New Hosting Revenue — Unlocked!
Launch your own professional WordPress services without upfront
investment or headcount. Powered by Seahawk — Branded as you.
Spring Offer Your WordPress services. Under your brand. Earn up to 70% margin — offer closes April 30.
CLAIM THE OFFER

WordPress Pro Services. Extra 30% on your margins.

Zero Upfront Investment. Live in 2 weeks.

Start Earning More
VPS Bundle Better margins on every VPS. CloudLinux OS + Imunify360, bundled.
Explore the VPS Bundle
WordPress Agency Survey 2026 | How are agencies handling security across client sites?
TAKE THE SURVEY

DATA PROCESSING ADDENDUM

(Version June 2025) Download PDF

This Data Processing Addendum (“DPA”), forms part of the Imunify360, Imunify AV, Imunify AV Plus, Imunify Email, Imunify Patch EULA (available at https://blog.imunify360.com/legal/eula), or other written or electronic agreement, by and between Cloud Linux Software, Inc. (“CloudLinux”) and the undersigned customer of CloudLinux (“Customer”) for certain security services (collectively, the “Service”) provided by CloudLinux (the “Main Agreement”). All capitalized terms not defined herein shall have the meanings set forth in the Main Agreement. Each of Customer and CloudLinux may be referred to herein as a “Party” and together as the “Parties.”

In connection with the Service, the parties anticipate that CloudLinux may process outside of the European Economic Area (“EEA”), and Switzerland, and United Kingdom (“UK”), certain Personal Data in respect of which the Customer or any Affiliate of Customer may be a data controller or data processor, as applicable, under Applicable Data Protection Laws.

The parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by Applicable Data Protection Laws.

DATA PROCESSING TERMS

In the course of providing the Service to Customer pursuant to the Main Agreement, CloudLinux may Process Personal Data on behalf of Customer. CloudLinux agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to CloudLinux or collected and processed by or for Customer using CloudLinux’s Services.

  • Definitions

The following definitions are used in this DPA:

  1. Adequate Country” means a country or territory that is recognized under General Data Protection Regulation (EU) 2016/679 as providing adequate protection for Personal Data.
  2. Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).
  3. Applicable Data Protection Laws” means all applicable data protection, data privacy, and cybersecurity laws, rules, and regulations anywhere in the world that are in force from time to time, including, but not limited to, the (i) EU General Data Protection Regulation 2016/679, (ii) Swiss Federal Act on Data Protection of 1st of September 2023 (“FADP”), (iii) in respect of the United Kingdom, the GDPR as it forms part of UK law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.
  4. Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.
  5. GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 25 May 2018 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  6. Personal Data” means any information relating to an identified or identifiable natural person that relates to, describes, is capable of being associated with, or could be linked, directly or indirectly, with a particular natural person and as defined by Applicable Data Protection Laws and accessed, stored or otherwise processed by CloudLinux as part of its provision of the Service to Customer. 
  7. Verified Technical Resource” means a category, in accordance with Article 13(1)(e) of the GDPR, of technical contractors verified by CloudLinux to be able to technically adhere to the security provisions of this DPA and the GDPR, have entered into an agreement with CloudLinux at least as restrictive as this DPA; and may provide services to CloudLinux when requested.
  8. processing”, “data controller”, “data subject”, “supervisory authority”, and “data processor” shall have the meanings described by the Applicable Data Protection Laws.
  9. An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
  10. Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission.
  11. SCC” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, (“EU SCCs”); and (ii) where the UK GDPR applies standard data protection clauses adopted (“UK SCCs”); and (iii) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority (“Swiss SCCs”).
  12. “UK Addendum” means the International Data Transfer Addendum to the EU SCC, which is a legal instrument developed by the UK’s Information Commissioner’s Office (ICO).
  13. US State Privacy Laws” means all state laws relating to the protection and processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Online Privacy Protection Act (“DOPPA”).

