This Data Processing Agreement (“Agreement”) is between HostM Web Hosting, a division of Intuitient Ltd, registered in England and Wales (reg. no. 10826281) at The Garden Suite, 23 Westfield Park, Redland, Bristol, BS6 6LT, United Kingdom (“the Supplier”) and the Client for web hosting and/or related services (“the Services”).
This Agreement is an addendum to the Terms of Service (“TOS”) between the Supplier and the Client, hereafter referred to as the Parties.
“Account-Level Security” refers to the security of the Client’s hosting accounts and other Services and the protection of any Personal Data processed through the involvement of such accounts including but not limited to the use of any applications or tools placed within said hosting accounts by the Client, any party authorized or instructed by the Client, or any unauthorized party due to the inadequate, improper, or absence of implementation of security measures on the part of the Client.
“Data Controller” or “Controller” refers to an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” or “Processor” refers to an entity that processes Personal Data on behalf of the Data Controller.
“Data Protection Law” refers to, for the purposes of this Agreement, the data protection laws and regulations of the UK, Switzerland, and the EEA, including the UK DPA, the Swiss FADP, and the GDPR.
“Data Subject” refers to a natural person whose Personal Data is processed by a Data Controller or a Data Processor or Sub-Processor.
“Data Sub-Processor” or “Sub-processor” refers to an entity appointed by the Data Processor that processes Personal Data on behalf of the relevant Data Controller.
“EEA” refers to the European Economic Area, which includes all EU countries as well as Iceland, Liechtenstein, and Norway.
“EC” refers to the European Commission.
“EU” refers to the European Union.
“GDPR” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, also known as the General Data Protection Regulation, which is applicable to all EEA countries.
“Personal Data” shall have the meaning ascribed to it in the GDPR.
“Processing” shall have the meaning ascribed to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Service-Level Security” refers to the security and the protection of Personal Data processed through the Client’s usage of the Services that does not fall within the scope of Account-Level Security.
“Swiss FADP” refers to the Federal Act on Data Protection of Switzerland.
“UK” refers to the United Kingdom.
“UK DPA” refers to the Data Protection Act of the United Kingdom.
1.1 The subject matter and duration of the Agreement shall be determined according to the information provided in the respective contractual relationship established by the Client’s usage of the Services.
1.2 The Supplier shall process Personal Data on behalf of the Client in accordance with Data Protection Law.
1.3 For the purposes of this Agreement and Data Protection Law, the Client is deemd to be the Data Controller, and the Supplier the Data Processor.
1.4 Where the Client is acting as a Data Processor in relation to a relevant Data Controller, the Parties expressly agree that:
The Client warrants to the Supplier that it has entered into an agreement with the relevant Data Controller that is fully consistent with the terms and conditions of this Agreement;
The Client’s instructions and actions with respect to the Personal Data have been authorized by the relevant Data Controller;
The Supplier shall process the Personal Data only under the Client’s instructions and not receive any instructions directly from the Data Controller, except in cases where the Client has factually disappeared or has ceased to exist in law without any successor entity taking on the rights and obligations of the Client; and
The Client shall hold the Supplier harmless against any action, claim, or complaint from the relevant Data Controller concerning any provision of this Agreement or any instructions received by the Supplier from the Client in execution of the TOS.
1.5 Notwithstanding the above, the Parties expressly agree that under all circumstances, the Client remains fully responsible for the proper execution of the obligations of the Data Controller as outlined in this Agreement.
1.6 The processing of Personal Data by the Supplier as a Data Controller is outside the scope of this Agreement.
2.1 The Supplier processes Personal Data on behalf of the Client as part of the provision of the Services.
2.2 The following types and categories of Personal Data are the object of this agreement:
Personal information including but not limited to name, contact information, financial information, information revealing personal health, racial or ethnic origins, political opinions, religious or philosophical beliefs, and trade-union memberships, among others;
Communication data including but not limited to email and contact form data; and
Log data including but not limited to Internet Protocol (IP) addresses, web browser types, and referrer pages.
2.3 The Personal Data may concern the following natural persons:
Prospective, current and previous employees, agents, advisors, freelancers, end users, clients, subscribers, resellers, referrers, business partners, vendors, and associates of the Client and/or relevant Data Controller; and
Persons authorized by the Client to use the Service.
