Article 1. Purposes of processing
1.1. Processor hereby agrees under the terms of this Data Processing Agreement to process
personal data on behalf of the Controller. Processing shall be done solely for the purpose
of the Agreement, in particular for providing web hosting services, and all purposes
compatible therewith or as determined jointly.
1.2. The personal data to be processed by Processor for the purposes as set out in the
previous clause and the categories of data subjects involved are set out in Appendix 1 to
this Data Processing Agreement. Processor shall not process the personal data for any
other purpose unless with Controller’s consent. Controller shall inform Processor of any
processing purposes to the extent not already mentioned in this Data Processing
1.3. All personal data processed on behalf of Controller shall remain the property of
Controller and/or the data subjects in question.
Article 2. Allocation of responsibilities
2.1. Processor shall make available IT facilities to be used by Controller for the purposes
mentioned above. Processor shall not itself perform processing operations unless
separately agreed otherwise.
2.2. Processor will process the personal data only on the basis of written instructions from the
Controller in the context of the execution of the Agreement and the services provided, or
in connection with all legal obligations.
2.3. Controller represents and warrants that the content, usage and instructions to process
the personal data as meant in this Data Processing Agreement are lawful and do not
violate any right of any (third) party.
Article 3. Processor obligations
3.1. Regarding the processing operations referred to in the previous clause, Processor shall
comply with all applicable legislation, including at least all data processing legislation such
as the EU General Data Protection Regulation 2016/679 (hereinafter: GDPR).
3.2. Upon written request Processor shall inform Controller about any measures taken to
comply with its obligations under this Data Processing Agreement.
3.3. All obligations for Processor under this Data Processing Agreement shall apply equally to
any persons processing personal data under the supervision of Processor, including but
not limited to employees in the broadest sense of the term.
3.4. Processor shall inform Controller if in its opinion an instruction of Controller would
violate the legislation referred to in the first clause of this article.
3.5. Processor enables the Controller to comply with the obligations under Articles 32 to 36
GDPR, which includes the security obligation, the reporting of data breaches, the
performance of privacy impact assessments and the prior consultation of a processing
operation with high risk after implemented control measures.
Article 4. Data transfer
4.1. Processor may process the personal data processed on behalf of Controller in any
country within the European Economic Area.
4.2. Before any data transfer will be performed Processor shall inform Controller in writing of
the countries involved in the data transfer. If personal data processed under this
Agreement is transferred from a country within the European Economic Area to a country
outside the European Economic Area, the Processor shall ensure that the personal data
are adequately protected. To achieve this, the Processor shall, unless agreed otherwise,
rely on EU approved standard contractual clauses for the transfer of personal data.
Article 5. Involvement of sub-processors
5.1. The Processor is permitted to involve sub-processors when processing the personal data.
The Processor shall timely inform the Controller of any intended changes regarding the
addition or replacement of these sub-processors. The Controller may object to the
appointment of a sub-processor on reasonable grounds.
5.2. The Processor is obliged to conclude an agreement with the sub-processor(s) which has
the same or similar content as this Data Processing Agreement. In these cases, the
Processor remains the contact point and is responsible for compliance with the
provisions of this Data Processing Agreement at all times.
Article 6. Security
6.1. The Processor takes appropriate technical and organizational measures to protect
personal data against loss or any form of unlawful processing, in accordance with Article
32 GDPR. These measures guarantee an appropriate level of security, given the nature of
the personal data processed by the Processor. Appendix 2 indicates which specific
security measures the Processor has taken to protect the personal data.
6.2. The security measures in question should, taking into account the state of the art and the
costs of implementation, provide an appropriate level of security in view of the risks
involved in the processing and the nature of the data to be protected. These measures
are also aimed at preventing unnecessary collection and further processing of the
Article 7. Notification and communication of data breaches
7.1. Controller is responsible at all times for notification of any security breaches and/or
personal data breaches (which are understood as: a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access
to, personal data transmitted, stored or otherwise processed) to the competent
supervisory authority, and for communication of the same to data subjects. In order to
enable Controller to comply with this legal requirement, Processor shall notify Controller
without delay, but no later than within 24 hours after becoming aware of an actual or
threatened security or personal data breach as referred to in Articles 33 and 34 GDPR.
7.2. If the Processor determines that there is a data breach, it will take measures to prevent
further disclosure or distribution of the personal data.
7.3. The notification shall include at least the fact that a breach has occurred. In addition, the
- describe the nature of the personal data breach including, where possible, the
categories and approximate number of data subjects concerned and the
categories and approximate number of personal data records concerned;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address
the personal data breach, including, where appropriate, measures to mitigate its
possible adverse effects.
Article 8. Data subjects rights
8.1. Processor shall assist Controller by implementing appropriate technical and
organizational measures, insofar as this is possible, for the fulfilment of the Controller
obligations, to respond to requests to exercise Data Subject rights under the Data
Article 9. Confidentiality obligations
9.1. Processor and employees of Processor shall keep personal data that Processor receives
from Controller and/or collects itself confidential, unless Controller has granted explicit
permission to provide the information to third parties, the provision to third parties is
reasonably necessary considering the nature of the assignment to Controller or the
provision is legally required.
Article 10. Audit
10.1. Controller has the right to have audits performed on Processor.
10.2. The audit findings shall be assessed by Processor and implemented if and to the extent
deemed reasonable by Processor.
Article 11. Liability
11.1. If the Processor causes damage due to non-compliance with the agreements in this Data
Processing Agreement, the legal rules and regulations in the field of protection of
personal data or the security policy, the Processor is liable for this damage with due
observance of the provisions of article 12 of the Agreement.
Article 12. Term and termination
12.1. This Data Processing Agreement shall become effective upon the date this Data
Processing Agreement is signed.
12.2. All notices, confirmations and other statements made by Controller in connection with
this Data Processing Agreement shall be in writing and shall be sent per e-mail to
12.3. This Data Processing Agreement is entered into for the duration of the Agreement.
Obligations with an enduring nature continue to exist between the parties.
12.4. Upon termination of the Data Processing Agreement, regardless of reason or manner,
Processor shall - at the choice of Controller – return (in original format), delete and/or
destroy the personal data processed on behalf of Controller.
12.5. This Data Processing Agreement may be changed in the same manner as the Agreement.
Appendix 1: Stipulation of personal data and data subjects
Processor shall process the below personal data under the supervision of Controller, as specified
in article 1 of the Data Processing Agreement:
- - Names
- - Email addresses
- - IP addresses
All personal data that customers collect and use using the provided web hosting services of the following categories of data subjects:
Controller represents and warrants that the description of personal data and categories of data
subjects in this Appendix 1 is complete and accurate, and shall indemnify and hold harmless Process
for all faults and claims that may arise from a violation of this representation and warranty.
Appendix 2: Security measures
Organisational security measures
Our team is very security minded. We have various security policies in place and new employees
are required to read and adhere to our internal security guidelines. Due to the relative small size
of our team it is still possible to test our personnel on an ad-hoc basis. However, we are creating
policies to make these tests repeatable and measurable.
Legal & Law
We adhere to Thai law and all responsibilities that come with it. We will cooperate with law
enforcement unless it is in conflict with Thai law.
No rights can be derived from the information in this appendix.