Data Processing Agreement
GDPR Article 28 compliant data processing terms for business customers using Steadcloud cloud infrastructure.
Last updated: February 12, 2026
1 Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service ("Terms") between Steadcloud ™, statutory name PeaceWeb B.V. ("Processor," "we," "us," or "our"), and the Client ("Controller," "you," or "your"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the Terms.
In the context of this DPA, the Controller determines the purposes and means of the processing of personal data, while the Processor processes personal data solely on behalf of and in accordance with the documented instructions of the Controller. This DPA shall prevail over any conflicting terms in the Terms of Service with respect to data protection matters.
Legal Entity
Trading name: Steadcloud ™
Statutory name: PeaceWeb B.V.
Address: Hedikhuizerweg 7F, 5222 BC 's-Hertogenbosch, Netherlands
Chamber of Commerce (KVK): 88526461
VAT Number (BTW): NL864668788B01
Important: This DPA forms an integral part of the agreement between the Controller and the Processor. By using Steadcloud services that involve the processing of personal data, you agree to the terms of this DPA.
2 Scope of Processing
The Processor shall process personal data only to the extent necessary to provide the services described in the Terms and in accordance with the Controller's documented instructions. The nature, purpose, and duration of processing are determined by the services ordered by the Controller.
2.1 Processing Activities
The Processor may process personal data in connection with the following services:
VPS Provisioning & Management
Virtual server deployment, configuration, and lifecycle management
Managed Hosting
Fully managed infrastructure with monitoring, patching, and support
Block Storage
Persistent SSD-backed storage volumes attached to instances
Backup Services
Automated and on-demand backup solutions with encryption
IP Address Allocation
Dedicated IPv4 and IPv6 address assignment and management
Private Networking
Isolated private networks for secure instance-to-instance communication
Billing & Invoicing
Payment processing, invoice generation, and financial administration
Customer Support
Technical assistance, ticket management, and communication
2.2 Data Subjects
Personal data processed under this DPA may relate to the following categories of data subjects:
Client's Employees
Staff members and contractors of the Controller who access or use the services.
Client's Contacts
Business contacts, partners, and suppliers whose data is stored on the infrastructure.
End-Users
Individuals who interact with the Controller's applications hosted on Steadcloud infrastructure.
Website Visitors
Visitors to the Controller's websites and web applications hosted on the services.
2.3 Categories of Personal Data
The following categories of personal data may be processed:
- Contact details: names, email addresses, phone numbers, postal addresses, company information
- Hosting content: any personal data stored by the Controller on virtual instances, block storage, or backups
- Technical logs: IP addresses, access logs, error logs, system event logs, and metadata
- Payment references: billing information, transaction identifiers, and invoice data (no full card numbers are stored)
- Support communications: ticket content, email correspondence, and chat transcripts related to customer support
3 Processor Obligations
In accordance with Article 28(3) of the GDPR, the Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR
- Respect the conditions for engaging another processor (sub-processor) as set out in Article 28(2) and (4) of the GDPR
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions
4 Security Measures
Pursuant to Article 32 of the GDPR, the Processor has implemented and shall maintain the following technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
4.1 Encryption
Data in Transit
All data transmitted between the Controller and the Processor's infrastructure is encrypted using TLS 1.3 (or TLS 1.2 minimum). API communications, management interfaces, and control plane traffic are encrypted by default.
Data at Rest
All stored data, including block storage volumes and backups, is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management system with regular key rotation.
4.2 Access Controls
Role-Based Access Control (RBAC)
Access to personal data is restricted to authorised personnel on a need-to-know basis using role-based access controls. All access is logged and auditable.
Multi-Factor Authentication (MFA)
All Processor personnel with access to infrastructure or personal data are required to use multi-factor authentication. MFA is also available and recommended for all Controller accounts.
4.3 Physical Security
Tier III+ EU Datacenters
All infrastructure is hosted in Tier III+ certified datacenters located within the European Union (Netherlands). Facilities feature redundant power, cooling, and network connectivity, biometric access controls, 24/7 on-site security, and CCTV surveillance.
4.4 Monitoring and Testing
- 24/7 monitoring: Continuous infrastructure and security monitoring with automated alerting for anomalous activity
- Annual penetration testing: Independent third-party penetration tests are conducted at least annually, with remediation of identified vulnerabilities
- Vulnerability management: Regular vulnerability scanning and timely patching of systems and software
- Incident response: Documented incident response procedures with defined escalation paths, tested and reviewed at least annually
4.5 Personnel Security
- Background checks: All personnel with access to infrastructure or personal data undergo background verification prior to employment
- Confidentiality agreements: All personnel are bound by confidentiality obligations as a condition of employment
- Security training: Regular data protection and security awareness training for all staff
5 Sub-processors
The Controller provides general authorisation to the Processor to engage sub-processors for the provision of the services. The Processor shall ensure that sub-processors are bound by data processing obligations no less protective than those set out in this DPA.
5.1 Current Sub-processors
The following sub-processors are currently engaged by the Processor:
Datacenter Providers
Physical infrastructure hosting, power, cooling, and physical security
Stripe
Payment processing, credit card handling, and billing infrastructure
Mollie
Payment processing for European payment methods (iDEAL, Bancontact, SEPA)
PostHog
Product analytics, usage tracking, and service improvement
Front
Customer support platform, ticket management, and team communication
Cloudflare
CDN, DDoS protection, DNS, and web application firewall services
5.2 Changes to Sub-processors
The Processor shall notify the Controller at least 30 calendar days in advance of any intended changes to the list of sub-processors, including the addition or replacement of sub-processors. Notification will be provided via email to the Controller's registered account email address.
