Data Processing Agreement
Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR")
Effective Date: 2017-09-26
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Controller: The entity identified in the applicable service agreement ("Customer")
Processor: Euronodes Ltd, a company registered in Cyprus, with its registered office in Limassol, Cyprus ("Euronodes")
collectively referred to as the "Parties."
This DPA forms part of and is subject to the Terms of Service or other written agreement between the Parties governing Customer's use of Euronodes services (the "Principal Agreement").
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR, including collection, storage, alteration, retrieval, use, disclosure, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Sub-processor" means any third party engaged by Euronodes to process Personal Data on behalf of the Customer.
"Supervisory Authority" means the Commissioner for Personal Data Protection of the Republic of Cyprus, or any other competent data protection authority with jurisdiction over the Customer.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
3. Scope and Purpose of Processing
3.1. Euronodes processes Personal Data solely for the purpose of providing the services described in the Principal Agreement. These services may include, but are not limited to: virtual private server (VPS) hosting, web hosting, S3-compatible object storage, dedicated servers, colocation, and managed services.
3.2. Euronodes does not determine the purposes or means of processing Customer Personal Data. The Customer remains the Controller and is responsible for ensuring that the processing of Personal Data complies with GDPR and any applicable data protection laws.
3.3. The categories of Personal Data processed, the categories of Data Subjects, and the duration of processing are described in Annex A of this DPA.
4. Obligations of Euronodes (Processor)
4.1. Euronodes shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law. In such a case, Euronodes shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
4.2. Euronodes shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Euronodes shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR, including as appropriate:
- (a) encryption of Personal Data in transit and at rest;
- (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.
4.4. Euronodes shall assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.
4.5. Euronodes shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Euronodes.
4.6. At the choice of the Customer, Euronodes shall delete or return all Personal Data to the Customer after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
4.7. Euronodes shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Euronodes shall immediately inform the Customer if, in its opinion, an instruction infringes GDPR or other EU or Member State data protection provisions.
5. Sub-processors
5.1. The Customer provides general authorisation for Euronodes to engage Sub-processors for the performance of specific processing activities on behalf of the Customer.
5.2. Euronodes shall maintain an up-to-date list of Sub-processors, which is available at https://euronodes.com/legal/sub-processors or upon request.
5.3. Euronodes shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, giving the Customer the opportunity to object to such changes. Euronodes shall provide at least 30 days' prior written notice before engaging a new Sub-processor.
5.4. If the Customer objects to a new Sub-processor on reasonable grounds relating to data protection, the Parties shall discuss the objection in good faith. If no resolution can be reached, the Customer may terminate the affected services without penalty.
5.5. Where Euronodes engages a Sub-processor, it shall impose on the Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA. Euronodes shall remain fully liable to the Customer for the performance of the Sub-processor's obligations.
6. Data Breach Notification
6.1. Euronodes shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Customer's Personal Data.
6.2. Such notification shall include, to the extent available:
- (a) a description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- (b) the name and contact details of the point of contact at Euronodes where more information can be obtained;
- (c) a description of the likely consequences of the Data Breach;
- (d) a description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
6.3. Euronodes shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.
7. International Data Transfers
7.1. Euronodes operates infrastructure in the European Union and European Economic Area (Frankfurt, Germany; Lisbon, Portugal; Madrid, Spain; Prague, Czech Republic) and in Cyprus (Limassol).
7.2. Euronodes shall not transfer Personal Data outside the EEA unless: (a) an adequacy decision by the European Commission exists for the recipient country; (b) appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission; or (c) a derogation under Article 49 GDPR applies.
7.3. Where transfers to third countries occur (e.g., through Sub-processors), Euronodes shall ensure compliance with Chapter V of the GDPR and inform the Customer of such transfers.
8. Audit Rights
8.1. The Customer may, at its own expense and upon reasonable notice (not less than 30 days), conduct an audit of Euronodes' processing activities to verify compliance with this DPA. Audits shall be limited to once per calendar year unless a Data Breach or Supervisory Authority request necessitates an additional audit.
8.2. Euronodes may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2, ISO 27001), or other evidence of compliance, where available and applicable.
8.3. The Customer shall ensure that any auditor is bound by appropriate confidentiality obligations and shall conduct the audit in a manner that minimises disruption to Euronodes' operations.
9. Liability
9.1. Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.
9.2. Nothing in this DPA limits either Party's liability for breaches of GDPR that cannot be limited by contract under applicable law.
10. Term and Termination
10.1. This DPA shall come into effect on the date the Customer begins using Euronodes services and shall remain in effect for as long as Euronodes processes Personal Data on behalf of the Customer.
10.2. Upon termination of the Principal Agreement, the provisions of this DPA shall continue to apply until Euronodes ceases all processing of Personal Data on behalf of the Customer.
11. Governing Law and Jurisdiction
11.1. This DPA shall be governed by the laws of the Republic of Cyprus.
11.2. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of the Republic of Cyprus, without prejudice to the right of either Party to seek remedies before a competent Supervisory Authority.
12. Amendments
12.1. This DPA may be amended by Euronodes to reflect changes in applicable data protection law or regulatory guidance. Euronodes shall notify the Customer of material changes at least 30 days in advance. Continued use of the services after such notice constitutes acceptance of the amended DPA.
Annex A: Details of Processing
| Detail | Description |
|---|---|
| Subject matter | Provision of hosting and infrastructure services as described in the Principal Agreement |
| Duration | For the duration of the Principal Agreement, plus any period required for data deletion or return |
| Nature and purpose | Storage, transmission, backup, and technical processing of data as necessary to provide the contracted services |
| Categories of Data Subjects | Customer's end users, employees, contractors, clients, and any other individuals whose data is stored on Euronodes infrastructure |
| Types of Personal Data | As determined by the Customer; may include names, email addresses, IP addresses, and any other data stored by the Customer on Euronodes infrastructure |
| Special categories (Art. 9) | Not anticipated; however, the Customer may store special category data at its own risk and responsibility |
Annex B: Technical and Organisational Measures
Euronodes implements the following measures pursuant to Article 32 GDPR:
Access Control: Role-based access to infrastructure; multi-factor authentication for administrative access; principle of least privilege.
Encryption: TLS encryption for data in transit; encryption at rest available for storage services.
Network Security: Firewalls, intrusion detection, DDoS mitigation, network segmentation between customer environments.
Physical Security: Datacenters with 24/7 security, biometric or card-based access controls, CCTV monitoring, environmental controls (fire suppression, climate control, UPS).
Availability and Resilience: Redundant power and network; regular backups where contracted; disaster recovery procedures.
Incident Management: Documented incident response procedures; breach notification process as described in Section 6.
Personnel: Confidentiality agreements for all staff; regular security awareness training.
Monitoring: Logging and monitoring of administrative access and system events.
Annex C: Approved Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Global (EU processing available) |
| Stripe, Inc. | Payment processing | USA (EU processing available, SCCs in place) |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing | Luxembourg, EU |
| Anthropic, PBC | AI-assisted customer support | USA (SCCs in place) |
| Invoice Ninja, Inc. | Billing and invoicing | USA (SCCs in place) |
Euronodes Ltd, Limassol, Cyprus | [email protected] | https://euronodes.com