3.1 The Client expressly agrees that it shall comply with its obligations as a Data Controller under Data Protection Law within the scope of this Agreement for its processing of Personal Data and any processing instructions it issues to the Supplier.
3.2 The Client warrants that it has obtained, or shall obtain, the necessary consent and authorization from the relevant Data Subject, Data Controller, and/or Supervisory Authority prior to processing Personal Data, and for the Supplier as Data Processor or Sub-processor to process Personal Data as part of the provision of the Services.
3.3 The Client as Data Controller shall provide any relevant instructions for the processing of Personal Data to the Data Processor in writing via the ticket system in the secure client area located on the Supplier’s website to ensure that all requests and related discussions can be properly and securely documented, and remains solely responsible for all such instructions.
3.4 The Client, as the Data Controller as well as the hosting account holder and operator, warrants that it is solely responsible for ensuring Account-Level Security by ensuring the implementation of security measures at the account level including but not limited to the following:
Using strong and unique passwords and keeping their account login credentials in a secure and confidential manner, not using the same credentials for more than one access point, and having all authorized users do the same. This includes all login credentials associated in any way with the Services provided to the Client by the Supplier, including but not limited to access credentials for:
the Client Lounge on the Supplier’s websites;
the hosting control panel;
File Transfer Protocol (FTP) accounts including but not limited to Secure File Transfer Protocol (SFTP) accounts;
email accounts including but not limited to Internet Message Access Protocol (IMAP) and Post Office Protocol 3 (POP3) accounts;
Web Distributed Authoring and Versioning (WebDAV) accounts;
Secure Shell (SSH) accounts; and
any web or other applications, scripts, or code that may be placed within the Client’s hosting account(s) including but not limited to blogs, discussion forums, e-commerce applications and Application Programming Interface (API) tools.
Managing access rights to the various login credentials including not creating any extraneous access credentials unless necessary for any specific task, not providing login credentials to unauthorized parties, and revoking login access from parties who are no longer authorized to access any service.
Taking reasonable steps to ensure that applications or code installed within their hosting accounts have no known security vulnerabilities which could lead to a compromise of Personal Data stored on the Client’s hosting account, and keeping such applications or code up-to-date with the latest security updates.
Enforcing the use of encryption over all transmission channels where Personal Data may be relayed over a public network, for example implementing Hyper Text Transfer Protocol Secure (HTTPS) on any applicable web contact forms and web application login forms, so as to prevent man-in-the-middle attacks.
Taking reasonable steps to ensure that any systems from which the Client or their authorized users perform login access to their hosting accounts or to any applications, functions, or services running on their hosting accounts are secure so as to prevent unauthorized access by malicious third parties such as through the use of keystroke monitoring mechanisms or other malware.
3.5 The Client expressly agrees that the availability of any web or other application installers and development tools that may be offered by the Supplier as part of the Services is meant solely to help improve the ease of deployment of said applications or tools by the Client, and that the Client remains fully responsible for performing their own due diligence with regard to the security of any in-house or third-party web application or development tool prior to proceeding with an installation, update, or other activity or execution on their hosting accounts, regardless of whether this is done with the aid of said installers and tools.
3.6 The Client shall hold the Supplier harmless against:
Account-Level Security breaches, including but not limited to those caused by the inadequate, improper, or absence of implementation of the Client’s security measures as Data Controller and/or hosting account holder and operator, and by security vulnerabilities that may subsequently be found to be present in applications and code placed within the Client’s hosting accounts by the Client or any party authorized or instructed by the Client, including the Supplier; and
any failure of the relevant Data Controller to comply with its obligations, including but not limited to those outlined in this Agreement.
4.1 The Supplier expressly agrees that it shall comply with its obligations as a Data Processor under Data Protection Law within the scope of this Agreement by undertaking the following:
Process the Personal Data only as necessary:
for the provision of the Services including but not limited to web hosting, email hosting, domain name registrations and renewals, online malware scanning and removals, spam protection and filtering, as well as the archiving, backing up and/or mirroring of the Client’s hosting accounts and other data in relation to the provision of the Services for contingency and business continuity purposes;
in accordance with lawful written instructions of the Client; and
as required by applicable laws.
