Data Processing Agreement (DPA)
Last updated: 2025-10
This Data Processing Agreement (“Agreement” or “DPA”) is entered into between:
- Controller: The "Customer" using Hosst B.V.’s services (and its Affiliates where elected under Article 16).
- Processor: Hosst B.V. (trading as “Stellar Hosted”) registered in the Netherlands, with its principal place of business at Coehoornsingel 2A, 9711 BS Groningen, The Netherlands, Chamber of Commerce (KvK) 96216794.
This DPA forms part of the service agreement ("Main Agreement") under which Processor provides the Services to the Customer.
Order of precedence: (i) SCCs (where applicable), (ii) this DPA, (iii) the Main Agreement, but only to the extent of conflict relating to Processing.
- Services: Managed open-source software hosting.
- Security/Privacy contact: security@stellarhosted.com or designated portal.
- Supervisory Authority: Dutch Data Protection Authority.
- Governing law: the laws of the Netherlands; disputes shall be settled by the competent courts of Groningen, the Netherlands.
Definitions
- "Data Processing Agreement" means this document, also referred to as "DPA".
- "Party" means either the Controller or the Processor individually; "Parties" means both collectively.
- "Applicable Data Protection Law" means applicable privacy and data protection laws, including the GDPR, UK GDPR and Swiss FADP where applicable.
- "GDPR" means Regulation (EU) 2016/679.
- "UK GDPR" means the UK Data Protection Act 2018 and the retained EU law version of the GDPR.
- "Swiss FADP" means the Swiss Federal Act on Data Protection.
- "Personal Data" means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Art. 4(1)).
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Art. 4(2)).
- "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (GDPR Art. 4(7)).
- "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller (GDPR Art. 4(8)).
- "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates (GDPR Art. 4(1)).
- "Data Subject Request" or "DSR" means a request from a Data Subject to exercise rights under Applicable Data Protection Law (e.g., access, rectification, erasure, restriction, portability, objection and not to be subject to automated decision-making), whether submitted directly to Processor or forwarded by Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (GDPR Art. 4(12)).
- "Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR (GDPR Art. 4(21)).
- "Sub-processor" means any processor engaged by Processor to assist with Processing Personal Data on behalf of Controller.
- "Technical and Organizational Measures" or “TOMs” means the security measures described in Annex I.
- "Standard Contractual Clauses" or "SCCs" means the European Commission’s 2021/914 clauses (Modules 2 and/or 3).
- "Security Incident" means any confirmed or reasonably suspected event that compromises the confidentiality, integrity, or availability of Customer Data or the systems processing it, including unauthorized access, disclosure, alteration, loss, or destruction, whether accidental or unlawful. A Personal Data Breach is a Security Incident involving Personal Data as defined by Applicable Data Protection Law.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK ICO (version B.1.0).
- "Customer Data" means Personal Data processed by Processor on behalf of Controller under the Main Agreement.
- "Service Data" means data processed by Processor as an independent Controller for billing, account management, abuse/fraud prevention, compliance and minimal product analytics on the basis of legitimate interests, subject to data minimisation and, where required by law, opt-out mechanisms, as described in Processor’s Privacy Notice [link].
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
- "Professional Services" means fee-based services provided by the Processor outside the standard scope of the Services, including but not limited to bespoke assistance with DPIAs, TIAs, audits, security questionnaires, custom data exports or transformations, migration support, configuration or integration work and atypical or complex Data Subject Request support, billed at the then-current rates unless otherwise agreed in writing.
- "Hours of Operation" means 17:00 on Sunday to 17:00 on Friday, Coordinated Universal Time (UTC), excluding holidays in local time (Amsterdam); time outside the Hours of Operation is referred to as "After hours".
- "Business Day" means any day during the Hours of Operation, also referred to as "Business Days" or "Day".
- "Business Hours" means 09:00 to 17:00 Coordinated Universal Time (UTC) on Business Days.
Article 1. General
- Processor will process Personal Data only on documented instructions from Controller, which include this DPA, the Main Agreement and Controller’s configuration/use of the Services.
- This DPA applies for the term of the Main Agreement and until deletion or return of data in accordance with Article 8; confidentiality, audit cooperation and proof-of-deletion obligations survive termination.
- Documented instructions shall be submitted via the Controller’s designated secure channel.
- Processor shall refuse unlawful instructions, retain an instruction change-log and promptly inform Controller if an instruction infringes Applicable Data Protection Law.
