This Data Processing Agreement (DPA) is part of our terms of service and applies automatically as soon as you, as a B2B customer, purchase a service in which we process personal data of your end-users on your behalf (GDPR art. 28). You do not need to sign it separately: accepting the terms of service means accepting this DPA.
1. Parties and roles
Controller: you, the customer (the "Customer").
Processor: InternalHost (sole proprietorship Xaviero Kajafas, Dutch CoC 90174720).
InternalHost processes personal data only on the Customer's instructions and only insofar as necessary to deliver the agreed services (hosting, storage, mail, network).
2. Subject matter and duration
- Subject: processing of personal data in the context of the IT infrastructure services we deliver.
- Nature of processing: storage, transmission (within our infrastructure), backup — no active processing of end-user content by us.
- Purpose: making the agreed IT services available.
- Categories of data subjects: as determined by the Customer. We have no visibility into this (we do not inspect the contents of your databases).
- Types of personal data: as determined by the Customer. Special categories of personal data (e.g. health or religion) are permitted provided the Customer itself takes appropriate technical and organisational measures.
- Duration: for as long as the main agreement runs, plus a 14-day recovery period after termination (see section 7).
3. Security measures
InternalHost takes at least the following technical and organisational measures:
- Encryption in transit: TLS 1.2+ on all public endpoints, WireGuard for internal mesh.
- Encryption at rest: LUKS on all storage volumes. This protects data on disks that are lost, removed or decommissioned; encryption within the Customer's own stack (application or database level) is the Customer's responsibility.
- Access control: SSH with ed25519 keys only (no password authentication), MFA required for administrative access, principle of least privilege.
- Logging: infrastructure access is logged and retained for 90 days.
- Backups: daily encrypted snapshots of customer volumes, retained on a 7 daily / 4 weekly / 12 monthly schedule (on our side; backups at the application level are the Customer's responsibility).
- Physical security: the Qupra data centre is staffed 24/7, is ISO 27001 and ISO 9001 certified, and uses biometric access control and a mantrap.
- Software updates: security patches are applied within 7 days of release, critical ones within 24 hours.
- Monitoring: CrowdSec and fail2ban on all exposed services.
A current technical-measures overview is available on request at [email protected].
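A Customer who wants to verify the kind of claims listed in section 3 on a host they administer can audit the relevant configuration files rather than rely on the text alone. The script below is an added example for illustration; it is not part of the DPA and not InternalHost's own tooling. The sample configurations are constructed, and the checks assume OpenSSH's sshd_config keyword names (PubkeyAcceptedAlgorithms, or PubkeyAcceptedKeyTypes on older releases) and an nginx-style ssl_protocols directive for the TLS 1.2+ requirement.

```python
"""Audit an sshd_config and an nginx ssl_protocols directive against the
baseline stated in section 3: key-only ed25519 SSH, TLS 1.2 or newer.
Added example; not InternalHost code. Sample configs below are constructed."""
import re

# Constructed sample that should pass the audit.
SSHD_CONFIG_OK = """\
# key-only, ed25519-only
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin prohibit-password
"""

# Constructed sample with several deviations from the baseline.
SSHD_CONFIG_WEAK = """\
PasswordAuthentication yes
PubkeyAuthentication yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> list of values in file order.
    sshd honours the first occurrence of a single-valued keyword, so the
    audit reads values[0]; HostKey legitimately repeats, so all are kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def audit_sshd(text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    conf = parse_sshd_config(text)

    def first(key, default):
        # Defaults mirror OpenSSH's own defaults when the keyword is absent.
        return conf.get(key, [default])[0].lower()

    findings = []
    if first("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication must be no")
    if first("kbdinteractiveauthentication", "yes") != "no":
        findings.append("KbdInteractiveAuthentication must be no (blocks PAM password prompts)")
    if first("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be yes")

    hostkeys = conf.get("hostkey", [])
    if not any("ed25519" in h for h in hostkeys):
        findings.append("no ed25519 HostKey configured")
    for h in hostkeys:
        if "ed25519" not in h:
            findings.append(f"non-ed25519 HostKey: {h}")

    # OpenSSH 8.5+ keyword first, pre-8.5 keyword as fallback. When unset,
    # sshd also accepts RSA and ECDSA client keys, so "ed25519 only" does not hold.
    algs = first("pubkeyacceptedalgorithms", "") or first("pubkeyacceptedkeytypes", "")
    if not algs:
        findings.append("PubkeyAcceptedAlgorithms not restricted to ed25519")
    else:
        for alg in algs.split(","):
            if "ed25519" not in alg:
                findings.append(f"non-ed25519 client key algorithm accepted: {alg}")
    return findings


def audit_tls_protocols(nginx_snippet):
    """Return the protocol versions below TLS 1.2 enabled by an nginx ssl_protocols directive."""
    m = re.search(r"ssl_protocols\s+([^;]+);", nginx_snippet)
    if not m:
        return ["ssl_protocols not set explicitly (default depends on nginx version)"]
    enabled = m.group(1).split()
    return [p for p in enabled if p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")]


if __name__ == "__main__":
    for name, cfg in (("ok", SSHD_CONFIG_OK), ("weak", SSHD_CONFIG_WEAK)):
        print(name, audit_sshd(cfg) or "meets baseline")
    print("tls", audit_tls_protocols("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;") or "meets baseline")
```

Run it against a copy of the real sshd_config and nginx vhost; the parser deliberately reads only the first occurrence of single-valued keywords, because that is what sshd does, so a hardening line appended after a weaker one earlier in the file is correctly reported as ineffective.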
4. Sub-processors
We use the following sub-processors, all located in the EU. We give at least 30 days' notice of any change so that the Customer can object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Qupra Data Centers BV | Datacenter / colocation | Amsterdam, NL |
| Mollie B.V. | Payments | Amsterdam, NL |
| Revolut Payments UAB | Payments (alternative) | Vilnius, LT |
| Cloudflare Germany GmbH | CDN / DDoS protection | Germany (EU data region) |
| Hoster B.V. (OpenProvider) | Domain registration (optional) | The Hague, NL |
5. Transfer outside the EU
We do not transfer personal data to countries outside the EU/EEA, except where Cloudflare, as CDN and DDoS provider, unavoidably routes traffic through points of presence outside the EU during a DDoS attack. In that case the Standard Contractual Clauses agreed between us and Cloudflare apply.
6. Data breach procedure
For a personal-data breach affecting the Customer, we notify the Customer within 24 hours of discovery (via the email address on file), stating:
- Nature of the breach
- Categories and approximate number of affected individuals
- Likely consequences
- Measures taken or proposed
The Customer, as controller, decides whether the breach must be reported to the supervisory authority. We assist as needed.
7. Termination and data return
After termination of the main agreement:
- The Customer has 14 days to download all data (via SSH/SFTP, or by export request).
- After that, all personal data is permanently deleted, except where a statutory retention obligation applies (under Dutch tax law, invoice data is retained for 7 years).
- On request we provide a written certificate of destruction.
For specific contracts (large B2B, healthcare, financial sector) we can sign a custom DPA. Email [email protected].