Data Processing Addendum (DPA)
Effective Date: May 2025
Introduction
This Data Processing Addendum (“DPA”) forms an integral part of the SmartHost Terms and Conditions of Service (“T&Cs”) and is entered into between SmartHost Web Services Limited (“SmartHost,” “the Processor”) and you (“Customer,” “the Controller”).
This DPA is mandatory for all business customers who use SmartHost’s Services to process personal data on behalf of third parties. It is designed to ensure compliance with Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws. This document defines the roles, responsibilities, and obligations of both the Customer, acting as the Data Controller, and SmartHost, acting as the Data Processor, concerning the processing of personal data.
1. Definitions
1.1. The terms “Personal Data,” “Data Controller,” “Data Processor,” “Data Subject,” “Processing,” and “Personal Data Breach” shall have the meanings ascribed to them in the GDPR.
1.2. Customer Data: Refers to any Personal Data that the Customer, or its end-users, uploads, stores, processes, or transmits through the Services provided by SmartHost. The Customer is the Data Controller of this data.
1.3. Account Data: Refers to the personal information SmartHost collects about the Customer to manage their account, such as name, email address, payment details, and IP addresses. SmartHost is the Data Controller for this data.
2. Scope and Details of Processing
2.1. Subject Matter: The subject matter of the data processing under this DPA is the Customer Data provided by the Controller.
2.2. Duration: The processing will continue for the duration of the service agreement between the Customer and SmartHost, and until the data is deleted or returned in accordance with this DPA.
2.3. Nature and Purpose of Processing: SmartHost will process Customer Data for the sole purpose of providing the Services purchased by the Customer. This includes, but is not limited to, web hosting, email hosting, database management, and other related digital infrastructure services necessary to store, manage, and deliver the Customer’s Content.
2.4. Categories of Data Subjects: The Data Subjects are determined by the Customer in its capacity as Data Controller and may include the Customer’s own customers, employees, website visitors, subscribers, or other end-users.
2.5. Types of Personal Data: The types of Personal Data processed are determined and controlled by the Customer. This may include, but is not limited to, names, email addresses, phone numbers, transactional data, images, database entries, and any other personal information that the Customer chooses to store on SmartHost’s systems.
3. Roles and Obligations
3.1. Processor’s Obligations (SmartHost):
As the Data Processor, SmartHost shall:
- Process Customer Data only on the documented instructions of the Customer (the Controller), unless required to do so by Union or Member State law.
- Ensure that all SmartHost personnel authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain the technical and organisational security measures outlined in Section 4 and Appendix A of this DPA.
- Respect the conditions for engaging another processor (sub-processor) as described in Section 5.
- Assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights.
- Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security of processing, notification of a Personal Data Breach to the supervisory authority and to Data Subjects, Data Protection Impact Assessments, and prior consultation).
- Upon termination of the Services, at the choice of the Customer, delete or return all Customer Data to the Customer, in accordance with the procedures detailed in Appendix A.
- Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 8.
3.2. Controller’s Obligations (Customer):
As the Data Controller, the Customer warrants that:
- It has complied, and will continue to comply, with all applicable data protection laws in its use of the Services and its own processing of Customer Data.
- It is solely responsible for the accuracy, quality, and legality of the Customer Data and how it acquired this data.
- It has provided all necessary notices and obtained all necessary consents from Data Subjects for the lawful processing of Customer Data.
- It is solely responsible for implementing suitable encryption and protection for any confidential data stored at rest on SmartHost’s servers.
The Customer agrees not to process special categories of personal data (Article 9 GDPR) on the Services unless it has a valid legal basis for doing so and has informed SmartHost in writing in advance.
4. Security Measures
SmartHost implements and maintains robust technical and organisational security measures to protect Customer Data. These measures include:
- Encryption in Transit: Data transferred to and from SmartHost’s systems is encrypted in transit using current TLS standards. Free TLS (SSL) certificates are provided to customers to encrypt traffic between their website and its visitors; the Customer is responsible for installing and correctly configuring the certificate (for example, serving the site over HTTPS rather than plain HTTP).
- Physical and Network Security: Customer Data is stored on servers in secure data centres with restricted physical access. The hosting network is protected by firewalls and continuous monitoring.
- Access Controls: SmartHost enforces strict access controls on its own systems. Customer account passwords must meet minimum strength requirements and are stored in hashed (one-way) form, never as plaintext. Customers are strongly recommended to enable two-factor authentication (2FA) on their accounts.
- System Integrity: SmartHost conducts regular technical compliance reviews, including vulnerability assessments, on its information systems.
