Data Processing Agreement
Last Updated: · Questions? support@quicksrv.io
Introduction and Framework
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service ("Agreement") between ClearStack B.V., operating under the brand quicksrv.io ("Processor", "Company", "we", "us", or "our"), and the customer identified in the Agreement ("Controller", "Customer", or "you").
This DPA reflects the parties' agreement with regard to the processing of personal data carried out by us on your behalf in the course of providing the Services, and is concluded pursuant to Article 28(3) of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and, where applicable, the UK GDPR and the Dutch Implementation Act (UAVG).
Where Customer Data processed through the Services contains personal data, this DPA applies and prevails over any conflicting provision of the Agreement in respect of the processing of such personal data. In all other respects the Agreement remains in full force and effect.
Definitions
Capitalised terms not defined in this DPA have the meaning given to them in the Agreement. In addition:
Personal Data
means any information relating to an identified or identifiable natural person ("data subject") within the meaning of Art. 4(1) GDPR that is contained in Customer Data and processed by us on your behalf under the Agreement.
Processing
has the meaning given in Art. 4(2) GDPR and "process", "processes", and "processed" are construed accordingly.
Controller / Processor
have the meanings given in Art. 4(7) and Art. 4(8) GDPR. For the purposes of this DPA, you act as Controller (or as processor on behalf of your own controller) and we act as Processor (or sub-processor, as applicable).
Sub-Processor
means any third party engaged by us to process Personal Data on our behalf in connection with the Services.
Data Protection Law
means the GDPR, the UK GDPR, the UAVG, the ePrivacy rules as implemented in the Netherlands, and all other applicable laws relating to the processing of personal data and privacy.
Personal Data Breach
has the meaning given in Art. 4(12) GDPR.
Roles and Scope of Processing
Allocation of Roles
As between the parties, you are the Controller and determine the purposes and means of the processing of Personal Data contained in Customer Data. We are the Processor and process such Personal Data only on your behalf. Where you are yourself a processor acting on behalf of a third-party controller, we act as sub-processor and you warrant that you have the necessary authority and mandate to engage us on the terms of this DPA.
Our Own Processing
Our processing of account, billing, identification, and similar data that we collect and determine the means and purposes of as a controller in our own right (for example to operate our business, bill you, prevent fraud, and comply with law) is not governed by this DPA but by our Privacy Policy.
Customer Responsibility
You are responsible for the lawfulness of the Personal Data you process through the Services and of your instructions to us, including having a valid legal basis, providing required information to data subjects, and complying with your own obligations under Data Protection Law. We do not control and are not responsible for what Personal Data you choose to store, transmit, or process on our infrastructure.
Processing on Documented Instructions
Documented Instructions
We process Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by EU, Member State, or other applicable law to which we are subject; in such a case, we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Scope of Instructions
The Agreement, this DPA (including its Annexes), your use and configuration of the Services through the control panel and APIs, and any further written instructions agreed between the parties, together constitute your complete and final documented instructions to us for the processing of Personal Data. Additional or alternative instructions must be agreed in writing and may be subject to additional fees.
Unlawful Instructions
We will inform you without undue delay if, in our opinion, an instruction infringes Data Protection Law, without obligation to actively monitor or seek out such infringements. We may suspend the execution of an instruction that we reasonably believe to be unlawful until it is confirmed, withdrawn, or amended.
Details of the Processing
In accordance with Art. 28(3) GDPR, the subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of data subjects are described in Annex A (Details of the Processing).
Confidentiality
We ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who need access to perform our obligations under the Agreement, and such personnel are bound by confidentiality obligations and receive appropriate data-protection awareness training.
Security of Processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. A description of these measures is set out in Annex B (Technical and Organisational Measures).
We may update our technical and organisational measures from time to time, provided that such updates do not result in a material reduction of the overall level of security of the Services.
Sub-Processors
General Authorisation
You provide general written authorisation for us to engage Sub-Processors to process Personal Data, subject to the conditions in this Section. A current list of Sub-Processors is set out in Annex C and is updated as engagements change.
Obligations Flow-Down
Where we engage a Sub-Processor, we impose, by way of a written contract, data-protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. We remain fully liable to you for the performance of each Sub-Processor's obligations.
Changes and Objection
We will inform you of any intended addition or replacement of a Sub-Processor with reasonable prior notice (via email or the client portal), thereby giving you the opportunity to object on reasonable, documented data-protection grounds before the Sub-Processor begins processing. If you raise a legitimate objection that we cannot reasonably accommodate, you may, as your sole and exclusive remedy, terminate the affected Service.
Infrastructure
We operate our own software stack on our own and leased hardware located in the Netherlands and the United Kingdom. Data-centre facility providers act as physical colocation providers only and do not have logical access to the content of Customer Data. We do not transfer Customer Data to third-party public-cloud providers for the operation of our core Services.
International Data Transfers
We process Personal Data within the European Economic Area (EEA) and the United Kingdom. We will not transfer Personal Data to a country outside the EEA or the UK unless one of the conditions below is met:
- the European Commission (or, for UK transfers, the relevant UK authority) has adopted an adequacy decision for the recipient country; or
- appropriate safeguards under Art. 46 GDPR are in place, in particular the EU Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Addendum (IDTA), supplemented by additional technical and organisational measures where required; or
- another lawful transfer mechanism under Data Protection Law applies.
Where we rely on the SCCs, they are incorporated into this DPA by reference and completed with the information set out in the Annexes. For transfers between the EEA and the UK, the European Commission's adequacy decision for the UK applies.
Assistance to the Controller
Data Subject Requests
Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to requests for the exercise of data-subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts us directly in respect of Customer Data, we will, where lawful, refer them to you and not respond on your behalf without your instruction.
