Data Processing Agreement

Article 28 GDPR-compliant data processing terms for business customers using Steadcloud cloud infrastructure.

Last updated: February 12, 2026

1 Introduction

This Data Processing Agreement ("DPA") supplements the Terms of Service ("Terms") between Steadcloud ™, statutory name PeaceWeb B.V. ("Processor," "we," "us," or "our"), and the Client ("Controller," "you," or "your"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the Terms.

In the context of this DPA, the Controller determines the purposes and means of the processing of personal data, while the Processor processes personal data solely on behalf of and in accordance with the documented instructions of the Controller. This DPA shall prevail over any conflicting terms in the Terms of Service with respect to data protection matters.

Legal Entity

Trading name: Steadcloud ™

Statutory name: PeaceWeb B.V.

Address: Hedikhuizerweg 7F, 5222 BC 's-Hertogenbosch, Netherlands

Chamber of Commerce (KVK): 88526461

VAT Number (BTW): NL864668788B01

Important: This DPA forms an integral part of the agreement between the Controller and the Processor. By using Steadcloud services that involve the processing of personal data, you agree to the terms of this DPA.

2 Scope of Processing

The Processor shall process personal data only to the extent necessary to provide the services described in the Terms and in accordance with the Controller's documented instructions. The nature, purpose, and duration of processing are determined by the services ordered by the Controller.

2.1 Processing Activities

The Processor may process personal data in connection with the following services:

VPS Provisioning & Management

Virtual server deployment, configuration, and lifecycle management

Managed Hosting

Fully managed infrastructure with monitoring, patching, and support

Block Storage

Persistent SSD-backed storage volumes attached to instances

Backup Services

Automated and on-demand backup solutions with encryption

IP Address Allocation

Dedicated IPv4 and IPv6 address assignment and management

Private Networking

Isolated private networks for secure instance-to-instance communication

Billing & Invoicing

Payment processing, invoice generation, and financial administration

Customer Support

Technical assistance, ticket management, and communication

2.2 Data Subjects

Personal data processed under this DPA may relate to the following categories of data subjects:

Client's Employees

Staff members and contractors of the Controller who access or use the services.

Client's Contacts

Business contacts, partners, and suppliers whose data is stored on the infrastructure.

End-Users

Individuals who interact with the Controller's applications hosted on Steadcloud infrastructure.

Website Visitors

Visitors to the Controller's websites and web applications hosted on the services.

2.3 Categories of Personal Data

The following categories of personal data may be processed:

  • Contact details: names, email addresses, phone numbers, postal addresses, company information
  • Hosting content: any personal data stored by the Controller on virtual instances, block storage, or backups
  • Technical logs: IP addresses, access logs, error logs, system event logs, and metadata
  • Payment references: billing information, transaction identifiers, and invoice data (no full card numbers are stored)
  • Support communications: ticket content, email correspondence, and chat transcripts related to customer support

3 Processor Obligations

In accordance with Article 28(3) of the GDPR, the Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject
  • Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR
  • Respect the conditions for engaging another processor (sub-processor) as set out in Article 28(2) and (4) of the GDPR
  • Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions

4 Security Measures

Pursuant to Article 32 of the GDPR, the Processor has implemented and shall maintain the following technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

4.1 Encryption

Data in Transit

All data transmitted between the Controller and the Processor's infrastructure is encrypted using TLS 1.3, with TLS 1.2 as the minimum accepted protocol version. API communications, management interfaces, and control plane traffic are encrypted by default.

Data at Rest

All stored data, including block storage volumes and backups, is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management system with regular key rotation.

4.2 Access Controls

Role-Based Access Control (RBAC)

Access to personal data is restricted to authorised personnel on a need-to-know basis using role-based access controls. All access is logged and auditable.

Multi-Factor Authentication (MFA)

All Processor personnel with access to infrastructure or personal data are required to use multi-factor authentication. MFA is also available and recommended for all Controller accounts.

