
Data Processing Agreement

Data Protection Legislation: The General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Ireland and then (iii) any successor legislation to the GDPR or the Data Protection Acts 1988 & 2003


DEFINITIONS

“Customer” is the purchaser of the services of Digital Media Internet Services Limited trading as LetsHost (“LetsHost”) of 2nd Floor, 5 Ellis Quay, Dublin 7, D07C2YP.

“Database Software” is a software program or utility used for creating, editing and maintaining database files or records, such as (but not limited to) MySQL and MariaDB.

“Logical Security” is the protection of computer software (“Operating System”) of LetsHost’s platform, including user identification and password access, authentication and access rights. These measures are to ensure that only authorised users are able to perform actions or access information on our platform.

“Parties” are LetsHost together with the Customer.

“Physical Security” is the protection of hardware, software, network and data from physical action and events that could cause serious loss or damage to LetsHost’s platform. This includes protection from fire, flood, natural disasters, theft and vandalism.

“Software” is defined as (but not limited to) WordPress, Magento, Spreadsheets, Documents, customers’ code.

DATA PROTECTION LEGISLATION

Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

ROLES

  1. The parties acknowledge that for the purposes of the Data Protection Legislation, Digital Media Internet Services Limited t/a LetsHost (“LetsHost”) is the data processor.
  2. This data processing agreement should be read in conjunction with LetsHost’s acceptable use policy and terms and conditions.
  3. The duration of the processing shall be from the date of the Customer’s acceptance of this agreement, until the agreement expires or terminates in accordance with the expiry or termination of the Customer’s services with LetsHost.
  4. The categories of Data Subjects are those whose personal data are provided or made available to LetsHost by or on behalf of the Customer through the use or provision of the services purchased by the Customer (the “Services”) and shall exclude special categories of personal data or data relating to criminal convictions and offences.
  5. LetsHost shall process the personal data for the Customer in accordance with article 4 no. 2 and article 28 of the GDPR.

 

LETSHOST’S RESPONSIBILITIES

  1. LetsHost’s responsibilities with regard to the processing of personal data provided by the Customer in its use of the Services is limited to providing adequate security measures to store the data uploaded by the Customer onto the hosting platform. LetsHost is responsible for the Physical Security of its platform, and the Logical Security of the Operating System and the Database Software which serves the Customer’s database. LetsHost is not responsible for the security of the data however populated within such databases and/or hosting space by the Customer, or Software managed by the Customer and the access to the data that this has. This is the sole responsibility of the Customer.
  2. LetsHost shall, in relation to any personal data processed in connection with the performance by LetsHost of its obligations under this agreement:
    • process that personal data only on the written instructions of the Customer, unless Hosting Ireland is otherwise required to do so by the laws of any member of the European Union or by the laws of the European Union that apply to LetsHost (“Applicable Laws”). Where LetsHost is required by Applicable Laws to process personal data, LetsHost shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prevent LetsHost from notifying the Customer;
    • pursuant to article 32 of the GDPR, ensure that it has appropriate technical and organisational measures in place in order to protect against any unauthorised or unlawful processing of personal data, accidental loss or destruction of personal data, and damage being caused to personal data. Such measures are set out in appendix 1 of this agreement.
    • ensure only personnel required for the purposes of carrying out this agreement have access to, and that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
    • if the Customer is unable to access the relevant information, to assist the Customer, and in any event, at the Customer’s cost, provide reasonable assistance in responding to any request from a supervising authority or a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
    • notify the Customer on becoming aware of a personal data breach;
    • in accordance with LetsHost’s standard policies, delete, or return (at the Customer’s cost) in a format determined by LetsHost, personal data and copies thereof, on termination of the agreement, unless required by any Applicable Laws to continue to store the personal data; and
    • maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits to be carried out by the Customer, only so far as is necessary in order to demonstrate compliance, provided that the Customer (a) provides LetsHost with no less than 30 days’ notice of such audit or inspection; (b) refunds LetsHost for all reasonable costs and expenses that it incurs as a result of any such audit or inspection; and (c) both parties agree the scope, duration and purpose of such audit or inspection. If the Customer becomes privy to any Confidential Information of LetsHost as a result of this clause, the Customer shall hold such Confidential Information in confidence and, unless required by law, not make the Confidential Information available to any third party, or use the Confidential Information for any other purpose. The Customer acknowledges that LetsHost shall only be required to use reasonable endeavors to assist the Customer in procuring access to any third party assets, records or information as part of any audit; and
    • provide a list of sub-processors engaged to fulfil the Services on receipt of an email request sent to gdpr@letshost.ie.