Inform the Client if it believes that an instruction by the Client violates Data Protection Law. The Supplier shall then be entitled to suspend the execution of the relevant instruction until the Client confirms or alters said instruction.
Inform the Client without undue delay should the Supplier receive a request directly from a Data Subject within the scope of this Agreement for the access, rectification, deletion, limitation, or portability of their Personal Data, so that the Client can respond to the request accordingly.
Provide the Client with reasonable assistance for the purpose of responding to Data Subjects should the Client require such from the Supplier. The Client shall agree in advance to cover all costs incurred by the Supplier in connection with its provision of such assistance.
Take reasonable steps to ensure that each piece of Personal Data being processed is kept strictly confidential and accessible only to personnel who need to deal with that information.
Implement the appropriate technical and organizational measures to ensure an appropriate level of Service-Level Security. Such measures include but are not limited to those listed on the hosting security page.
Due to ongoing changes and advancements in technology, the technical and organizational measures shall be subject to technical progress and further development. The Supplier may at its discretion implement improved or alternative measures that provide a similar or higher level of security. Important changes to the measures shall be reflected on the hosting security page.
Upon reasonable request from the Client, and to the extent technically feasible without compromising the level of security, provide relevant information on a confidential basis to demonstrate the implementation of the technical and organizational measures. The Client shall agree in advance to cover all costs incurred by the Supplier in connection with its provision of such information.
Take reasonable steps to ensure that protective measures are taken that are recognized as sufficient by the EC in cases where Personal Data is processed outside the UK, Switzerland, and the EEA in a country that is not subject to an adequacy decision.
Inform the Client without undue delay should the Supplier become aware of a Service-Level Security breach including the unauthorized access, loss, disclosure, or alteration of Personal Data. Such notification shall describe the nature of the breach, the possible causes and consequences for the Data Subjects of the breach, as well as the measures taken or proposed by the Supplier in response to the breach.
Without the prior written consent of the Client, agree not to make any public announcements about a Service-Level Security breach, unless required by applicable law.
Provide the Client with the ability to retrieve and delete Personal Data should it exist on the Supplier’s systems. The Client shall remain solely responsible for performing the actions necessary for the preservation of its own data stored on the Supplier’s systems, including downloading routine backups to an off-site location for safe-keeping. The Client may obtain full backups of its hosting accounts through the use of the Backup function in the hosting control panel.
The termination or expiration of the Services for any reason including non-renewals and violations of the TOS, AUP or other relevant agreement shall result in the irreversible deletion of the Client’s data stored on the Supplier’s systems within the scope of the Services, in particular but not limited to the data stored within the Client’s hosting accounts, other than to the extent required to comply with applicable law.
Take reasonable steps to ensure that each Data Sub-processor that is engaged by the Supplier complies with Data Protection Law and in particular the GDPR, regardless of whether the Data Sub-processor is based within or outside the UK, Switzerland, and the EEA. The list of Data Sub-processors is available upon request.
Inform the Client in the event of the Supplier adding or replacing a Data Sub-processor by means of an email notification. If the Client does not object to the addition or replacement of a Data Sub-processor within five (5) calendar days, the Client is deemed to agree with the addition or replacement.
Should the Client object to the addition or replacement of a Data Sub-processor within five (5) calendar days of the relevant email notification, the Parties shall work on a mutually acceptable solution, which may include terminating the relevant portions of the Services relating to the use of the new Data Sub-processor.
Assist the Client in complying with its obligations around security, notification of security breaches, and data protection impact assessments, taking into account the nature of processing and the information available to the Supplier, provided that the Client shall cover all costs incurred by the Supplier in connection with its provision of such assistance.
5.1 With the exception of any changes made by this Agreement, the TOS remains in full force and effect. Should there be any conflict between this Agreement and the TOS, this Agreement shall prevail to the extent of that conflict.
5.2 This Agreement may be updated from time to time to provide for greater clarity or updates, or to comply with changes to Data Protection Law. Please frequently check this page to review any changes to this Agreement.