DATA PROCESSING AGREEMENT

This Data Processing Agreement (this “DPA”) is entered between PremiumSide Sdn. Bhd. (“PremiumSide Hosting”, “PremiumSide”, “we”) and Customer (“Customer”, “you”), together referred as “The Parties”. This agreement (“DPA”) is part of the Terms of Service, Privacy Policy and other relevant policies available here. Customer agreeing to these terms enters in this DPA on their own behalf to the extent required under applicable Data Protection Regulations and Laws and to the extent PremiumSide Hosting processes Customer Data as instructed by the Controller (as defined in the Section 1). 

In the course of providing the Services to the Customer PremiumSide Hosting may Process Customer Data on behalf of the Customer. The Parties agree to comply with the following provisions with respect to any Customer Data, each acting reasonably and in good faith. 

1. DEFINITIONS

Unless otherwise defined in this DPA, all capitalized terms have the meanings outlined below:

“Agreement” means the Terms of Service and other relevant policies announced on our website, together with your Order for the purchase of Services and the Order confirmation sent by PremiumSide Hosting. 

“Order” means any Customer’s order for purchase of the respective services.

“Site” means the PremiumSide Hosting website and all services we offer through our website.

“Services” means any hosting services we offer and the Customer has purchased that could involve processing of Personal Data by PremiumSide Hosting.

“Partner” means any entity that directly or indirectly controls, is controlled by, or is under common control with the PremiumSide Hosting subject entity. “Control,” for the purpose of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Additional Products” means any features, products, software, programs, addons, plugins, scripts, tools or any other third-party software or content that are not part of the Services but that may be accessible via the PremiumSide Hosting User Area or the Control Panel, installed by the Customer or otherwise for the usage of the Services.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of customer data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Controller” means the natural person or the legal entity which, alone or jointly with others, determines the purposes and means of the processing of customer data;

“Customer Data” means any “Personal Data” that is provided to PremiumSide Hosting by, or on behalf of the Customer through their use of the Services and that is stored in the Customer’s account (for avoidance of doubt Personal Data part of the Customer’s order for purchase of the respective service shall not be treated as Customer Data). Customer Data may include, but is not limited to, customer data within the meaning set in the GDPR.

“Personal Data” has the meaning as given in Article 4 of GDPR. 

“Data Protection Regulations and Laws” means all regulations and laws, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Customer Data under this DPA.

“Data Subject” means the identified or identifiable person to whom the Customer Data relates.

“Effective date” means, as applicable:

  1. 25th May 2018, if the Customer has executed Order(s) and accepted the Agreements or the Parties have otherwise agreed to this DPA in respect of the applicable Agreement prior to or on such date; or
  2. the date on which the Customer clicked to accept the Agreement or the Parties otherwise agreed to this DPA in respect of the applicable Agreement, if such date is after 25th May 2018.

“Processing” has the meaning as given in Article 4 of GDPR.

“Processor” means the entity which processes Customer Data on behalf of the Controller.

“PremiumSide” means the PremiumSide entity which is a party to this DPA, as specified in the section, a company registered in Malaysia (registration number 201701046663), with address: No. 82B, Jalan Awan Jawa, Taman Yarl, 58200, Kuala Lumpur, Malaysia.

“PremiumSide Group of Companies” means PremiumSide and its related parties engaged in the Processing of Customer Data:

  • PremiumSide Sdn. Bhd.. registered and existing under the laws of Malaysia, with address: No. 82B, Jalan Awan Jawa, Taman Yarl, 58200, Kuala Lumpur, Malaysia.
  • PremiumSide Hosting Sdn. Bhd. registered and existing under the laws of Malaysia, with address: No. 82B, Jalan Awan Jawa, Taman Yarl, 58200, Kuala Lumpur, Malaysia.

“Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of Customer Data, as described in Article 46, p.2, c) of the GDPR, Appendix 1 to this DPA.

“Sub-processor” means any Processor engaged by PremiumSide Hosting or a member of the PremiumSide Hosting Group.

“Supervisory Authority” means an independent public authority, which is established in United Kingdom within the territory of the EU Member State pursuant to the GDPR.  

“Term” means the period from the Effective Date until the end of PremiumSide Hosting’s provisioning of the Services under the applicable Agreement, including, if applicable, any period during which  the Services may have been suspended and any post-termination period (namely 60 calendar days) during which PremiumSide Hosting may continue providing Services for transitional purposes.