 

THE CUSTOMER’S RESPONSIBILITIES

  1. The Customer acknowledges that LetsHost has no knowledge of the type/content of any personal data received, stored, or transmitted to LetsHost’s platform, by using the Services.
  2. If LetsHost believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall inform Customer and provide reasonable cooperation to Customer (at the Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
  3. In respect of personal data which the Customer receives, stores, or transmits using the Services, the Customer:
    • will ensure, and warrants that, it has all necessary and appropriate consents and notices in place to ensure that it can lawfully transfer the personal data to LetsHost, for the duration and purposes of this agreement;
    • undertakes that its use of the Services for processing personal data will each (i) comply with privacy laws or regulations applicable to its Processing of Customer Personal Data, and (ii) not cause LetsHost to infringe Applicable Data Protection Law. The Customer will ensure that it has all necessary consents, notices and other requirements in place to enable lawful processing of the customer personal data by LetsHost for the duration and purposes of this agreement;
    • shall, unless otherwise provided for in the agreement, be solely responsible for the legality, confidentiality, integrity, availability, accuracy and quality of all data it processes;
    • shall be solely responsible for ensuring the safety and security of all the data it controls and processes. The Customer warrants it has relevant and appropriate security measures in place to adequately protect the personal data it collects/processes. The Customer must verify the adequacy of LetsHost’s security measures as appropriate for the type of personal data the Customer collects/processes and stores on LetsHost’s platform. The Customer should refer to the Acceptable Use Policy to ensure it is not in breach of LetsHost’s terms and conditions.
    • is solely responsible for responding to any request from a data subject and in ensuring its own compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
    • shall indemnify LetsHost against any claims, actions, liabilities, proceedings, direct losses, damages, expenses, fines and costs (including without limitation court costs and reasonable legal fees) incurred by LetsHost as a direct result of any negligence, wilful misconduct, or breach of the Data Protection Legislation of the Customer.
  4. LetsHost may appoint alternative third party processors to provide materially like for like services to the Customer as part of the Services subject to: (a) LetsHost entering into a written agreement with such third party processor incorporating terms which are substantially similar to those set out in this agreement; and (b) such third party processor being able to demonstrate at least as high a standard of service quality and compliance to the previously appointed third party processor.
  5. The Customer agrees to LetsHost giving any such sub processors access to the Customer’s details so that LetsHost can deliver the Services under the agreement. The Customer further agrees that those sub processors may be based outside of the country in which the Customer has chosen to store Customer Personal Data, subject to LetsHost taking steps to ensure transfer protections are in place if transfers are made to those sub processors. LetsHost requires that its sub processors maintain security and data protection practices that are consistent with the agreement.

 

Indemnity

The Controller shall indemnify and hold harmless on demand LetsHost for any loss, damage, liabilities, penalties, expenses or fines incurred, whether foreseeable or unforeseeable or direct or indirect, (“losses”) as a result of:

  1. The Controller breaching its obligations under clause 1 (Data Protection Legislation);
  2. Any unsuccessful claim by a data subject when such claim holds both Controller and LetsHost as jointly and severally liable under the GDPR.
  3. Where under GDPR LetsHost and the Controller incur joint and several liability, as Controller and Processor with any other person, and, as such, LetsHost incurs losses, other than for damage caused by processing where it has not complied with obligations under GDPR specifically directed to Processors or where it has acted outside or contrary to the Controller’s lawful instructions under these terms and conditions, the Controller shall indemnify LetsHost on demand against all such losses, save for such liability as corresponds directly to LetsHost’s part of the responsibility for the damage caused by LetsHost’s breach of the obligations of GDPR or under these terms and conditions.

