Data Processing Agreement (DPA) - Alovhost

Effective Date: 23 November 2023
Company Registration Number: 15304392
ICO Registration Reference: ZB820226
Registered Address: 128 City Road, London, EC1V 2NX, United Kingdom
Contact Email: [email protected]
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions and applies when Alovhost Ltd. ("Alovhost", "we", "us") processes personal data on behalf of customers ("you", "data controller") in compliance with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018 (UK)
Applicable international data protection laws
By using our services, you agree to this DPA, which governs how we process, store, and protect your data.
2. Definitions
For the purposes of this DPA, the following definitions apply:
"Controller" – The customer (you), who determines the purposes and means of processing personal data.
"Processor" – Alovhost Ltd., which processes personal data on behalf of the controller.
"Data Subject" – Any individual whose personal data is processed.
"Personal Data" – Any information relating to an identifiable individual, as defined under UK GDPR.
"Processing" – Any operation performed on personal data, such as collection, storage, use, or deletion.
"Sub-processor" – Any third party engaged by Alovhost to process personal data on behalf of the controller.
3. Scope & Purpose of Processing
3.1 Processing Details
Alovhost processes personal data only as necessary to provide hosting, VPS, domain, and related services. Processing activities include:
Storing website and customer account data
Managing email and support communications
Processing payments through third-party providers
Securing services and preventing fraud
3.2 Duration of Processing
Alovhost will process personal data only for as long as necessary to fulfill service obligations, unless otherwise required by law.
3.3 Nature & Types of Personal Data
We process the following categories of personal data:
Account Data: Name, email, phone number, address
Payment Data: Billing details (processed via third-party payment gateways)
Technical Data: IP address, browser type, device identifiers
Usage Data: Login timestamps, service usage logs
Sensitive data (e.g., biometric, health, political, or religious data) is not collected or processed.
3.4 Categories of Data Subjects
Customers using Alovhost services
End users accessing customer-hosted websites
Any individual interacting with our services
4. Obligations of Alovhost (Processor)
Alovhost agrees to:
Process data only on written instructions from the controller.
Ensure data confidentiality by restricting access to authorized personnel.
Implement appropriate security measures to prevent data breaches.
Assist the controller with GDPR compliance (e.g., handling data subject requests).
Delete or return all personal data after termination of services, upon request.
5. Obligations of the Controller (Customer)
As the data controller, you agree to:
Ensure personal data is collected lawfully and with proper consent.
Provide clear privacy notices to data subjects.
Respond to data subject requests (e.g., deletion, access, corrections).
Use Alovhost’s services in compliance with GDPR and applicable laws.
Notify Alovhost of any unauthorized or unlawful processing activities.
6. Security Measures
Alovhost implements industry-standard technical and organizational security measures to protect personal data:

Security Measure

Description

Encryption

Data encrypted in transit (SSL/TLS) and at rest.

Access Control

Role-based access to personal data, with authentication controls.

Monitoring

Continuous security monitoring & threat detection.

Regular Backups

Secure backups to prevent data loss.

Incident Response

Rapid response & mitigation in case of data breaches.

7. Sub-Processors & Third-Party Providers
7.1 Use of Sub-Processors
Alovhost may engage third-party service providers ("sub-processors") to assist in delivering services. These include:
Hosting & Data Centers: Infrastructure providers for hosting services.
Payment Processors: PayPal, Stripe, CryptoMus (for secure payments).
Security & Monitoring Services: Tools for detecting fraud, abuse, and cyber threats.
7.2 Compliance of Sub-Processors
All sub-processors must comply with UK GDPR and sign data protection agreements with Alovhost.
A list of current sub-processors is available upon request.
7.3 Objection to Sub-Processors
If you object to a sub-processor, you must notify Alovhost in writing within 30 days. If a resolution cannot be reached, you may terminate the service without penalty.
8. Data Subject Rights & Assistance
Alovhost assists controllers in complying with UK GDPR rights of data subjects:

Right

Assistance Provided

Right to Access

Providing copies of stored personal data.

Right to Rectification

Allowing corrections to inaccurate data.

Right to Erasure (Right to be Forgotten)

Deleting personal data upon verified request.

Right to Restriction

Limiting processing when legally required.

Right to Data Portability

Providing structured data exports.

Right to Object

Ceasing processing upon valid objection.

Controllers are responsible for handling data subject requests and must notify Alovhost if assistance is needed.
9. Data Breach Notification
If a personal data breach occurs that may affect data subjects, Alovhost will:
Notify the controller without undue delay (within 72 hours if required by law).
Provide details of the breach, including affected data, risks, and mitigation actions.
Assist in regulatory reporting to the ICO (Information Commissioner’s Office) if necessary.
10. International Data Transfers
Personal data may be transferred outside the UK (e.g., to hosting providers).
All transfers comply with UK GDPR, using safeguards like Standard Contractual Clauses (SCCs) or adequacy decisions.
If you require specific details, contact [email protected].
11. Data Retention & Deletion
Alovhost retains personal data only as long as necessary for service fulfillment.
After termination, data is deleted or anonymized within 60 days, unless required by law.
The controller may request early deletion via email.
12. Audit & Compliance
Customers may request an audit to verify Alovhost's compliance with this Data Processing Agreement (DPA), subject to the following conditions:

Audits may only be requested once per year and must be supported by a valid security concern.
All audit requests must be submitted in writing at least 30 days in advance.
Alovhost will cooperate with reasonable audit requests but reserves the right to decline excessive or unnecessary demands.
Physical audits may only be conducted with prior written approval from Alovhost.
Audit requests should be sent to [email protected].
13. Governing Law & Dispute Resolution
This DPA is governed by the laws of the United Kingdom.
Any disputes shall be resolved in the UK courts.
14. Changes to This DPA
We may update this DPA as required by law or service changes.
Customers will be notified of significant changes 30 days in advance.
15. Contact Information
For data protection inquiries, contact:
Email: [email protected]
Address: 128 City Road, London, EC1V 2NX, United Kingdom
For complaints, you may contact the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk