This Data Processing Agreement (“DPA”) is an addendum to the User Terms of Service (“Terms”) between VelociHOST, Inc (“VelociHOST”) and the User. User enters this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates (defined below).
1.1 In this addendum, the following terms shall have the meanings set out below and cognate terms shall be constructed accordingly.
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity, conformed either by User or VelociHOST.
“User Personal Data” means any data that VelociHOST and/or its Affiliates processes on behalf of User in the course of providing the Services under the Terms.
“Data Protection Laws” means (i) Directive 95/46/EC and, from 25 May 2018, Regulation (EU) 2016/679 (“GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998, and (iii) the national legislation of the Swiss Confederation on the protection of Data Subjects with regard to the processing of Personal Data and on the free movement of such data, as amended from time to time, and other data protection or privacy legislation in force from time to time in the Swiss Confederation.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
“Services” means any product or service provided by VelociHOST to User pursuant to and as more particularly described in the Terms.
1.2 The terms “Controller“, “Data Subject“, “Personal Data“, “Personal Data Breach“, “Process” and “Processor” have the same meanings as described in the Data Protection Laws and cognate terms shall be construed accordingly.
1.3 All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms.
2. Scope and Applicability
2.1 This DPA applies where and only to the extent that VelociHOST processes Personal Data on behalf of the User in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
2.2 Role of the Parties. The Parties acknowledge and agree that regarding the Processing of User Personal Data, and as more fully described in Annex  hereto, User acts as a Controller and VeloicHOST acts as a Processor.
The Parties expressly agree that User shall be solely responsible for ensuring timely communications to User’s Affiliates who receive the Services, so far as such communications may be required or useful in light of applicable Data Protection Laws to enable User to comply with such laws.
2.3 User Obligations. User agrees that (i) it shall observe with its responsibilities as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to VelociHOST; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for VelociHOST to process Personal Data and provide the Services pursuant to the Terms and this DPA.
2.4 VelociHOST Processing of Personal Data. As a Processor, VelociHOST shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Terms; (ii) processing to perform any steps necessary for the performance of the Terms; and (iii) to comply with other reasonable instructions provided by User to the extent they are consistent with the terms of this Terms and only in accordance with User’s documented lawful instructions. The parties agree that this DPA and the Terms set out the User’s complete and final instructions to VelociHOST in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between User and VelociHOST.
2.5 Nature of the Data. VelociHOST handles User Data provided by User. Such User Data may contain special categories of data depending on how the Services are used by User. The User Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to User; (ii) to provide User and technical support to User; and (iii) disclosures as required by law or otherwise set forth in the Terms.
2.6 VelociHOST Data. Notwithstanding anything to the contrary in the Terms (including this DPA), User acknowledges that VelociHOST shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, VelociHOST is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
3.1 Authorized Sub-processors. User agrees that VelociHOST may engage Sub-processors to process Personal Data on User’s behalf.
3.2 Sub-processor Obligations. VelociHOST shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause VelociHOST to breach any of its obligations under this DPA.
3.3 Changes to Sub-processors. VelociHOST shall provide User reasonable advance notice (for which email shall suffice) if it adds or removes Sub-processors.
3.4 Objection to Sub-processors. User may object in writing to VelociHOST’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying VelociHOST promptly in writing within five (5) calendar days of receipt of VelociHOST’s notice in accordance with Section 3.3. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by VelociHOST without the use of the objected-to-new Sub-processor.
4.1 Security Measures. VelociHOST shall instrument and uphold proper technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in agreement with VelociHOST’s technical and organizational measures described in Annex B (“Technical and Organizational Measures”).
4.2 Confidentiality of Processing. VelociHOST will guarantee that any person who is authorized by VelociHOST to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate commitment of confidentiality.
4.3 Security Incident Response. Upon becoming aware of a Security Incident, VelociHOST will notify User without unnecessary delay and will provide appropriate information relating to the Security Incident as it is identified or as is reasonably requested by User.
4.4 Updates to Security Measures. User acknowledges that the Security Measures are subject to technical development and change and that VelociHOST may update or modify the Technical and Organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the User.
