Unless otherwise stated, definitions used in this addendum shall have the same meaning as those in SkyToaster’s terms and conditions.
Purpose and scope of SkyToaster Data Processing on behalf of Data Controllers
For the purpose of providing the Services, SkyToaster will process Customer Hosted Data. To the extent that Customer Hosted Data is comprised of Personal Data, the parties acknowledge that SkyToaster acts as a Data Processor for all Customer Hosted Data supplied to SkyToaster by the Customer as well as the Customer’s own customers or agents.
The Services are provided on the basis that either:
· the Customer is the Data Controller for all Customer Hosted Data supplied to SkyToaster under the Services and has complied with its obligations under the applicable Data Protection Laws, including but not limited to obtaining the required consents (“Data Protection Consents”); or
· where the Customer is a Data Processor on behalf of a Data Controller, that SkyToaster is a sub-Data Processor and that the Customer has:
- ensured that all necessary Data Protection Consents have been obtained or other lawful grounds for Processing have been correctly established;
- entered into the required contractual arrangements, including arrangements with the relevant Data Controller for SkyToaster to act as sub-processor legally;
- complied with its obligations as Data Processor under the applicable Data Protection Laws; and
- shall be liable to the Data Controller for SkyToaster’s acts and omissions as a sub-Data Processor.
By accepting this addendum the Customer indicates their acceptance of the provisions below and warrants that the basis of the Services set out in this Data Processing Addendum is accurate.
Nature of the Processing
SkyToaster undertakes a range of Processing as defined by the Services, i.e. the provision of hosting services to the Customer, the choice of which is determined by the Customer. The Customer acknowledges that the scope of the Services explicitly excludes the access to, manipulation, transformation or optimization of or decision-making based on Customer Hosted Data for the purposes of such Processing by SkyToaster. SkyToaster provides a shared, Virtual Private Server, dedicated and cloud-based hosting infrastructure to support the Customer’s or Customer’s agents’ processing of data to that end.
SkyToaster maintains no visibility of and has no intention to access or manipulate Customer Hosted Data, even in the case where SkyToaster maintains technical access for the purposes of management of the infrastructure of the Customer Hosted Solution. This is due to the Customer’s position as the Primary System Administrator. SkyToaster interacts with the Customer Hosted Solution at an infrastructure level only, not at the level of Customer Hosted Data or the Customer Hosted Applications. Further, any processing by SkyToaster of Customer Hosted Data (which may comprise Processing of Personal Data) is determined by the Customer insofar as it is the Customer that ultimately determines what the Services will be and, therefore, what data processing occurs.
SkyToaster classifies all Customer Hosted Data as the same type of data and does not maintain visibility of different types of Customer Hosted Data or categories of Personal Data within this set. SkyToaster applies the same level of generic security controls to all Customer Hosted Solutions.
SkyToaster provides a service which constitutes among other things the provision of shared hosting, reseller hosting, VPSes, storage, networking and dedicated servers to Customers. Whilst we will try to ensure the compliance of those underlying services with the applicable Data Protection Laws, we do not maintain reliable access to the Operating Systems, applications or data that Customers upload to their Customer Hosted Solution, so the Customer is responsible for all data protection issues not related to the underlying services.
Duration of Processing
The Customer is responsible for the duration of the processing of any Personal Data comprising Customer Hosted Data. While the Agreement is in force, SkyToaster will Process all such Personal Data in accordance with the Customer’s written instructions.
SECURITY AND COMPLIANCE OF THE UNDERLYING HOSTING INFRASTRUCTURE
SkyToaster will be responsible for maintaining the GDPR compliance of the underlying hosting infrastructure, SkyToaster support personnel (including that such personnel are subject to a duty of confidence that is compliant with the applicable Data Protection Laws) and physical locations, including appropriate technical and organizational controls to secure and ensure the resilience of the underlying hosting infrastructure as defined by our security procedures.