- If an instruction is unlawful, Processor will notify Controller without undue delay and suspend the affected Processing until lawful measures are agreed. If unresolved within ten Business Days, either Party may suspend the affected Services for that scope.
- Controller is responsible for determining the categories and accuracy of Personal Data included in Customer Data.
- This Data Processing Agreement terminates automatically upon deletion of all Personal Data processed on behalf of the Controller.
Article 2. Data processing
- Considering the nature of processing, Processor will provide assistance with data subject requests and Controller’s compliance with Articles 32–36, including DPIAs and consultations.
- Processor maintains records of processing activities and makes them available to Controller and supervisory authorities upon request.
- Processor notifies Controller prior to disclosure unless legally prohibited, challenges unlawful or overbroad requests, discloses only the minimum necessary, documents legal-basis reviews and gag-order handling and shares aggregate transparency statistics at least annually upon request.
- Processor treats any remote access to Customer Data from outside the EEA/UK as a Transfer under Article 4 and allows such access only under an approved transfer mechanism with supplementary measures (encryption, JIT access, logging).
- Controller will not upload special categories of Personal Data unless explicitly agreed with appropriate safeguards.
- Controller will configure and use the Services securely and respond to Data Subject Requests addressed to Controller.
- Controller determines the purposes and lawful bases for Processing Customer Data and is solely responsible for providing all required notices to Data Subjects and, where applicable, obtaining and managing consents.
- Processor may generate aggregated and/or anonymized statistics from Customer Data for service improvement and benchmarking, provided such information does not identify a natural person and no Personal Data is disclosed.
- Processor will not use Customer Data or Service Data to train, fine-tune, or improve general-purpose ML/AI models. Limited profiling strictly for security/abuse prevention is permitted under Article 2.
- Processor will not sell Personal Data or use it for purposes other than those instructed by Controller or required by law.
Article 3. Sub-Processors and Affiliates
- Processor may engage the Sub-processors listed in Annex II for the Services.
- Processor will impose data protection obligations on Sub‑processors no less protective than this DPA and remains responsible for their performance per GDPR Art. 28(3).
- Processor will notify Controller at least thirty (30) days prior to authorizing a new Sub-processor (emergency replacements allowed with prompt notice within five (5) Business Days).
- Controller may object on reasonable (data protection) and substantiated grounds within fifteen (15) days; if unresolved, Controller may terminate the affected Services upon written notice and receive a pro‑rata refund of prepaid fees.
- Processor performs initial and annual security due diligence on all Sub-processors and records data categories and regions used.
- Controller may extend this DPA to its Affiliates using the Services under the Main Agreement by written notice.
- Controller is responsible for Affiliate compliance.
- Audit, instruction and liability provisions apply as if references to Controller included such Affiliates, unless otherwise agreed in writing.
- Processor ensures that persons authorized to process Customer Data are bound by confidentiality obligations and receive appropriate training.
Article 4. International Data Transfers
- Processor will not transfer Customer Personal Data outside the EEA or to an international organisation unless compliant with Chapter V GDPR; primary processing and storage of data at rest occur in the EU/EEA.
- Where transfers to a country without adequacy occur, the EU SCCs (2021/914) are incorporated. Module 2 (C→P) and/or Module 3 (P→P) apply; Clause 7 (Docking): enabled; Clause 9(a): general authorisation; Clause 17: law of the Netherlands; Clause 18: Dutch DPA and Dutch courts. The Parties deem-sign the SCCs (including Annexes I–III) upon execution of the Main Agreement or acceptance of this DPA. SCC Annexes completed per Annex VI.
- Processor will provide Transfer Impact Assessments (TIAs) upon written request, deliver a high-level summary within 15 Business Days and apply supplementary measures where feasible.
- For UK transfers the UK Addendum (ICO vB.1.0) applies with choices set out in Annex VI (Tables 1–4).
- For Swiss transfers (data subject to the FADP), the EU SCCs apply with the FDPIC as competent authority, references to “Member State” interpreted to include Switzerland and the rights of Swiss data subjects preserved (see Annex VI).
Article 5. Security measures
- Processor implements appropriate Technical and Organizational Measures (TOMs) in line with GDPR Art. 32 and regularly tests, assesses and evaluates their effectiveness, at least annually.
- Processor ensures ongoing confidentiality, integrity, availability and resilience of Processing systems and services and restores availability and access in a timely manner after an incident.
- Controller is responsible for configuring the Services (e.g. access rights, retention) to align with its policies.