  • Status of the parties

  1. The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature, and purpose of the processing, and the categories of data subjects, are as described in Annex 1.
  2. Each party warrants in relation to Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
  3. In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Customer is the data controller or processor, and CloudLinux is the data processor or sub-processor, as applicable, and accordingly CloudLinux agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
  4. If Customer is an EU-based data processor, Customer warrants to CloudLinux that Customer’s instructions and actions with respect to the Personal Data, including its appointment of CloudLinux as another processor and concluding the SCC with all relevant Appendices, have been authorized by the relevant controller.

If Customer is a UK-based data processor, Customer warrants to CloudLinux that Customer’s instructions and actions with respect to the Personal Data, including its appointment of CloudLinux as another processor and concluding the UK Addendum, have been authorized by the relevant controller.

If Customer is a Swiss-based data processor, the Customer warrants to CloudLinux that the Customer’s instructions and actions with respect to the Personal Data, including its appointment of CloudLinux as another processor and and entering into the SCC required for international data transfers in compliance with Swiss FADP, have been authorized by the relevant controller.

  1. Each party shall appoint a Data Privacy Officer within its organization authorized to respond from time to time to enquiries regarding Personal Data, the parties shall make the Data Privacy Officer known to the other party, and the Data Privacy Officer shall deal with such enquiries promptly.
  2. Throughout the term of the Main Agreement, the Customer continuously guarantees that all Personal Data provided to CloudLinux has been lawfully collected and transferred in full compliance with Applicable Data Protection Laws. During this DPA’s term, the Customer is solely responsible for obtaining and maintaining all necessary consents and authorizations from every data subject, as required by law, to permit CloudLinux to process their Personal Data under the Main Agreement and fulfill its obligations under this DPA
  3. Customer warrants that it has provided all necessary information and notices to Data Subjects regarding the Processing of their Personal Data, including the engagement of CloudLinux, in a manner that is transparent, intelligible, and easily accessible.
  4. Customer warrants that the Personal Data provided to CloudLinux is accurate and, where necessary, kept up to date. Customer will instruct CloudLinux of any corrections or erasures required to maintain the accuracy of the data. 
  5. Customer warrants that the scope of Personal Data disclosed is limited to what is adequate, relevant, and necessary in relation to the purposes for which it is processed as specified in this DPA. 
  6. Customer warrants that its instructions to CloudLinux for the Processing of Personal Data shall, at all times, be lawful and in compliance with Applicable Data Protection Laws. 
  7. Customer is solely responsible for determining whether the security measures implemented within the Service are adequate to meet its obligations under Applicable Data Protection Laws. The Customer is also responsible for ensuring the secure use of the Services, including the protection of Personal Data transmitted to and from the Service (e.g., through appropriate encryption or secure backups).

  • CloudLinux obligations

  1. With respect to all Personal Data, CloudLinux warrants that it shall:
    1. only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, (ii) the Customer’s written instructions as set forth in the Main Agreement and this DPA, and (iii) as required by Applicable Data Protection Laws;
    2. upon becoming aware, inform the Customer if, in CloudLinux’s opinion, any instructions provided by the Customer under clause 3.1(a) are in conflict with the Applicable Data Protection Laws;
    3. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures commonly adopted in accordance with recognized security standards, such as SOC 2 Type II or ISO 27001, and as required by Applicable Data Protection Laws; 
    4. take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality;
    5. without undue delay after becoming aware, notify the Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by CloudLinux, its sub-processors, or any other identified or unidentified third party (a “Security Breach”);
    6. promptly provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all reasonable information in CloudLinux’s possession concerning such Security Breach insofar as it affects the Customer, including, to the extent then known, the following:
      • the possible cause and consequences for the Data Subjects of the Security Breach;
      • the categories of Personal Data involved;
      • a summary of the possible consequences for the relevant data subjects;
      • a summary of the unauthorized recipients of the Personal Data; and
      • the measures taken by CloudLinux to mitigate any damage;
    7. not make any public announcement about a Security Breach (a “Breach Notice”) without the prior written consent of the Customer, unless required by Applicable Data Protection Laws;
    8. promptly notify the Customer if it receives a request from a data subject of Customer to access, rectify or erase that individual’s Personal Data, or if a data subject objects to the processing of, or makes a data portability request in respect of, such Personal Data (each a “Data Subject Request”). CloudLinux shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees. To the extent that the Customer does not have the ability to address a Data Subject Request, then upon Customer’s request CloudLinux shall provide reasonable assistance to the Customer to facilitate such Data Subject Request to the extent able and in line with Applicable Data Protection Laws. To the extent the Customer does not respond, CloudLinux may respond to the Data Subject Request in any manner it deems appropriate. Customer shall cover all costs incurred by CloudLinux in connection with its provision of such assistance or response;
    9. other than to the extent required to comply with Applicable Data Protection Laws, following termination or expiry of the Main Agreement or completion of the Service, CloudLinux will delete all Personal Data (including copies thereof) processed pursuant to this DPA;
    10. considering the nature of processing and the information available to CloudLinux, provide such assistance to the Customer as the Customer reasonably requests in relation to CloudLinux’s obligations under the Applicable Data Protection Laws with respect to:
  1. data protection impact assessments (as such term is defined in the Applicable Data Protection Laws);
  2. notifications to the supervisory authority under the Applicable Data Protection Laws and/or communications to data subjects by the Customer in response to any Security Breach; and
  3. the Customer’s compliance with its obligations under the Applicable Data Protection Laws with respect to the security of processing;