SkyToaster has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. A non-exhaustive list of technical and organizational measures is set out below. By entering into this addendum, the Customer confirms that it has reviewed and approved the following measures:
SECURITY MANAGEMENT & POLICY
· Maintenance of an overarching information security management system based on an industry leading international standard (currently ISO27001:2013)
· Security and Compliance teams to help ensure SkyToaster operational and policy/audit security matters receive appropriate attention and resourcing
HR & ACCESS CONTROL
· Vetting of all SkyToaster personnel prior to commencement of employment
· Appropriate on-hire, role change and termination activities related to SkyToaster access and asset management
· Use of a role-based access control system and restriction of all SkyToaster access to customer data or Customer Hosted Solutions to those personnel with a business need for access
· The ability to audit all SkyToaster personnel access to Customer Hosted Solutions and/or Customer Hosted Data
PHYSICAL & ENVIRONMENTAL SECURITY
· Sufficient physical and environmental security controls at all SkyToaster facilities
· Appropriate availability, performance and security logging, monitoring and audit controls for the underlying infrastructure
· Vulnerability management systems to help ensure the patch and configuration levels of the underlying infrastructure appropriate to SkyToaster’s scale and policies
· Hardening of underlying infrastructure devices to levels that are materially in accordance with good industry practice
· Appropriate encryption in transit and at rest for sensitive operational data such as API calls, control panel access, customer credentials and key material managed by SkyToaster and SkyToaster privileged user access to all infrastructure and Customer Hosted Solution devices, including a commitment to continually manage the strength of associated cryptosystems and ciphers
· Regular third party tests of the security posture of the underlying hosting environment
· Backups and infrastructure redundancy within the underlying hosting infrastructure appropriate to our Terms and Conditions and SLAs
· Appropriate security of all SkyToaster end-user devices used by SkyToaster to access the underlying hosting infrastructure, Customer Hosted Data and Customer Hosted Solutions
INCIDENT MANAGEMENT & COMMUNICATION
· Sufficient internal incident management procedures, including the commitment to escalate relevant security incidents to impacted Customers without undue delay
AVAILABILITY OF CUSTOMER HOSTED SOLUTIONS AND SERVICES
Temporary loss of Availability or Integrity related to an Emergency Maintenance or Scheduled Maintenance is not considered to be a loss of Availability under the applicable Data Protection Laws.
As set out in the applicable Service Definitions, SkyToaster cannot guarantee that individual Customer Hosted Solutions remain Available at an application or data level, as this availability is primarily a result of decisions taken by the Primary System Administrator. SkyToaster guarantees the availability of data center services, e.g. availability of core network connection, power and cooling, and the availability of sufficient hypervisor capacity where Cloud services are procured, in line with the provisions of the services’ respective SLAs and SkyToaster’s definition of Availability. In accordance with the Services being provided, SkyToaster is not able to decide how Personal Data comprising Customer Hosted Data is processed. The Customer Hosted Solutions are inevitably Infrastructure-as-a-Service-based and control of the data thereon is with the Customer.
Customer data protection responsibilities
As the Primary System Administrator and / or Data Controller the Customer has the following responsibilities under GDPR:
- Maintain appropriate technical controls to secure and monitor for security:
  - the Operating System
  - the Applications
  - logical data stores (databases, or storage structures built by or on behalf of the Customer using SkyToaster Storage-as-a-Service products)
- Configuration of network security controls specific to the Customer Hosted Solution
- Monitoring of the Customer Hosted Solution for signs of security incident or intrusion
  - all non-SkyToaster user access
- Ongoing management of any anti-malware controls residing on Customer virtual machines or dedicated servers
- Undertake any required third party testing or certification of their Customer Hosted Solution
- Where the above is included within the scope of a Customer SLA, SkyToaster will undertake the work based on instructions from the Customer in ticket form, but the Customer remains responsible for the efficacy of the controls implemented.
- Undertake all organizational measures required to ensure compliance with the basic principles for processing (Articles 5, 6, 7 and 9 of the GDPR) and Data Subjects’ rights (Articles 12-22 of the GDPR) at the point of collection of data; be aware of the technical and organizational security controls put in place by SkyToaster; and maintain additional technical and organizational controls to ensure compliance during processing, storage, any transfer not undertaken solely by SkyToaster and at the point of destruction, if not reliant on SkyToaster’s underlying solution-level data destruction processes (i.e. deletion of a hosting account, VPS or decommissioning of a dedicated server and associated storage media).