 

Limitation of Liability

  1. Neither party excludes or limits liability to the other party for any matter for which it would be unlawful for the parties to exclude liability.
  2. Subject to Clause 7.1 above, with respect to any claim relating to a breach of the GDPR or a breach of this Addendum, LetsHost shall not in any circumstances be liable to the Controller whether in contract, tort, including for negligence and breach of statutory duty howsoever arising, misrepresentation, whether innocent or negligent, restitution or otherwise, for:
    • Any loss, whether direct or indirect, of profits, business, business opportunities, revenue, turnover, reputation or goodwill; and
    • Any loss or corruption, whether direct or indirect, of personal data or information;
  3. Subject to Clause 7.1 above, LetsHost’s total aggregate liability to the Controller in contract, tort, including negligence and breach of statutory duty howsoever arising, misrepresentation, whether innocent or negligent, restitution or otherwise, arising in connection with a breach of GDPR or a breach of this Addendum or any collateral contract shall in all circumstances be limited to the greater of:
    • The Charges paid or payable by the Controller to LetsHost under the relevant contract in the Initial Term; or
    • The total Charges paid or payable by the Controller to LetsHost under the relevant contract in the contract year concerned.

 

Governing Law and Jurisdiction

This Addendum and any dispute or claim arising out of or in connection with it, or its subject matter or formation, including non-contractual disputes or claims, shall be governed by, and construed in accordance with, Irish law. The parties agree that the courts of Ireland will have exclusive jurisdiction to settle any dispute, whether contractual or non-contractual, arising from or in connection with the Addendum.

LetsHost reserves the right to change these terms and conditions without notice. In order to avoid doubt, such terms and conditions are referenced at the checkout and on all invoices. By confirming acceptance at the checkout or payment of invoices the Applicants and/or existing Clients confirm their ongoing acceptance of the terms and conditions. It is the Applicant’s and/or Client’s responsibility to check these terms and conditions before accepting them.

 

Appendix 1 – Technical and Organisational Measures in Accordance with Article 32 GDPR

Confidentiality

Building Security & Access Control:

  1. LetsHost has external and internal CCTV systems, with a dedicated security team manned 24×7×365. This only applies to LetsHost’s Data Centre.
  2. LetsHost has access fob tags for all doors in and out of the data centre building. This only applies to LetsHost’s Data Centre.

 

Electronic Access Control

  1. For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:
    1. Server root passwords are only known to LetsHost, either at initial deployment of the server or when the Customer has provided LetsHost with the details in order to assist with troubleshooting. LetsHost will maintain the original password provided in its records, and recommend that Customer change passwords upon receipt of the service. It is the Customer’s responsibility to ensure passwords are secure and changed when required.
  2. For Managed dedicated / VPS / Cloud servers:
    1. Server root passwords are only known to LetsHost. Passwords are restricted to authorised staff. Customers have access to the server using a third party control panel, as well as generally available tools such as PuTTY.
  3. For Control Panel / Web Hosting (FTP):
    1. Server root passwords are only known to LetsHost. Passwords are restricted to authorised staff. Customers have access to the server using a third party control panel.
    2. Before Customer account access is enabled via the Online Control Panel, unique usernames and passwords need to meet LetsHost’s minimum-security requirements and passwords are encrypted.
    3. Customer account access can be limited by IP range/country and login frequency, which can be managed in the Security Settings section of the Customer’s Online Control Panel.
    4. Where Customers upload using FTP, Customers can also control access via IP.
  4. For Web Site (Builder, Ecommerce or Build me a website):
    1. All Customer passwords are encrypted and only known to the Customer and LetsHost.
  5. For mailboxes:
    1. All Customer passwords are encrypted and only known to the Customer.