- Technical and Organizational Measures are set out in more detail in Annex I (TOMs).
- Processor may update TOMs over time provided such updates do not materially reduce overall security.
Article 6. Data breaches
- Processor will notify Controller without undue delay and in any case within 72 hours after becoming aware of a Security Incident affecting Customer Data.
- Initial notice will include, to the extent available: the nature of the incident, categories/approximate number of Data Subjects and records affected, likely consequences, measures taken or proposed and a contact point.
- Processor will provide timely updates, reasonably assist with the Controller’s obligations under Articles 33–34 GDPR and document facts, effects and remedial actions.
- Breach notices are not an admission of fault or liability by the Processor.
Article 7. Data Retention, Return and Deletion
- Inactive accounts are deleted or anonymized after twelve months of inactivity (twelve months since the later of the last login and the last billable usage), with 30-day and 7-day pre-deletion notices unless prohibited by law.
- Backups and logs are immutable and retained per rotation schedule, unless otherwise agreed or configured.
- Export and deletion procedures, including timelines and secure wiping standards, are described in Annex III.
- Processor will provide industry-standard export formats and reasonable assistance to facilitate data portability prior to deletion.
- Processor will acknowledge Data Subject Requests (DSRs) directed to Processor promptly, route them via the secure channel and provide reasonable assistance as soon as possible; atypical or complex DSRs may be billed at agreed Professional Services rates.
Article 8. Government and Law Enforcement Requests
- Processor will promptly notify Controller of any request from a public authority for access to Customer Data, before disclosure where legally permitted.
- Processor challenges unlawful or overbroad requests, seeks to narrow their scope and discloses only the minimum necessary as required by law.
- Processor maintains a transparency log of requests, available to Controller upon request.
- Where notice is prohibited, Processor will challenge gag orders where reasonable, document legal review and provide delayed notice once permitted.
Article 9. Audits
- Processor may satisfy audit obligations through current third‑party attestations/reports and executive summaries. Controller agrees these materials ordinarily satisfy Article 28(3)(h).
- If insufficient, Controller may participate in a Processor‑coordinated pooled audit or conduct its own audit once in any twelve (12) month period.
- Audits require thirty (30) days’ prior written notice, occur during Business Hours and are limited to facilities, systems and records reasonably necessary to verify compliance with this DPA for in‑scope Services. Maximum on‑site duration: two (2) Business Days; audit team not to exceed three (3) individuals unless agreed.
- Auditors must be bound by confidentiality and comply with Processor’s safety and security policies; Processor may redact third‑party confidential information and vulnerability/exploit details.
- Audit findings will be documented and addressed via a mutually agreed remediation plan; raw exploit proofs and intrusive testing on production systems are out of scope.
- Audits are at Controller’s expense unless they reveal material non‑compliance attributable to Processor. Out‑of‑scope or repeat efforts caused by Controller are billable at Professional Services rates.
Article 10. Liability
- Each Party is liable for damages/fines it causes by Processing that infringes the GDPR, in accordance with Article 82 GDPR.
- To the fullest extent permitted by law, neither Party is liable for indirect, incidental, special, consequential, or punitive damages, or lost profits, revenues, goodwill, or data, even if advised of the possibility and even if a remedy fails of its essential purpose.
- Subject to mandatory law, the Processor’s aggregate liability arising from or in connection with this DPA (including the SCCs) shall not exceed fees paid (or payable) under the Agreement for the twelve (12) months prior to the event.
- Nothing in this Data Processing Agreement limits liability that cannot lawfully be limited, nor does it limit Data Subjects’ rights under GDPR Art. 82.
Annex I – Technical and Organizational Measures (TOMs)
- Governance & SDLC: Maintain documented policies and a risk‑based secure SDLC including change control, peer review, dependency management, secret management and CI/CD hardening, updated as reasonably necessary.
- Encryption: Use industry‑standard encryption in transit (TLS 1.2+; TLS 1.3 where supported) and at rest (e.g., AES‑256 or provider‑equivalent). Manage keys via a reputable KMS/HSM with periodic rotation on a risk‑based schedule or upon key events. Customer‑Managed Keys (CMK/BYOK) may be available for eligible tiers per product documentation.
- Access control: Enforce least privilege with RBAC and MFA for administrative access. Conduct periodic (e.g., quarterly) access reviews and timely de‑provisioning. Maintain emergency access (“break‑glass”) with enhanced logging and oversight.