provided that the Customer shall cover all costs incurred by CloudLinux in connection with its provision of such assistance.

  1. provide to the Customer information about the region and country where the Personal Data is stored and processed by or on behalf of CloudLinux;
  2. communicate the exact address of the relevant facilities only in the event of an explicit request of a competent ыupervisory фuthority and if the aforementioned communication is suitable to discharge its obligation under Applicable Data Protection Laws.

  • Sub-processing

  1. The Customer grants a general authorization: (a) to CloudLinux to appoint current sub-processors listed in Annex 2, and (b) to CloudLinux and any Affiliate to appoint any Verified Technical Resource to act as third-party data center operators, and outsourced marketing, business, engineering, and customer support providers as sub-processors to support the performance of the Service.
  2. CloudLinux will only use a Verified Technical Resource as sub-processors of any Personal Data. If CloudLinux is reasonably able to provide the Service to the Customer in accordance with the Main Agreement without using the sub-processor and decides in its discretion to do so, then the Customer will have no further rights under this clause 4.2 in respect of the proposed use of the sub-processor. If CloudLinux requires use of a sub-processor at its discretion and Customer does not want CloudLinux to use a Verified Technical Resource as a sub-processor, Customer may provide written notification of any objections to CloudLinux. Within ninety (90) days from the Customer’s notification of objections, the Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the applicable Order Form without refund. If the Customer does not provide a timely objection to the use of a Verified Technical Resource in accordance with this clause 4.2, the Customer will be deemed to have consented to the use of any Verified Technical Resource as a sub-processor and waived its right to object. CloudLinux may use a new or replacement Verified Technical Resource as a sub-processor whilst the objection procedure in this clause 4.2 is in process.
  3. CloudLinux will ensure that any sub-processor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on CloudLinux in this DPA (the “Relevant Terms“). CloudLinux shall procure the performance by such sub-processor of the Relevant Terms and shall be liable to the Customer for any breach by such person of any of the Relevant Terms.

  • Audit and records

  1. CloudLinux shall, in accordance with Applicable Data Protection Laws, make available to the Customer such information in CloudLinux’s possession or control as the Customer may reasonably request with a view to demonstrating CloudLinux’s compliance with the obligations of data processors under Applicable Data Protection Laws in relation to its processing of Personal Data.
  2. The Customer may exercise its right of audit under Applicable Data Protection Laws in relation to Personal Data, through CloudLinux providing:
  1. an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that CloudLinux’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard; 
  2. additional information in CloudLinux’s possession or control to the supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by CloudLinux under this DPA; and
  3. A Customer shall cover all costs incurred by CloudLinux in connection with any such audit.

