Hostaan Oy - Finnish WordPress web hosting

Data Processing Agreement

This page contains our data processing agreement, which you agree to comply with when ordering and using our services.


Annex to General Terms and Conditions


This annex is an integral part of the general terms and conditions of Hostaan Oy (hereinafter the “Service Provider”). This annex and these data protection terms apply when the Service Provider acts on behalf of the Customer as a data processor under Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), where the Customer is the data controller who has outsourced the processing of personal data to the Service Provider. In case of any conflict between the general terms and conditions and these data protection terms, the general terms and conditions shall prevail.


Definitions

Terms used in this annex, such as “data controller,” “data subject,” “personal data,” “processing,” “data processor,” and “personal data breach,” shall have the meaning assigned to them in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter the “GDPR”).


Purpose

The Service Provider is a company offering hosting services. The Customer is a business, organization, or other entity acquiring hosting services from the Service Provider. Under these data protection terms, the parties agree that, for the duration of the agreement, the Service Provider shall process personal data on behalf of the Customer, who acts as the data controller.


The Data Processor shall process personal data solely for the purpose of providing hosting services and performing other contractual obligations described in the agreement, in accordance with the Customer’s written instructions.


The Data Processor shall not process personal data for any other purpose or on behalf of any other party. The Data Processor is entitled to transfer personal data to countries outside the EU or EEA, provided that adequate safeguards as defined in the GDPR are implemented. The Data Processor shall immediately notify the Data Controller if it becomes aware that any written instructions given by the Customer may violate the GDPR or other applicable EU or national data protection laws. In addition to these terms, both parties shall comply with applicable national data protection legislation and GDPR provisions as appropriate.


Scope of Personal Data Processing

The processing of personal data concerns the provision and delivery of services offered by the Service Provider, including web hosting, server hosting, cloud services, email services, server software, domain registration, and other similar hosting services. The Service Provider collects, stores, and processes personal data of customers acting as data controllers in accordance with the service agreement, these terms, and applicable law.


Since the Customer exclusively decides what personal data is stored in the hosting service, and the Service Provider has neither the obligation nor the practical ability to verify such data, the Customer may technically store any data deemed necessary in the service. Typically, personal data may include, but is not limited to, name, address, other contact details, e-commerce order history, marketing consents, and other service-related data. Typical data subjects include the Customer’s own clients, potential clients, web service users, and newsletter subscribers.


Subprocessors

The Data Processor may engage other data processors to assist in processing. When engaging another processor, the Data Processor shall ensure that processing is subject to the same data protection obligations described in this annex. Hostaan Oy uses the following subprocessors:

 

  • Traficom – Finnish Transport and Communications Agency (Finland): domain registration and maintenance (role: domain registration and maintenance)
  • Joker.com / CSL GmbH (Germany): domain registration and maintenance (role: domain registration and maintenance)
  • UpCloud Oy (Finland): cloud infrastructure, virtual servers, S3 object storage (role: network infrastructure, storage)
  • Hetzner Online GmbH (Germany): cloud infrastructure, virtual servers, S3 object storage (role: network infrastructure, storage)
  • Plesk International GmbH (Germany/Switzerland): control panel software, access for support situations (role: application platform support)
  • Site.pro / UAB "B1.lt" (Lithuania): website builder platform, access for support situations (role: application platform support)
  • Let’s Encrypt / Internet Security Research Group ISRG (USA): SSL certificate issuance (role: processing domain and email data for certificate issuance)
  • Google Ireland Ltd (Ireland): Google Workspace resale (role: third-party service, separate data controller); Google Ads, Display and Analytics (role: marketing, targeting and tracking)
  • Meta Platforms, Inc. (USA): Facebook Advertising (role: marketing, targeting and tracking)
  • Apple Inc. (USA): iCloud and workstations (role: internal office use, processing of personal data for internal office purposes)
  • Gallant Iisalmi Oy (Finland): bookkeeping (role: accounting and financial statements)
  • Visma Solutions Oy (Finland): Netvisor accounting system (role: accounting and financial reporting software)
  • Maventa Oy (Finland): e-invoicing (role: electronic invoice sending)
  • Kravia Finland Oy (Finland): debt collection (role: processing debt collection assignments)

 

Confidentiality

Personal data processed on behalf of the Data Controller shall be treated as confidential. The Data Processor undertakes not to disclose such data to any third party or use it for any purpose other than as agreed.

 

Only personnel of the Service Provider shall process personal data, always confidentially, and only to the extent necessary for their work duties.

 

Data Security

The Data Processor shall implement appropriate technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. These measures shall be designed considering the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons, and include:

  • proper anonymization and encryption of personal data,
  • ensuring the continuous confidentiality, availability, and resilience of the services,
  • rapid restoration of availability in the event of a technical failure,
  • mechanisms for regularly evaluating the effectiveness of the security measures.


Data Breach Notification

In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay and provide sufficient information to enable the Data Controller to fulfill its obligations under the GDPR. The Data Processor shall take appropriate remedial measures to mitigate adverse effects and prevent future breaches.


Data Protection Impact Assessment and Data Subject Rights

If the Data Processor identifies a planned processing that is likely to result in a high risk to the rights and freedoms of natural persons, it shall notify the Data Controller and assist as necessary with data protection impact assessments.


The Data Processor shall reasonably and without undue delay assist the Data Controller in fulfilling obligations regarding data subject rights under the GDPR, including access, rectification, objection, erasure (“right to be forgotten”), restriction, and data portability. Any such requests received by the Data Processor shall be communicated to the Data Controller without delay.


Audits

To demonstrate compliance with its GDPR obligations, the Data Processor shall provide the Data Controller with all necessary information. The Data Processor shall permit audits by the Data Controller or an auditor designated by it, including inspection of premises, systems, processes, and documentation, and shall reasonably participate in such audits if requested, provided they take place during normal business hours and with minimal disruption to operations. Written notice of at least two months is required before an audit.


Assistance Obligations

During the term of the agreement, the Customer may request in writing that the Service Provider assist in fulfilling GDPR obligations applicable to the Customer as a data controller. This includes assisting with data subject requests, data protection impact assessments, and personal data breaches.


All costs incurred for such assistance shall be borne by the Customer. If not otherwise agreed, the Service Provider may charge hourly fees based on its standard rates.


Customer Responsibilities

As the data controller, the Customer is responsible for compliance with all legal obligations, including ensuring lawful processing bases, obtaining consents, providing information to data subjects, and maintaining privacy notices. The Customer shall provide lawful processing instructions to the Service Provider.


The Customer is responsible for the content of the data stored, including personal data, the right to process and transfer it to the Service Provider, and for determining what data is stored, for what purpose, and to whom it is disclosed. The Customer shall ensure data quality, accuracy, deletion, and anonymization.


The Customer is responsible for its own processing, integrity, security, maintenance, and protection of personal data. The Customer shall comply with all applicable data protection, security, and safety laws and regulations.


Term and Termination

This annex comes into effect upon the commencement of the hosting service agreement and remains valid for the duration of that agreement.


Upon termination, the Data Processor shall, within a reasonable period, delete or return all personal data to the Data Controller, remove backups, and revoke any access credentials, except where retention is required by EU or national law or by a court order. Where such retention is required, the Data Processor may retain the personal data without carrying out any other processing of it and shall remain bound by the confidentiality obligations.


The Data Controller remains ultimately responsible for deletion or retention of personal data and must ensure that necessary copies are retained if required after termination.


Limitation of Liability


The Service Provider shall not be liable to the Data Controller for any breaches, indirect or consequential damages, or claims from third parties. Liability limitations in the Service Provider’s general terms shall apply.