- Undertake and manage all communication with Data Subjects
- Maintain any required relationship with the Information Commissioner’s Office on behalf of the Data Controller
SkyToaster use of Data Sub-Processors
By entering into this Data Protection Addendum, the Customer hereby permits SkyToaster to appoint sub-processors of Personal Data and, for the term that the Data Protection Addendum is in force, shall have a general right to appoint sub-processors of Personal Data. SkyToaster shall provide the Customer with prior notification before appointing any sub-processors of any Personal Data that are in addition to those noted in this Data Processing Addendum.
SkyToaster utilizes a small number of Data Sub-Processors in order to provide Services to the Customer. The following list of Data Sub-Processors used to provide Services will be updated from time to time to reflect the current operational position:
- LeaseWeb Netherlands – Hardware and colocation service provider
- So You Start (OVH) – Hardware, colocation and backup service provider
- I3D.NET BV – Hardware and colocation service provider
- CorgiTech – Hardware and colocation service provider
- Tailor Made Servers – Hardware and colocation service provider
- Cloud South – Hardware and colocation service provider
- Amazon Web Services – Backup storage provider
- ResellerClub – Domain name and email services
- Mailgun – Provision of bulk emailing services
SkyToaster will notify the Customer, by support ticket or email, of the use of any new Data Sub-Processor at least one (1) month prior to adoption of the Sub-Processor and any transfer of Customer Hosted Data or provision of any form of access to Customer Hosted Solutions, and the Customer must ensure that all necessary Data Protection Consents are obtained or other legitimate grounds for processing the Personal Data are established. The Customer’s continued use of the Services constitutes approval for the use of this new Data Sub-Processor and a repeated warranty by the Customer that the use of all sub-processors is lawful under the applicable Data Protection Laws, subject to SkyToaster complying with its obligations under the applicable Data Protection Laws in respect of appointing sub-processors. SkyToaster will perform appropriate due diligence on the Data Sub-Processor, as we will on any security-impacting supplier.
SkyToaster will maintain written contracts with all SkyToaster Sub-Processors including any relevant GDPR-related compliance requirements and will conduct regular audits to confirm their continuing conformance with Data Protection Laws.
Transfer to non-GDPR-aligned locations or Sub-Processors
SkyToaster will not transfer Customer Hosted Data to any Data Sub-Processor located outside of the EEA or to any other third party location not deemed appropriate by Binding Corporate Rules, Privacy Shield or other adequacy decision defined on a continuing basis by the Information Commissioner’s Office without explicit written permission from the Customer.
Processing in accordance with written instructions
SkyToaster will only process Customer Hosted Data (which may or may not include data for which the Customer is the Data Controller) in accordance with the Data Controller’s written instructions, which for the purposes of data protection and this addendum are taken to be contained in whole within the section ‘Purpose and scope of SkyToaster Data Processing on behalf of Data Controllers.’ No other written instructions can be accepted, as they will fall outside of the scope of our services.
Assistance with Customer data protection obligations
Insofar as SkyToaster provides a hosting infrastructure to the Customer, SkyToaster will assist the Data Controller in meeting its data protection obligations, including:
- Audits as required by the Customer’s compliance regime or in the event of an investigation, which will be charged on a reasonable time and materials basis, unless SkyToaster has reasonable evidence to suggest that the investigation is related to a material failure or weakness in our Services.
- Informing the Customer, without undue delay, of the possibility of a material security breach of their Customer Hosted Solution if detected by our systems.
- Provision of Customer root or admin access to the Customer Hosted Solution at the point of initial deployment. (This constitutes the full extent of the assistance SkyToaster can technically provide regarding Subject Access Requests for data for which the Customer or the Customer’s customer is the Data Controller.)
- Keeping a record of all Processing of Personal Data performed in relation to the Services.
- Where a Security Incident resulting in a data breach has occurred, or is suspected to have occurred, as a result of a material failure or weakness in the SkyToaster infrastructure, notifying impacted Customers without undue delay.
- For termination of contract for reasons other than breach of the Acceptable Use Policy or non-payment of fees, providing a reasonable period in which the Customer can use standard tools to extract the data themselves, provided that such extraction by the Customer does not prejudice SkyToaster or its systems. In all cases SkyToaster will delete all Customer Hosted Data on our infrastructure as part of decommissioning of the Customer Hosted Solution.
- Assisting the Customer in complying with its obligations under applicable Data Protection Laws, in particular in relation to implementing appropriate security measures, carrying out a data protection impact assessment, and consulting the competent data protection authority.