Data Processing Agreement

This Data Processing Agreement is an appendix to the agreement (hereinafter: “Agreement”) by and between Customer (hereinafter: “Controller”) and Hosted Git (hereinafter: “Processor”). Unless otherwise defined herein, capitalized terms and expressions in this Data Processing Agreement have the meaning set forth in the Agreement. Where the Agreement deviates from this Data Processing Agreement, this Data Processing Agreement prevails.

Article 1. Purposes of processing

1.1. Processor hereby agrees under the terms of this Data Processing Agreement to process personal data on behalf of the Controller. Processing shall be done solely for the purpose of the Agreement, in particular for providing web hosting services, and all purposes compatible therewith or as determined jointly.

1.2. The personal data to be processed by Processor for the purposes as set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. Processor shall not process the personal data for any other purpose unless with Controller’s consent. Controller shall inform Processor of any processing purposes to the extent not already mentioned in this Data Processing Agreement.

1.3. All personal data processed on behalf of Controller shall remain the property of Controller and/or the data subjects in question.

Article 2. Allocation of responsibilities

2.1. Processor shall make available IT facilities to be used by Controller for the purposes mentioned above. Processor shall not itself perform processing operations unless separately agreed otherwise.

2.2. Processor will process the personal data only on the basis of written instructions from the Controller in the context of the execution of the Agreement and the services provided, or in connection with all legal obligations.

2.3. Controller represents and warrants that the content, usage and instructions to process the personal data as meant in this Data Processing Agreement are lawful and do not violate any right of any (third) party.

Article 3. Processor obligations

3.1. Regarding the processing operations referred to in the previous clause, Processor shall comply with all applicable legislation, including at least all data processing legislation such as the EU General Data Protection Regulation 2016/679 (hereinafter: GDPR).

3.2. Upon written request Processor shall inform Controller about any measures taken to comply with its obligations under this Data Processing Agreement.

3.3. All obligations for Processor under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees in the broadest sense of the term.

3.4. Processor shall inform Controller if in its opinion an instruction of Controller would violate the legislation referred to in the first clause of this article.

3.5. Processor enables the Controller to comply with the obligations under Articles 32 to 36 GDPR, which includes the security obligation, the reporting of data breaches, the performance of privacy impact assessments and the prior consultation of a processing operation with high risk after implemented control measures.

Article 4. Data transfer

4.1. Processor may process the personal data processed on behalf of Controller in any country within the European Economic Area.

4.2. Before any data transfer will be performed Processor shall inform Controller in writing of the countries involved in the data transfer. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Processor shall ensure that the personal data are adequately protected. To achieve this, the Processor shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

Article 5. Involvement of sub-processors

5.1. The Processor is permitted to involve sub-processors when processing the personal data. The Processor shall timely inform the Controller of any intended changes regarding the addition or replacement of these sub-processors. The Controller may object to the appointment of a sub-processor on reasonable grounds.

5.2. The Processor is obliged to conclude an agreement with the sub-processor(s) which has the same or similar content as this Data Processing Agreement. In these cases, the Processor remains the contact point and is responsible for compliance with the provisions of this Data Processing Agreement at all times.

Article 6. Security

6.1. The Processor takes appropriate technical and organizational measures to protect personal data against loss or any form of unlawful processing, in accordance with Article 32 GDPR. These measures guarantee an appropriate level of security, given the nature of the personal data processed by the Processor. Appendix 2 indicates which specific security measures the Processor has taken to protect the personal data.

6.2. The security measures in question should, taking into account the state of the art and the costs of implementation, provide an appropriate level of security in view of the risks involved in the processing and the nature of the data to be protected. These measures are also aimed at preventing unnecessary collection and further processing of the personal data.

Article 7. Notification and communication of data breaches

7.1. Controller is responsible at all times for notification of any security breaches and/or personal data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable Controller to comply with this legal requirement, Processor shall notify Controller without delay, but no later than within 24 hours after becoming aware of an actual or threatened security or personal data breach as referred to in Articles 33 and 34 GDPR.

7.2. If the Processor determines that there is a data breach, it will take measures to prevent further disclosure or distribution of the personal data.

7.3. The notification shall include at least the fact that a breach has occurred. In addition, the notification shall: - describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; - describe the likely consequences of the personal data breach; - describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Article 8. Data subjects rights

8.1. Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Article 9. Confidentiality obligations

9.1. Processor and employees of Processor shall keep personal data that Processor receives from Controller and/or collects itself confidential, unless Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Controller or the provision is legally required.

Article 10. Audit

10.1. Controller has the right to have audits performed on Processor.

10.2. The audit findings shall be assessed by Processor and implemented if and to the extent deemed reasonable by Processor.

Article 11. Liability

11.1. If the Processor causes damage due to non-compliance with the agreements in this Data Processing Agreement, the legal rules and regulations in the field of protection of personal data or the security policy, the Processor is liable for this damage with due observance of the provisions of article 12 of the Agreement.

Article 12. Term and termination

12.1. This Data Processing Agreement shall become effective upon the date this Data Processing Agreement is signed.

12.2. All notices, confirmations and other statements made by Controller in connection with this Data Processing Agreement shall be in writing and shall be sent per e-mail to Processor.

12.3. This Data Processing Agreement is entered into for the duration of the Agreement. Obligations with an enduring nature continue to exist between the parties.

12.4. Upon termination of the Data Processing Agreement, regardless of reason or manner, Processor shall - at the choice of Controller – return (in original format), delete and/or destroy the personal data processed on behalf of Controller.

12.5. This Data Processing Agreement may be changed in the same manner as the Agreement.

Appendix 1: Stipulation of personal data and data subjects

Personal data Processor shall process the below personal data under the supervision of Controller, as specified in article 1 of the Data Processing Agreement:

  • - Names
  • - Email addresses
  • - IP addresses

All personal data that customers collect and use using the provided web hosting services of the following categories of data subjects:

  • - Personnel

Controller represents and warrants that the description of personal data and categories of data subjects in this Appendix 1 is complete and accurate, and shall indemnify and hold harmless Process for all faults and claims that may arise from a violation of this representation and warranty.

Appendix 2: Security measures

Organisational security measures

Our team is very security minded. We have various security policies in place and new employees are required to read and adhere to our internal security guidelines. Due to the relative small size of our team it is still possible to test our personnel on an ad-hoc basis. However, we are creating policies to make these tests repeatable and measurable.

Legal & Law

We adhere to Thai law and all responsibilities that come with it. We will cooperate with law enforcement unless it is in conflict with Thai law. No rights can be derived from the information in this appendix.