 

Internal Access Control

  1. For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:
    1. The responsibility of access control is with the Customer.
  2. For Managed dedicated / VPS / Cloud server:
    1. LetsHost shall prevent unauthorised access by applying necessary security updates regularly. It is the Customer’s responsibility to ensure that they restrict to whom they provide access.
    2. LetsHost shall ensure access is restricted to only those employees that need to access the system in order to perform their duties within the organisation.
  3. For Control Panel / Web Hosting (FTP/SFTP):
    1. LetsHost shall ensure access is restricted to only those employees that need to access the system in order to perform their duties within the organisation.
  4. For Web Site (Builder, Ecommerce or Build me a website):
    1. LetsHost shall ensure access is restricted to only those employees that need to access the system in order to perform their duties within the organisation.
  5. For Mailboxes:
    1. The responsibility of access control is with the Customer.
    2. LetsHost shall ensure access is restricted to only those employees that need to access the system in order to perform their duties within the organisation.

 

Transfer Control

  1. For Control Panel / Web Hosting / Web Site Builder, Ecommerce or Build me a website / mailboxes:
    1. When a Customer’s service is not renewed and/or is cancelled with LetsHost, the Customer’s hosting and data stored on the hosting account is deleted including but not limited to any databases Customers have created for use with the Service. It is the Customer’s responsibility to delete any data from their hosting space, databases or servers before expiry of their Service term.
  2. For self-managed dedicated / VPS / Cloud servers, colocation servers and Customer solution servers:
  3. For Managed dedicated / VPS / Cloud servers:
    1. When a Customer ends their rental agreement with LetsHost, the server is delegated into the cancellation delegation where the data is deleted on the disks.
  4. Failed disks:
    1. LetsHost attends the Data Centre to securely and permanently disable each drive on site once they have become faulty or end of life. These are then removed from site and disposed of.

 

Isolation Control

  1. For Control Panel / Web Hosting / Web Site Builder, Ecommerce or Build me a website / mailboxes:
    1. The Customer is responsible for input control. Data is entered or collected by the Customer.
  2. For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:
    1. The Customer is responsible for input control. Data is entered or collected by the Customer.
  3. For Managed dedicated / VPS / Cloud servers:
    1. The Customer is responsible for input control. Data is entered or collected by the Customer.

 

Availability and Resilience (Article 32 Para. 1 Clause b GDPR)

  1. For LetsHost’s internal system:
    1. Daily backups of all relevant data realigned for fulfilment of the Services.
    2. Employment of security measures (virus scanning, firewalls, encryption of data only where appropriate, spam filters).
    3. Employment of RAID protection on all relevant servers.
    4. Monitoring of all relevant servers.
    5. Data centre power protection (Generators & UPS).
  2. For Control Panel / Web Hosting / Web Site Builder, Ecommerce or Build me a website / mailboxes:
    1. The Customer is responsible for their own Data backups. Where the Customer purchases a backup product, Customer backups are onsite.
    2. LetsHost is in control of Data centre power protection (Generators & UPS).
  3. For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:
    1. The Customer is responsible for their own Data backups.
    2. The Customer should employ software firewalls and restrict ports.
    3. LetsHost is in control of Data centre power protection (Generators & UPS).
  4. For Managed dedicated / VPS / Cloud servers:
    1. The Customer is responsible for their own Data backups. Where a customer purchases a backup product, LetsHost shall provide the tools for Customer to ensure they have setup the backup routine.
    2. The Customer should employ software firewalls and restrict ports.
    3. LetsHost is in control of Data centre power protection (Generators & UPS).
  5. For rapid recovery measures (Article 32 Para. 1 Clause c GDPR):
    1. LetsHost has a defined escalation chain which is followed in the event of known issues in order to address the issues promptly.

Procedure for regular testing, assessments and evaluation (Article 25 Para. 1 GDPR)

  1. As per Article 25 Para. 2 GDPR, data protection default settings are taken into account for LetsHost software development.
  2. Contract / Agreement Control:
    1. LetsHost’s terms and conditions, along with the Privacy Policy, outline the scope of our data processing and use of Customers’ personal data.
    2. LetsHost has appointed a Data Protection Officer and Information Security Officer.