Security, Breaches, and Impact Assessments
Taking into account the nature of the processing and the information available to us, we assist you in ensuring compliance with your obligations under Art. 32 to 36 GDPR, including the security of processing, notification of Personal Data Breaches to the supervisory authority and affected data subjects, data protection impact assessments, and prior consultation with the supervisory authority.
Reasonable Costs
Assistance that goes materially beyond the standard functionality of the Services and the measures described in this DPA may be subject to reasonable charges, which we will communicate to you in advance where practicable.
Personal Data Breach Notification
We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. The notification will, to the extent available to us, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. We will cooperate with you and take reasonable steps to mitigate the effects and to minimise any damage resulting from the breach. Our notification is not, and shall not be construed as, an acknowledgement of fault or liability.
Return and Deletion of Personal Data
At your choice, we will delete or return all Personal Data to you after the end of the provision of the Services relating to the processing, and delete existing copies, unless EU or Member State law requires storage of the Personal Data.
Following termination or expiry of the relevant Service, and after any applicable grace period set out in the Agreement, Personal Data associated with the terminated Service may be deleted or rendered inaccessible in the ordinary course of operation. You are solely responsible for exporting Customer Data before the end of the applicable period. Residual copies present in routine backups are deleted in accordance with our standard backup-rotation cycle.
Audits and Demonstration of Compliance
Information
We make available to you all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA.
Audits
We allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. To the extent permitted by Data Protection Law, we may satisfy audit requests by providing relevant documentation, certifications, or summaries of measures, before any on-site inspection is required.
Conduct of Audits
On-site audits must be requested with reasonable prior written notice, conducted during normal business hours, no more than once per calendar year (save where required by a supervisory authority or following a Personal Data Breach), in a manner that does not unreasonably disrupt our operations or compromise the security or confidentiality of other customers' data, and subject to confidentiality obligations. You bear your own costs and any reasonable costs we incur in supporting an on-site audit.
Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with the Agreement and this DPA together. Nothing in this DPA limits any liability that cannot be limited or excluded under Data Protection Law.
Term, Order of Precedence and Changes
Term
This DPA takes effect on the effective date of the Agreement and remains in force for as long as we process Personal Data on your behalf, after which the provisions that by their nature should survive (in particular those relating to confidentiality, return and deletion, and liability) continue to apply.
Order of Precedence
In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
Changes
We may update this DPA where necessary to reflect changes in Data Protection Law, guidance from supervisory authorities, or changes to the Services, provided that such updates do not materially reduce the protections afforded to data subjects. Material changes will be notified in accordance with the modifications clause of the Agreement.
Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands, and the parties submit to the jurisdiction set out in the Agreement, save where mandatory Data Protection Law or the SCCs provide otherwise.
Annex A — Details of the Processing
Subject matter and duration
Subject matter
Processing of Personal Data contained in Customer Data as necessary for the provision of the Services (KVM Cloud VPS, cPanel Hosting, and related infrastructure and network services) under the Agreement.
Duration
For the duration of the Agreement and until the return or deletion of Customer Data in accordance with Section 12.
Nature and purpose
Nature of processing
Hosting, storage, transmission, organisation, structuring, retrieval, consultation, use, backup, erasure, and other operations necessary to operate the Services and the infrastructure on which Customer Data resides.
Purpose
To provide, maintain, secure, and support the Services selected and configured by you, and to perform the Agreement.
Categories of data subjects
Data subjects
Data subjects are determined and controlled by you. They may include your customers, employees, contractors, suppliers, end-users, website visitors, and any other individuals whose Personal Data you choose to process through the Services.
Types of Personal Data
Types of data
The types of Personal Data are determined and controlled by you and may include any Personal Data you store, transmit, or process through the Services — for example identification and contact data, account credentials, content of communications, transactional data, log and usage data, and any other categories you choose to upload. You are responsible for ensuring that any processing of special categories of data (Art. 9 GDPR) or criminal-offence data (Art. 10 GDPR) is lawful and accompanied by appropriate safeguards.
Annex B — Technical and Organisational Measures
Taking into account the state of the art and the risk to data subjects, we implement and maintain technical and organisational measures appropriate to the risk pursuant to Art. 32 GDPR. These measures include, as appropriate:
- encryption of Personal Data in transit (e.g. TLS) and, where relevant, at rest;
- strict access controls, role-based permissions, the principle of least privilege, and multi-factor authentication for administrative access;
- network segmentation, firewalls, and intrusion-detection measures;
- logging, monitoring, and regular review of administrative activity;
- physical security at our data-centre facilities, including access controls and environmental protections;
- secure development, change-management, and patching practices;
- regular backups and tested recovery procedures for our own systems;
- measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- procedures for regularly testing, assessing, and evaluating the effectiveness of these measures;
- confidentiality obligations and data-protection awareness for all personnel with access to Personal Data.
A more detailed description of our security practices is set out in our Privacy Policy and is available on request.
Annex C — Approved Sub-Processors
We operate our own software stack on our own and leased hardware located in the Netherlands and the United Kingdom, and we send operational and transactional email from our own self-hosted mail servers. We do not currently engage third-party Sub-Processors that have logical access to the content of Customer Data for the provision of our core hosting Services.
Data-centre facility providers in the Netherlands and the United Kingdom provide physical colocation and connectivity only and do not have logical access to Customer Data. Payment service providers used to process your billing data (for example for card, Klarna, or cryptocurrency payments) act as independent controllers in their own right and are described in our Privacy Policy; they are not Sub-Processors under this DPA.
Where we engage a Sub-Processor with access to Customer Data in the future, we will update this Annex and notify you in accordance with Section 8 before that Sub-Processor begins processing.