Between: isnhosting.net (the “Processor”) and the Customer (the “Controller”).
This DPA is incorporated into the Master Terms of Service and applies where Processor processes Personal Data on behalf of the Customer in the course of providing Web Hosting, Linux Containers, SaaS, or AI Agent development services.
1. Definitions
“Applicable Data Protection Laws” means PIPEDA (Canada), GDPR (EU), and LFPDPPP (Mexico).
“Personal Data” means any information relating to an identified or identifiable natural person processed within the Customer’s hosted environment.
2. Role of the Parties
The parties acknowledge that for the purposes of the Services, the Customer is the Controller and isnhosting.net is the Processor. Processor shall process Personal Data only on documented instructions from the Customer, including for the transfer of data to Munich, Germany.
3. Processor Obligations
Processor agrees to:
Confidentiality: Ensure that staff in Canada and Mexico authorized to process Personal Data have committed themselves to strict confidentiality.
Security: Implement technical measures (Encryption, MFA, Firewalls) to protect data at rest on Munich servers and in transit.
Sub-processors: Customer provides a general authorization for Processor to engage sub-processors (e.g., Data Centers and AI Providers). Processor shall maintain an up-to-date list and notify Customer of changes 30 days in advance to allow for objections.
Data Subject Rights: Assist the Customer, insofar as possible, in responding to requests from individuals exercising their rights (Access, Erasure, Rectification).
4. Breach Notification
In the event of a “Breach of Security Safeguards,” Processor shall notify the Customer without undue delay and, where feasible, within 48 hours of becoming aware of the breach. Processor will provide reasonable assistance to the Customer to meet their legal notification obligations under PIPEDA or GDPR.
5. International Transfers (The Munich Shield)
Storage: Personal Data is stored in Munich, Germany.
Transfers: Any transfer of Personal Data outside of the European Economic Area (EEA) to Processor’s support teams in Canada or Mexico is governed by Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to GDPR standards.
6. Audit Rights
Processor shall make available to the Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits or inspections conducted by the Customer or an authorized auditor.
7. Deletion or Return of Data
Upon termination of services, Processor shall delete all Personal Data hosted on Munich infrastructure within 30 days, unless applicable law requires continued storage.
Appendix 1: Subject Matter and Details of Processing
Subject Matter: Provision of digital infrastructure and AI development services.
Duration: The term of the Service Agreement plus 30 days for data purging.
Nature/Purpose: Hosting, storage, and processing required to operate web applications and AI agents.
Categories of Data Subjects: Customer’s employees, end-users, and website visitors.
Appendix 2: Authorized Sub-processors
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Hetzner Online GmbH (or your specific provider) | Physical Infrastructure/Hosting | Munich, Germany |
| OpenAI, LLC | AI Model API Processing | USA / Global |
| Google Cloud (Gemini) | AI Model API Processing | USA / Global |
How to implement this:
Host it: Save this as isnhosting.net/dpa.
Reference it: In your Terms of Service, add: “For business customers, the isnhosting.net Data Processing Addendum (DPA) at [URL] is incorporated into this agreement by reference.”
The “30-Day Notice”: If you ever switch your German server provider or add a new AI model (like Anthropic), you must send a quick email to your customers 30 days before the change to stay compliant with Section 3.