Data Processing Agreement

Last updated: March 14, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between GrandHosting (“Processor,” “we,” “us”) and the customer (“Controller,” “you”) who uses the GrandHosting platform to host websites and web applications.

This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the Service.

1. Definitions

“Personal Data”: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
“Processing”: Any operation or set of operations performed on personal data, whether by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
“Data Subject”: An identified or identifiable natural person whose personal data is processed.
“Controller”: The customer who determines the purposes and means of the processing of personal data hosted on the GrandHosting platform.
“Processor”: GrandHosting, which processes personal data on behalf of the Controller in connection with providing the hosting service.
“Sub-Processor”: A third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
“Service”: The managed WordPress hosting service provided by GrandHosting, including all associated infrastructure, tools, APIs, and support.
“Supervisory Authority”: An independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.

2. Scope and Purpose

This DPA applies to the processing of personal data that the Controller stores on or transmits through the GrandHosting platform. The Processor processes personal data solely for the purpose of providing the managed WordPress hosting service as described in the Terms of Service.

The Processor does not determine the purposes or means of processing the personal data — the Controller retains full control over what data is collected through their website(s) and how it is used.

3. Data Processing Details

3.1 Categories of Data Subjects

The personal data processed may relate to the following categories of data subjects, as determined by the Controller:

Visitors to the Controller’s website(s)
Registered users or customers of the Controller’s website(s)
Employees or contractors of the Controller who manage the website(s)
Any other individuals whose data the Controller collects through their hosted website(s)

3.2 Types of Personal Data

The types of personal data processed depend on the Controller’s website and may include:

Contact information (names, email addresses, phone numbers)
Account credentials (usernames, hashed passwords)
User-generated content (comments, form submissions, orders)
Technical data (IP addresses, browser information, access logs)
E-commerce data (order details, shipping addresses, transaction records)
Media files that may contain personal data (images, documents)

3.3 Processing Activities

The Processor performs the following processing activities in the course of providing the Service:

Hosting and storage of website files, databases, and media
Serving web pages and API responses to website visitors
Creating and storing backup copies of website data
Delivering media files via content delivery network
Logging web server requests for security and operational purposes
Scanning files for malware and security threats
Monitoring resource usage for billing and scaling purposes

3.4 Duration of Processing

Processing continues for the duration of the Controller’s use of the Service. Upon termination, the Processor retains data for 30 days to allow for data export, after which all personal data is permanently deleted, including backup copies.

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law. The documented instructions are set out in the Terms of Service and this DPA. If the Processor believes an instruction infringes the GDPR or other data protection provisions, it shall immediately inform the Controller.

4.2 Confidentiality

The Processor ensures that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is limited to personnel who require it to perform their duties.

4.3 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 (Security Measures) of this DPA. These measures are designed to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

4.4 Sub-Processor Management

The Processor shall not engage another processor (sub-processor) without prior written authorization from the Controller. The Controller provides general authorization for the sub-processors listed in Section 5 of this DPA. The Processor shall inform the Controller of any intended changes regarding the addition or replacement of sub-processors, giving the Controller the opportunity to object.

Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a contract. The Processor remains fully liable for the performance of each sub-processor’s obligations.

4.5 Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, portability, restriction, objection). This includes providing the Controller with the technical means to export, modify, or delete personal data stored on the platform.

4.6 Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification shall include:

The nature of the personal data breach, including the categories and approximate number of data subjects and records affected
The likely consequences of the breach
The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The name and contact details of the Processor’s data protection contact point

4.7 Data Deletion and Return

Upon termination of the Service, the Processor shall, at the choice of the Controller:

Return all personal data to the Controller in a structured, commonly used, and machine-readable format (website files as archives, database as SQL exports), or
Delete all personal data and certify the deletion, unless EU or Member State law requires continued storage

The Controller has 30 days after termination to export their data. After this period, all data is permanently deleted.

5. Sub-Processors

The Controller authorizes the use of the following sub-processors for the specified purposes:

Sub-Processor	Purpose	Location
EU Infrastructure Provider	Infrastructure hosting — servers, storage, networking	Germany (EU)
GrandHosting CDN	Content delivery — media file caching and distribution	EU (Slovenia)
GrandHosting Backup Storage	Backup storage — encrypted website and database backups	EU region
Supabase	Platform authentication and database	EU region
Stripe	Payment processing	Ireland (EU)
GrandHosting SMTP	Transactional email delivery	US (SCCs in place)
Sentry	Error tracking and application monitoring	EU data region

The Processor will notify the Controller by email at least 14 days prior to engaging any new sub-processor. If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties will work in good faith to find an alternative solution. If no resolution is reached, the Controller may terminate the affected services without penalty.

