
Data Processing Agreement

Last updated: May 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MICCI (CVR: 45587452, Fyrretoften 31, 7100 Vejle, Denmark) operating HostStack ("Processor") and the Customer ("Controller") for the provision of cloud hosting services. This DPA sets out the terms on which the Processor processes personal data on behalf of the Controller in compliance with Regulation (EU) 2016/679 (GDPR).

For the avoidance of doubt: the Controller determines the purposes and means of the processing of personal data uploaded to, stored in, or produced by services the Customer operates on HostStack; the Processor executes that processing on the Controller's documented instructions, which include the Customer's configuration of the Service and these Terms.

2. Data Residency

Customer data is processed and stored in the region selected by the Controller when creating a project. Available regions:

  • Falkenstein, Germany (FSN1)
  • Nuremberg, Germany (NBG1)
  • Helsinki, Finland (HEL1)
  • Ashburn, US (ASH) — note: US region is outside the EU/EEA

EU-region projects (Germany, Finland) keep all data within the EU/EEA. US-region projects are stored in the United States under the Standard Contractual Clauses framework. The Controller selects the region at project creation and may migrate between regions.

3. Sub-Processors

The Processor engages the following sub-processors for the delivery of its services:

Sub-Processor | Purpose | Location
Hetzner Online GmbH | Infrastructure (servers, networking, object storage) | Germany / Finland / US
Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU entity) / US (SCCs in place)
PostStack (operated by MICCI) | Transactional email delivery (account verification, billing receipts, support replies). Operated by the same legal entity as the Processor (MICCI, CVR 45587452); listed here for transparency. Hosted on Hetzner infrastructure, EU. | EU (Denmark)
Hosting Concepts B.V. (OpenProvider) | Domain registrar — when a Controller registers a domain via HostStack we forward registrant contact details (name, address, email, phone) to OpenProvider as required by ICANN. Optional feature; opt out by not using HostStack-managed domain registration. | Netherlands (EU)
Telegram FZ-LLC | Internal operational alerting only. Sent payloads are aggregate / fleet-level (no Controller PII; team IDs are integers, not user identifiers). Not in scope for personal data of Controller's users. | UAE
Let's Encrypt (ISRG) | ACME TLS certificate issuance for custom domains. The only data sent is the domain name being certified. | US (no personal data transferred)

The Controller will be notified at least 30 days before any new sub-processor is engaged or an existing one is replaced. The Controller may object to the use of a new sub-processor on reasonable grounds.

4. Security Measures (Art. 32)

The Processor implements the following technical and organizational security measures in accordance with GDPR Article 32:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Container-level isolation with dropped capabilities, no-new-privileges, and PID limits
  • Argon2id password hashing for all user credentials
  • Two-factor authentication (TOTP) support for all accounts
  • Role-based and granular permission-based access control for team members
  • Automated daily backups for managed databases, uploaded to off-site S3 storage
  • Rate limiting on all API endpoints
  • Comprehensive audit logging of all administrative actions
  • Network isolation per project with Docker bridge networks
  • Automated SSL certificate provisioning and renewal via Let's Encrypt

5. Data Subject Rights (Art. 15–22)

The Processor assists the Controller in fulfilling data subject requests under GDPR Articles 15–22, including:

  • Right of Access (Art. 15) — Full data export available through the dashboard or API.
  • Right to Rectification (Art. 16) — Profile and account data can be updated at any time.
  • Right to Erasure (Art. 17) — Account deletion available through settings, with complete data removal within 30 days.
  • Right to Data Portability (Art. 20) — Data export in machine-readable JSON format.
  • Right to Object (Art. 21) — Where processing is based on legitimate interests, data subjects may object at any time.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach. The notification shall describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach.

7. Data Retention and Deletion

Upon termination of the agreement or upon documented request by the Controller, the Processor shall delete all personal data within 30 days unless retention is required by applicable EU/EEA law (for example, invoices under Danish bookkeeping law). The Processor shall provide the Controller with a certificate of deletion upon request.

8. Liability and Governing Law

This DPA is governed by Danish law and is subject to the liability provisions of the Terms of Service. Nothing in this DPA limits either party's statutory liability under GDPR for the rights and freedoms of data subjects.

9. Contact

For questions regarding this DPA or to exercise any rights, please contact privacy@hoststack.dev.

MICCI — CVR: 45587452
Fyrretoften 31, 7100 Vejle, Denmark