1. Definitions
This Data Processing Agreement ("DPA") forms part of the Terms of Service between dnsfox.com ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Terms of Service (collectively, the "Agreement").
- Controller: The customer who determines the purposes and means of processing personal data by using dnsfox.com services.
- Processor: dnsfox.com, which processes personal data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Personal Data: Any information relating to a Data Subject as defined in Article 4(1) of the GDPR.
- Processing: Any operation performed on personal data, as defined in Article 4(2) of the GDPR.
- Sub-Processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Scope and Purpose
This DPA applies to all processing of personal data by the Processor on behalf of the Controller in connection with the provision of managed WordPress hosting services pursuant to the Agreement.
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The duration of processing shall be for the term of the Agreement plus any retention period required by applicable law or as specified in our Privacy Policy.
3. Data Processing Details
Categories of Data Subjects
- Customers and their authorized users
- End users of websites hosted on the platform
- Visitors to customer websites
Types of Personal Data
- Account information (name, email address, phone number)
- Billing and payment data (processed via Stripe)
- Technical data (IP addresses, browser information, server logs)
- Website content and databases hosted by customers
- Support ticket content and communications
- Usage and performance metrics
Nature and Purpose of Processing
- Hosting and serving customer WordPress websites
- Performing automated and manual backups
- Providing security services (WAF, malware scanning, DDoS mitigation)
- Processing payments and managing subscriptions
- Providing customer support
- Monitoring performance and uptime
- Sending service-related notifications
- Collecting anonymized website usage analytics (with consent)
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to Article 32 of the GDPR (security of processing).
- Respect the conditions for engaging sub-processors as set out in Section 6.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
5. Controller Obligations
The Controller shall:
- Ensure that the processing of personal data is lawful and that all necessary consents have been obtained from Data Subjects.
- Provide documented instructions to the Processor regarding the processing of personal data.
- Ensure that personal data provided to the Processor is accurate and up to date.
- Comply with all applicable data protection laws in relation to the personal data processed under this DPA.
- Notify the Processor without undue delay of any changes to applicable data protection legislation that may affect the Processor's obligations.
6. Sub-Processors
The Controller provides general written authorization for the Processor to engage sub-processors. The current list of sub-processors is maintained at our Subprocessor List page.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall provide at least 30 days' prior notice before engaging a new sub-processor.
Where the Processor engages a sub-processor, the Processor shall impose on that sub-processor the same data protection obligations as set out in this DPA by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR, including:
- Right of access (Article 15): Providing copies of personal data being processed.
- Right to rectification (Article 16): Correcting inaccurate personal data.
- Right to erasure (Article 17): Deleting personal data where appropriate.
- Right to restriction of processing (Article 18): Restricting processing in certain circumstances.
- Right to data portability (Article 20): Providing data in a structured, machine-readable format.
- Right to object (Article 21): Ceasing processing where the Data Subject objects.
The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request itself unless authorized to do so by the Controller.
8. Security Measures
In accordance with Article 32 of the GDPR, the Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
Encryption
- AES-256-GCM encryption for sensitive data at rest
- TLS 1.2+ encryption for all data in transit
- Encrypted backups stored in geographically separate locations
Access Control
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) required for all administrative access
- bcrypt password hashing with appropriate cost factors
- Automated session management and token expiration
Network Security
- Web Application Firewall (WAF) with industry-standard rule sets
- DDoS mitigation
- Rate limiting on all API endpoints
- Regular vulnerability scanning and patching
Monitoring and Logging
- Comprehensive audit logging of all administrative actions
- Real-time security event monitoring and alerting
- Automated malware scanning and removal
- 24/7 uptime monitoring
9. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours after becoming aware of the breach.
- Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the breach under Articles 33 and 34 of the GDPR.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.
- Not inform any third party of any breach without first obtaining the Controller's prior written consent, unless required by applicable law.
Breach Notification Content
The notification shall include, where possible:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects concerned
- The name and contact details of the Processor's data protection contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Controller shall provide the Processor with reasonable prior notice (at least 30 days) of any audit or inspection, unless such audit is required by a supervisory authority. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.
11. International Transfers
The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) unless at least one of the following applies:
- The transfer is to a country that has been deemed to provide an adequate level of data protection by the European Commission.
- Appropriate safeguards have been put in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
- The transfer falls within a recognized derogation under Article 49 of the GDPR.
Where personal data is transferred to the United States, the Processor relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other approved transfer mechanisms as applicable.
12. Data Return and Deletion
Upon termination or expiration of the Agreement, or upon the Controller's request, the Processor shall:
- Return all personal data to the Controller in a structured, commonly used, and machine-readable format, or
- Delete all personal data and existing copies, unless applicable law requires continued storage.
The Controller may request data return or deletion at any time during the term of the Agreement. The Processor shall comply with such requests within 30 days.
Following account deletion, personal data is permanently removed after a 30-day grace period, during which the Controller may cancel the deletion request. Backups containing personal data are purged within 30 days of the deletion being finalized.
13. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. In no event shall either party exclude or limit its liability for:
- Breaches of its obligations under this DPA caused by willful misconduct or gross negligence.
- Damages arising from a breach of its confidentiality obligations.
- Any liability that cannot be excluded or limited under applicable law, including under the GDPR.
14. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. The obligations of the Processor regarding the protection of personal data shall survive any termination or expiration of this DPA for as long as the Processor continues to process personal data on behalf of the Controller.
Either party may terminate this DPA in accordance with the termination provisions of the Agreement. Upon termination, the provisions of Section 12 (Data Return and Deletion) shall apply.
For questions about this DPA, contact us at privacy@dnsfox.com.