This Data Processing Addendum (“DPA”) forms part of the Agreement between HOSTNEY, LLC (“HOSTNEY,” “Processor,” “we,” “us”) and the Customer (“Controller,” “you,” “your”) and governs the processing of personal data by HOSTNEY on behalf of the Customer in connection with the Services. Terms not defined in this DPA have the meanings given in the Agreement.
1. Definitions
1.1. “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR or equivalent applicable data protection law.
1.2. “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
1.3. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.4. “Sub-processor” means any third party engaged by HOSTNEY to process Personal Data on behalf of the Customer.
1.5. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679 and the UK General Data Protection Regulation, as applicable.
1.7. “SCCs” means the Standard Contractual Clauses approved by the European Commission for the transfer of Personal Data to third countries.
2. Scope and Roles
2.1. The Customer is the Controller and HOSTNEY is the Processor with respect to Personal Data processed in connection with the Services.
2.2. HOSTNEY processes Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. In such a case, HOSTNEY will inform the Customer of the legal requirement before processing, unless the law prohibits such disclosure.
2.3. The types of Personal Data processed may include: names, email addresses, IP addresses, browser and device information, website visitor data, database content, and any other personal data stored by the Customer within the Services.
2.4. Data Subjects may include: the Customer’s end users, website visitors, customers, employees, and any other individuals whose Personal Data is stored within the Services.
2.5. The duration of processing corresponds to the term of the Agreement.
3. HOSTNEY’s Obligations
3.1. HOSTNEY will process Personal Data only for the purpose of providing the Services and in accordance with the Customer’s documented instructions. HOSTNEY will not use or disclose Personal Data for any other purpose unless expressly authorized by the Customer in writing.
3.2. HOSTNEY will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
3.3. HOSTNEY will implement and maintain appropriate technical and organizational security measures to protect Personal Data, as described in Section 5.
3.4. HOSTNEY will assist the Customer, taking into account the nature of the processing, in responding to Data Subject requests to exercise their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. If HOSTNEY receives a request directly from a Data Subject, HOSTNEY will promptly forward the request to the Customer and will not respond to the request without the Customer’s prior authorization, unless required by law.
3.5. HOSTNEY will assist the Customer in ensuring compliance with the Customer’s obligations regarding security, Data Breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to HOSTNEY.
3.6. Upon termination or expiration of the Agreement, HOSTNEY will delete all Personal Data within 30 days, unless retention is required by applicable law. The Customer is responsible for exporting any needed data before termination, as outlined in the Agreement.
3.7. HOSTNEY will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Customer or an independent auditor appointed by the Customer, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations. Audits will be conducted during normal business hours, no more than once per 12-month period, and at the Customer’s expense.
4. Sub-processors
4.1. The Customer provides general authorization for HOSTNEY to engage Sub-processors to perform specific processing activities on behalf of the Customer. A list of current Sub-processors is available at Sub-processors and will be kept up to date by HOSTNEY.
4.2. HOSTNEY will notify the Customer of any intended changes to Sub-processors by email or notification in the User Portal at least 30 days before the new Sub-processor begins processing Personal Data.
4.3. If the Customer has a reasonable objection to a new Sub-processor, the Customer will notify HOSTNEY in writing within 15 days of receiving notice. The parties will work together in good faith to find a mutually acceptable resolution. If no resolution is reached within 30 days of the Customer’s objection, the Customer may terminate the affected Services without penalty.
4.4. HOSTNEY will impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. HOSTNEY remains fully liable to the Customer for the performance of each Sub-processor’s obligations.
5. Security Measures
5.1. HOSTNEY implements and maintains the following technical and organizational measures to protect Personal Data:
(a) Isolation: SELinux-hardened container isolation for each customer account.
(b) Encryption in transit: TLS encryption for all data transmitted between customers, end users, and HOSTNEY’s servers.
(c) Backups: Daily automated backups of customer data.
(d) Access controls: Role-based access controls, multi-factor authentication for administrative access, and audit logging of all access and modifications.
(e) Malware protection: Automated real-time malware scanning.
(f) Network security: Behavioral bot detection, DDoS mitigation, firewall protection, and intrusion detection.
(g) Physical security: Services are hosted in data centers that maintain industry-standard physical security controls, including access restrictions, surveillance, and environmental controls.
5.2. HOSTNEY will regularly evaluate and update these measures to ensure ongoing protection of Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
6. Data Breach Notification
6.1. HOSTNEY will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Customer’s Personal Data.
6.2. The notification will include, to the extent available:
(a) A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
(b) The name and contact details of the point of contact at HOSTNEY for further information.
(c) A description of the likely consequences of the Data Breach.
(d) A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
6.3. If it is not possible to provide all information at the same time, HOSTNEY will provide the information in phases without further undue delay.
6.4. HOSTNEY will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
6.5. HOSTNEY’s obligation to notify or respond to a Data Breach under this Section is not an acknowledgment of fault or liability.
7. International Transfers
7.1. The Customer acknowledges that HOSTNEY’s Services are hosted in the United States and that Personal Data will be transferred to and processed in the United States.
7.2. Where the transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States is not covered by an applicable adequacy decision, the parties agree that such transfers are governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference.
7.3. For transfers from the EEA, the SCCs approved by European Commission Implementing Decision (EU) 2021/914 apply, with HOSTNEY as the data importer (Module 2: Controller to Processor).
7.4. For transfers from the United Kingdom, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office applies.
7.5. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection Act.
7.6. In the event of a conflict between this DPA and the SCCs, the SCCs will prevail to the extent of the conflict.
8. Liability
8.1. Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Section 12), except where applicable data protection law prohibits such limitation.
8.2. Nothing in this DPA limits or excludes either party’s liability for damages arising from a breach of the SCCs.
9. General
9.1. This DPA is effective from the date the Customer enters into the Agreement and remains in effect for the duration of the Agreement and until all Personal Data is deleted or returned in accordance with Section 3.6.
9.2. In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.
9.3. This DPA is governed by the laws specified in the Agreement, except where applicable data protection law requires otherwise.
9.4. Any amendments to this DPA must be in writing and agreed to by both parties, except that HOSTNEY may update the Sub-processor list and security measures in accordance with Sections 4.2 and 5.2 respectively.