Data Processing Agreement (DPA)

This Data Processing Agreement (hereinafter "DPA" or "Agreement") supplements the existing service contract between HOSTON SRL (as Processor) and the Client (as Controller) and is concluded pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR).

The Agreement applies where the Client stores or processes on HostON infrastructure personal data belonging to third parties (e.g. website visitors, online store customers, portal members, etc.).

By using HostON services and accepting the Terms and Conditions, the Client also accepts the terms of this DPA. If you are a business customer and require a signed version of this agreement, please contact us at info@hoston.ro.

• Controller — the Client who determines the purposes and means of processing the personal data of third parties
• Processor — HOSTON SRL, which processes personal data on behalf of the Controller
• Personal data — any information relating to an identified or identifiable natural person stored on HostON infrastructure
• Data subject — the Client's end user (website visitor, e-commerce customer, etc.) whose data is stored on HostON servers
• Security incident — any security breach leading to the destruction, loss, alteration, unauthorised disclosure of or unauthorised access to personal data

• Nature of processing: storage, processing, transmission and backup of personal data on HostON infrastructure (servers, VPS, hosting)
• Purpose of processing: exclusively the provision of hosting services under the contract — HostON does not process data for its own purposes
• Types of data: any personal data that the Client stores on HostON servers (e.g. names, emails, addresses, payment data, behavioural data, etc.)
• Categories of data subjects: the Client's visitors, customers, users or employees
• Duration: for the duration of the service contract, plus the post-contract retention period specified in this agreement

The Client, as Controller, warrants that:

• The processing of data on HostON infrastructure has a valid legal basis under GDPR (Art. 6 and/or Art. 9)
• It has informed data subjects about data processing, including the use of hosting services as sub-processors
• It has implemented adequate technical and organisational measures at the application level (strong passwords, 2FA authentication, application-level encryption, etc.)
• It will notify HostON of any specific processing instructions that go beyond standard hosting obligations
• It is responsible for the content stored on HostON servers and for the lawfulness of the processing it carries out

HOSTON SRL, as Processor, undertakes to:

• Process data solely in accordance with the Client's instructions, without using it for its own or third-party purposes
• Ensure confidentiality — all staff authorised to access data are contractually bound to confidentiality
• Implement adequate security measures: account isolation (CageFS), encryption in transit (TLS/SSL), firewall, automatic backup, DDoS protection via Cloudflare, continuous monitoring
• Assist the Client in fulfilling obligations to data subjects (right of access, rectification, erasure, portability) to the extent possible through technical capabilities
• Not transfer data without the Client's consent, except as required by law
• Notify the Client without undue delay (within 72 hours) of any security incident affecting data stored on HostON infrastructure
• Delete or return data at the Client's request or upon contract termination, according to the Client's choice
• Make available information to demonstrate compliance and allow reasonable audits

The Client provides general authorisation for HostON to use sub-processors in providing services. Current sub-processors are:

• Romanian data centre — server colocation (physical data storage)
• Cloudflare Inc. — DDoS protection and CDN (IP address processing)
• Brevo (Sendinblue) — operational email notifications (client email address)

HostON will notify the Client at least 14 days in advance of adding or replacing a sub-processor. The Client has the right to object, in which case they may terminate the contract without penalty.

HostON imposes equivalent data protection obligations on sub-processors through dedicated contracts.

HostON implements and maintains adequate technical and organisational measures to protect data, including:

• Encryption in transit (TLS 1.2/1.3) and at rest for backups
• Complete account isolation via CloudLinux CageFS
• Network and application-level firewall (ModSecurity WAF)
• Automatic daily backup with 7-day retention (JetBackup)
• 24/7 monitoring and automatic anomaly alerting
• Restricted staff access on a need-to-know basis
• Antivirus and anti-malware scanning via Imunify360

In the event of a security incident affecting the Client's data, HostON will:

1. Notify the Client without undue delay and within a maximum of 72 hours of becoming aware
2. Provide all available information: the nature of the incident, categories of data affected, estimated number of data subjects, likely consequences, measures taken or proposed
3. Cooperate fully with the Client in managing the incident and notifying the ANSPDCP

Notification is sent to the email address associated with the client account in the HostON system.

Data stored on HostON servers is located in Romania (EU). Transfers carried out by sub-processors (Cloudflare, Brevo) to third countries are performed in compliance with GDPR transfer mechanisms (Adequacy Decisions, Standard Contractual Clauses — SCC). Details in the Privacy Policy.

HostON will provide upon request the documentation necessary to demonstrate compliance with GDPR Art. 28.

Physical or technical audits at HostON's premises/infrastructure are possible with a minimum of 30 days' notice, once per year, at the Client's expense, and must not disrupt the operations of other clients. HostON may refuse excessive or unreasonable audits.

Upon termination of the service contract (by expiry, termination or express request):

• The Client has 14 calendar days from suspension to download data from the control panel (cPanel/DirectAdmin)
• After this period, data will be permanently deleted from HostON servers
• Upon explicit request, HostON can provide a written confirmation of data deletion
• System backups are retained for a maximum of 30 days after account deletion, then permanently destroyed

dpaPage.s12P

For requests related to this agreement, for signed DPA requests or to exercise rights under GDPR Art. 28, contact us at info@hoston.ro with subject "DPA / GDPR Agreement".