Data Processor Agreement

By using the services, you (“Data Controller”) accept the following terms and conditions.

1.        Definitions. The following terms have the respective meanings set forth below:

“Data Controller” means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.

“Data Processor” shall refer to in its role processing personal data on behalf of the Data Controller.

“Data Subject” means any identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Description of Processing” includes Data Controller’s written description of the subject matter of processing; duration of processing; nature and purpose of processing; type of Personal Data to be processed; categories of Data Subjects about which the data relates; and instructions regarding how Personal Data is to be processed by The Description of Processing may be included in any proposal, SOW, project plan, or supplemental exhibit.

“GDPR” shall refer to The European Parliament and the Council’s Regulation 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data. The GDPR shall not be applicable until and after May 25, 2018.

“Instructions” shall be Data Controller’s written instructions directing to process Personal Information identified in the Description of Processing.

“Personal Data” includes any information relating to an identified or identifiable natural person, or Data Subject, and that is identified in Data Controller’s Description of Processing.

“Privacy Shield Framework” shall refer to the voluntary certification program located at

2.         Documented Instructions. shall only act and process Personal Data in accordance with documented instructions from the Data Controller. Instructions shall be included within the Description of Processing provided by Data Controller.  

3.         Confidentiality. shall treat all Personal Data as strictly confidential information. Personal Data may not be copied, transferred, or otherwise processed in conflict with the Instructions, unless the Data Controller has agreed to the change in writing. employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat the Personal Data covered under this Agreement with strict confidentiality.

4.         Security

  1. shall maintain appropriate technical and organizational measures to keep its PCI DSS certification in good standing. shall also maintain its Privacy Shield certification for as long as legally required.

  2. shall ensure that access to the Personal Data is restricted to only the employees to whom it is necessary and relevant to process the Personal Data in order for to perform its obligations under the Agreement.

  3. Upon receipt of a non-disclosure agreement executed by the parties, shall make the results from its most recent PCI DSS audit available to the Data Controller.

5.         Third Party Sub-Processors

  1. is given general authorization to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that notifies the Data Controller in writing about the identity of a potential Sub-Processor before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice in writing within five (5) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor.

  2. In the event enters into an agreement with a Sub-Processor, the agreement shall provide the same data protection obligations as the ones applicable to, including the obligations under this Agreement. shall on an ongoing basis monitor and control its Sub-Processor’s compliance with the Applicable Law.

  3. shall be accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

6.         Responding to Data Subjects

  1. If the Data Controller receives a request from a Data Subject for the exercise of the Data Subject’s rights and the correct and legitimate reply to such a request necessitates’s assistance, shall assist the Data Controller by providing the necessary information and documentation within a reasonable period of time after receiving such a request in writing. The Data Controller shall compensate based on time spent to perform these obligations at’s established hourly rate.

  2. If receives a request from a data subject for the exercise of the data subject’s rights and such request is related to the Personal Data of the Data Controller, shall immediately forward the request to the Data Controller and shall refrain from responding to the person directly.

7.         Personal Data Breaches

  1. shall give notice within forty-eight (48) hours to the Data Controller if a breach of the data security occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed of the Personal Data processed on behalf of the Data Controller (“Personal Data Breach”).

  2. shall have and maintain a register of all Personal Data Breaches. The register shall include the following:

    1. A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of Personal Data.

    2. A description of likely and actual consequences of the Personal Data Breach.

    3. A description of the measures that has taken or proposes to take to address the Personal Data Breach, including measures taken to mitigate its adverse effects.

8.         Data Protection Impact Assessment (“DPIA”). If’s assistance is necessary and relevant, then shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36. The Data Controller shall compensate based on time spent to perform these obligations at’s established hourly rate.

9.         Return and Deletion of Personal Data. shall return Personal Data to Data Controller and, to the extent allowed by applicable law, delete Personal Data in accordance with the procedures and time frames specified in Data Controller’s Description of Processing.

10.       Cross-border Transfers. The Personal Data is only processed by at its hosting locations within the United States.