- Network security: Apply network segmentation and appropriate protections (e.g., firewalls/WAF/DDoS services) commensurate with risk and platform capabilities. Use hardened bastions and IP allow‑listing for privileged operations where feasible.
- Logging & monitoring: Maintain centrally managed, tamper‑evident logging with time synchronization for security‑relevant events, including admin actions. Retain logs per Annex IV. Provide customer‑visible audit logs where the relevant product supports it.
- Vulnerability management: Perform regular scanning appropriate to asset criticality. Target remediation timelines of approximately 7 days for critical and 14 days for high-severity findings, subject to risk‑based exceptions, maintenance windows and vendor patch availability.
- Penetration testing: Conduct independent external testing at least annually and after material changes where appropriate. Provide executive summaries under NDA upon reasonable request; track and remediate findings in line with risk.
- Backups & data recovery: Maintain encrypted backups and document service‑appropriate RTO/RPO targets. Test restores periodically (e.g., quarterly or as appropriate) and keep evidence summaries available under NDA upon reasonable request.
- Data segregation: Implement logical tenant isolation and per‑tenant secrets; use separate encryption contexts where feasible for the service architecture.
- Physical security: Rely on data center/provider attestations (e.g., ISO 27001/SOC 2). Equip company devices with full‑disk encryption and endpoint protection; apply timely patching consistent with risk.
- Personnel security: Where lawful, conduct background checks for relevant roles; require confidentiality commitments and provide recurring security/privacy training.
- Vendor management: Perform risk‑based due diligence on sub‑processors, include contractual security obligations and reassess periodically.
- Incident response: Maintain documented playbooks, roles and escalation paths; conduct exercises periodically. Provide breach notifications in accordance with Article 6 and applicable law.
- Data residency and access: Host Customer Data at rest in EU/EEA regions for in‑scope services. Restrict and log remote administrative access; where access originates from third countries, apply appropriate transfer safeguards consistent with Article 4.
Annex II – Authorized Sub-Processors
| Sub-processor | Role | Regions used | Data categories | Transfer mechanism | Reports/attestations | DPA/Info | Last reviewed |
| --- | --- | --- | --- | --- | --- | --- | --- |
| DigitalOcean | IaaS hosting | EU regions | Customer Data (compute, storage) | N/A (EU) | ISO/SOC | digitalocean.com/trust | 2025-10 |
| Google Cloud Platform | IaaS hosting | EU regions | Customer Data | N/A (EU) | ISO/SOC | cloud.google.com/security | 2025-10 |
| Backblaze | Remote backups | EU DCs | Customer Data (encrypted backups) | N/A (EU) | ISO/SOC | backblaze.com/company/policy/dpa-for-eea-eu-residents | 2025-10 |
| Mailgun | Email delivery | EU | Contact & message metadata | SCCs (if non-EU routing) | ISO/SOC | mailgun.com/gdpr | 2025-10 |
| Plausible | Web analytics | EU | Pseudonymous telemetry | N/A (EU) | — | plausible.io/data-policy | 2025-10 |
| Slack | Internal messaging | EU data residency (where applicable) | Support metadata only | SCCs (residual flows) | SOC2 | slack.com/trust | 2025-10 |
| Paddle | Payments (independent controller) | UK/IE | Service Data | UK Addendum/SCCs | ISO/SOC | paddle.com/legal | 2025-10 |
| Cloudflare | CDN/WAF/DDoS | EU (EU DLS where enabled) | Transient traffic/metadata | SCCs (residual flows) | ISO/SOC2 | cloudflare.com/trust-hub | 2025-10 |
| Chaport | Live chat/support | EU | End-user chat, contact, IP/device metadata | N/A (EU) | — | chaport.com/gdpr | 2025-10 |
| Google Workspace | Email/collab | EU (data regions where set) | Contact details, message content/headers | SCCs (if applicable) | ISO/SOC | workspace.google.com/security | 2025-10 |
Notice of changes: maintained at https://www.stellarhosted.com/dpa#subprocessors with ≥ 30 days’ prior notice (emergency replacements allowed with prompt notice).
Annex III – Data Export and Deletion Procedures
- Export: Upon request/termination, Customer Data is provided in commonly used, machine-readable formats (e.g., JSON/CSV/DB dump), product-dependent. Delivery is via pre-signed object storage URLs, with SHA-256 checksums included.
- Window: Export available within 30 days of request/termination; credentials delivered via the secure channel.
