Version: 1 | Effective Date: November 2025
This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Service Agreement between:
(1) Cloudys (“Processor”), a company established under the laws of Estonia, with principal office at Sepapaja tn 6, Lasnamäe linnaosa, 15551 Tallinn, Estonia;
and
(2) [Customer Name] (“Controller”), using Cloudys services under the Main Service Agreement,
together referred to as the “Parties”.
1. Purpose and Scope
1.1. Cloudys processes Personal Data on behalf of the Controller to provide hosting, synchronization, and replication services.
1.2. This DPA outlines the obligations of both Parties under Article 28 GDPR and applies to all Personal Data processed by Cloudys.
1.3. The Controller determines the purposes and means of processing.
2. Subject Matter and Duration
| Aspect | Description |
|---|---|
| Subject Matter | Hosting, replication, and management of Personal Data provided by the Controller. |
| Duration | For the term of the Service Agreement and until data deletion or return. |
| Nature & Purpose | Cloud hosting, redundancy, backup, and performance optimization. |
| Categories of Data | Customer and user account data, contact details, logs, billing information, and content uploaded by users. |
| Data Subjects | Controller’s customers, staff, partners, and end users. |
3. Data Location and Replication
Cloudys utilizes Hetzner data centers in multiple regions for redundancy and high availability:
| Region | Entity | Role | Legal Transfer Basis |
|---|---|---|---|
| Germany (EU/EEA) | Hetzner Online GmbH | Primary data center | GDPR-compliant (within EEA) |
| United States | Hetzner USA LLC | Secondary replication site | EU Standard Contractual Clauses (2021/914/EU) |
| Singapore | Hetzner Singapore Pte Ltd. | Asia-Pacific replication | EU SCCs (2021/914/EU) |
All replicated data is encrypted in transit and at rest. Encryption keys remain stored exclusively within the EEA.
4. Roles and Responsibilities
4.1 Controller
- Determines lawful basis and purpose of processing.
- Ensures data subjects are informed about processing activities.
4.2 Cloudys (Processor)
Cloudys shall:
- Process data only on documented instructions from the Controller.
- Ensure that personnel authorized to process the data are bound by confidentiality.
- Maintain appropriate technical and organizational measures (TOMs).
- Notify the Controller without undue delay in the event of a data breach.
- Assist the Controller with GDPR data-subject requests (Arts. 15–22).
- Maintain records of processing activities and cooperate with authorities.
5. Technical and Organizational Measures (TOMs)
Cloudys implements and maintains security controls consistent with Hetzner’s ISO 27001-certified environment, including:
- Encryption: AES-256 at rest, TLS 1.3 in transit.
- Access Controls: Role-based access, least privilege, and MFA.
- Network Security: Firewalls, DDoS protection, and isolation.
- Monitoring: Logging, anomaly detection, and security alerts.
- Data Integrity: Redundant backups, integrity checks, and versioning.
- Key Management: Encryption keys stored only within the EU.
- Audits: Annual penetration testing and infrastructure security reviews.
(Full list provided in Annex II.)
6. Subprocessors
Controller authorizes Cloudys to engage the following subprocessors:
| Subprocessor (Legal Entity) | Address / Jurisdiction | Location | Function | Legal Basis |
|---|---|---|---|---|
| Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen, Germany | EU | Primary hosting provider | Within EEA |
| Hetzner USA LLC | Delaware, USA | USA | Redundant replication node | SCCs (Module Two) |
| Hetzner Singapore Pte Ltd. | Singapore | Singapore | Asia-Pacific replication node | SCCs (Module Two) |
Each subprocessor is bound by written terms ensuring data protection obligations equivalent to this DPA.
7. International Transfers
7.1. Data transfers to non-EEA subprocessors occur only under the EU Standard Contractual Clauses (Decision 2021/914/EU), including Module Two (Controller–Processor).
7.2. Supplementary safeguards include:
- End-to-end encryption during transfer and storage.
- EU-based encryption key management.
- Regular risk assessments and due diligence on subprocessors.
7.3. No additional onward transfers are made without written authorization.
8. Data Breach Notification
Cloudys will notify the Controller without undue delay after becoming aware of a personal-data breach, describing:
- The nature and scope of the breach.
- The categories and approximate number of data subjects affected.
- The measures taken or proposed to mitigate its impact.
9. Data Deletion and Return
Upon termination of services, Cloudys will delete or return all personal data, unless retention is required by law. Confirmation of deletion can be provided upon request.
10. Audits and Demonstration of Compliance
Cloudys will provide documentation and independent audit summaries (e.g., Hetzner ISO 27001 or SOC 2 reports) to demonstrate compliance.
Controller may conduct audits with reasonable notice and subject to confidentiality.
11. Subprocessor Chain
Hetzner operates as Cloudys’s subprocessor.
Cloudys and Hetzner are bound by a Data Processing Agreement (https://www.hetzner.com/legal/dpa), which includes detailed technical and organizational measures consistent with GDPR.
12. Governing Law
This DPA shall be governed by the laws of the European Union and, where applicable, the Member State where the Controller is established.
13. Order of Precedence
If this DPA conflicts with other contractual terms, this DPA shall prevail to the extent necessary to ensure GDPR compliance.
Signatures
Controller: ___________________________ Date: __________
Processor (Cloudys): ___________________________ Date: __________
Annex I – Details of Processing
| Category | Description |
|---|---|
| Data Types | Customer contact data, account credentials, configuration, logs, and content. |
| Purpose | Hosting, synchronization, redundancy, and data replication. |
| Data Subjects | Controller’s customers, employees, and users. |
| Retention | Duration of the service + up to 90 days for backup validation. |
Annex II – Technical and Organizational Measures
- Encryption at rest and in transit.
- Access restriction and multi-factor authentication.
- Network segmentation and intrusion detection.
- Logging and continuous monitoring.
- Secure backup and recovery strategy.
- Physical and environmental protection by Hetzner.
- EU-based key management.
- Annual third-party security audits.
Annex III – Approved Subprocessors
| Name | Address | Role | Legal Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Primary Infrastructure Provider | Within EEA |
| Hetzner USA LLC | USA | Backup & Replication | SCCs |
| Hetzner Singapore Pte Ltd. | Singapore | Backup & Replication | SCCs |