Data Processing Agreement

This Data Processing Agreement (DPA) is an addendum to DiscountASP.NET's (DASP) Hosting Terms and Conditions and Team Foundation Server Hosting Terms and Conditions and the Affiliate Program Agreement (collectively referred to as Agreement) and is part of the requirements of the European Union General Data Protection Regulation (GDPR).

1. Scope of DPA.

This DPA applies when DASP processes Personal Data on behalf of the Customer to provide DASP Services and when the Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with this DPA in connection with such Personal Data.

1.1. Definitions.

  • Controller: Entity that manages the means of processing Personal Data.
  • Customer Data: Customer Data that DASP processes on behalf of Customer in the course of providing Services.
  • GDPR: European Union General Data Protection Regulation. Final full GDPR document (pdf).
  • Personal Data: Customer Data that map to an identifiable natural person.
  • Data Privacy Framework: EU-U.S. Data Privacy Framework with UK Extension, and Swiss-U.S. Data Privacy Framework. For more info: https://www.dataprivacyframework.gov/
  • Processor: Entity that processes Personal Data on behalf of Controller.
  • Security Incident: Any security breach that results in loss, alteration, access, disclosure, destruction or theft of Personal Data.
  • Subprocessor: Any Processor that DASP uses to help provide Services.

1.2. Role of Parties.

The Customer is the Controller of Personal Data and DASP is the Processor that processes Personal Data on behalf of Customer. The Personal Data processed by DASP is provided by the Controller. The DPA does not cover data that DASP may have collected and processed independently of Customer's use of the Services.

1.3. Customer Obligations

As the Controller, the Customer agrees to comply with Data Protection Laws in regard to its processing of Personal Data and processing instructions given to DASP; and will obtain all consents and rights necessary under Data Protection Laws for DASP to process Personal Data and provide the Services.

1.4. Personal Data Processing.

As a Processor, DASP will only process Personal Data to perform the Services in accordance with the Agreement and will comply with reasonable and lawful instructions provided by Customer that are consistent with the terms of the Agreement.

DASP processes Customer Data provided by Customer. The Customer Data may contain special categories of data depending on how the Services are used. The Customer Data may be subject to the following: (i) storage and other processing necessary to provide, maintain and improve the Services; (ii) customer care and technical support; and (iii) disclosures as required by law or otherwise set forth in the Agreement.

1.5. DASP as Controller.

Customer acknowledges that DASP has the right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, technical support, product development and marketing. For data considered personal data under Data Protection Laws, DASP is the Controller and will process the data in compliance with Data Protection Laws.

2. Subprocessing.

2.1 Subprocessors.

Customer agrees that DASP may engage Subprocessors to process Personal Data on behalf of the Customer. You may request a list of Subprocessors currently engaged by DASP.

2.2 Subprocessor Obligations.

When DASP engages a Subprocessor, DASP will: (i) enter an agreement with the Subprocessor that imposes data protection terms requiring the Subprocessor to protect Personal Data to standards required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause DASP to breach any of its obligations under this DPA.

2.3 Subprocessor Changes.

DASP will provide Customer reasonable advance notice via email if it adds or removes a Subprocessor.

2.4 Objection to Subprocessor.

Customer may object in writing to DASP’s engagement with a new Subprocessor on reasonable grounds relating to data protection. Customer must notify DASP in writing within five calendar days of receipt of DASP’s notice in accordance with Section 2.3. In the event of an objection, the parties will discuss their concerns in good faith and work to find a reasonable resolution. If this is not possible, either party may terminate the applicable Services.

3. Security.

3.1 Security Measures.

DASP will implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data.

3.2 Processing Confidentiality.

DASP will ensure that any person who is authorized by DASP to process Personal Data, including staff and subcontractors, will be under an appropriate obligation of confidentiality.

3.3 Response to Security Incident.

In the event of a Security Incident, DASP will notify Customer without undue delay about the incident and provide timely information relating to the Security Incident as it becomes known.

3.4 Security Measure Update.

Customer acknowledges that Security Measures can change and evolve and that DASP may update or modify the Security Measures from time to time.

4. International Transfers.

4.1 Locations of Processing Operations.

DASP stores and processes Personal Data from EU citizens in data centers located inside and outside the European Union. DASP's Subprocessors may be located in the United States or anywhere in the world. DASP will implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

4.2 Transfer Mechanisms.

To the extent DASP processes or transfers Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland in or to other countries, the parties agree that DASP will be deemed to provide appropriate safeguards for such data by virtue of having certified its compliance with the Data Privacy Framework and DASP will process such data in compliance with the Data Privacy Framework Principles.

5. Return and Deletion of Data.

Customer has access to their uploaded data/content and databases and can download the data/content at any time. Should the Customer have any difficulties in downloading their data/content from DASP servers, DASP technical support can assist. Upon deactivation of the Services, all Personal Data shall be deleted, except for that which is required by applicable law to be retained, or Personal Data DASP has archived on backup systems, which are securely isolated and protected from any further processing. Backups are regularly rotated; therefore, the Personal Data from a deactivated account will be removed from the backup on the next rotation.

6. Cooperation.

In response to requests from individuals or data protection authorities, if the Customer is unable to independently access Personal Data within the Services, DASP will (at Customer's expense) provide reasonable cooperation to assist Customer to gain access or obtain the data if possible. If such a request is made directly to DASP, DASP will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If DASP is required to respond to such a request, DASP will notify the Customer and provide them with a copy of the request unless legally prohibited from doing so.

To the extent DASP is required under Data Protection Law, DASP will (at Customer's expense) provide reasonably requested information regarding DASP's processing of Personal Data under the Agreement and this DPA to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

7. General.

7.1. Entire Agreement and Conflict.

Except as amended by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between the Agreement and this DPA, then this DPA will prevail.

7.2. Jurisdiction.

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Last Update: July 26, 2023