- Deletion: Customer Data is removed from active systems within 60 days of export completion (or request). Backups are immutable and age out on rotation (≤ 90 days) unless legal retention applies. Derived artefacts (search indexes, object versions, caches, CDNs) are included in deletion or age out on the same timelines.
- Secure wiping standard: For encrypted media, deletion is by cryptographic erasure aligned with NIST SP 800-88 Rev.1 (or successor) and provider best practices; for physical media retirement, certified destruction is used.
- Verification: Processor provides a Deletion Certificate on request (Annex V).
Annex IV – Retention & Configuration Matrix
| Data class | Retention | Notes |
| --- | --- | --- |
| Active Customer Data | Lifecycle of Agreement | Deleted within 60 days after termination/export |
| Backups | ≤ 90 days (rotation) | Removal by rotation only |
| System logs | 6 months | Tamper-evident; security monitoring |
| Admin/audit logs | 12 months | Privileged actions; extended for forensics if needed |
| Support tickets/chat | 24 months | Redaction on request (retention window unchanged) |
| Telemetry/analytics (pseudonymous) | 12 months | Website analytics only |
| Billing/Tax | 7–10 years | Required by law |
Legal holds and mandatory retention override these periods.
Annex V – Deletion Certificate Template
Deletion Certificate (Ref ID: [UUID])
Customer: [Legal name]
Account/Project IDs: [IDs]
Scope: Customer Data processed under the Main Agreement and DPA
Actions Completed:
- Data removed from active systems on: [YYYY-MM-DD]
- Backups aged out by: [YYYY-MM-DD] (≤ 90 days from above)
- Stores validated: [systems reviewed]
Method & Controls:
- Verified via automated deletion jobs and audit logs
- Export integrity checksums (SHA-256): [hash refs]
Authorised by:
Name/Title: [Name]
Date: [YYYY-MM-DD]
Signature: __________________
Annex VI – SCC Annexes I–III & UK/CH Addenda
SCC Annex I — List of Parties & Description of Transfer
- Exporter (Controller): [Legal name, address, contact] — Role: Controller.
- Importer (Processor/Sub-processor): Hosst B.V. (trading as “Stellar Hosted”), Coehoornsingel 2A, 9711 BS Groningen, NL; security@stellarhosted.com — Role: Processor/Sub-processor.
- Categories of data subjects: Employees, users, contributors, end-users.
- Categories of personal data: As per Article 3.
- Sensitive data: None unless expressly agreed under Article 2; safeguards: [SCC Annex II].
- Frequency: Continuous as necessary for the Services.
- Nature/Purposes: Hosting, storage, transmission, support, logging, backup to provide and secure the Services.
- Retention: As per Annex IV.
- Competent Supervisory Authority: Dutch Data Protection Authority.
- Contact points: Exporter: [Email]. Importer: security@stellarhosted.com.
- Docking clause: Enabled.
SCC Annex II — Technical and Organizational Measures (TOMs)
As per Annex I (TOMs) and any transfer-specific measures (e.g., CMK, field-level encryption, access location restrictions, split processing, transparency commitments).
SCC Annex III — List of Sub-Processors
As per Annex II.
UK Addendum (ICO vB.1.0)
- Table 1: Parties as above; Main Agreement + this DPA as linked docs.
- Table 2: Chosen SCCs: EU 2021/914 Modules 2/3 as applicable.
- Table 3: Appendix info: per SCC Annex I–III above.
- Table 4: Mandatory clauses: as published by ICO; Governing law for SCCs: Netherlands; Supervisory Authority: Dutch DPA.
- Signatures: deemed executed on acceptance of DPA/Main Agreement.
Swiss (FADP) Position
EU SCCs apply with modifications per FDPIC guidance; FDPIC is a competent authority for Swiss data; references to “Member State” include Switzerland; Swiss data subjects may enforce rights before Swiss courts.
GDPR Quick Reference – GDPR Art. 28(3) Mapping
| GDPR 28(3) requirement | Where satisfied |
| --- | --- |
| Instructions | Art. 1–2 |
| Confidentiality | Art. 3, 5 |
| Security measures | Art. 5, Annex I |
| Sub-processor conditions | Art. 3, Annex II |
| Data subject rights assistance | Art. 2 |
| Breach notification | Art. 6 |
| Deletion/return of data | Art. 7, Annex III–V |
| Information for audits/inspections | Art. 9 |
| Assistance with DPIAs/consultations | Art. 2 |
| International transfers & SCCs | Art. 4, Annex VI |