Data Processing Agreement (DPA)

This page is the operative Data Processing Agreement for HostStack services. By using HostStack's hosting services as a business, you agree to the terms below, which govern how HostStack processes personal data on your behalf. For individual/consumer users, see our Privacy Policy and GDPR Statement.

1. Parties & Context

Party	Details
Data Controller ("you")	The legal entity or individual that has entered into a Service Agreement with HostStack and determines the purposes and means of processing personal data.
Data Processor ("HostStack")	HostStack, operating from Bramapur Nath Para, Kolkata 700084, West Bengal, India. Email: [email protected]

This Data Processing Agreement ("DPA") supplements and forms part of HostStack's Terms of Service. In the event of any conflict, this DPA prevails with respect to data protection matters.

2. Scope of Processing

Item	Detail
Subject matter	Provision of web hosting, email hosting, VPS, and related services
Duration	For the term of the Service Agreement, plus 90 days for data return/deletion
Nature of processing	Storage, transmission, backup, and retrieval of data on hosted infrastructure
Purpose	To deliver the hosting services subscribed to by the Controller
Data types	Any personal data the Controller stores on HostStack's servers (e.g., website visitor data, customer databases, email correspondence)
Data subjects	The Controller's end-users, customers, employees, or any individuals whose data is stored on HostStack infrastructure

3. HostStack's Obligations as Processor

HostStack shall:

Process personal data only on documented instructions from the Controller (i.e., to deliver the hosting service), unless required by applicable law.
Ensure that all personnel authorised to process personal data have committed to confidentiality obligations.
Implement appropriate technical and organisational measures (TOMs) — see Section 6.
Not engage any sub-processor without the Controller's general written authorisation — our current sub-processors are listed in Section 7.
Assist the Controller in fulfilling data subject rights requests (access, erasure, portability, etc.) where technically feasible.
Notify the Controller of any personal data breach without undue delay and within 72 hours of becoming aware.
At the Controller's option, delete or return all personal data upon termination of services.
Provide all information necessary to demonstrate compliance with this DPA and allow for audits.

4. Controller's Obligations

The Controller shall:

Ensure they have a valid legal basis for processing personal data under GDPR and have provided required notices to data subjects.
Provide HostStack with documented instructions where required.
Not store data that violates applicable law or HostStack's Acceptable Use Policy.
Be responsible for the security of data on their applications (e.g., application-level passwords, CMS security).

5. International Data Transfers

HostStack's primary data centre is in India, which the European Commission has not recognised as providing an adequate level of data protection. To ensure your data is lawfully transferred and processed, we rely on:

EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor). These are incorporated into this DPA by reference.
UK International Data Transfer Addendum (IDTA) — For UK-based Controllers, the ICO's IDTA is incorporated.

By signing or accepting this DPA, the Controller and HostStack agree to be bound by the SCCs/IDTA as set out above. HostStack completes Annex I (description of processing) and Annex II (technical/organisational measures) as detailed in Sections 2 and 6 of this DPA.

6. Technical & Organisational Measures (TOMs)

HostStack implements the following measures to protect personal data:

Area	Measures
Encryption in transit	TLS 1.2+ for all connections; free SSL certificates on all hosted domains
Encryption at rest	AES-256 encryption on storage volumes
Access control	Principle of least privilege; MFA on all admin systems; role-based access
Backup	Daily automated backups; 30-day retention; off-site copies
Network security	DDoS protection (Imunify360), firewall, intrusion detection
Physical security	Data centre physical access controls; 24/7 CCTV; biometric entry
Incident response	72-hour breach notification; incident response plan; post-incident review
Staff training	Regular data protection training for all staff with access to personal data

7. Authorised Sub-Processors

The Controller provides general authorisation for HostStack to engage the following sub-processors. HostStack will notify the Controller of any changes (additions or replacements) with 14 days' notice, giving the Controller opportunity to object.

Sub-processor	Purpose	Location	Safeguard
Razorpay	Payment processing	India	Indian law applicable
Stripe	International payments	USA	SCCs + DPA
PayPal	International payments	USA	SCCs + DPA
Cloudflare	DDoS / CDN	USA	SCCs + DPA
Google LLC	Analytics (opt-in)	USA	SCCs + DPA
Tawk.to	Live chat	USA	GDPR DPA
WHMCS	Billing system	India	Indian law applicable

8. Data Breach Notification

In the event that HostStack becomes aware of a confirmed personal data breach affecting Controller's data, HostStack will:

Notify the Controller within 72 hours of becoming aware of the breach.
Provide: nature of the breach; approximate number of data subjects and records; categories of data; likely consequences; measures taken or proposed.
Cooperate fully with the Controller's incident response activities.

For urgent security matters: [email protected] (Subject: "Security Incident")

9. Data Return & Deletion

Upon termination or expiry of the service agreement, HostStack will, at the Controller's written request:

Return: Provide a full backup of all hosted data in a standard format (cPanel backup file) within 14 days.
Delete: Securely delete all personal data from HostStack's systems within 30 days, and provide written confirmation of deletion.

Note: Billing records are retained for 7 years as required by Indian tax law. Anonymised usage statistics may be retained indefinitely.

10. Governing Law & Disputes

This DPA is governed by the laws of India (primarily IT Act 2000, IT Rules 2011, and DPDP Act 2023). However, where the processing involves EU/EEA personal data, the Standard Contractual Clauses referred to in Section 5 are also binding and take precedence over Indian law to the extent required by GDPR.

Disputes arising from this DPA shall first be attempted to be resolved by good-faith negotiation between the parties. If unresolved within 30 days, disputes shall be submitted to binding arbitration under the Arbitration and Conciliation Act 1996 of India.

Get Your Signed DPA

Email us with your company name, registration number, and HostStack account email. We'll issue a signed DPA within 3 business days.

✉ Request DPA via Email

Response within 3 business days · Free for all business customers

Data Processing Agreement

📩 Request Your DPA