6. Security Measures

The Processor implements the following technical and organizational measures pursuant to Article 32 of the GDPR:

6.1 Technical Measures

Encryption in transit — all data transmitted between users, the platform, and sub-processors is encrypted using TLS 1.2 or higher
Encryption at rest — stored data, including backups, is encrypted at rest using AES-256 or equivalent encryption
Site isolation — each website operates in a dedicated isolated environment with isolated compute, storage, and network resources; no shared processes between tenants
Network segmentation — internal services communicate over private networks with network policies restricting traffic to authorized services only
Access controls — role-based access control (RBAC) is enforced at the platform, application, and database levels
Malware detection — automated scanning runs nightly with additional scans triggered by file uploads and suspicious activity
Vulnerability monitoring — continuous monitoring for known WordPress vulnerabilities, banned plugins, and security misconfigurations
Automated backups — daily backups with 30-day retention, stored encrypted on a separate storage system (secure EU storage)
Logging and monitoring — centralized log aggregation (Loki), metrics collection (Prometheus), and 13 automated alert rules for security and operational events

6.2 Organizational Measures

Least privilege access — personnel access to customer data is restricted to the minimum necessary for their role
Confidentiality obligations — all personnel with access to personal data are bound by confidentiality agreements
Incident response — documented incident response procedures with defined roles, escalation paths, and communication protocols
Sub-processor assessment — all sub-processors are assessed for data protection compliance before engagement and monitored on an ongoing basis
Data minimization — the platform collects and processes only the data necessary to provide the hosting service

7. International Transfers

The Processor stores and processes personal data primarily within the European Economic Area (EEA). Where a sub-processor processes personal data outside the EEA (see Section 5), the Processor ensures that one of the following safeguards is in place:

An adequacy decision by the European Commission under Article 45 of the GDPR
Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) of the GDPR
Binding Corporate Rules approved by a competent supervisory authority

The Processor will provide details of the specific safeguards upon request.

8. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

The Controller provides at least 30 days’ written notice of an intended audit
Audits are conducted during normal business hours and do not unreasonably disrupt the Processor’s operations
The Controller bears the costs of the audit
The auditor is bound by confidentiality obligations
Audit scope is limited to the processing activities covered by this DPA

Where multiple Controllers request audits, the Processor may provide a single consolidated audit report (e.g., SOC 2 or ISO 27001 certification) to satisfy multiple requests, provided it adequately addresses the Controller’s concerns.

9. Data Breach Procedures

In the event of a personal data breach, the following procedures apply:

Detection — the Processor maintains automated monitoring and alerting systems to detect potential breaches as early as possible
Containment — upon detection, the Processor takes immediate steps to contain the breach and prevent further unauthorized access
Notification to Controller — the Controller is notified within 48 hours of the Processor becoming aware of the breach, with all available details as described in Section 4.6
Notification to authorities — the Controller is responsible for notifying the relevant supervisory authority within 72 hours as required by Article 33 of the GDPR; the Processor provides all necessary information to support this notification
Investigation — the Processor conducts a thorough investigation, documents findings, and implements measures to prevent recurrence
Remediation — the Processor implements corrective measures and provides the Controller with a post-incident report detailing the breach, its impact, and the steps taken

10. Term and Termination

This DPA enters into force on the date the Controller begins using the GrandHosting Service and remains in effect for the duration of the processing.

This DPA automatically terminates when:

The Terms of Service between the parties expire or are terminated
The Processor no longer processes personal data on behalf of the Controller

The obligations regarding confidentiality, data deletion, and breach notification survive termination of this DPA.

11. Governing Law and Jurisdiction

This DPA is governed by and construed in accordance with the laws of the Republic of Cyprus, without regard to its conflict-of-law provisions. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of the Republic of Cyprus.

This DPA is subject to the mandatory provisions of the GDPR. In the event of a conflict between this DPA and the GDPR, the GDPR shall prevail.

12. Contact Information

For questions or requests related to this Data Processing Agreement, please contact:

Data Protection Officer: dpo@grandhosting.gr
Legal department: legal@grandhosting.gr

Grandhosting LTD
Lordou Vyronos 36, 1096 Nicosia, Cyprus
European Union