The Controller may object to the engagement of a new sub-processor within 14 calendar days of receiving notification, provided that the objection is based on reasonable grounds relating to data protection. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services without penalty.
6 International Transfers
The Processor stores and processes all primary data within the European Union, specifically in datacenters located in the Netherlands. Personal data is not transferred outside the EU/EEA except where necessary for the engagement of sub-processors as described in Section 5.
6.1 Transfer Safeguards
Where personal data is transferred to sub-processors located outside the EU/EEA, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs): EU Commission-approved standard contractual clauses (2021/914) are in place with all non-EU sub-processors
- Adequacy decisions: Where applicable, transfers are made to countries recognised by the European Commission as providing an adequate level of data protection
- Transfer Impact Assessments: In line with the Schrems II ruling (C-311/18), the Processor conducts transfer impact assessments for transfers to third countries and implements supplementary measures where necessary
EU-first approach: Steadcloud is committed to keeping personal data within the EU wherever possible. We continuously evaluate EU-based alternatives for all services and prioritise EU-hosted sub-processors.
7 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests exercising their rights under Articles 15 to 22 of the GDPR, including:
Right of Access (Art. 15)
Providing information about the personal data processed and a copy thereof.
Right to Rectification (Art. 16)
Correcting inaccurate or incomplete personal data without undue delay.
Right to Erasure (Art. 17)
Deleting personal data where there is no compelling reason for continued processing.
Right to Restriction (Art. 18)
Restricting the processing of personal data in certain circumstances.
Right to Data Portability (Art. 20)
Providing personal data in a structured, commonly used, and machine-readable format.
Right to Object (Art. 21)
Ceasing processing of personal data where the data subject objects on legitimate grounds.
If the Processor receives a request directly from a data subject, the Processor shall promptly redirect the data subject to the Controller and notify the Controller of the request without undue delay. The Processor shall not respond to data subject requests directly unless instructed to do so by the Controller.
8 Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach as defined in Article 4(12) of the GDPR. Notification shall be made to the Controller's registered account email address and to privacy{{ $domain }}.
8.1 Notification Content
The breach notification shall include, to the extent reasonably available:
- A description of the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned
- The name and contact details of the Processor's data protection contact point
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
8.2 Cooperation
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall assist the Controller in complying with its notification obligations under Articles 33 and 34 of the GDPR, including notifications to the supervisory authority (Autoriteit Persoonsgegevens) and to affected data subjects where required.
9 Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
9.1 Audit Conditions
- Advance notice: The Controller shall provide at least 30 calendar days' written notice of any intended audit
- Business hours: Audits shall be conducted during normal business hours (Monday–Friday, 09:00–17:00 CET/CEST) and shall not unreasonably disrupt the Processor's operations
- Confidentiality: The Controller and any mandated auditor shall be bound by confidentiality obligations with respect to any information obtained during the audit
- Frequency: Audits shall be limited to a maximum of once per 12-month period, unless a data breach has occurred or the audit is required by a supervisory authority
- Costs: The Controller shall bear the costs of any audit, except where the audit reveals material non-compliance by the Processor
9.2 Alternative Audit Evidence
The Processor may satisfy the Controller's audit requirements by providing copies of relevant third-party audit reports or certifications, including SOC 2 Type II reports or ISO 27001 certifications, where available. The Controller agrees to accept such reports as a reasonable alternative to on-site audits, provided that they adequately address the Controller's audit objectives.
10 Termination and Data Deletion
Upon termination or expiry of the services agreement, the Processor shall, at the Controller's choice:
Data Return (30 days)
Return all personal data to the Controller in a structured, commonly used, and machine-readable format within 30 calendar days of termination. The Controller may request data export through the account dashboard or by contacting support.
Data Deletion (60 days)
Permanently delete all personal data, including all existing copies, within 60 calendar days of termination. Deletion shall be performed using industry-standard secure deletion methods.
Upon completion of data deletion, the Processor shall provide the Controller with written confirmation that all personal data has been securely deleted.
Legal retention exception: The Processor may retain personal data to the extent required by applicable Union or Member State law, including Dutch tax and accounting legislation (typically 7 years for financial records). Where data is retained for legal compliance, the Processor shall inform the Controller of the legal basis and ensure that such data is processed only for the legally required purpose.
11 Liability
The liability provisions set out in the Terms of Service shall apply to this DPA, subject to the following additional provisions specific to data protection:
11.1 GDPR Liability Allocation
In accordance with Article 82 of the GDPR, each party shall be liable for the damage caused by processing that infringes the GDPR. The Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to the Controller's lawful instructions.
11.2 Indemnification
Each party shall indemnify the other party against any costs, claims, damages, or expenses incurred as a result of the indemnifying party's breach of this DPA or the GDPR, including any fines imposed by a supervisory authority to the extent attributable to the indemnifying party's breach. The Controller shall indemnify the Processor against claims arising from the Controller's processing instructions that infringe applicable data protection law.
12 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions. The GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet AVG) shall apply to all data protection matters.
Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent court at the Rechtbank Oost-Brabant, location 's-Hertogenbosch, the Netherlands. This is without prejudice to the right of data subjects to lodge complaints with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or to seek judicial remedy under Article 79 of the GDPR.
13 Contact Information
For questions, requests, or concerns regarding this Data Processing Agreement or data protection matters, please contact us:
Steadcloud ™ (statutory name: PeaceWeb B.V.)
Hedikhuizerweg 7F
5222 BC 's-Hertogenbosch
Netherlands
Privacy inquiries: privacy{{ $domain }}
Legal inquiries: legal{{ $domain }}
Chamber of Commerce (KVK): 88526461
VAT Number (BTW): NL864668788B01
Related Documents
This DPA should be read in conjunction with the following documents: