Data Processing Addendum
Data Processing Agreement — GDPR Article 28
This is a courtesy translation. The French version is the legally binding document.
1. Purpose
This addendum (the "DPA") governs the processing of personal data by Hostynet, as data processor, on behalf of the Client, as data controller, under Regulation (EU) 2016/679 (GDPR), Article 28.
This DPA applies to personal data that the Client hosts, processes or transmits through VPS Services provided by Hostynet.
2. Parties
2.1 Data controller
The Client, as identified in the order/contract.
2.2 Data processor
Hostynet
Registered office: 2 rue Guillaume Apollinaire, Canto-Perdrix Licorne 1, 13500 Martigues, France
SIREN: 900 207 150 — SIRET: 900 207 150 00021 — VAT: FR36900207150
Contact: contact@hostynet.fr — DPO: rgpd@hostynet.fr
3. Description of processing
| Element | Description |
|---|---|
| Subject matter | Provision of VPS hosting service (infrastructure, network, storage, technical supervision). |
| Duration | During the contract, then deletion per Article 10 below, unless required by law. |
| Nature of operations | Hosting, storage, technical infrastructure access, maintenance, diagnostics, service continuity. |
| Purpose | Enable the Client to operate their services/applications and process data through the VPS. |
| Data subjects | Determined by the Client (e.g. end users, customers, employees, prospects). |
| Data categories | Determined by the Client, including identification data, account data, technical data, and any other hosted data. |
4. Documented instructions
Hostynet processes personal data only on documented instructions from the Client. Instructions include normal use of the Services as described in the contract and documentation, as well as written requests (e.g. support ticket).
If Hostynet believes an instruction constitutes a violation of the GDPR, Hostynet will inform the Client promptly.
5. Confidentiality
Hostynet ensures that persons authorized to process personal data are subject to appropriate confidentiality obligations and that access is limited to a strict need-to-know basis.
6. VPS access & managed services
Standard service: Hostynet does not access VPS content or Client admin credentials.
Managed services / Premium Support: Hostynet may intervene only upon Client request and consent, via the ticket system or other written means. Required access must be provided as temporary credentials.
7. Security (GDPR Article 32)
Hostynet implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- access control limited to authorized personnel,
- network and system security measures,
- monitoring and logging for security and diagnostics,
- maintenance and updates to maintain system security.
8. Sub-processors
The Client authorizes Hostynet to use sub-processors strictly necessary for Service delivery. The up-to-date list is published in the Privacy Policy.
| Sub-processor | Role | Location |
|---|---|---|
| Orange Pro | Internet connectivity (fiber) | France / EU |
| Free Pro | Internet connectivity (fiber) | France / EU |
| Servperso Systems | IP provisioning / NoBGP tunnel | Belgium (EU) |
| OVHcloud | Domain name registration | EU |
| Revolut Business | Payment processing | EU |
9. Client assistance
9.1 Data subject rights
Hostynet assists the Client, within reason, to respond to data subject rights requests (access, rectification, erasure, restriction, objection, portability) for data processed through the VPS.
9.2 Data breaches
In the event of a personal data breach, Hostynet notifies the Client promptly and provides available technical information to help the Client fulfill their obligations (GDPR Articles 33 and 34).
9.3 Impact assessments
Where applicable, Hostynet may provide reasonably necessary information to help the Client conduct a Data Protection Impact Assessment (DPIA).
10. Data fate at end of contract
Upon termination, Hostynet deletes hosted data within 30 days, unless:
- prior written restitution request from the Client,
- legal retention obligation applicable to certain data.
The Client remains responsible for backing up and recovering their data before the end of the contract.
11. Audits and information
The Client may request reasonable information demonstrating compliance with this DPA, within the limits of: (i) available information, (ii) Hostynet's security requirements, and (iii) no access to other clients' data.
12. Location & transfers
VPS Services are primarily operated in France. Hostynet does not transfer data outside the EU without a GDPR-compliant legal basis. Listed sub-processors are located within the European Union.
13. Contact
For any questions regarding this DPA: rgpd@hostynet.fr.