and Technical Data Protection Measures

Security information related to the processing is contained in section 3 of the Addendum.


If you have any questions or concerns about our Data Processing Agreement, please email us at If you wish to send us a postal letter:

Last edited on March 16, 2021.

Launch a MODX site with ease

Turn your code into a MODX-powered digital experience and deploy with confidence.

Request a Demo Plans & Pricing

Got questions? Contact us to ask or schedule a demo. Want to self-host? Download MODX