Data Processor Agreement

This DPA replaces any Agreements between SiteHost and the Customer and details the rights and obligations of each parties for data privacy under Applicable Laws. Updates to this DPA may be posted at any time at our sole discretion and to ensure future compliance; the current version may be found at https://sitehost.nz/pages/policies/data-processor-agreement

Definitions

Scope

This DPA applies where Customer Data is processed by SiteHost. Specific provisions in this DPA are applicable where SiteHost processes Customer Data where that data includes any Personal Data which is subject to Data Protection Laws of the European Union, The European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The Customer and SiteHost agree to comply with this DPA to comply with these laws.

Our Role

SiteHost provides hosting infrastructure and services which are made available to you as our Customer. As a digital infrastructure provider, the platforms provided to you are in your control and are highly flexible in enabling you to configure to your requirements, and in this capacity we act as your Data Processor and do not have any Proprietary Rights to any data that is accessed, maintained and/or transmitted by you or your End Users to or from SiteHost-managed infrastructure. Nothing in this DPA shall prevent SiteHost from using or sharing any data that SiteHost would otherwise collect and process independently of your use of our Services.

Customer Role

As a user of our services, you retain control of any data processed by SiteHost, so you are the Controller of any Personal Data. SiteHost shall only process this data on behalf of you, the Customer. The Customer agrees that as the Controller of any Personal Data, you will comply with any Data Protection Laws with respect to processing of that Personal Data and any instructions sent to SiteHost or SiteHost systems.

Our Obligations

As a Data Processor, we will only process data as permitted by the Agreement or your other instructions, or as necessary for our internal requirements related to the provision of Service. We will only process Personal Data as and when instructed by you and only to perform services in accordance with this Agreement, to ensure compliance with this agreement, or to comply with other lawful directions from you as the Customer which are consistent with this Agreement. No processing of Personal Data shall be made outside of this Agreement without a separate signed Agreement for that specific Processing.

Customer's Obligations

As the Data Controller, you acknowledge that you are at all times solely responsible for obtaining and maintaining Proprietary Rights for any and all Customer Data you instruct us to Process. You are solely responsible for how this data is accessed or used either directly or indirectly by you or any End Users you may have, including any intentional or un-intentional use or miss-use of your SiteHost service or account. You are reponsible for the usage of SiteHost services and ensuring your services are maintained and secured using appropriate steps to ensure all steps for protecting and backing up Customer Data. Any passwords, keys or other access logins provided to you by SiteHost are for your use only and should also be secured by you. You are responsible for any End Users of any service provided by SiteHost to you and are responsible for any steps to secure or restrict access by End Users to any Personal Data. You are responsible to ensure End Users comply with obligations under this agreement and shall be responsible to provide any support required to any End Users. SiteHost will in no way be responsible to provide support to End Users or provide advice to End Users under this agreement.

Personal Data

In the event that a Data Subject makes a direct request to SiteHost to disclose, process or retrieve any information relating to Personal Data for which you are the Controller and SiteHost is the processor, we will promptly notify you of this request, unless prohibited to do so by relevant law or lawful directions by law enforcement agencies. We will not independently take any actions in relation to a request from a Data Subject without your prior written authorisation and instructions. We will cooperate with your reasonable requests for access to Personal Data and any other information required to assist with responding to a lawful request by a Data Subject.

Subprocessing

The Customer agrees that SiteHost may use sub-processors to process Personal Data. SiteHost shall ensure that any and all sub-processors who process Personal Data shall conform to our obligations under this Agreement. You expressly grant us authorization for (i) SiteHost to appoint our Affiliates to provide processing or sub-processing services and (ii) SiteHost and our Affiliates to appoint Subprocessors, including without limitation, third party data center, development, production, maintenance marketing, financing and customer support providers in connection to any SiteHost Resource or SiteHost Service.

SiteHost will provide you with a copy of our Subprocessors which relates to your use of a SiteHost Resource or SiteHost Service upon request. If you have a reasonable objection to a Subprocessor which relates to your use of a SiteHost Resource or SiteHost Service, you shall notify SiteHost of your objection in writing and SiteHost shall respond within thirty (30) days of such request (each a "Subprocessor Request"). SiteHost, at SiteHost's sole and absolute discretion, shall determine if we are able to provide the applicable SiteHost Resource or SiteHost Service without the use of the applicable Subprocessor. If SiteHost is unable to reasonably satisfy your concerns within ninety (90) days of a Subprocessor Request, you may terminate your Account subject to any term obligations.

