Note for Business Clients: This Data Processing Agreement ("DPA") forms part of our Terms of Service. It applies to the processing of personal data by Hostaffin on behalf of the Customer in the course of providing services.

1. DEFINITIONS

Terms such as "Data Controller", "Data Processor", "Data Subject", and "Processing" shall have the same meaning as set out in the EU General Data Protection Regulation (GDPR).

  • Customer: The entity using Hostaffin services (Data Controller).
  • Hostaffin: The service provider (Data Processor).
  • Personal Data: Any information relating to an identified or identifiable natural person processed within the Customer's account.

2. SUBJECT MATTER AND DURATION

The subject matter of the processing is the provision of web hosting and related services. The duration of the processing shall be for the term of the Agreement between the Customer and Hostaffin plus any period after the termination during which Hostaffin is required to retain data by law.

3. OBLIGATIONS OF THE PROCESSOR

Hostaffin agrees to:

  • Process personal data only on documented instructions from the Customer.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
  • Take all measures required pursuant to Article 32 of the GDPR (Security of processing).
  • Respect the conditions referred to in paragraphs 2 and 4 of Article 28 for engaging another processor (Sub-processors).
  • Assist the Controller in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights.

4. SUB-PROCESSING

Customer provides a general authorization for Hostaffin to engage sub-processors (e.g., data centers, domain registries). Hostaffin shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.

5. DATA TRANSFERS

Hostaffin shall ensure that any transfer of personal data to a third country or an international organization is done in compliance with Chapter V of the GDPR (e.g., via Standard Contractual Clauses).

6. SECURITY MEASURES

Hostaffin implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymization and encryption of personal data where applicable.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures.

7. AUDITS

Hostaffin shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

8. DATA BREACH NOTIFICATION

Hostaffin shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Customer's data.

9. TERMINATION AND DATA DELETION

Upon termination of the service, Hostaffin shall, at the choice of the Customer, delete or return all personal data to the Customer, unless applicable law requires storage of the personal data.

10. CONTACT

For DPA-related inquiries, please contact [email protected].