4.3 Physical Security

Tier III+ EU Datacenters

All infrastructure is hosted in Tier III+ certified datacenters located within the European Union (Netherlands). Facilities feature redundant power, cooling, and network connectivity, biometric access controls, 24/7 on-site security, and CCTV surveillance.

4.4 Monitoring and Testing

  • 24/7 monitoring: Continuous infrastructure and security monitoring with automated alerting for anomalous activity
  • Annual penetration testing: Independent third-party penetration tests are conducted at least annually, with remediation of identified vulnerabilities
  • Vulnerability management: Regular vulnerability scanning and timely patching of systems and software
  • Incident response: Documented incident response procedures with defined escalation paths, tested and reviewed at least annually

4.5 Personnel Security

  • Background checks: All personnel with access to infrastructure or personal data undergo background verification prior to employment
  • Confidentiality agreements: All personnel are bound by confidentiality obligations as a condition of employment
  • Security training: Regular data protection and security awareness training for all staff

5 Sub-processors

The Controller provides general authorisation to the Processor to engage sub-processors for the provision of the services. The Processor shall ensure that sub-processors are bound by data processing obligations no less protective than those set out in this DPA.

5.1 Current Sub-processors

The following sub-processors are currently engaged by the Processor:

Datacenter Providers: physical infrastructure hosting, power, cooling, and physical security. Location: EU (Netherlands).

Stripe: payment processing, credit card handling, and billing infrastructure. Location: USA; transfers covered by Standard Contractual Clauses (SCCs).

Mollie: payment processing for European payment methods (iDEAL, Bancontact, SEPA). Location: Netherlands.

PostHog: product analytics, usage tracking, and service improvement. Location: EU.

Front: customer support platform, ticket management, and team communication. Location: USA; transfers covered by SCCs.

Cloudflare: CDN, DDoS protection, DNS, and web application firewall services. Location: global; transfers covered by SCCs.

5.2 Changes to Sub-processors

The Processor shall notify the Controller at least 30 calendar days in advance of any intended changes to the list of sub-processors, including the addition or replacement of sub-processors. Notification will be provided via email to the Controller's registered account email address.

The Controller may object to the engagement of a new sub-processor within 14 calendar days of receiving notification, provided that the objection is based on reasonable grounds relating to data protection. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services without penalty.

6 International Transfers

The Processor stores and processes all primary data within the European Union, specifically in datacenters located in the Netherlands. Personal data is not transferred outside the EU/EEA except where necessary for the engagement of sub-processors as described in Section 5.

6.1 Transfer Safeguards

Where personal data is transferred to sub-processors located outside the EU/EEA, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs): EU Commission-approved standard contractual clauses (2021/914) are in place with all non-EU sub-processors
  • Adequacy decisions: Where applicable, transfers are made to countries recognised by the European Commission as providing an adequate level of data protection
  • Transfer Impact Assessments: In line with the Schrems II ruling (C-311/18), the Processor conducts transfer impact assessments for transfers to third countries and implements supplementary measures where necessary

EU-first approach: Steadcloud is committed to keeping personal data within the EU wherever possible. We continuously evaluate EU-based alternatives for all services and prioritise EU-hosted sub-processors.

7 Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests exercising their rights under Articles 15 to 22 of the GDPR, including:

Right of Access (Art. 15)

Providing information about the personal data processed and a copy thereof.

Right to Rectification (Art. 16)

Correcting inaccurate or incomplete personal data without undue delay.

Right to Erasure (Art. 17)

Deleting personal data where there is no compelling reason for continued processing.

Right to Restriction (Art. 18)

Restricting the processing of personal data in certain circumstances.

Right to Data Portability (Art. 20)

Providing personal data in a structured, commonly used, and machine-readable format.

Right to Object (Art. 21)

Ceasing processing of personal data where the data subject objects on legitimate grounds.

If the Processor receives a request directly from a data subject, the Processor shall promptly redirect the data subject to the Controller and notify the Controller of the request without undue delay. The Processor shall not respond to data subject requests directly unless instructed to do so by the Controller.

