Winhost Data Processing Addendum

This Customer Data Processing Addendum (DPA) is part of the requirements of the European Data Protection Regulation (GDPR) and is an addendum to our Hosting Terms of Service (TOS) and Affiliate Program Agreement.

Definitions

Controller: Entity who determines the purpose and means of processing Personal Data.
Customer Data: Data that Winhost processes on behalf of Customer.
Personal Data: Data relating to an identified or identifiable natural person.
Processor: Entity that processes Personal Data on behalf of Customer.
Security Incidents: Unauthorized and/or unlawful breach of security leading to accidental and/or unlawful destruction, alteration, loss, unauthorized disclosure of or access to Personal Data.
Subprocessor: Processors used by Winhost to fulfill its obligations in providing the Service.

Scope

This DPA applies only to the extent that Winhost processes Personal Data on behalf of the Customer in the course of providing the Service and in the case such Personal Data is subject to Data Protection Laws of the European Union (EU).

In this DPA, the Customer is the Controller of Personal Data and Winhost will process Personal Data only as a Processor on behalf of Customer. Nothing in this DPA prevents Winhost from using any data that Winhost collects and processes independently of Customer's use of the Service.

As a Controller, Customer agrees that they will comply with its obligations under Data Protection Laws in respect to their processing of Personal Data and any processing instructions they issue to Winhost; and that they have obtained consents and rights necessary under Data Protection Laws for Winhost to process Personal Data and provide the Service.

As a Processor, Winhost will process Personal Data only for the following purposes:
- processing to perform the Service in accordance with the TOS; and
- to comply with other reasonable instructions provided by Customer.

Winhost handles Customer Data provided by Customer and the Customer Data may contain special categories of data depending on how the Service is used by Customer. The Customer Data may be subject to the following process activities:
- storage and other processing necessary to provide and improve the Service;
- to provide customer and technical support to Customer; and
- disclosures as required by law or otherwise set forth in the TOS.

Customer acknowledges that Winhost has the right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Service for its legitimate business purposes (e.g., billing, technical support, product development..etc.). For data that is considered personal data under Data Protection Laws, Winhost will process such data in compliance with Data Protection Laws.

Subprocessing

Customer agrees that Winhost may engage Subprocessors to process Personal Data on Customer's behalf. You may request a list of Subprocessors currently engaged by Winhost.

When engaging with a Subprocessor, Winhost will
- enter into a written agreement with the Subprocessor which imposes data protection terms that require the Subprocessor to protect Personal Data to the standards required by Data Protection Laws; and
- remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Winhost to breach any of its obligations under this DPA.

Winhost shall provide Customer reasonable advance notice via email if it adds or removes Subprocessors.

Customer may object to Winhost’s engagement with a new Subprocessor on reasonable grounds relating to data protection by notifying Winhost in writing within five (5) days of receipt of Winhost's notice. The notice should reasonably explain the grounds for the objection. The parties will discuss such concerns in good faith with the goal of achieving a reasonable resolution. If a resolution is not possible, either party may terminate the applicable Service related to the use of the Subprocessor.

Security

Winhost will implement and maintain appropriate security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data.

Winhost will ensure that any person who is authorized by Winhost to process Personal Data (e.g., Winhost staff, subcontractors) will be under an appropriate obligation of confidentiality.

In the event of a Security Incident, Winhost will notify Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known.

Customer acknowledges that the security measures evolve and that Winhost may update or modify the security measures from time to time.

International Transfers

Customer Data may be transferred and processed in the United States and anywhere in the world where Customer and/or its Subprocessors maintain data processing operations. Winhost will implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

Return and Deletion of Data

Customers have access to their uploaded files and databases and can download them. If Customer has any issues with downloading their content, they can contact our Technical Support for assistance. Upon deactivation of a Winhost Service, all Personal Data will be deleted, except for data which is required to be retained by applicable law, or Personal Data that is archived on backup systems (which are securely isolated and protected from further processing.

Cooperation

If Customer is unable to independently access the specific Personal Data within the Service in response to requests from individuals or data protection authorities, Winhost will (at Customer's expense) provide reasonable cooperation to assist Customer, if possible. In the event that any such request is made directly to Winhost, Winhost will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Winhost is required to respond to such a request, Winhost will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

To the extent Winhost is required under Data Protection Law, Winhost will (at Customer's expense) provide reasonably requested information regarding Winhost’s processing of Personal Data under the TOS to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

Miscellaneous

Except for the changes made by this DPA, the TOS remains unchanged and in full force and effect. If there is any conflict between this DPA and the TOS, the DPA will prevail to the extent of that conflict.

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the TOS, unless required otherwise by Data Protection Laws.

Last updated May 21st, 2018.