Data Processing Agreement
Summary
Privacy and data protection are the core values of Statichost.eu (“we”), and as such no personal data is processed other than that which is strictly necessary in order to provide the Service.
In order to provide the Customer’s websites to visitors, we need to process the IP addresses of said visitors. This processing is strictly necessary in order to send websites to visitors over the Internet.
To be clear, visitors’ Personal Data (including IP addresses) is not stored anywhere, because we believe this is not necessary in order to provide the Service.
Statichost.eu will, under the applicable data protection laws, act as processor to the Customer in relation to the processing of Personal Data required to carry out the Services.
1. DEFINITIONS
“Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.
“Customer Agreement” shall mean the agreement the Customer has entered into with Statichost.eu in order to make use of the Services, which forms the subject matter of the processing of Personal Data under this Agreement.
“Data Protection Laws” shall mean the applicable national laws concerning data protection including, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016/679, the GDPR) and the national implementations thereof and related national legislation.
“EEA” shall mean the European Economic Area.
“Personal Data” shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address, location data etc.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Service” shall mean the website hosting platform Statichost.eu provides its customers.
“Service Processing” shall mean the processing of Personal Data carried out by Statichost.eu on behalf of the Customer, as specified in SCHEDULE 1.
2. GENERAL TERMS
2.1 Statichost.eu may under this Agreement only carry out the Service Processing of Personal Data in accordance with the instructions of the Customer.
2.2 This Agreement is intended to constitute and shall be interpreted as a written data processing agreement between Statichost.eu and the Customer pursuant to applicable Data Protection Laws.
3. THE SERVICE PROCESSING
3.1 Statichost.eu shall process the Personal Data relating to the categories of data subjects and the Service Processing shall consist of the processing operations as set out in SCHEDULE 1.
3.2 In carrying out the Service Processing of the Personal Data, Statichost.eu shall act as processor to the Customer and the Customer shall act as controller as defined in the Data Protection Laws.
3.3 Statichost.eu shall carry out the Service Processing of the Personal Data for the purpose of providing and optimizing the Service to the Customer.
4. TERM OF SERVICE PROCESSING
4.1 This Agreement shall enter into force on the date of last signing and, subject to the below section 4.2, shall remain effective until the Customer Agreement is terminated or expires.
4.2 Upon the termination or expiry of the Customer Agreement, without entering into a new agreement replacing this Agreement, the provisions of this Agreement shall continue to apply as long as and to the extent Statichost.eu carries out the Service Processing pursuant to the instructions of the Customer.
5. STATICHOST.EU’S OBLIGATIONS
5.1 Statichost.eu may carry out the Service Processing of Personal Data only for purposes necessary for the due performance of the Customer Agreement and only in accordance with the Data Protection Laws applicable to Statichost.eu and in accordance with the written instructions from the Customer as further detailed in SCHEDULE 2 and as otherwise instructed by the Customer in writing from time to time. Statichost.eu may not disclose any Personal Data to a third party without the prior written approval from the Customer or if required by law.
5.2 If Statichost.eu does not have sufficient instructions to enable Statichost.eu to deliver the Service or otherwise fulfil its obligations, Statichost.eu shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant Service Processing of the Personal Data.
5.3 Statichost.eu shall implement and maintain appropriate and adequate technical and organisational measures as set forth in SCHEDULE 2 and as required under Data Protection Laws to ensure the security for the Personal Data included in the Service Processing. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by Statichost.eu. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed. The measures shall ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of the processed data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.4 Statichost.eu undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the Service Processing operations carried out by Statichost.eu to comply with confidentiality obligations and access restrictions with regards to the Service Processing of Personal Data. Statichost.eu shall ensure that only such employees have access to Personal Data who have received training and/or instructions in the care and handling of Personal Data.
5.5 Statichost.eu may, as part of the Service, inform the data subjects about the processing of the Personal Data and seek consent on behalf of the Customer where required, provided that the parties agree on this. The Customer acknowledges that the Customer, as controller of the Personal Data, is ultimately responsible under Data Protection Laws for the collection of consent where required.
5.6 Taking into account the nature of the processing, Statichost.eu shall, upon the Customer’s request and in accordance with the Customer’s written instructions, assist the Customer by appropriate technical and organisational measures, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject’s rights under applicable Data Protection Laws.
5.7 Statichost.eu undertakes to assist the Customer upon the Customer’s request in ensuring compliance with applicable Data Protection Laws, including but not limited to, with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.
