Data Processing Agreement

1 Introduction

This Data Processing Agreement (hereinafter the "Agreement" or "DPA") is entered into between:

Data Processor: CodeCard.Cloud (t/a WebHosting4U) / Eleftherios Skoulas, 31 Thermopylon St., 18900 Salamina, Greece, tel.: 229 402 8627, email: support@webhosting4u.gr, GEMI: 175884103000, EETT Reg. No: 23-131
Data Controller: The customer-user of our services (hereinafter the "User" or "Data Controller")

This Agreement constitutes an integral part of the WebHosting4U General Terms of Service and sets out the obligations and rights of the parties with respect to the processing of personal data, in accordance with:

Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR), and in particular Article 28
Law 4624/2019 (Greek implementing law of the GDPR)
Law 5160/2024 (Amendments to national data protection legislation)

2 Subject Matter of the Processing

WebHosting4U, acting as Data Processor, provides web hosting, email hosting, domain name registration and management, and related services. In this context, WebHosting4U processes personal data stored on its servers by the User or on behalf of the User.

The processing is carried out solely on the instructions of and on behalf of the Data Controller, in accordance with the Controller's documented instructions, unless otherwise required by Union or Member State law.

3 Duration of Processing

The processing of personal data commences upon activation of the User's account on the WebHosting4U platform and continues throughout the term of the service agreement.

The agreement terminates upon cancellation or expiry of the User's account, regardless of the reason for termination. After termination, processing ceases unless data retention is required by:

Obligations arising from Union or national law (e.g. tax legislation)
Regulatory requirements of EETT regarding the maintenance of domain name registrar records
Pending legal claims or disputes between the parties

4 Nature and Purpose of the Processing

The nature of the processing includes the storage, availability, transfer and secure custody of personal data that the User stores, transmits or processes through our services. Specifically:

Web hosting: Storage and serving of files, databases and website content of the User
Email hosting: Storage, sending and receiving of electronic mail messages
Domain name registration: Processing of registrant data via the EPP protocol for managing registrations with the .gr/.el Registry
Security and backups: Creation of backup copies for data protection and recovery

5 Types of Data and Categories of Data Subjects

Types of personal data

The personal data that may be processed include, but are not limited to:

Full names and identification details
Email addresses
Postal addresses and billing details
Phone numbers
IP addresses and technical access metadata
Payment references (transaction references; no card details are stored)
Domain name registrant data (registrant data per ICANN/EETT requirements)

Categories of data subjects

The data subjects may include:

Visitors of websites hosted by the User on our servers
Customers and partners of the User whose data are stored in our services
Domain name registrants who submit details through the registration service

6 Obligations of the Data Processor

WebHosting4U, as Data Processor, undertakes the following obligations in accordance with Article 28(3) of the GDPR:

a Documented instructions: Processes personal data only on the basis of documented instructions from the Data Controller, including instructions regarding data transfers to a third country, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller before processing, unless the law prohibits such notification.
b Confidentiality: Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c Technical and organisational measures: Takes all required technical and organisational security measures in accordance with Article 32 of the GDPR (detailed in Section 7).
d Sub-processors: Does not engage another processor without prior written authorisation of the Data Controller (general or specific). In the case of general written authorisation, the Processor shall inform the Controller of any changes (detailed in Section 8).
e Data subject rights: Assists the Data Controller, insofar as possible and taking into account the nature of the processing, in fulfilling the Controller's obligation to respond to data subject access requests (DSARs) regarding the exercise of their rights under Chapter III of the GDPR.
f Breach notification: Assists the Data Controller in ensuring compliance with the obligations regarding data breach notifications under Articles 33 and 34 of the GDPR. In particular, notifies the Controller of any data breach without undue delay and within 48 hours of becoming aware of it.
g Data protection impact assessment: Assists the Data Controller in carrying out Data Protection Impact Assessments (DPIAs) and, where required, in prior consultation with the Hellenic Data Protection Authority.
h Deletion or return: At the choice of the Data Controller, deletes or returns all personal data after the end of the provision of services, unless storage is required by law (detailed in Section 11).
i Audits: Makes available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allows for and contributes to audits and inspections conducted by the Controller or an authorised auditor.

7 Technical and Organisational Measures (TOMs)

In accordance with Article 32 of the GDPR, WebHosting4U implements the following technical and organisational measures to ensure a level of security appropriate to the risk:

Encryption: Encryption of data in transit via TLS/SSL across all services. Free SSL certificates for all hosted domains.
Access control: Data access based on the principle of least privilege. Use of strong passwords and multi-factor authentication (MFA) for administrative systems.
Regular backups: Automated daily backups with recovery capability. Backups are stored on separate, secure systems.
Data centre: Equipment is hosted at the Synapsecom S.A. data centre in Greece, which holds ISO 27001 and ISO 9001 certifications, with 24/7 physical security, fire suppression systems and uninterruptible power supply (UPS, generators).
Firewalls and intrusion detection: Network-level and application-level firewalls, intrusion detection and prevention systems (IDS/IPS), and continuous monitoring of network traffic.
Incident response plan: A documented security incident response plan covering identification, containment, remediation and stakeholder notification.
Security updates: Regular application of security patches to operating systems, server software and third-party applications.

