Data Processing Agreement

1. Parties & roles

This DPA is between [OpenHost legal entity name, company number, registered address] ("OpenHost", "Processor") and the customer agreeing to the Terms of Service ("Customer", "Controller"). It applies where OpenHost processes personal data on the Customer's behalf in providing the hosting services.

Where the GDPR applies, the Customer is the controller and OpenHost the processor. OpenHost is the controller for the limited account and billing data it determines, which is covered by the Privacy Policy.

2. Definitions

"Applicable Data Protection Law" means the EU GDPR and, where applicable, the Israeli Privacy Protection Law and its regulations.

"Personal data", "processing", "controller", "processor", "data subject" and "personal data breach" have the meanings given to them in the GDPR.

3. Subject-matter, duration, nature & purpose

OpenHost processes personal data only to provide and support the hosting services, for the duration of the Customer's subscription and any wind-down or backup window described in clause 14.

The nature and purpose of processing is hosting, storing, transmitting and backing up the Customer's website, application, database and email content, and providing related support.

4. Types of personal data & data subjects (Annex A)

The data subjects are typically the Customer's website visitors, registered users, customers and buyers, newsletter recipients and mailbox correspondents, as set out in Annex A.

The types of personal data are determined by the Customer and may include identifiers, contact details, account credentials, order and payment metadata, and any content the Customer chooses to store.

5. Customer instructions

OpenHost processes personal data only on the Customer's documented instructions — including the Terms, this DPA and the Customer's use of the control panel and API — unless required to do otherwise by law, in which case OpenHost informs the Customer first where legally permitted.

OpenHost informs the Customer if, in its opinion, an instruction appears to infringe Applicable Data Protection Law.

6. Confidentiality

OpenHost ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations.

7. Security (Annex B)

OpenHost implements appropriate technical and organisational measures, summarised in Annex B, including encryption in transit, tenant isolation, access controls and multi-factor authentication, hardened and patched hosts, network firewalling and intrusion prevention, encrypted off-site backups, and logging and monitoring with regular review.

Measures may be updated from time to time provided the level of protection is not lowered.

8. Sub-processors

The Customer gives OpenHost general authorisation to engage sub-processors to provide the services. The current sub-processors are listed on the Sub-processors page (Annex C) by role and region; their full legal entity names are provided to customers in the executed DPA or on request to privacy@openhost.one.

OpenHost imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains fully liable for its sub-processors' performance.

OpenHost will give at least 30 days' notice of an intended new or replacement sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected service.

9. International transfers

Personal data is hosted in the European Union. Where providing the services requires a transfer to a country without an EU adequacy decision — for example certain email-delivery or storage functions — OpenHost relies on an appropriate Article 46 safeguard, such as the EU Standard Contractual Clauses (incorporated by reference in Annex D) or another lawful mechanism.

10. Data-subject rights & assistance

Taking into account the nature of the processing, OpenHost assists the Customer with appropriate technical and organisational measures to respond to data-subject requests — including access, rectification, erasure, restriction, portability and objection.

OpenHost forwards any data-subject request it receives directly to the Customer without responding itself, except to confirm that it will forward the request.

11. Breach notification

OpenHost notifies the Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Customer's data, with the information available to help the Customer meet its own obligations under GDPR Articles 33 and 34 and under the PPL.

12. Assisting the Customer's compliance

OpenHost assists the Customer, to the extent reasonable, with data-protection impact assessments and prior consultation (GDPR Articles 35–36) for processing that OpenHost performs.

13. Audit

OpenHost makes available the information reasonably necessary to demonstrate compliance with Article 28 and allows for and contributes to audits. This includes providing security documentation, responding to a reasonable annual questionnaire, and — where strictly necessary and on reasonable notice — a supervised on-site review that does not compromise other customers' security or confidentiality.

14. Deletion or return

On termination, at the Customer's choice, OpenHost deletes or returns all personal data and deletes existing copies, unless retention is required by law.

Active hosting data is deleted on termination; residual copies in encrypted backups are overwritten on the standard backup-rotation cycle (maximum [N] days), after which they are irretrievable.

15. Order of precedence & changes

If this DPA conflicts with the Terms of Service on data protection, this DPA prevails. Material changes follow the change process in the Terms.

Annexes

Annex A — processing details. Annex B — technical and organisational security measures. Annex C — sub-processor list (or a link to the live Sub-processors page). Annex D — Standard Contractual Clauses, if and when applicable.