Data Processing Agreement

GDPR Article 28(3) · Last reviewed: 4 July 2026

Version 1.0 — pending final review by counsel. This Data Processing Agreement forms part of the JBMPC-SOLUTIONS Paid Hosting Terms of Service and is incorporated into your contract by reference (Terms §2). It is written to satisfy GDPR Article 28(3) but has not yet completed licensed NL/EU legal review; we will post the reviewed version here.

1. Parties and roles

This Data Processing Agreement ("DPA") forms part of, and is governed by, the JBMPC-SOLUTIONS Paid Hosting Terms of Service (the "Agreement") between:

  • Processor: JBMPC-SOLUTIONS, a Dutch sole proprietorship (eenmanszaak) of Janis Berzins, trading as "veldhost", KvK 98167820, VAT NL005311289B72, registered office and contacts as stated in the "Who we are" panel above, legal contact legal@veldhost.eu ("veldhost", "we", "Processor"); and
  • Controller: the customer identified in the account/order ("Customer", "you", "Controller").

For Customer Content — the websites, applications, files, databases, mailboxes, backups, DNS records and any personal data you host with us — you are the controller and veldhost is your processor. For account, billing, support, security and abuse-prevention data, veldhost is an independent controller under the separate Privacy Policy, and this DPA does not apply to that data.

Where you are yourself a processor for a third party, you act here as controller toward us and warrant you have authority to instruct us on that third party's behalf.

2. Subject-matter, duration, nature and purpose

  • Subject-matter: processing of personal data contained in Customer Content in the course of providing the managed hosting service.
  • Duration: for the term of the Agreement, plus the retention/return/deletion period in §11.
  • Nature and purpose: hosting, storing, transmitting, backing up, serving, securing and operating Customer Content and the associated managed services (compute, DNS, TLS, storage, email when enabled, monitoring, backups, support) solely to deliver the service you ordered.
  • Type of personal data: determined by you as controller. Typically may include website/app users' names, email addresses, contact details, account credentials, order/transaction data, IP addresses, support content, and any other personal data you choose to place in your hosted content. You must not place special-category data (GDPR Art. 9) or criminal-offence data in Customer Content without a separate written agreement.
  • Categories of data subjects: determined by you — typically your website/app visitors, users, customers, employees and contacts.

3. Processor obligations (Art. 28(3))

veldhost shall:

  1. Process only on documented instructions. Process Customer Content personal data only on your documented instructions (including the Agreement, portal configuration, and support requests), including for international transfers, unless required by EU/Member-State law — in which case we inform you first unless the law prohibits it.
  2. Confidentiality. Ensure persons authorised to process the data (currently the owner; any future staff/contractors) are bound by confidentiality.
  3. Security. Implement the technical and organisational measures in §7 (Art. 32).
  4. Sub-processors. Engage sub-processors only under §6.
  5. Assist with data-subject rights. Taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection) — see §8.
  6. Assist with compliance. Assist you in ensuring compliance with Art. 32–36 (security, breach notification, DPIAs, prior consultation), taking into account the information available to us.
  7. Deletion/return. At the end of the service, delete or return Customer Content per §11.
  8. Demonstrate compliance. Make available information necessary to demonstrate Art. 28 compliance and allow for and contribute to audits per §9.
  9. Flag unlawful instructions. Immediately inform you if, in our opinion, an instruction infringes the GDPR or other EU/Member-State data-protection law.

4. Controller obligations

You warrant that: you have a lawful basis for the processing; you are responsible for the accuracy, content and legality of Customer Content; you will not instruct us to process data unlawfully; you have provided any required notices and obtained any required consents from your data subjects; and you will not place special-category or criminal-offence data in the service without a prior written agreement.

5. International transfers

veldhost's product promise is EU/EEA data residency for Customer Content. We do not intentionally place Customer Content, production compute, or backups outside the EU/EEA, and any new sub-processor that will carry Customer Content is pinned to an EU location before use.

The only disclosed non-EEA flow is domain registration via OpenSRS / Tucows Inc. (Canada), which — under the veldhost-as-registrant model — receives only the domain-name string and veldhost's own business contact, not your personal data. Canada benefits from a European Commission adequacy decision for PIPEDA-regulated commercial organisations (Commission Decision 2002/2/EC), providing the Chapter V basis for this bounded path. If any future flow requires Customer Content personal data to leave the EEA, we will implement an appropriate Chapter V safeguard (adequacy decision or the EU Standard Contractual Clauses) and update the sub-processor list before enabling it.

6. Sub-processors

You give general written authorisation for veldhost to engage the sub-processors listed below. We will notify you at least 14 days before adding or replacing a sub-processor (via the portal or email), and you may object on reasonable data-protection grounds; if we cannot resolve the objection, you may terminate the affected service. We impose data-protection obligations on each sub-processor no less protective than this DPA and remain fully liable for their performance. The table below is the single, versioned source of truth for our sub-processor register.