Specific technical and organisational measures as they apply to different services are detailed in Appendix A.
5. Sub-Processors
5.1. The Customer acknowledges and agrees that SmartHost may engage third-party sub-processors in connection with the provision of the Services. SmartHost has entered into written agreements with each sub-processor containing data protection obligations no less protective than those in this DPA.
5.2. SmartHost currently uses sub-processors for functions such as payment processing and domain registration. A current list of sub-processors is available upon request.
5.3. SmartHost will notify the Customer of any intended addition or replacement of a sub-processor. The Customer may object by providing written notice within 7 days of that notification. If no resolution is reached, the Customer may terminate the affected service without penalty.
6. Data Breach Notification
In the event of a Personal Data Breach affecting Customer Data, SmartHost will notify the Customer without undue delay after becoming aware of the breach. This notification will, at a minimum, describe the nature of the breach, the likely consequences, and the measures taken or proposed to be taken to address it.
7. International Data Transfers
SmartHost processes and stores all Customer Data within the European Economic Area (EEA). SmartHost will not transfer Customer Data outside the EEA without implementing appropriate safeguards under Chapter V of the GDPR, unless required to do so by Union or Member State law.
8. Audits
8.1. SmartHost shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.
8.2. On reasonable notice and subject to appropriate confidentiality, the Customer may audit SmartHost’s compliance through a third-party auditor once per year, at the Customer’s expense, provided it does not disrupt SmartHost’s normal operations.
9. General Terms
9.1. Conflict: In the event of a conflict between this DPA and any other policy or agreement between the parties, the terms of this DPA shall prevail with regard to the subject matter of data processing.
9.2. Governing Law: This DPA and any disputes arising from it shall be governed by and construed in accordance with the laws of Ireland.
9.3. Amendments: SmartHost reserves the right to update or modify this DPA from time to time. SmartHost will provide reasonable notice for significant changes. Your continued use of the Services after such notice constitutes your acceptance of the updated DPA.
Appendix A: Technical and Organisational Measures
This appendix details specific security measures and responsibilities as they apply to different SmartHost services.
A.1 Shared Hosting Services
- Access Control: SmartHost maintains full administrator (root) access to the server infrastructure. The Customer is provided with control panel access to manage their own website files, databases, and email accounts. The Customer is responsible for managing credentials for any user accounts they create.
- Security Patching: SmartHost is responsible for applying necessary security patches to the shared server’s operating system and core service software. The Customer is responsible for keeping their own website applications, plugins, and scripts up to date.
- Data Backups: SmartHost provides courtesy daily backups for Shared Hosting accounts. These backups are provided without warranty, and the Customer remains solely responsible for maintaining their own independent backups of their Content.
- Data Deletion on Termination: Upon service termination, all Customer Data residing on the shared hosting account (website files, databases, emails) will be permanently deleted from the live system. Data within the courtesy backup system will be deleted in accordance with the backup rotation schedule, typically within 30-90 days.
A.2 Virtual Private Server (VPS) Hosting
- Access Control: The Customer is provided with administrator (root) access to their VPS instance and is solely responsible for all activities conducted with this level of access. SmartHost personnel will only access the Customer’s VPS with their explicit permission for support purposes.
- Security Patching: The Customer is solely responsible for all security management, including patching the operating system and any installed software.
- Data Backups: SmartHost does not provide backups for VPS environments unless a specific backup service is purchased as an add-on. The Customer is solely responsible for implementing and maintaining their own data backup strategy.
- Data Deletion on Termination: Upon service termination, the entire VPS instance, including all attached disks and data, is destroyed. The underlying storage blocks are securely wiped, so that the previous contents cannot be recovered, before being returned to the shared resource pool.
A.3 Email Services
- Access Control: The Customer is responsible for creating and managing individual email accounts and their passwords.
- Security Measures: SmartHost provides robust anti-spam and anti-virus filtering for all email services.
- Data Backups: Email data on shared hosting platforms is included in the courtesy daily backups. However, the Customer is ultimately responsible for securing and backing up critical email data.
- Data Deletion on Termination: Upon termination of the hosting service, all associated email accounts and their contents are permanently deleted from the mail server. Independently of termination, inactive webmail accounts (those with no login or mail activity for 180 consecutive days) may be permanently deleted.
A.4 Hardware Lifecycle Management
- Failed Disks: When a disk fails, SmartHost personnel securely and permanently disable the faulty drive on-site, then physically remove it for destruction and disposal so that the data it held cannot be recovered.