  • Data transfers

  1. To the extent any processing of Personal Data by CloudLinux takes place in any country outside the EEA, UK and Switzerland, the parties agree that it is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, then the following applies:

The parties agree that the EU SCCs shall apply to Restricted Transfers from the EEA. The EU SCCs shall be deemed entered into (and incorporated into this DPA by reference) and completed as follows:

  • Customer is the “data exporter” and CloudLinux is the “data importer”.
  • Module Two (Controller to Processor) shall apply where the Customer is a Controller of Personal Data and CloudLinux is a Processor.
  • Module Three (Processor to Processor) shall apply where the Customer is a data processor that processes Personal Data on behalf of another data controller or data processor, and the CloudLinux is processing Personal Data as a data sub-processor.
  • in Clause 7, the optional docking clause will apply.
  • Clause 9 of the EU SCCs Option 2 applies, and the time period for giving notice of Sub-processor changes shall be 60 days.
  • In Clause 11 of the EU SCCs, the optional language shall not apply.
  • In Clause 17 of the EU SCCs, Option 1 applies and the EU SCCs shall be governed by the law of the Netherlands.
  • In Clause 18(b) of the EU SCCs, disputes shall be resolved by the courts of the Netherlands.
  • Annex I of the EU SCCs is deemed completed with the information set out in Annex 1 of this DPA, and the competent supervisory authority will be determined in accordance with the GDPR and Clause 13 of the EU SCCs.
  • Annex II of the EU SCCs is deemed completed with the information set out in Clause 3.1(c)  of this DPA.
  1. In relation to transfers of Personal Data that is subject to the UK GDPR, the EU SCCs: (i) apply as completed in accordance with Clauses 6.1 above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the Parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in this DPA, as well as Annex 1 and Clauses 3.1(c), and 4 of this DPA, Table 4 in Part 1 is deemed completed by selecting “neither party”. Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Sections 10 and 11 of the UK Addendum.
  2. In relation to transfers of the Personal Data protected by the Swiss FADP, the EU SCCs: (i) apply as completed in accordance with Clause 6.1 of this DPA; and (ii) are deemed amended as specified as follows:
  • All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP, and
  • All references to the GDPR and EU SCC in this DPA will be interpreted as references to the FADP;
  • In Clause 13 of the  EU SCC, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;
  • In Clause 17, the EU SCCs are governed by the laws of Switzerland;
  • In Clause 18(b), disputes will be resolved before the courts of Switzerland;
  • All references to member states will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
  1. If, in the performance of this DPA, CloudLinux transfers any Personal Data to a Verified Technical Sub-processor located outside of the EEA, UK and/or Switzerland (without prejudice to clause 4), CloudLinux shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:
    1. the requirement for CloudLinux to execute or procure that the Verified Technical Sub-processor execute to the benefit of the EU-based Customer standard contractual clauses approved by the EU authorities under the GDPR, and for the for UK-based Customer the UK Addendum to the EU Commission Standard Contractual Clauses, as well as for the Swiss-based Customer, the standard contractual clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) under the Swiss Federal Act on Data Protection;
    2. the requirement for the Verified Technical Sub-processor to have any specifically approved safeguard for data transfers (as recognized under Applicable Data Protection Laws). 
  2. The following terms shall apply to the SCC set out in p.6:
    1. The Customer may exercise its right of audit under clause 5.1(f) of the SCC  as set out in, and subject to the requirements of, clause 5.2 of this DPA; and
    2. CloudLinux may appoint Verified Technical Sub-processors as set out, and subject to the requirements of, clauses 4 and 6.3 of this DPA.
  3. CloudLinux participates in and certifies compliance with the Data Privacy Framework. Where and to the extent the Data Privacy Framework applies, CloudLinux will use the Data Privacy Framework to lawfully receive Personal Data in the United States and will provide at least the same level of protection to such data as is required by the Data Privacy Framework Principles. 
  4. In the event that CloudLinux is required to adopt an alternative transfer mechanism under Applicable Data Protection Laws, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with Applicable Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect such alternative transfer mechanism.