5. International Transfers
5.1 Processing Location and Transfer. VelociHOST stores and processes EU Data (defined below) as well as all other User Data in data centers located in the United States and anywhere in the world where User, its Affiliates and/or its Sub-processors maintain data processing operations. VelociHOST will employ proper safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws. Moreover, the parties agree that VelociHOST shall be deemed to provide appropriate safeguards for data transfer of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland (“EU Data”) in or to countries which do not guarantee an adequate level of data protection within the meaning of applicable Data Protection Laws. User hereby authorizes any transfer of EU Data to, or access to EU Data from, such destinations outside the EU subject to any of these safeguards having been taken.
6. Return or Deletion of Data
6.1 Upon deactivation of the Services, VelociHOST will cease Processing the User Personal Data, and delete all copies of the User Personal Data Processed by VelociHOST, unless (and solely to the extent and for such period as) Union or Member State law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, VelociHOST may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth here.
7.1 To the extent permissible by law, User shall indemnify and hold harmless VelociHOST against all (i) losses, (ii) third party claims, (iii) administrative fines and (iv) costs and expenses (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or iii), suffered by VelociHOST and that arise from any breach by User of this Addendum or of its obligations under applicable Data Protection Laws.
8.1 The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.
Last updated: November 31, 2019
Annex : Description of Processing of User Personal Data
This Annex includes certain details of the Processing of User Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the User Personal Data are set out in in Sections 1.2 and 1.3 of the Terms.
The nature and purpose of the Processing of the Personal Data
The nature and purpose of the Processing of the User Personal Data are set out as described in Section 1.3 of the Terms.
The categories of Data Subject to whom the User Personal Data relates
The User is solely responsible for determining the categories of Data Subject to whom the User Personal Data relates, and for indicating to VelociHOST those categories. VelociHOST only stores such Data or backs it up upon User demand.
The types of User Personal Data to be Processed
The User is solely responsible for determining the types of Personal Data to be Processed, and for indicating to VelociHOST those types. VelociHOST only stores such Data or backs it up upon User demand.
The obligations and rights of User
The principal obligations and rights of User are set out in Sections 2, 4, 5, 8 and 9 of the Terms and in this Addendum.
Data exporter (as applicable)
User, which engages VelociHOST for the services specified in the Terms.
Data importer (as applicable)
VelociHOST, which provides the services to User pursuant to the Terms.
Processing operations (as applicable)
The personal data transferred will be subject to the following basic processing activities (please specify):
VelociHOST stores and backs up the data (including any Personal Data) that the User chooses to have hosted by VelociHOST.
Last updated: November 31, 2019
Annex : Technical and Organizational Measures
- VelociHOST implements appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of personal data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- VelociHOST implements acceptable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (This includes telephones, database, backup, and application servers and their related hardware) where the personal data are processed or used. This includes establishing security areas, establishing access authorizations for employees and third parties, including the respective documentation, all access to the data centers where personal data are hosted is logged, monitored, and tracked, and the data center where personal data is hosted is secured by a security alarm system, and other appropriate security measures.
- Security of the network powering the VelociHOST Services is a critical component of our overall security objectives. The production data network is isolated from our administrative network in order to offer access only to staff members with legitimate business access needs.
- The VelociHOST company network is protected with protected IP space, isolation and firewalls.
- Access to VelociHOST Service production network components is only permitted from administrative hosts (endpoints) with audited user credentials located on the Company network.
- All devices that perform routing or switching of VelociHOST Service Production traffic are managed using templates with out-of-band audited change management tools. The templates are designed with default, limited, control plane ACL’s to ensure access is highly limited. Additionally, nonrouted IP space is implemented wherever possible to limit CPU exposure to Internet traffic. Encrypted access to these devices is only permitted from the administrative host. Central log collection is utilized for expedited troubleshooting.
- The VelociHOST automation and hypervisor cluster security is enforced through strict firewall enforcement and limited access trusted administrators. System health is monitored from our 24x7x365 NOC through a variety of central logging tools, proactive monitoring, and internal portals alerts.
- Our system administration team also manages critical patches centrally through internal repositories and follows industry-standard peer review practices to publish changes in a non-user impacting fashion. Additionally, non-routed IP space is implemented wherever possible to limit CPU exposure to Internet traffic. Encrypted access to these devices is only permitted from the system administration host. Central log collection is utilized for expedited troubleshooting.
Last updated: January 24, 2020.