8 Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach as defined in Article 4(12) of the GDPR. Notification shall be made to the Controller's registered account email address and to privacy{{ $domain }}.

8.1 Notification Content

The breach notification shall include, to the extent reasonably available:

  • A description of the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned
  • The name and contact details of the Processor's data protection contact point
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

8.2 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall assist the Controller in complying with its notification obligations under Articles 33 and 34 of the GDPR, including notifications to the supervisory authority (Autoriteit Persoonsgegevens) and to affected data subjects where required.

9 Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

9.1 Audit Conditions

  • Advance notice: The Controller shall provide at least 30 calendar days' written notice of any intended audit
  • Business hours: Audits shall be conducted during normal business hours (Monday–Friday, 09:00–17:00 CET/CEST) and shall not unreasonably disrupt the Processor's operations
  • Confidentiality: The Controller and any mandated auditor shall be bound by confidentiality obligations with respect to any information obtained during the audit
  • Frequency: Audits shall be limited to a maximum of once per 12-month period, unless a data breach has occurred or the audit is required by a supervisory authority
  • Costs: The Controller shall bear the costs of any audit, except where the audit reveals material non-compliance by the Processor

9.2 Alternative Audit Evidence

The Processor may satisfy the Controller's audit requirements by providing copies of relevant third-party audit reports or certifications, including SOC 2 Type II reports or ISO 27001 certifications, where available. The Controller agrees to accept such reports as a reasonable alternative to on-site audits, provided that they adequately address the Controller's audit objectives.

10 Termination and Data Deletion

Upon termination or expiry of the services agreement, the Processor shall, at the Controller's choice:

(a) Data Return (30 days)

Return all personal data to the Controller in a structured, commonly used, and machine-readable format within 30 calendar days of termination. The Controller may request data export through the account dashboard or by contacting support.

(b) Data Deletion (60 days)

Permanently delete all personal data, including all existing copies, within 60 calendar days of termination. Deletion shall be performed using industry-standard secure deletion methods.

Upon completion of data deletion, the Processor shall provide the Controller with written confirmation that all personal data has been securely deleted.

Legal retention exception: The Processor may retain personal data to the extent required by applicable Union or Member State law, including Dutch tax and accounting legislation (typically 7 years for financial records). Where data is retained for legal compliance, the Processor shall inform the Controller of the legal basis and ensure that such data is processed only for the legally required purpose.

11 Liability

The liability provisions set out in the Terms of Service shall apply to this DPA, subject to the following additional provisions specific to data protection:

11.1 GDPR Liability Allocation

In accordance with Article 82 of the GDPR, each party shall be liable for the damage caused by processing that infringes the GDPR. The Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to the Controller's lawful instructions.

11.2 Indemnification

Each party shall indemnify the other party against any costs, claims, damages, or expenses incurred as a result of the indemnifying party's breach of this DPA or the GDPR, including any fines imposed by a supervisory authority to the extent attributable to the indemnifying party's breach. The Controller shall indemnify the Processor against claims arising from the Controller's processing instructions that infringe applicable data protection law.

12 Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions. The GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet AVG) shall apply to all data protection matters.

Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent court at the Rechtbank Oost-Brabant, location 's-Hertogenbosch, the Netherlands. This is without prejudice to the right of data subjects to lodge complaints with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or to seek judicial remedy under Article 79 of the GDPR.

13 Contact Information

For questions, requests, or concerns regarding this Data Processing Agreement or data protection matters, please contact us:

Steadcloud ™ (statutory name: PeaceWeb B.V.)

Hedikhuizerweg 7F

5222 BC 's-Hertogenbosch

Netherlands

Privacy inquiries: privacy{{ $domain }}

Legal inquiries: legal{{ $domain }}

Chamber of Commerce (KVK): 88526461

VAT Number (BTW): NL864668788B01

Related Documents

This DPA should be read in conjunction with the following documents: