Data Processing Agreement (DPA)

1. Parties and Roles

This agreement is established between the data controller (customer) and the data processor (Hosted Cloud) pursuant to GDPR Article 28. Hosted Cloud processes personal data in accordance with the customer's instructions.

2. Scope of Processing

Data processing activities:

• Server hosting and storage services
• Backup and disaster recovery
• Technical support services
• Monitoring and log management

3. Sub-Processors

Hosted Cloud uses the following sub-processors:

• Data center providers (Tier III certified)
• Payment processors (PCI DSS compliant)
• Email service providers

All sub-processors have signed GDPR-compliant DPAs. Customers are notified of sub-processor changes.

4. Data Security Measures

• Data encryption (in transit and at rest)
• Access control and two-factor authentication
• Regular security testing and penetration testing
• ISO 27001 and SOC 2 certifications
• Security incident response plan

5. Data Subject Rights

Hosted Cloud assists the data controller (customer) in fulfilling data subject rights under GDPR Chapter 3. Access, deletion, correction, and portability requests are processed within 30 days.

6. Data Breach Notification

In the event of a data breach, Hosted Cloud notifies the customer within 72 hours. Breach details, affected data, and measures taken are reported.

7. Audit Rights

Customers may request an audit once per year. ISO 27001 and SOC 2 audit reports are provided upon request. Audit costs are borne by the customer.

8. Agreement Duration and Termination

This DPA is valid for the duration of the customer's service agreement with Hosted Cloud. Upon termination, data is securely deleted or returned to the customer within 90 days.