Data Processing Agreement.

A standard DPA in line with Article 28 GDPR. It applies whenever you process personal data using our services. Sign-back available on request, or auto-applied via our Terms.

Last updated: April 2026

1. Roles

Where you use Hostander to host or process personal data, you are the controller and Hostander is the processor (or, where applicable, the sub-processor of your customer). We process personal data only on your documented instructions, which include the configuration of the services you order.

2. Subject matter and duration

We process personal data for the duration of your contract with us, for the purpose of delivering the managed hosting services you have ordered. Processing ends when your services are terminated.

3. Nature and purpose of processing

Hosting, storage, processing, transmission and backup of customer-supplied data on infrastructure we operate, plus operational tasks (monitoring, patching, restoring) that the managed service requires.

4. Categories of data and data subjects

Determined by you. We do not require, request or inspect the personal data you place on our infrastructure. We process whatever your applications store, on your behalf.

5. Hostander obligations

  • Process personal data only on your documented instructions.
  • Ensure that authorized personnel are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see Privacy Policy, section 8).
  • Assist you with data subject requests, security incidents and DPIAs to the extent reasonably required.
  • Notify you without undue delay (and in any case within 72 hours) of any personal data breach affecting your data.
  • Delete or return personal data at the end of the contract, at your choice.

6. Sub-processors

We use a limited list of EU-based sub-processors, primarily for billing and email delivery. The current list is available on request and updated in advance of any change. You may object to a new sub-processor on reasonable grounds; if we cannot resolve the objection, you may terminate the affected service.

7. International transfers

We do not transfer personal data outside the EU/EEA. Hostander has no US parent, no US subsidiary and no US operations. The US CLOUD Act does not apply to us. We do not use US hyperscalers as part of our managed hosting platform.

8. Security measures

  • Encrypted transport (TLS) for all management interfaces.
  • Hardware owned by Hostander, hosted in Tier III EU data centers with biometric access control.
  • Segregated management network, principle of least privilege, MFA for all engineering access.
  • 24/7 monitoring and an EU-staffed NOC.
  • Regular vulnerability management and patching of platform components.

9. Audit

We provide reasonable information to demonstrate compliance with this DPA. Where required by Article 28(3)(h) GDPR, we cooperate with audits performed by you or an independent auditor under reasonable confidentiality and scheduling terms.

10. Liability

Each party's liability under this DPA is subject to the limitations set out in our Terms of Service. Nothing in this DPA limits liability that cannot be limited under the GDPR.

11. Signing

This DPA is automatically incorporated into your contract once you accept our Terms of Service. A counter-signed PDF is available on request from legal@hostander.com.
