Data Processing Agreement

DPA between KivCloud (Processor) and client (Controller) per GDPR Art. 28.

Effective date: 01.04.2026

Last updated: 03.03.2026

When is a DPA needed? If you host a website or app on KivCloud that collects and processes personal data of your users (e.g. online shop, registration form, CRM), you are the Controller and KivCloud is the Processor. A DPA is required under GDPR Art. 28.

1. Subject Matter

KivCloud processes personal data on behalf of the client solely for the purposes of providing hosting services: file and database storage, website operation, email, technical support, and security.

2. Parties

  • Controller: KivCloud Client. Determines purposes and means of processing personal data of their users.
  • Processor: KivCloud. Provides hosting and processes data only on instruction from the Controller.

3. Data Categories

Typical categories of personal data that may be processed:

  • Contact details (name, email, phone) — if stored in client's database
  • IP addresses of visitors to the client's website (web server logs)
  • Content uploaded by users of the client's website
  • Account data (if the client's site has user registration)
  • Technical metadata (logs, cookies)

KivCloud does not process special categories of personal data (health, biometrics, etc.) within hosting services.

4. KivCloud Obligations (Processor)

KivCloud undertakes to:

  • Process data only per the client's documented instructions
  • Ensure confidentiality by all staff with data access
  • Implement technical and organisational security measures (Art. 32 GDPR)
  • Not transfer data to third parties without client's knowledge (except sub-processors)
  • Notify client of any data subject requests relating to hosting
  • Assist client in fulfilling GDPR obligations (Art. 28(3)(f))
  • Delete or return data upon contract termination

5. Client Obligations (Controller)

  • Have a lawful basis for collecting and processing users' personal data
  • Provide adequate privacy notices to data subjects
  • Apply GDPR principles by design in their website or app
  • Not store special categories of data without additional agreement
  • Respond independently to data subjects and supervisory authorities

6. Sub-processors

Current sub-processors:

  • EU Data Centres — physical data storage
  • Cloudflare, Inc. — DNS, DDoS protection, CDN
  • Stripe / PayPal — payment processing

KivCloud will notify clients at least 30 days in advance of any sub-processor changes.

All sub-processors have signed DPAs in compliance with GDPR.

7. Technical & Organisational Security Measures

  • Account isolation (CloudLinux CageFS)
  • Malware protection (Imunify360 — antivirus + WAF)
  • Connection encryption (SSL/TLS for all hosted sites)
  • Access control — authorised personnel only
  • Regular updates and security patches
  • Anomaly monitoring and intrusion detection
  • Encrypted backups (JetBackup)

8. Security Incident Notification

In the event of a personal data breach, KivCloud will:

  • Notify the client within 72 hours of becoming aware
  • Provide details on nature, consequences, and measures taken
  • Cooperate with the client to contain impact and document the incident

Notifications are sent to the registered account email address.

9. Audits & Verification

KivCloud provides all information necessary to demonstrate compliance with this DPA. Upon reasonable request, security documentation may be shared.

Audit requests: [email protected] — subject: DPA Audit Request.

10. Data Deletion & Return

  • KivCloud deletes account data within 30 days after contract expiry
  • Client may download data via cPanel before access expires
  • Deletion confirmation provided upon request

Backups may be retained for a period after account deletion due to technical rotation cycles.

11. Liability

KivCloud's liability is limited to its obligations as Processor under this DPA and GDPR.

The client, as Controller, bears full responsibility for the lawfulness of processing their users' data.

This DPA is governed by the law of the Republic of Poland.

Questions: [email protected] — subject: DPA.