  • Additional provisions under US State Privacy Laws

  1.  The following terms apply where CloudLinux processes Personal Data subject to the US State Privacy Laws:

7.1.1. To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that CloudLinux as a Service Provider or Processor, on behalf of Customer, CloudLinux will process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer’s written instructions, as necessary for the limited and specified purposes identified in this DPA. CloudLinux will not:

  1. retain, use, disclose, or otherwise process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Main Agreement, or as otherwise permitted under US State Privacy Laws; 
  2. “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and 
  3. retain, use, disclose, or otherwise process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws. 
  1. CloudLinux will implement measures designed to maintain the security of Personal Data, ensuring a level of privacy protection consistent with the requirements of US State Privacy Laws.
  2. CloudLinux will provide reasonable access to information necessary for the Customer to verify our compliance with this DPA.
  3.  The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Main Agreement or this DPA. 

  • General

  1. This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

  2. CloudLinux’s liability under or in connection with this DPA (including under the standard contractual clauses set out in p.6 above) is subject to the limitations on liability contained in the Main Agreement.

  3. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

  4. This DPA and any action related thereto shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts of Delaware.

  5. This DPA is the final, complete, and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has the legal capacity to execute and deliver this DPA. Each party represents and warrants to the other that the execution and delivery of this DPA and the performance of such party’s obligations hereunder have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.

IN WITNESS WHEREOF, the parties have each caused this DPA to be signed and delivered by its duly authorized representative.

 

CUSTOMER:

Cloud Linux Software, Inc.
NAME NAME Dmytro Pigul
TITLE TITLE Compliance Officer

 

ADDRESS

 

ADDRESS

 20791 Three Oaks Pkwy, #980, Estero, FL 33929, USA
DATE DATE June 23, 2025

 

Annex 1

Details of the Personal Data and processing activities

  1. The nature of the Personal Data processing is subject to the following, to the extent permitted under Data Protection Laws, and the Main Agreement: 1) Receiving data, including collection, accessing, and recording; 2) Holding data, including storage, organization and structuring; 3) Using data, including analyzing, consultation, and testing; 4) Protecting data, including restricting; 5) Erasing data, including destruction and deletion. 
  2. The purpose of the Personal Data processing is to provide the Service to Customer, pursuant to the Main Agreement.
  3. The types of the Personal Data that may be processed including but not limited to: first and last names, physical address, email address, phone number, IP address, username and geolocation data. 
  4. The duration of the processing will be: until the earliest of (i) expiry/termination of the Main Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable).
  5. Sensitive Data Transferred: The Parties do not anticipate the transfer of sensitive data. 
  6. The Data Subjects whose Personal Data may be processed in terms of provision the Service to Customer including but not limited to:
  • Prospective customers, customers, resellers, referrers, business partners, and vendors of the Customer (who are natural persons);
  • Employees or contact persons of the Customer’s prospective customers, customers, resellers, referrers, sub-processors, business partners, and vendors (who are natural persons);
  • Employees, agents, advisors, and freelancers of the Customer (who are natural persons); and/or
  • Natural persons authorized by the Customer to use the Service.
  1. The location of Personal Data storage is described in Annex 2 of this DPA.
  2. The retention period of Personal Data that may be processed is the following:
  • For Imunify360 product – any file with Personal Data will be deleted immediately upon identification.
  • For Imunify Email product – any file with Personal Data will be deleted within 72 hours upon identification.

 

Annex 2

LIST OF SUB-PROCESSORS

The processor uses the following sub-processors during the cooperation with the controller:

Name of sub-processor Physical location Security measures Purpose of processing
Hetzner Online GmbH

Nuremberg and Falkenstein/Vogtland, Germany

Helsinki, Finland

 ISO 27001:2013 Servers and DB.
Atman sp.zo.o. (formerly ATM S.A) Warsaw, Poland. ISO 27001:2013 Servers and DB.
Hivelocity, Inc. Miami, FL, United States

ISO 27001:2013

SOC 2 Type 2

 Servers and DB.
Amazon Web Services (AWS) North Virginia и Ohio United States

ISO 27001:2013

SOC 2 Type 2

 Servers and DB.
Acronis International GmbH Frankfurt, Germany

ISO 27001:2013

SOC 2 Type 2

 Cloud backup and storage services
Google Cloud Services (Looker) Ashburn, Virginia, United States

ISO 27001:2013

SOC 2 Type 2

 Database
Snowflake N. Virginia. United States

ISO 27001:2013

SOC 2 Type 2

 Database