Sub-processor register (v1.0)

Sub-processor Role / processing Location of processing Transfer basis
Hetzner Online GmbH Core EU hosting infrastructure: compute (customer containers), block/object/file storage, backups, authoritative DNS nodes Germany / Finland (EU/EEA) Within EEA
Stripe Payments Europe, Ltd. Payment processing + billing/tax metadata. Stripe acts as an independent controller for card/payment data under its own terms; as our sub-processor it handles billing identifiers only (no full card numbers reach us) Ireland (EU) + Stripe global EEA; Stripe DPA + SCCs/DPF for any onward transfer
OpenSRS / Tucows Inc. Domain registration/management. Receives only the domain-name string + veldhost's own business WHOIS/RDAP contact — not Customer personal data Canada Adequacy (Commission Decision 2002/2/EC, PIPEDA scope)
Cloudflare, Inc. Edge/CDN + DNS for the veldhost portal and marketing domain (veldhost.eu); processes request metadata/IP for visitors to those properties EU edge; Cloudflare US entity EU SCCs + EU-U.S. Data Privacy Framework
Mail-in-a-Box (self-hosted) Mailbox/email service when enabled — runs on veldhost-controlled Hetzner EU infrastructure, not a third-party SaaS Germany/Finland (EU/EEA) Within EEA (self-operated)

7. Security measures (Art. 32)

Taking into account the state of the art, costs, and the nature/scope/context/purposes of processing and the risks to data subjects, veldhost applies technical and organisational measures including:

  • Encryption in transit (TLS for all customer-facing and management traffic); TLS certificates managed and auto-renewed.
  • Access control: multi-factor authentication, role-based access, least-privilege operator access via a separate console (bastion + mTLS), disabled root SSH, and audit logging of privileged actions.
  • Tenant isolation: per-customer LXD containers; localhost-only customer databases; separation of customer workloads.
  • Network/abuse controls: rate limiting, egress controls, malware/phishing/spam signals, monitoring.
  • Patching: fleet-wide automated security updates (daily OS-update sweep + auto-restart of affected services) and CVE scanning with alerting.
  • Backups: scheduled backups (weekly baseline; daily with add-on) to EU storage; restore testing is being brought to a routine cadence (see the SLA).
  • Secrets management: environment secrets stored encrypted; production config rebuilt under controlled privilege.
  • Logging & monitoring: security/audit logs and health monitoring; retention per the Privacy Policy.
  • Organisational: confidentiality obligations; incident-response process; sub-processor due diligence.

These measures may evolve; veldhost will not materially reduce the overall level of security during the term.

8. Assistance with data-subject rights

Because you control Customer Content, you can generally fulfil access/rectification/erasure/portability requests directly through your hosted application, database and files. Where you cannot do so with the tools provided and reasonably require our help, we will provide reasonable assistance within a reasonable time, taking into account the nature of the processing. If a data subject contacts us directly about Customer Content, we will refer them to you and (unless legally prohibited) not respond substantively ourselves.

9. Audits

veldhost will make available the information necessary to demonstrate compliance with Art. 28 and, on reasonable prior written notice and no more than once per 12 months (or after a personal-data breach affecting you), allow and contribute to an audit — satisfied first by providing existing documentation (security overview, sub-processor register, relevant certifications/reports if available), and only where genuinely insufficient by a proportionate on-site/remote audit under reasonable confidentiality and cost-allocation terms.

10. Breach notification

veldhost will notify you without undue delay and in any event within 48 hours after becoming aware of a personal-data breach affecting Customer Content, providing (as available): the nature of the breach, categories/approximate numbers of data subjects and records, likely consequences, measures taken/proposed, and a contact point. We assist you in meeting your own Art. 33/34 obligations. As controller, you are responsible for notifying the supervisory authority (e.g. Autoriteit Persoonsgegevens) and affected data subjects where required; we notify our own authority only for data where we are controller.

11. Return and deletion on termination

On expiry or termination of the service, and at your choice, veldhost will return Customer Content (via export of files/database/DNS/domain-transfer info, where technically and legally possible) and/or delete it, and delete existing copies, within the export/retention window stated in the Agreement, Privacy Policy or order — unless EU/Member-State law requires storage. Account deletion triggers automated teardown of the customer's container and hosting resources. We may retain the minimum data required by law (e.g. invoices for the 7-year Dutch fiscal retention period, security/abuse evidence) beyond service termination.

12. Liability, term, governing law

Liability under this DPA is subject to the limitations in the Agreement (Terms §14) and to mandatory law that cannot be limited (including non-waivable data-subject rights). This DPA takes effect when the Agreement does and terminates with it (subject to §11). It is governed by Dutch law; disputes go to the competent Dutch courts, without prejudice to mandatory consumer rights.

13. Order of precedence

If this DPA conflicts with the Agreement on the processing of Customer Content personal data, this DPA prevails for that subject-matter. Otherwise the Agreement governs.

Requesting a signed copy

This DPA is incorporated into your contract by reference from the Terms and is surfaced here for you to read and retain. If you require a countersigned copy for your own records, email legal@veldhost.eu.