Data Processing Agreement — GDPR Article 28
This is a courtesy translation. The French version is the legally binding document.
This addendum (the "DPA") governs the processing of personal data by Hostynet, as data processor, on behalf of the Client, as data controller, under Regulation (EU) 2016/679 (GDPR), Article 28.
This DPA applies to personal data that the Client hosts, processes or transmits through VPS Services provided by Hostynet.
The Client, as identified in the order/contract.
Hostynet
Registered office: 2 rue Guillaume Apollinaire, Canto-Perdrix Licorne 1, 13500 Martigues, France
SIREN: 900 207 150 — SIRET: 900 207 150 00021 — VAT: FR36900207150
Contact: contact@hostynet.fr — DPO: rgpd@hostynet.fr
| Element | Description |
|---|---|
| Subject matter | Provision of VPS hosting service (infrastructure, network, storage, technical supervision). |
| Duration | During the contract, then deletion per Article 10 below, unless required by law. |
| Nature of operations | Hosting, storage, technical infrastructure access, maintenance, diagnostics, service continuity. |
| Purpose | Enable the Client to operate their services/applications and process data through the VPS. |
| Data subjects | Determined by the Client (e.g. end users, customers, employees, prospects). |
| Data categories | Determined by the Client, including identification data, account data, technical data, and any other hosted data. |
Hostynet processes personal data only on documented instructions from the Client. Instructions include normal use of the Services as described in the contract and documentation, as well as written requests (e.g. support ticket).
If Hostynet believes an instruction constitutes a violation of the GDPR, Hostynet will inform the Client promptly.
Hostynet ensures that persons authorized to process personal data are subject to appropriate confidentiality obligations and that access is limited to a strict need-to-know basis.
Standard service: Hostynet does not access VPS content or Client admin credentials.
Managed services / Premium Support: Hostynet may intervene only upon Client request and consent, via the ticket system or other written means. Required access must be provided as temporary credentials.
Hostynet implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
The Client authorizes Hostynet to use sub-processors strictly necessary for Service delivery. The up-to-date list is published in the Privacy Policy.
| Sub-processor | Role | Location |
|---|---|---|
| Orange Pro | Internet connectivity (fiber) | France / EU |
| Free Pro | Internet connectivity (fiber) | France / EU |
| Servperso Systems | IP provisioning / NoBGP tunnel | Belgium (EU) |
| OVHcloud | Domain name registration | EU |
| Revolut Business | Payment processing | EU |
Hostynet assists the Client, within reason, in responding to data subject rights requests (access, rectification, erasure, restriction, objection, portability) for data processed through the VPS.
In the event of a personal data breach, Hostynet notifies the Client promptly and provides available technical information to help the Client fulfill their obligations (GDPR Articles 33 and 34).
Where applicable, Hostynet may provide reasonably necessary information to help the Client conduct a Data Protection Impact Assessment (DPIA).
Upon termination, Hostynet deletes hosted data within 30 days, unless:
The Client remains responsible for backing up and recovering their data before the end of the contract.
The Client may request reasonable information demonstrating compliance with this DPA, within the limits of: (i) available information, (ii) Hostynet's security requirements, and (iii) no access to other clients' data.
VPS Services are primarily operated in France. Hostynet does not transfer data outside the EU without a GDPR-compliant legal basis. Listed sub-processors are located within the European Union.
For any questions regarding this DPA: rgpd@hostynet.fr.