This is the current published policy (updated June 5, 2026). See all policies in our Legal Center.
Adaptive Web Hosting — Data Processing Agreement (DPA)
Effective Date: January 1, 2025
Last Updated: June 5, 2026
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between Adaptive Web Hosting ("Adaptive," "Processor," "we," "us," or "our") and the customer ("Customer," "Controller," "you"), and applies where Adaptive processes Personal Data on your behalf in the course of providing the Services. Capitalized terms not defined here have the meaning given in our Terms & Conditions or in applicable data protection law, including the EU and UK General Data Protection Regulation ("GDPR").
> In short: When we host data on your behalf, you are the controller and we are the processor. We process your data only on your instructions, keep it secure, help you meet your obligations, and return or delete it when the Services end.
1. Roles of the Parties
1.1 For Personal Data you upload, store, or process through the Services, you are the Controller and Adaptive is the Processor.
1.2 For limited Personal Data we collect to operate our business (such as your account and billing information), Adaptive acts as a Controller; that processing is described in our Privacy & Cookie Policy.
2. Scope and Purpose of Processing
2.1 Subject matter: the provision of web hosting, email, database, domain, and related Services.
2.2 Duration: for the term of the Services and until data is returned or deleted under Section 9.
2.3 Nature and purpose: hosting, storage, transmission, backup, and processing of Customer data as necessary to provide the Services.
2.4 Types of Personal Data and categories of data subjects: as determined and controlled by you through your use of the Services.
3. Processor Obligations
We will:
- Process Personal Data only on your documented instructions, including the Terms & Conditions and your use of the Services, unless required by law (in which case we will inform you where legally permitted)
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Section 5)
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and data-protection-impact-assessment obligations
- Make available information reasonably necessary to demonstrate compliance with this DPA
4. Sub-processors
4.1 You authorize Adaptive to engage sub-processors to provide the Services, including our data-center and infrastructure provider (Amazon Web Services, United States — Northern Virginia region).
4.2 We impose data-protection obligations on sub-processors that are no less protective than those in this DPA, and we remain responsible for their performance.
4.3 We will inform you of intended changes to our sub-processors and give you the opportunity to object on reasonable data-protection grounds.
5. Security
We maintain appropriate technical and organizational measures designed to protect Personal Data, including access controls, encryption in transit, network protection (DDoS mitigation and a Web Application Firewall), and regular backups. You remain responsible for securing your own applications, credentials, and configurations.
6. Personal Data Breach
We will notify you without undue delay after becoming aware of a Personal Data breach affecting your data, and will provide information reasonably available to help you meet your own notification obligations.
7. Data-Subject Requests
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to fulfil your obligation to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will refer the individual to you.
8. International Transfers
Where Personal Data originating in the EEA, the UK, or Switzerland is transferred to a country without an adequacy decision, such transfers are made subject to appropriate safeguards, including the applicable Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference.
9. Return and Deletion of Data
On termination or expiration of the Services, and at your choice, we will return or delete the Personal Data we process on your behalf, except where retention is required by law. Residual copies held in routine backups are deleted in the ordinary course of our backup rotation.
10. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, subject to confidentiality and to reasonable notice, scope, and frequency.
11. Liability and Order of Precedence
Liability under this DPA is subject to the limitations set out in the Terms & Conditions. In the event of a conflict between this DPA and the Terms & Conditions regarding the processing of Personal Data, this DPA controls.
12. Contact
For data-protection matters, or to put a countersigned DPA in place, open a support ticket from your client area at cp.adaptivewebhosting.com, or email [email protected] as a last resort.
