Data Processing Agreement

Agreement and data processing policy

Processing of personal data

Table of Contents

I. Introduction
II. Definitions
III. Application of the Agreement
IV. Processing of Personal Data
V. Data Access
VI. Instructions / indications
VII. Hostico's Obligations
VIII. Client's Obligations
IX. Rights of the Data Subject
X. Subcontracting
XI. Technical and Organizational Measures
XII. Audit
XIII. Duration

I. Introduction

This agreement governs the processing of personal data carried out by Hostico as the "Data Processor," on behalf of the client acting as the "Controller." The Data Processing Agreement represents the understanding between the parties and establishes the rules regarding the processing of data by Hostico as the Processor, on behalf of the client as the Controller. This agreement supplements the Terms and Conditions and/or the contract concluded between Hostico and the Client.

II. Definitions

In this agreement:

  • Services - represent the service provided to the Client in accordance with the respective Terms and Conditions or contract concluded with Hostico.
  • Personal data - means any information relating to an identified or identifiable natural person (data subject).
  • Client or Controller - represents the natural person, legal entity, public authority, or any other entity determining the purpose and means of processing personal data.
  • Processor or Hostico - represents the authority that will process personal data on behalf of the controller.
  • Processing - means any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or making available, alignment or combination, restriction, erasure, or destruction.
  • Sub-processor or Partner - represents a third party, a Hostico-designated partner, for the delivery of services and/or the processing of the client's personal data.
  • Technical and Organizational Security Measures - measures aimed at ensuring an appropriate level of security, including pseudonymization and encryption of personal data, the ability to ensure confidentiality, integrity, availability, and resilience of processing systems and services, the capability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, a regular process for testing and assessing the effectiveness of processing security.
  • Applicable Laws - all national and European Union laws and provisions in the field of personal data protection.
  • Data Subjects - users or customers of the controller.

III. Application of the Agreement

In relation to the services provided, this agreement applies to:

  • all data sent by the client to Hostico for processing
  • all data accessed by Hostico for processing on behalf of the client
  • all data received by Hostico on behalf of the client

IV. Processing of Personal Data

In accordance with GDPR policy, it is the sole responsibility of the client to ensure the accuracy, quality, and processing of personal data of data subjects. Hostico will access, use, or process this data on behalf of the client only under the following specific circumstances:

  • at the direct request of the client
  • for the purpose of providing contracted services
  • to provide technical assistance regarding the provided services
  • for maintenance operations

The client will be responsible for determining the origin and purpose of personal data, as well as the categories of data subjects involved.

In order to fulfill the agreement and specifically for the provision of contracted services, Hostico will process certain categories and types of personal data on behalf of the client in accordance with the client's authorization and request.

The types and categories of personal data processed by Hostico are:

Contact Information:

  • Name, surname, address, phone number, email address, personal identification number
  • Personal data of representatives, employees, and other third parties provided by the client

These personal data are not covered by this Data Processing Agreement but are addressed under the Privacy Policy, as Hostico plays the role of a Controller in this situation.

Service-related Data:

Data residing on Hostico's servers

Data stored and processed by users, such as source code, databases, files, etc.

Electronic logs: connection logs, authentication logs, access logs, error logs

Hostico does not have control over the content of these logs, as they are automatically generated by the services running on the equipment and by the client's applications.

The processing activities carried out will be limited to those necessary and relevant for the provided services. Processing requests from the client will be recorded by Hostico and kept until the client exercises the right to be forgotten. Hostico will process personal data related to the client and the contacts provided through the sales departments and the Hostico.ro website, in accordance with GDPR provisions.

V. Data Access

During the use of the services, the client has the right to access, modify, and delete personal data by authenticating into their own accounts using common protocols and tools.

In case of any modification or alteration to the data, the original version may be stored as an entry in a log for a period of 10 years, in accordance with Hostico's data retention policy.

VI. Instructions / indications

Hostico will act and process personal data exclusively for the purpose of providing the contracted services, in strict accordance with precise and documented instructions received from the client. By accepting this Data Processing Agreement, it is understood that Hostico has the right to process the client's personal data solely for the purpose of providing the contracted services and in accordance with the presented Terms and Conditions or the concluded contract. The client guarantees that the provided personal data comply with applicable laws, including legal requirements regarding data processing. In case Hostico believes that the instructions received from the client regarding data processing conflict with applicable laws, Hostico will promptly notify the client in this regard.

VII. Hostico's Obligations

Confidentiality

Hostico will treat all personal data received from clients as confidential information and will ensure that they are used solely for the purpose of providing the contracted services. Personal data will not be disclosed or transferred to third parties, except for Hostico employees and partners who require access to this data for service provision and who are obligated by confidentiality agreements to handle them with utmost seriousness and strict confidentiality.