“Data Protection Losses” means all liabilities, including: 

  1. costs (including legal costs);
  2. claims, demands, actions, settlements, charges, procedures, expenses, losses and damages (whether material or non-material, and including for emotional distress);
  3. o the extent permitted by Applicable Law:
    1. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Data Protection Supervisory Authority or any other relevant Regulatory Authority;
    2. compensation to a Data Subject ordered by a Data Protection Supervisory Authority;
    3. he reasonable costs of compliance with investigations by a Data Protection Supervisory Authority or any other relevant Regulatory Authority; and
  4. the costs of loading Customer Data and replacement of Customer materials and equipment, to the extent that the same are lost or damaged, and any loss or corruption of Customer Data including the cost of rectification or restoration of Customer Data;

“Notification Email Address” means the email address specified by the Customer in the My Detail section in the User Area to receive certain notifications from PremiumSide Hosting.

2. DATA PROCESSING

2.1. Scope

This DPA applies where and only to the extent that PremiumSide Hosting processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom (referred herein as “Customer Data”).

If the Customer agreeing to this DPA is already a Customer, this DPA forms part of the Agreement, Privacy Policy and other relevant policies and documents announced on our website. In such case, the PremiumSide Hosting entity shall be considered as a party to this DPA.

This DPA is effective only for the Customer account it was agreed for. If the Customer owns multiple accounts, a DPA will be contracted for each individual account separately.

This DPA shall be valid and legally binding only for the physical/legal entity stated in the account in the User Area and only for the Services purchased directly from PremiumSide Hosting within the respective account. 

If the Customer entity agreeing to this DPA is neither a party to an Order nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.

This DPA including its appendixes except the clauses in the Privacy Policy will be effective and replace any terms previously applicable to privacy, data processing and/or data security.

2.2. Compliance with Laws.

If European Union Data Protection Laws apply to this DPA, each party will comply with  the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Data.

2.3. Subject Matter and Details of the Data Processing

2.3.1 Subject Matter. PremiumSide Hosting will process Customer Data as necessary for the provisioning of the Services, related technical support and other inquiries pursuant to the Agreement and as further instructed by Customer in its use of the Services.

2.3.2. Duration of processing. Subject to Section 11, the duration of data processing shall be the Term designated under the Order and the applicable Agreement. 

2.3.3. Nature and Purpose of the Processing. PremiumSide Hosting will process Customer Data for the purposes of providing the Services and related technical support to the Customer in accordance with the Agreement, this DPA and other relevant policies.

2.3.4. Categories of Data Subjects. Customer may submit Customer Data in the course of its use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of the Customer (who are natural persons and legal entities);
  • Employees or contact persons of the Customer’s prospects, customers, business partners and vendors;
  • Employees, agents, advisors, freelancers of the Customer (who are natural persons);
  • Customer’s Users authorized by the Customer to use the Services;
  • Individuals who transmit data via the Services, including individuals collaborating and communicating with the Customer or Customer’s end users;
  • Individuals whose data is provided to PremiumSide Hosting via the Services by or at the direction of the Customer or by the Customer’s end users.

2.3.5. Categories of Personal Data. Customer may submit Customer Data in the course of its use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Personal Data:

  • Name
  • Address
  • Email address
  • Any personal data relating to individuals

2.4. Roles of the Parties

The parties acknowledge and agree that:

  1. PremiumSide Hosting is a processor of the Customer Data under the European Data Protection Legislation;
  2. Customer is a controller or processor, as applicable, of the Customer Data under the European Data Protection Legislation; and has obtained all consents and rights necessary under Data Protection Laws for PremiumSide Hosting to process Customer Data and provide the Services pursuant to the Agreement and this DPA.

2.5. Instructions for Data Processing.

PremiumSide Hosting shall process Customer Data in accordance with this DPA, which is the Customer’s complete and final instructions to PremiumSide Hosting in relation to processing of Customer Data. Processing outside the scope of this DPA (if any) shall require prior written agreement between PremiumSide Hosting and Customer on additional instructions for processing. By entering into this DPA, Customer instructs PremiumSide Hosting to process Customer data only in accordance with applicable law:

  1. to provide the Services and related technical and other support;
  2. as initiated by the Customer and end users in their usage of the Services;
  3. as specified in the Agreement, Terms of Service, Privacy Policy and other relevant policies governing the provision of the Services and related technical and other support.

2.6. Access or Use.

PremiumSide Hosting shall not access or use Customer Data, except as necessary to provide the Services and related technical support to the Customer in accordance with the DPA, the Agreement and other relevant policies.

