Data Processing Agreement (DPA)
Last updated: 2026-05-08
⚠️ The document below is a structural placeholder. Final content requires review by a licensed attorney before production cutover. Until finalized, this document is NOT legally binding.
This Data Processing Agreement ("DPA") governs the processing of personal data by GrafixHost ("Processor") on behalf of the Customer ("Controller") in accordance with GDPR (EU Regulation 2016/679). The DPA is an integral part of the Terms and applies automatically to all business plans.
1. Subject Matter
Processor provides web hosting infrastructure on which Controller stores and processes personal data (database content, files, emails, log files). The type of personal data and categories of data subjects are determined by the Controller.
2. Duration
The DPA enters into force on Service activation and applies for the duration of the contract plus a 30-day grace period after termination (for migration and data export).
3. Processing Activities
Processor performs: (a) data storage on its own infrastructure; (b) data transfer between data centers for redundancy and performance; (c) backups with 30-day retention; (d) automated security scanning and malware detection; (e) provision of technical access to the Controller.
4. Sub-processors
Processor uses the following sub-processors: Cloudflare Inc. (CDN, DDoS protection, EU + US POPs), Vercel Inc. (frontend hosting, EU regions), Stripe Inc. (payments), Resend (transactional email), Anthropic PBC (AI chat, anonymized requests). Changes to the list are announced with at least 30 days' notice; Controller has the right to object.
5. Technical and Organizational Measures
Processor applies: (a) encryption at rest (AES-256) and in transit (TLS 1.3); (b) role-based access control with MFA mandatory for all employees; (c) daily backups with 30-day retention; (d) monthly security audits; (e) physical security in data centers (ISO 27001); (f) GDPR employee training every 6 months.
6. Incident Notification
On detection of a security incident affecting personal data, Processor notifies Controller within 24 hours. A detailed report (affected data, causes, mitigations) follows within 72 hours. Processor cooperates with Controller on GDPR notification to the supervisory authority where applicable.
7. Audit Rights
Controller has the right to an annual audit of Processor's security practices. Options: (a) review of available SOC 2 reports; (b) on-site audit with 30 days advance notice; (c) third-party security assessment. On-site audit costs are borne by the Controller.
8. Termination and Data Deletion
On contract termination, Controller has 30 days to export their data in a standard format. After that period, Processor fully deletes the data from production and backups within 60 days. Confirmation of deletion is provided on request.