Data Processing Agreement
Last updated: March 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between HostStack ("Processor") and the Customer ("Controller") for the provision of cloud hosting services. This DPA sets out the terms on which the Processor processes personal data on behalf of the Controller in compliance with Regulation (EU) 2016/679 (GDPR).
2. Data Residency
All customer data is processed and stored exclusively within the European Union / European Economic Area. Our infrastructure is operated through European hosting providers with data centers in:
- Falkenstein, Germany (FSN1) -- Primary data center
- Helsinki, Finland (HEL1) -- Secondary data center / disaster recovery
No personal data is transferred outside the EU/EEA unless explicitly requested by the Controller and documented with appropriate safeguards.
3. Sub-Processors
The Processor engages the following sub-processors for the delivery of its services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Infrastructure hosting provider (EU) | Infrastructure (servers, networking) | Germany / Finland |
| Stripe, Inc. | Payment processing | Ireland (EU entity) / US (SCCs in place) |
| Postmark (ActiveCampaign) | Transactional email delivery | US (SCCs in place) |
The Controller will be notified at least 30 days before any new sub-processor is engaged or an existing one is replaced. The Controller may object to the use of a new sub-processor on reasonable grounds.
4. Security Measures
The Processor implements the following technical and organizational security measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Container-level isolation with dropped capabilities, no-new-privileges, and PID limits
- Argon2id password hashing for all user credentials
- Two-factor authentication (TOTP) support for all accounts
- Role-based and granular permission-based access control for team members
- Automated daily backups with 30-day retention for managed databases
- Rate limiting on all API endpoints
- Comprehensive audit logging of all administrative actions
- Network isolation per project with Docker bridge networks
- Automated SSL certificate provisioning and renewal via Let's Encrypt
5. Data Subject Rights
The Processor assists the Controller in fulfilling data subject requests under GDPR Articles 15-22, including:
- Right of Access (Art. 15) -- Full data export available through the dashboard or API
- Right to Rectification (Art. 16) -- Profile and account data can be updated at any time
- Right to Erasure (Art. 17) -- Account deletion available through settings, with complete data removal within 30 days
- Right to Data Portability (Art. 20) -- Data export in machine-readable JSON format
6. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach. The notification shall describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach.
7. Data Retention and Deletion
Upon termination of the agreement or upon request by the Controller, the Processor shall delete all personal data within 30 days unless retention is required by applicable EU/EEA law. The Processor shall provide the Controller with a certificate of deletion upon request.
8. Contact
For questions regarding this DPA or to exercise any rights, please contact our Data Protection Officer at dpo@hoststack.dev.