6. CUSTOMER’S OBLIGATIONS
6.1 The Customer undertakes to comply with this Agreement and its obligations as controller under the Data Protection Laws, including, as applicable, inform the data subjects about the Service Processing and collect consent in accordance with Applicable Laws.
7. DATA SUBJECT REQUESTS
7.1 If the Customer receives a request from a Data Subject in relation to the Personal Data and the Customer deems that such request requires information or actions from Statichost.eu, the Customer shall inform Statichost.eu and Statichost.eu shall use its best efforts to provide the information and/or take the actions as instructed by the Customer as soon as reasonably possible. If Statichost.eu receives a request from a Data Subject, the instructions in SCHEDULE 2 shall apply.
8. NOTIFICATION
8.1 Statichost.eu shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
8.2 Statichost.eu shall notify the Customer without undue delay, after becoming aware of a Personal Data Breach relating to the Personal Data processed in the Service Processing. Statichost.eu shall without undue delay provide the Customer with all information about the Data Breach necessary for the Customer to provide notice to the data subjects and authorities, as applicable. Statichost.eu shall not disclose any information relating to a Data Breach without the prior written consent of the Customer. For the avoidance of doubt, information relating to a Data Breach shall be treated by Statichost.eu as confidential information.
8.3 Statichost.eu shall not respond, without the Customer’s prior written specific consent, to requests or inquiries of third parties, including but not limited to government agencies, public authorities, courts, data subjects, relating to the processing of Personal Data under this Agreement and Statichost.eu shall immediately forward such requests or inquiries to the Customer.
8.4 In the event Statichost.eu is required to disclose information, including but not limited to the processed Personal Data or information relating to the Service Processing, according to Data Protection Laws or the decisions of public authorities or courts, Statichost.eu shall be obligated to inform the Customer thereof immediately and request confidentiality in conjunction with the disclosure of requested information, unless otherwise specified in Applicable Laws.
9. INFORMATION AND AUDIT
9.1 Each party is obliged to, at its own cost, upon the other Party’s request, make available to the requesting Party all information necessary for the purpose of demonstrating compliance with applicable Data Protection Laws.
9.2 The Customer may carry out or mandate a third party auditor to carry out an audit, with ten (10) days of prior notice, in order to verify Statichost.eu’s compliance with this Agreement and with applicable Data Protection Laws. Statichost.eu grants access to Statichost.eu’s premises, records and documents for the Customer or mandated third party auditor to carry out the audit to which Statichost.eu shall provide assistance and Statichost.eu shall bear the costs of such audit if the audit reveals any non-compliance with this agreement or applicable Data Protection Laws.
10. SUBPROCESSORS
10.1 The Customer authorises Statichost.eu to appoint subprocessors in accordance with this section 10.
10.2 Statichost.eu may continue to use those Subprocessors already engaged by Statichost.eu prior to the date of this Agreement listed in SCHEDULE 3, subject to Statichost.eu in each case as soon as practicable meeting the obligations set out in section 10.4.
10.3 Statichost.eu shall give the Customer prior written notice of the appointment of any new Subprocessor, including full details of the processing to be undertaken by the subprocessor. If, within 14 days of receipt of that notice, the Customer notifies Statichost.eu in writing of any objections (on reasonable grounds) to the proposed appointment, Statichost.eu shall not appoint (or disclose any Personal Data to) that proposed subprocessor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken.
10.4 Provided that the Customer has provided its consent in accordance with section 10.1, all subprocessors must as a minimum conform to the respective requirements of this Agreement. When engaging subprocessors, Statichost.eu undertakes to ensure that the contract entered into between Statichost.eu and any subprocessor shall impose at least the same data protection obligations as set out in this Agreement.
10.5 Statichost.eu may not transfer Personal Data for the Service Processing to a country outside the EEA without the prior written approval of the Customer. Transfer to the subprocessors listed in SCHEDULE 3 shall be considered approved. Statichost.eu shall be fully liable for the lawfulness of any data transfer approved by the Customer and shall secure necessary safeguards for the transfer.
10.6 Statichost.eu shall, upon the Customer’s request, promptly provide all relevant information relating to the approved subprocessors, such as corporate identity, address, location and a copy of the relevant subprocessing agreement.
