All legal documentsDPA · LEGAL

Data Processing Addendum

When you process personal data of EU, UK, or Swiss residents through the Services, this addendum sets the terms between us as processor and you as controller.

Last updated April 15, 2026Version 2026.4

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR. "Customer Personal Data" means personal data you process on the Services. "Sub-processor" means a third party we engage to assist with the Services.

2. Roles & Scope

You are the controller of Customer Personal Data; we are the processor. This addendum applies to our processing of Customer Personal Data carried out on your behalf in connection with the Services. It supplements, and does not replace, the Terms of Service.

3. Customer Instructions

We process Customer Personal Data only on your documented instructions, which include the Terms, this addendum, and your use of the Services. If we believe an instruction violates applicable law, we will notify you and may suspend processing the affected data.

4. Sub-processors

You authorize us to engage sub-processors to provide the Services. The current list, including the function and location of each, is published at /legal/subprocessors. We notify customers at least 30 days before adding a sub-processor; you may object on reasonable grounds.

We require each sub-processor to commit to data-protection obligations no less protective than those in this addendum, and we remain liable for their performance.

5. Security Measures

We maintain technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access controls, audit logging, vendor management, and an incident response program. Our measures are audited annually under SOC 2 Type II and ISO 27001.

6. International Transfers

Where Customer Personal Data is transferred from the EU, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the Standard Contractual Clauses into this addendum. The applicable modules and any local addenda are stated in the SCC exhibit.

7. Data Subject Rights

We provide tools that enable you to respond to data-subject requests for access, correction, deletion, and portability. Where you require additional assistance, we'll provide reasonable cooperation taking into account the nature of the processing.

8. Personal Data Breaches

We notify you without undue delay — and in any event within 72 hours — after becoming aware of a Personal Data Breach affecting Customer Personal Data. Our notice will include the information necessary for you to meet your own notification obligations.

9. Audits

On request and no more than once per year, we make available our most recent SOC 2 Type II report and ISO 27001 certificate under NDA. For customers whose regulatory regime requires direct audit rights, we'll arrange a mutually agreeable scope, with reasonable advance notice.

10. Return or Deletion of Data

On termination of the Services, we delete Customer Personal Data within 30 days, except where retention is required by law. Earlier export or deletion is available on request from your account dashboard.

11. Term

This addendum takes effect on the day you first use the Services and remains in force for as long as we process Customer Personal Data on your behalf.

OTHER LEGAL DOCUMENTS
TOSUpdated April 15, 2026

Terms of Service

How RockSolidHost works, how billing works, and the limits on our liability.

Read in full
PRIVUpdated April 15, 2026

Privacy Policy

What we collect, how we use it, and the controls you have.

Read in full
AUPUpdated April 15, 2026

Acceptable Use Policy

What you can't host, what you can't do, and what happens if you cross either line.

Read in full