Your failure to provide written objections or requests within any of the deadlines provided in Section 10.2 will be deemed to be a waiver of the applicable Subprocessor Request. SiteHost shall ensure that our Subprocessors shall only be engaged by written contract which imposes processing and sub-processing terms which are substantially no less protective of your Customer Data than this Agreement. SiteHost shall be responsible for procuring Suprocessor performance under this Agreement and shall be liable to Customer for any breach of your Customer Data by a Subprocessor, subject to any indemnification or subrogation agreements entered into by us and the applicable Subprocessor. In all instances not related to a breach of Customer Data by a Subprocessor, you and your End Users expressly acknowledge and agree that any disputes, controversies, claims or actions shall be raised in the first instance against the applicable Subprocessor and not against SiteHost.

Disclaimers and Releases

Global Transfers of Personal Data. To the extent that Personal Data originates from the European Economic Area or Switzerland, your transfers of Personal Data to us or to our Affiliates or Subprocessors are made subject to this Agreement, the EU GDPR and the EU Model Contract, with you acting as the Data Exporter and us and/or our Affiliates or Subprocessors acting as the Data Importer. The terms of this Agreement shall be read in conjunction with the EU Model Contract and/or any other appropriate transfer mechanism or device permitted by the laws of the United States of America and the European Union.

Disclaimer of Certain Issues. THE SiteHost SERVICES ARE PROVIDED "AS IS." WE, OUR AFFILIATES AND OUR SUBPROCESSORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESSED, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SiteHost SERVICES, INCLUDING ANY WARRANTY THAT THE SiteHost SERVICES WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF RISK OR ADVERSE ELEMENTS, OR THAT ANY CONTENT, INCLUDING YOUR CUSTOMER DATA, WILL BE SECURE OR NOT OTHERWISE LOST OR DAMAGED. EXCEPT TO THE EXTENT PROHIBITED BY LAW, WE AND OUR AFFILIATES AND SUBPROCESSORS DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE.

Limitation of Liability and Indemnification

Indemnification. You will indemnify, defend and hold us, our Affiliates and our Subprocessors harmless from and against all claims, damages, losses, liabilities, costs and expenses (including reasonable attorney fees and legal costs) in connection with disputes, controversies, claims or actions made or brought by a third party arising from: (i) you and your End Users' breach of this Agreement or violation of any applicable law; (ii) you and your End Users' authorized or unauthorized use of the SiteHost Services; (iii) you and your End Users' authorized or unauthorized access, maintenance or transmission of content or data by or through SiteHost Resources; (iv) you and your End Users' wrongful or negligent acts or omission in connection with its performance of any SiteHost Service; (v) you and your End Users' infringement or misappropriation of any Proprietary Right(s); (vi) Customer's disclosure of any information that is confidential or protected by law and (vii) as between you and your End Users.

Amendments or Modification.

This Agreement shall not be amended or modified, nor shall it be deemed, interpreted or construed to be amended or modified, without the prior written consent of an authorized representative of SiteHost. You agree that we may provide you with notices, including those regarding changes to this Agreement or any Service Level Agreements, by email or regular mail to be sent to the addresses listed in your Account or by publication on any SiteHost Resource(s). You must provide us with all notices through SiteHost Customer Support.

Security

Our Security

SiteHost shall maintain and implement appropriate technical and proceedural security measures to keep Customer Data protected from Security Incidents and help ensure the integrity and confidentiality of Personal Data.

Confidentiality

SiteHost shall ensure that only appropriately trained, screened and vetted personel should have access to SiteHost infrastructure where such personel need to have access to infrastructure and systems to ensure SiteHost systems are maintained and kept secure and available for reliable use. All staff, subprocessors, suppliers or contractors shall be required to act in accordance with this DPA and shall be subject to confidentiality agreements.

Incident Response

SiteHost maintains an Incident Response Plan. Appropriately trained SiteHost staff are familiar with our Incident Response plan which details responsibilities in the event of any Security Incident.

Incident Reporting

SiteHost's Incident Response Plan includes guidelines for timeframes for reporting initial and post-mortem reports in the event of an Incident which may affect Customer Data. Upon becoming aware of a Security Incident, SiteHost shall notify and provide appropriate information to the Customer inside a reasonable timeframe as information becomes confirmed and verified or as reasonably requested by the customer.

Severence

Whenever possible, each provision of this Agreement shall be interpreted to be effective and valid under applicable law. If, however, any such provision shall be prohibited by or invalid under such law, it shall be deemed modified to conform to the minimum requirements of such law, or if for any reason it is not so modified, it shall be prohibited or invalid only to the extent of such prohibition or invalidity without the remainder of such provision, or any other provision of these terms and conditions, being prohibited or invalid.