11. WARRANTY
11.1 Both Parties warrant that they have the necessary authority and mandate to enter into this Agreement.
11.2 Statichost.eu warrants that the Service Processing of Personal Data is carried out in accordance with applicable Data Protection Laws, including but not limited to the obligations relating to the security of the processing.
12. LIMITATION OF LIABILITY
12.1 No Party shall be liable under this Agreement to compensate the other Party for any indirect damages, including but not limited to loss of profits or business.
12.2 Statichost.eu’s total liability hereunder, whether arising under or otherwise in connection with this Agreement, shall be limited to an amount equal to the total amount paid by the Customer to Statichost.eu under the Customer Agreement during the twelve (12) month period preceding the event giving rise to the claim.
13. MEASURES UPON COMPLETION OF SERVICE PROCESSING
13.1 When this Agreement is terminated or expires, Statichost.eu shall, upon and in accordance with Controller’s written request, delete all Personal Data used in the Service Processing or delete and return all such Personal Data to the Customer, unless Applicable Laws require Statichost.eu to store Personal Data.
14. ASSIGNMENT
14.1 Neither Party may assign its obligations under this Agreement without the prior written approval of the other Party.
15. ENTIRE AGREEMENT
15.1 This Agreement shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.
15.2 The Customer is entitled to amend this Agreement if it is necessary to comply with requirements of applicable Data Protection Laws. Such amendments enter into force at the latest thirty (30) days after the Customer has sent an amendment notice to Statichost.eu, or such other time period which the Customer is obliged to adhere to according to Data Protection Laws and Regulations or relevant authorities. Other alterations of and amendments to this Agreement shall be made in writing and be signed by duly authorised representatives of the Parties to be binding.
16. GOVERNING LAW AND DISPUTES
16.1 This Agreement shall be governed by and construed in accordance with the laws of Sweden, with the exclusion of its conflict of law rules.
16.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The place of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless otherwise agreed.
16.3 The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
16.4 The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.
17. COUNTERPARTS AND ELECTRONIC SIGNATURES
17.1 This Agreement may be executed in two or more counterparts, each of which shall be deemed an original but all of which together shall constitute one and the same Agreement. The counterparts of this Agreement may be executed and delivered by electronic means by any of the parties to any other party and the receiving party may rely on the receipt of such document so executed as if the original had been received.
Schedules
SCHEDULE 1. Processing of Personal Data
1.1 Types of Personal Data
The following types of Personal Data are processed by Statichost.eu on behalf of the Customer in the Service Processing under the Agreement:
(i) IP address
1.2 Categories of data subjects
The processed Personal Data concerns the following categories of data subjects:
(i) Individuals visiting the Customer’s websites.
1.3 Service Processing operations
The following Service Processing operations shall be carried out for the below specified purposes by Statichost.eu under this Agreement:
(i) Providing the Customer’s websites to its visitors
Purpose: Sending content hosted on the website to visitors. Specifically, processing visitors’ IP addresses in order to send content over the Internet is needed.
Storage: None. Statichost.eu does not store any personal data related to website visits.
SCHEDULE 2. Instructions
2.1 Instructions for processing on behalf of the Data Controller
Statichost.eu shall comply with the instructions set forth below with respect to the processing of the Personal Data under this Agreement.
2.2 Handling and processing of the Personal Data
The premises used by Statichost.eu shall be protected with adequate physical security measures.
The IT infrastructure used by Statichost.eu shall be adequately and properly secured.
2.3 Data subjects’ requests
Statichost.eu shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.
The Customer authorizes Statichost.eu to, subject to the provisions of this Agreement, directly fulfil the requests of data subjects received by Statichost.eu. Statichost.eu undertakes to inform the Customer of any rectification, erasure, or restriction of processing of Personal Data performed by a direct request of a data subject, unless this proves impossible or involves disproportionate effort.
Statichost.eu shall have routines to provide Personal Data concerning a data subject at the Customer’s request.
Subject to the provisions of this Agreement, Statichost.eu shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.
SCHEDULE 3. Approved subprocessors
- UpCloud Ltd.: data center provider, registered in Finland
- Hetzner Online GmbH: data center provider, registered in Germany
Changelog
- 24.2.2023: Create Data Processing Agreement.
Executing this Agreement
If you wish to execute this Agreement, please print it, sign it, and send the signed copy to eric@statichost.eu. We will return a fully signed copy to you at our earliest convenience.
The printable version of this Agreement should include a signature section.