2.6.1. Customer’s Processing. The Customer shall, in their use of the Services, Process their Data in accordance with the requirements of Data Protection Laws and Regulations applicable to it. The Customer shall have sole responsibility for the accuracy, quality, and legality of their Data and the means by which the Customer acquired this Data.

2.6.2. PremiumSide Hosting’s Processing of Customer Data. PremiumSide Hosting shall only Process Customer Data on behalf of and in accordance with the Customer’s documented instructions for the following purposes: 

  1. Processing to provide the Services and related technical support in accordance with this DPA and applicable Order(s);
  2. Processing initiated by Users in their usage of the Services;
  3. Processing necessary to maintain and improve the Services.

2.6.3. PremiumSide Hosting’s Compliance with Instructions. As from the Effective Date PremiumSide Hosting shall comply with the described instructions above in the Section Customer’s Instructions, including with regard t o data transfers, unless EU or EU Member State law to which PremiumSide Hosting is subject requires other processing of Customer Data by PremiumSide Hosting, in which case PremiumSide Hosting shall inform the Customer (unless that law prohibits PremiumSide Hosting from doing so on important grounds of public interest) via the Site or the Notification Email Address.

Customer Data may be accessed and processed by PremiumSide Hosting, Authorized Users and Sub-processors to fulfill the obligations under this DPA and the respective Agreement or to provide certain services on behalf of PremiumSide Hosting. Such processing will comply with the measures outlined in Sections 3, Section 7 and Annex 2 Security Measures.

2.7. Rights of the Data Subjects.

2.7.1. Access, Rectification, Restricted Processing, Portability. During the applicable Term, PremiumSide Hosting shall, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via deletion of all or some of the Customer Data under their account or deletion of the whole account as described in Section 2.6. (Return and Deletion of customer data), and via export of Customer Data.

2.7.2.   Data Subject Requests.

2.7.2.1. Customer’s Responsibility for Requests. If during the applicable Term, PremiumSide Hosting receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), PremiumSide Hosting shall advise the Data Subject to submit his/her request to the Customer, and the Customer shall be responsible for responding to any such request including, where necessary, by using the functionality of the Services. PremiumSide Hosting shall, to the extent legally permitted, take commercially reasonable steps to notify the Customer about such requests.

2.7.2.2. PremiumSide Hosting Data Subject Request Assistance. Taking into account the nature of the Processing, Customer agrees that PremiumSide Hosting shall provide appropriate technical and organizational assistance, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:

  1. providing documentation resources in the form of tutorials and knowledge base articles, functionality and/or controls in the Control Panel that Customer may elect to use to properly configure the Services and use the Services in secure manner.
  2. providing features, functionalities and/or controls in the Control Panel that Customer may elect to use to retrieve, correct or delete the Customer Data from the Services.
  3. complying with the commitments set out in this DPA.
  4. To the extent Customer, in their use of the Services, does not have the ability to address a Data Subject Request, PremiumSide Hosting shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent PremiumSide Hosting is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from PremiumSide Hosting’s provisioning of such assistance.

The Customer shall cover PremiumSide Hosting’s reasonable costs of providing assistance in section 2.7.2.2.

2.8. Return and Deletion of customer data.

PremiumSide Hosting shall enable Customer to delete Customer Data during the applicable Term in a manner consistent with the functionality of the Services and the features as per the respective Order. If the Customer uses the Services to retrieve or delete Customer Data and the Customer Data cannot be recovered, this shall constitute an instruction to PremiumSide Hosting to delete the relevant Customer Data archived on backup systems in accordance with applicable law and within maximum period of 60 calendar days.  

Deactivation of the Services or expiry of the applicable Term shall constitute an instruction to PremiumSide Hosting to delete the Customer Data and the relevant Customer Data archived on backup systems within maximum period of 60 calendar days. 

Nothing in this Section 2.8 varies or modifies any obligation of PremiumSide Hosting to retain some or all Customer Data as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or a court order). 

2.9. Disclosure. 

PremiumSide Hosting shall not disclose Customer Data to any government, law enforcement agencies and other authorities, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or a court order).  

2.10. PremiumSide Hosting’s Personnel. 

PremiumSide Hosting restricts its personnel from processing Customer Data without authorisation by PremiumSide Hosting. Access to Customer Data is limited to those personnel performing a role and responsibilities in accordance with the Agreement.

PremiumSide Hosting imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security. PremiumSide Hosting ensures that these confidentiality obligations survive the termination of the personnel engagement.

