Data Processing Agreement (DPA)

What this is about

When we provide hosting or migration services to you, we process personal data on your behalf. The GDPR (Art. 28) requires a written agreement between you (controller) and us (processor). We sign such a DPA with every customer before the service begins.

What the DPA covers

• Subject matter and duration of processing
• Nature, purpose, data subjects and data categories
• Controller's right to issue instructions
• Confidentiality obligations
• Technical and organisational measures (TOM) — see appendix
• Use of sub-processors (Hetzner, Let's Encrypt)
• Data-subject rights and controller support
• Breach-notification duties
• Return and deletion of data after contract end

How to obtain the DPA

We provide the DPA as a ready-to-sign PDF on request and sign it before the contract begins. Send a brief mail to datenschutz@your-server.info with subject "DPA request".

Sub-processors

• Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — data centre and server infrastructure (Nuremberg, DE)
• Internet Security Research Group (Let's Encrypt), San Francisco, USA — SSL certificate issuance

Technical and organisational measures (TOM) — short form

• Data-centre access only for authorised Hetzner personnel (ISO 27001 certified)
• Server access via SSH keys only — no password authentication
• Container isolation between customer websites (Docker)
• Reverse proxy with TLS 1.3 (Let's Encrypt), HSTS enabled
• CrowdSec for real-time defence against automated attacks
• Daily encrypted backups, 14-day rolling retention
• Regular malware scans (monthly minimum)
• At-rest encryption for backup volumes
• Documented incident-response process (notification within 24 h)