8 Sub-Processors

The User grants general written authorisation to WebHosting4U for the use of the following sub-processors. WebHosting4U ensures that each sub-processor is bound by equivalent contractual data protection obligations:

Sub-Processor	Purpose	Location
Synapsecom S.A.	Data centre & server infrastructure	Greece
ICS-FORTH / GRNET	.gr/.el domain name registry (EPP)	Greece
Stripe, Inc.	Payment processing	USA (EU data processed within the EU)
Anonymouse Domains, s.r.o.	WHOIS privacy service	Czech Republic

Change notification mechanism: In the event of the addition or replacement of a sub-processor, WebHosting4U shall notify the User by email or by updating this page at least fifteen (15) days prior to the engagement.

Right to object: The User has the right to object to the use of a new sub-processor within fifteen (15) days of receiving the notification, providing reasonable grounds. If the objection cannot be resolved, the User is entitled to terminate the agreement free of charge within thirty (30) days.

9 Processing of Domain Registrant Data

In the context of the registration and management of .gr/.el domain names, WebHosting4U acts in a dual capacity:

As Data Processor (on behalf of EETT): The Hellenic Telecommunications and Post Commission (EETT) acts as Data Controller for domain name registrant data. WebHosting4U, as a licensed Registrar (EETT Reg. No: 23-131), processes registrant data on the instructions of and on behalf of EETT.

As Data Processor (on behalf of the User): For all other services (hosting, email, etc.), WebHosting4U processes data on the instructions of the User, who acts as Data Controller.

Registrant data (full name or company name, postal address, telephone number, email) is transmitted to the .gr/.el Registry operated by ICS-FORTH / GRNET via the EPP (Extensible Provisioning Protocol).

The legal basis for this processing is compliance with a legal obligation, as provided for by the Regulation on the Management and Allocation of .gr/.el Domain Names issued by EETT (Government Gazette B' 2908/2024) and any applicable regulatory acts in force.

10 International Data Transfers

WebHosting4U stores and processes data within the European Union / European Economic Area (EU/EEA). The primary servers and backups are located in Greece.

In the case of Stripe, Inc. (payment processing), payment data of EU customers is processed within the EU. For any transfers to the USA, Stripe applies the Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914, as well as supplementary security measures.

All other sub-processors (Synapsecom, ICS-FORTH/GRNET, Anonymouse Domains) process data exclusively within the EU/EEA. No transfer of personal data to third countries takes place without an appropriate transfer mechanism in accordance with Chapter V of the GDPR.

11 Deletion and Return of Data

Upon termination of the service agreement, WebHosting4U undertakes the following obligations with respect to personal data:

Data return: Upon request by the User, WebHosting4U shall provide a copy of all data in a commonly used format (e.g. zip files, SQL dumps) within a reasonable timeframe.
Data deletion: Within thirty (30) calendar days of account termination or cancellation, WebHosting4U shall delete all personal data, including backups, unless retention is required by law.
Legal retention: Data required to be retained under tax law, EETT regulatory obligations or court orders shall be retained for the minimum required period and subsequently permanently deleted.

12 Liability

Each party shall be liable for any damage caused by processing in breach of the GDPR, in accordance with Article 82 of the GDPR. Specifically:

The Data Controller (User) is responsible for the lawfulness of the processing, the lawful collection of data and obtaining the appropriate legal basis.
The Data Processor (WebHosting4U) is liable only to the extent that it has not complied with the obligations of the GDPR specifically directed at processors, or has acted outside of or contrary to the lawful instructions of the Controller.
Either party shall be exempt from liability if it proves that it is not in any way responsible for the damage.

The limitations of liability set out in the General Terms of Service (terms.en.html) apply supplementarily, to the extent they do not conflict with the GDPR.

13 Amendments

WebHosting4U reserves the right to amend this Data Processing Agreement when deemed necessary, in particular for reasons of:

Compliance with new legislative or regulatory requirements
Changes to services or sub-processors
Improvement of security measures or data protection practices
Recommendations or decisions of the Hellenic Data Protection Authority

In the event of material amendments, WebHosting4U shall notify Users by email or via a notification on the client platform at least fifteen (15) days before the changes take effect.

Continued use of the services after the effective date of the amendments constitutes acceptance thereof. For the full General Terms of Service, please refer to the Terms of Service page.