2.11. Data Protection Officer.

Member/s of the PremiumSide Hosting Group have appointed a Data Protection Officer for the purposes of this DPA and Privacy Policy, who be reached at [email protected].

3. SUB-PROCESSORS

3.1. Consent to Sub-processor Engagement/Appointment of Sub-processors

The Customer acknowledges and agrees that: 

  1. PremiumSide Hosting Partners may be retained as Sub-processors; and 
  2. PremiumSide Hosting and PremiumSide Hosting Partners respectively may engage Sub-processors in connection with the provisioning of the Services. PremiumSide Hosting has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processors. If Customer has entered into Standard Contractual Clauses (Appendix 1) as described in Section 5 (Transfers of Data Out of the EEA), the above authorizations shall constitute Customer’s prior written consent to the subcontracting by SiteGround of the processing of Customer Data if such consent is required under the Standard Contractual Clauses.

3.2. Information about sub-processors/ Notification of new Sub-processors.

3.2.1. Sub-processors. PremiumSide Hosting will share information about you with Sub-processors such as the PremiumSide Hosting Group of companies who are engaged with provisioning of Services subject to your Agreement and who are based within the territory of the European Union and United States, Sub-processor/processors who are engaged with provisioning Services subject to your Agreement and who are based within the territory of the European Union and United States, Data Center service providers who are based within the territory of European Union, United States and Singapore. These Sub-processors shall process the provided data under instructions of PremiumSide Hosting and in compliance with our Privacy Policy and this DPA. We do not authorize Sub-processors to retain, share, store or use your personally identifiable information for any secondary purposes. 

3.2.2. Notification. When a new Third Party Sub-processor is engaged to process any Customer Data in connection with the provisioning of the applicable Services during the applicable Term of this DPA, PremiumSide Hosting shall inform the Customer of this engagement, including the category and location of the relevant sub-processor and the activities it shall perform, at least 10 calendar days before authorizing the new Third Party Sub-processor either by sending an email to the Notification Email Address or via the User Area.

3.3. Requirements for Sub-processor Engagement.

When engaging any Sub-processor, SiteGround shall:

  1. ensure via a written contract that:
    1. the Sub-processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Data Processing Amendment) and any Standard Contractual Clauses entered into or Alternative Transfer Solution adopted by PremiumSide Hosting as described in Section 5 (Transfers of Data Out of the EEA); and
    2. if the GDPR applies to the processing of Customer customer data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Data Processing Amendment, are imposed on the Sub-processor; and
  2. remain fully liable for all obligations subcontracted to it, and all acts and omissions of, the Sub-processor.

3.4. Objection Right for New sub-processors. 

3.4.1. Customer may object to any new Third Party Sub-processor by terminating the applicable Agreement immediately upon written notice to PremiumSide Hosting, on condition that Customer provides such notice within 10 calendar days of being informed of the engagement of the sub-processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.

3.4.2. PremiumSide Hosting shall refund Customer any prepaid fees covering the remainder of the term of such Order(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on the Customer.

4. IMPACT ASSESSMENTS, CONSULTATIONS, STORAGE

4.1. Impact Assessments and Consultations. 

Upon Customer’s request, PremiumSide Hosting shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Customer’s use of Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent that such information is available to PremiumSide Hosting. PremiumSide Hosting shall provide reasonable assistance to the Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under the GDPR.

5. TRANSFERS OUT OF THE EEA.

5.1. Data center and storage

PremiumSide Hosting stores and process Customer Data in Data Centers located inside and outside the European Union. Information about our Data Center locations is available on: https://www.premiumsidehosting.com/datacenters and PremiumSide Hosting reserves the right to update it from time to time.

The Customer may specify the Data center location where their Customer Data will be stored. The Customer agrees that PremiumSide Hosting may change the locations of the Data Centers and move Customer Data to another Data Center. PremiumSide Hosting shall inform the Customer at least 10 calendar days before moving Customer Data to a new Data Center either by sending an email to the Notification Email Address or via the User Area. If the change of the Data Center results in storing the Customer Data under a different jurisdiction, the Customer may object to such change by terminating the Agreement immediately and upon written notice to SiteGround, on condition that the Customer provides such notice within 10 calendar days of being informed of the change of the Data Center.

The Customer can move their account and Customer Data to another Data Center location at any time, provided that the functionality of the Services allows it and in exchange of additional fees. Once the Customer has made their choice and specified a Data Center location within the European Union, PremiumSide Hosting will not store Customer Data outside the borders of European Union except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or a court order).