Security

Hostico will implement and maintain appropriate technical and organizational measures to protect personal data against illegal or unauthorized processing, as well as against accidental loss, destruction, or damage. A detailed description of the conditions under which backup copies are performed and stored is available in the backup service documentation provided by Hostico.

To ensure the confidentiality and security of personal data, Hostico will restrict access to this data only to employees who need it for the provision of the services contracted by the client. All employees will be subject to confidentiality agreements and will be instructed to process the client's personal data in accordance with the precise instructions received from the client.

If requested by the client, Hostico will provide detailed information about the security measures implemented so that the client can assess and verify how personal data is protected.

Hostico will periodically review and update security measures to ensure their effectiveness and compliance with technological advancements and legal requirements regarding personal data protection.

Security Breaches

In the event that Hostico identifies a breach of the security of personal data, affecting the personal information of its clients, the affected client will be immediately notified. To the extent possible, Hostico will undertake to provide the necessary information and appropriate assistance to the client, with the aim of enabling them to fulfill all obligations related to reporting data breach incidents.

VIII. Client's Obligations

The client has the obligation to fully comply with applicable legal requirements as a data controller. Within this responsibility, it is the client's duty to ensure that any transfer or provision of personal data to Hostico is carried out with the explicit consent of the data subjects. Furthermore, the client must be able to justify each transfer of personal data to Hostico and provide the reasons and rationale for the decisions made regarding the processing and use of this data.

IX. Rights of the Data Subject

Hostico commits to providing the client with access to the services that manage the personal data of data subjects, allowing the client to perform actions such as deletion, release, correction, or blocking of the respective data. In cases where providing this access is not feasible for certain reasons, Hostico will act in accordance with the instructions received from the client, in order to perform these operations in full compliance with applicable laws. Additionally, Hostico will undertake to forward to the client any requests received from data subjects regarding access to their own personal data.

Location of Personal Data Processing

Personal data is processed by Hostico exclusively within its offices, workplaces, and data centers of its partners. Any transfer of personal data to international organizations or to third countries will only be carried out if such action is necessary and permissible, and fully complies with applicable legal provisions. By international organizations or third countries, reference is made to domain registries or certificate providers.

X. Subcontracting

Hostico will not subcontract any processing operation on behalf of the client under this Agreement without the prior consent of the client. For services that are not under Hostico's direct administration (such as domains, certificates, licenses), by placing and paying for the order, the client expresses consent for the processing of personal data through third-party providers.

Hostico has the implicit right to engage third parties to perform data processing operations on behalf of the client, without the need for written approval from the client. However, in order to ensure transparency and respect for the client's rights, Hostico will provide information regarding the identity of the third party upon explicit request from the client.

XI. Technical and Organizational Measures

Hostico will ensure that adequate technical and organizational measures are implemented and maintained throughout the processing of personal data on behalf of the client. These measures include, but are not limited to, employing qualified personnel, strict control of access to data centers and equipment, rigorous data access management, using secure protocols for data transmission, detailed logging of system activities, isolating client data from that of other clients on internal systems, regular backups, and more.

XII. Audit

In the interest of transparency and respect for personal data protection, the client has the right to request an audit by submitting a written request to verify how Hostico fulfills its obligations according to the Data Processing Agreement. During this procedure, specific details concerning the choice of auditor and audit procedures will be established through a clear and transparent consensus between the parties. However, Hostico reserves the right to refuse an audit request in situations where the client has not complied with contractual and Data Processing Agreement provisions.

XIII. Duration

The Data Processing Agreement is valid for the entire duration of the Contract between the Client and Hostico. In accordance with legal provisions, the authorization granted by Hostico for processing personal data on behalf of the Client will immediately cease upon the expiration of the Contract.

In its role as a data processor, in line with requirements and legal regulations, Hostico commits to continuing the processing of personal data for a period of 30 days after the Contract's termination. Simultaneously, Hostico will retain a backup copy of the Client's data in accordance with its established backup policies. Any data processing actions conducted by Hostico during this period will be deemed to be in accordance with the instructions received from the Client.

Hostico undertakes to erase all personal data processed on behalf of the Client within a maximum of 45 days after the termination of the Agreement. However, in cases where there are legal requests or requirements for data retention, Hostico will act in accordance with those demands, ensuring the security and confidentiality of the respective data.

In its role as a data controller, Hostico will process client data in accordance with Article IV of the Privacy Policy.

Last Update: 30.08.2023