Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is entered into between HostupCloud ("Data Processor") and you, the customer ("Data Controller"), in accordance with Article 28 of the EU GDPR, the UK GDPR as reformed by the Data (Use and Access) Act 2025, the Indian Digital Personal Data Protection Act 2023 + DPDP Rules 2025, and applicable US state privacy laws including CCPA/CPRA and the 20+ state comprehensive privacy laws active as of 2026. This DPA also addresses obligations under the EU Data Act 2023(effective September 2025) and NIS2 Directive (transposed October 2024). It forms part of the General Terms and Conditions.
Last updated: 22 February 2026 · Effective: 22 February 2026
1. Roles of the Parties
Data Controller
You (the Customer)
You determine the purposes and means of processing personal data stored on HostupCloud infrastructure (e.g. your end customers' data, employee data, user databases). You are responsible for your lawful basis for processing.
Data Processor
HostupCloud
HostupCloud processes personal data only on your documented instructions — by providing compute, storage, and network infrastructure. We do not determine the purpose of processing and do not use your data for our own commercial purposes.
2. Subject Matter & Nature of Processing
Hosting, storage, transmission, and backup of personal data on HostupCloud servers and network infrastructure as instructed by the Controller.
To provide the contracted cloud infrastructure services (Shared Hosting, Cloud VPS, Bare Metal, Object Storage, etc.) to the Controller.
For the term of the service agreement. Processing ceases on termination; data is deleted within 30 days unless required by law.
Any personal data the Controller uploads or stores — typically contact details, account credentials, user records, logs, or application data.
End users of the Controller's applications and services, employees, or any individuals whose data the Controller hosts on HostupCloud.
HostupCloud processes data solely on the Controller's instructions (service configuration, support tickets, backup/restore requests).
3. HostupCloud's Processor Obligations
4. Sub-processors
HostupCloud uses the following sub-processors to deliver services. By accepting this DPA, you provide general written authorisation for these sub-processors. We will notify you 30 days before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Razorpay | Payment processing (billing data only) | India |
| Sentry (Functional Software) | Anonymised error monitoring | USA (SCCs) |
| Crisp IM SAS | Live chat support | France (EU) |
| MaxMind | IP geolocation for fraud prevention | USA (SCCs) |
| Cloudflare | DDoS protection and CDN (edge caching) | USA (SCCs) |
SCCs = EU Standard Contractual Clauses are in place for transfers to the USA. An up-to-date list is available at privacy@hostupcloud.com.
5. Technical & Organisational Security Measures
Encryption in transit
TLS 1.2+ enforced on all public-facing endpoints. HTTP redirected to HTTPS.
Encryption at rest
Storage volumes encrypted using AES-256. Backup data encrypted before transfer.
Access control
Role-based access control (RBAC), least-privilege principle, MFA mandatory for HostupCloud staff with infrastructure access.
Network isolation
Customer VMs are isolated at the hypervisor layer. Private networking available for inter-service communication.
Intrusion detection
Imunify360, WAF, and real-time network anomaly detection deployed across shared hosting infrastructure.
Audit logging
All administrative access to customer infrastructure is logged and retained for 90 days.
Vulnerability management
Regular patching cycles (OS, hypervisor, control panel). Critical CVEs patched within 24–72 hours.
Physical security
Data centres operate with biometric access, 24/7 CCTV, fire suppression, and N+1 power redundancy.
6. International Data Transfers
Customer data is processed in the data centre location selected at provisioning time. HostupCloud does not transfer Customer Content across regions without your instruction.
India
Primary data centre. Governed by DPDPA 2023 + DPDP Rules 2025. Data localisation available. Data Protection Board of India being constituted.
European Union
EU infrastructure planned. Governed by EU GDPR, EU Data Act 2023 (effective Sept 2025), and NIS2 Directive (Oct 2024). SCCs in place for US sub-processors.
United Kingdom
Governed by UK GDPR as reformed by the Data (Use and Access) Act 2025. UK International Data Transfer Agreements (IDTAs) used for transfers outside the UK.
United States
US-region available. Governed by applicable state privacy laws (CCPA/CPRA, TDPSA, VCDPA, and 17+ others active in 2026). SCCs and DPA between HostupCloud Inc. and EU/UK customers.
7. Data Subject Rights Assistance
HostupCloud will assist you in responding to data subject requests to the extent technically feasible for a processor. The Controller remains responsible for responding to data subjects.
8. Personal Data Breach Notification
9. Data Retention & Deletion
10. Liability
Each party is liable for damage caused by processing that infringes GDPR or this DPA. A party is exempt from liability if it proves it was not in any way responsible for the event giving rise to the damage. HostupCloud's aggregate liability under this DPA is subject to the limitation of liability in the General Terms and Conditions.
Need a signed DPA?
Enterprise customers may request a countersigned DPA for their compliance records. Contact our privacy team with your company details.