5.2. Processing Locations

To the extend the Customer has specified a Data Center outside the European Economic Area and to the extend PremiumSide Hosting provides the Services and related technical and other support, the Customer agrees that PremiumSide Hosting may, subject to Section 5, access and process Customer Data in EEA, United States and any other countries where SiteGround and/or its Partners and Sub-processors have Data Centers, facilities or maintain data processing operations. If the  storage and/or processing of Customer Data involves processing of Customer Data outside of the EEA, and the European Data Protection Legislation applies, the Customer agrees that PremiumSide Hosting reasonably requires the Customer to enter into Model Contract Clauses in respect to such transfers in accordance with Section 5.2 and Appendix 1 and the Customer agrees to do so..

5.3. Transfer Mechanism

To the extent PremiumSide Hosting processes or transfers (directly or via onward transfer) Customer Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, the parties agree that:

  1. The Standard Contractual Clauses (Appendix 1) will apply to Customer Data that is transferred.
  2. SiteGround shall be deemed to provide appropriate safeguards to protect Customer Data by virtue of making available Standard Contractual Clauses (Appendix 1) as a transfer mechanism.
  3. The Customer hereby authorises any transfer or access to Customer Data from such destinations outside the European Economic Area subject to any of the measures above;

6. PROCESSING RECORDS.

The Customer acknowledges that PremiumSide Hosting is required under the GDPR to:

  1. Collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which PremiumSide Hosting is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and 
  2. make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer data, the Customer shall, where requested, provide such information to PremiumSide Hosting via the Site or other means provided by PremiumSide Hosting, and shall use the Site or such other means to ensure that all provided information is kept accurate and up-to-date.

7. SECURITY RESPONSIBILITIES OF PREMIUMSIDE HOSTING

7.1. Security Measures.

PremiumSide Hosting shall implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to provide encrypted transmission of customer data outside the Service environment; to help ensure ongoing confidentiality, integrity, availability and resilience of PremiumSide Hosting’s systems and services; to help restore timely access to Customer Data from an available backup copy, provided either by PremiumSide Hosting Backup Services or Customer’s own backup copy following an incident; and for regular testing of effectiveness. PremiumSide Hosting may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

7.2. Customer’s Security Responsibilities and Assessment.

The Customer agrees that, without prejudice to PremiumSide Hosting’s obligations under Section 7. (Security Responsibilities of PremiumSide Hosting) and other relevant Sections in this DPA: 

  1. The Customer is solely responsible for their use of the Services, including:
    1. making appropriate use of the Services to ensure a level of security suitable to the risk in respect of the Customer Data;
    2. securing the account authentication credentials, systems, and devices the Customer uses to access the Services; 
    3. ensuring that all programs, scripts, addons, plugins and other software installed on the account are secure and their utilization does not impose any security risk in respect to the Customer Data and the account itself;
    4. securing all installed programs, scripts, addons, plugins and other software, their configuration and their regular maintenance;
    5. any content of the account;  
    6. any actions and activity on the account; and
    7. backing up their Customer Data; and
  2. PremiumSide Hosting has no obligation to protect Customer Data that the Customer chooses to store or transfer outside of PremiumSide Hosting’s and its Sub – processors’ systems (for example, offline or on-premise storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent the Customer has opted to use them.
  3. The Customer is solely responsible for reviewing the documentation and evaluating whether the Services, the Security Measures, PremiumSide Hosting’s commitments under this Section and the following meet the Customer’s needs, including any security obligations of the Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
  4. The Customer acknowledges and agrees that (taking into account the costs of implementation and the nature, scope, context and purpose of processing of Customer data as well as the risks to individuals) the Security Measures implemented and maintained by PremiumSide Hosting as set out in Section 7.1. provide the needed level of security appropriate to the risk in respect to the Customer Data.
  5. It is the Customer’s responsibility to backup Customer Data and all data and consent stored within the account in order to prevent potential data loss.
    1. PremiumSide Hosting Backup Services are provided “as-is” and are subject to all limitations of liability set out in the applicable Agreement.
    2. Even if the Customer purchases Backup Services, they  agree that they will maintain their own set of backups independent of those that PremiumSide Hosting maintains and that PremiumSide Hosting’s only obligation is to restore the account space to its operating condition. In the event of an incident, hardware or software failure or any incidental data corruption or loss, SiteGround may provide assistance but it is the Customer’s sole obligation to restore the Customer Data.  
    3. In the event of partial or full data loss or corruption and in case that the Customer is not satisfied with the outcome of the restore by the PremiumSide Hosting Backup Services or PremiumSide Hosting’s backup copy is not recent or suitable for restore, it shall be the Customer’s obligation to restore Customer Data, their files and any data within the account from Customer’s own backup.

8. REVIEW AND AUDITS OF COMPLIANCE

If the European Data Protection Legislation applies to the processing of Customer Data:

  1. The Customer has the right to verify PremiumSide Hosting’s compliance with its obligations under this DPA, by conducting a review of documentation or an audit, including inspections, conducted by the Customer or an independent auditor appointed by the Customer, by making a specific request to PremiumSide Hosting in a written form to the address set in the respective Terms of Service. 
  2. PremiumSide Hosting shall further provide written responses to all reasonable requests by the Customer and may charge a fee for any review or audit. PremiumSide Hosting will provide details of any applicable fee in advance of any such audit and the Customer will be responsible for any fees charged by any auditor and any fees associated with executing an audit. The reports of any such audit will be made available to PremiumSide Hosting without restrictions of the purposes for its further usage by PremiumSide Hosting.
  3. PremiumSide Hosting may object and decline in writing to the Customer or an auditor appointed by the Customer to conduct any audit if the Customer or the auditor is, in PremiumSide Hosting’s reasonable opinion, not suitably qualified or independent, a competitor of PremiumSide Hosting, or otherwise manifestly unsuitable.
  4. If SiteGround declines to follow any instruction requested by the Customer or an auditor regarding a properly requested and scoped audit or inspection, the Customer is entitled to terminate this DPA and the Terms of Service.

Nothing in this Section 8 (Review and Audits of Compliance) varies or modifies any rights or obligations of Customer or PremiumSide Hosting under any Model Contract Clauses entered into as described in Sections 5 (Transfers of Data Out of EEA).

9. SECURITY BREACH NOTIFICATION

9.1. PremiumSide Hosting maintains security incident management policies and procedures and shall notify the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Customer data transmitted, stored or otherwise Processed by PremiumSide Hosting or its Sub-processors of which SiteGround becomes aware (a “Customer Data Incident”). PremiumSide Hosting shall make reasonable efforts to identify the cause of such Customer Data Incident and take the steps as PremiumSide Hosting deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within PremiumSide Hosting’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Customer, Customer’s usage of the Services, Customer’s actions or activities or Customer’s Users.

9.2. Notifications made pursuant to this section shall describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps PremiumSide Hosting recommends the Customer takes to address the Data Incident. 

9.3. Notification(s) of any Data Incident(s) shall be delivered to the Notification Email Address or, at PremiumSide Hosting’s discretion, by direct communication (for example, by phone call). The Customer is solely responsible for ensuring that the Notification Email Address and contact information is current and valid.

9.4. PremiumSide Hosting shall not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to the Customer and fulfilling any third party notification obligations related to any Data Incident(s).

9.5. PremiumSide Hosting’s notification of or response to a Data Incident under this Section 10 shall not be construed as an acknowledgement by PremiumSide Hosting of any fault or liability with respect to the Data Incident.

10. LIABILITY AND INDEMNITY

10.1. The Customer shall indemnify and keep indemnified PremiumSide Hosting with respect to all data protection breaches and losses suffered or incurred by, arising from or in connection with:

  1. any non-compliance by the Customer with data protection laws and regulations;
  2. any breach by the Customer of its data protection obligations under this Agreement; 

10.2. PremiumSide Hosting shall be liable for data protection breaches and losses caused by processing of Customer Data only to the extent directly resulting from PremiumSide Hosting’s failure to comply with its obligations as Data Processor under Data Protections laws and Regulations.

11. TERMINATION

This DPA will take effect from the Effective Date until the end of PremiumSide Hosting’s provisioning of the Services under the applicable Agreement, including, if applicable, any period during which the Services may have been suspended and any post-termination period (namely 60 calendar days) during which PremiumSide Hosting may continue providing Services for transitional purposes (“Term”). The DPA will automatically expire upon deletion of all Customer Data by PremiumSide Hosting.

12. LEGAL EFFECT

To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the applicable Agreement related to the Processing of Customer Data, the terms of this DPA shall govern. Subject to the amendments if any in this DPA, such Agreement remains in full force and effect. For clarity, if the Customer has entered more than one Agreement, this DPA shall amend each of the Agreements separately.