11.       Term and Termination. This Agreement shall commence on the effective date and continue for as long as there is a valid Proposal, SOW, or Hosting Agreement in effect.’s authorization to process Personal Data on behalf of the Data Controller shall be terminated upon termination of this Agreement. At the termination of this Agreement, and its Sub-Processors shall return the Personal Data processed under this Agreement to the Data Controller, provided that the Data Controller is not already in possession of the Personal Data. is thereafter obliged to delete all the Personal Data and provide documentation for such deletion to the Data Controller.

12.       Notices. Any notice required or authorized to be given by this Agreement shall be sent to the parties hereto at their respective addresses on the signature page to this Agreement, which address may be changed from time to time by delivery of written notice to the other party hereto. Delivery of notice shall be considered valid and effective: (a) when delivered by hand (with written confirmation of receipt); (b) when received by the addressee if sent by a nationally recognized overnight courier (receipt requested); or (c) on the third day after the date mailed, by certified or registered mail, return receipt requested, postage prepaid.

13.       Force Majeure. Neither party hereto shall be liable for any default or delay in the performance of any of its obligations under this Agreement (other than failure to make payments when due) if such default or delay is caused, directly or indirectly, by forces beyond such party’s reasonable control, including without limitation, fire, flood, acts of God, labor disputes, accidents, acts of war or terrorism, interruptions of transportation or communications, supply shortages or the failure of any third party to perform any commitment relative to the production or delivery of any equipment or material required for such party to perform the obligations hereunder. The delayed party shall, however, make all reasonable efforts to remove or eliminate such a cause of delay or default and shall, upon the cessation of the cause, diligently pursue performance of its obligation under this Agreement.

14.       Entire Agreement. This Agreement, together with all schedules, exhibits and SOWs and any other documents incorporated herein by reference, constitutes the sole and entire agreement of the parties to this Agreement with respect to the subject matter contained herein, and supersedes all prior and contemporaneous understandings, agreements, proposals, negotiations, representations or communications, in each case, both written and oral, with respect to such subject matter. Each of the parties acknowledges and agrees that it has not been induced to enter into this Agreement by any representations or promises not specifically stated herein.

15.       Miscellaneous.

  1. This Agreement may only be amended, modified or supplemented by an agreement in writing signed by each party hereto. No waiver by any party of any of the provisions hereof shall be effective unless explicitly set forth in writing and signed by the party so waiving. Except as otherwise set forth in this Agreement, no failure to exercise, or delay in exercising, any rights, remedy, power or privilege arising from this Agreement shall operate or be construed as a waiver thereof; nor shall any single or partial exercise of any right, remedy, power or privilege hereunder preclude any other or further exercise thereof or the exercise of any other right, remedy, power or privilege.

  2. Neither party hereto may assign, transfer or delegate any or all of its rights or obligations under this Agreement, without the prior written consent of the other party; provided, that, upon prior written notice to the other party, either party may assign the Agreement to a successor of all or substantially all of the assets of such party through merger, reorganization, consolidation or acquisition. No assignment shall relieve the assigning party of any of its obligations hereunder. Any attempted assignment, transfer or other conveyance in violation of the foregoing shall be null and void. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their respective successors and permitted assigns.

  3. This Agreement is for the sole benefit of the parties hereto and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or shall confer upon any other person or entity any legal or equitable right, benefit or remedy of any nature whatsoever, under or by reason of this Agreement.

  4. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. A signed copy of this Agreement delivered by e-mail or other means of electronic transmission shall be deemed to have the same legal effect as delivery of an original signed copy of this Agreement.

  5. Each party hereto shall, upon the reasonable request and at the sole cost and expense of the other party, execute such documents and perform such acts as may be necessary to give full effect to the terms of this Agreement.

  6. The headings in this Agreement are for reference only and shall not affect the interpretation of this Agreement.

GDPR Frequently Asked Questions

1. What processes do you have in place to achieve GDPR compliance in time for the deadline?

As your data processor, has implemented the following steps towards meeting its own obligations under the GDPR:

  • has been a Visa/MasterCard PCI-compliant service provider since 2007, which overlaps with GDPR security requirements.

  • has created a process for removing data when a customer/prospect requests that their data be forgotten.

  • has reviewed its incident response policy/process to make sure it meets GDPR compliance requirements.

  • has reviewed its privacy policy to make sure it meets GDPR compliance requirements.

  • has appointed a Data Protection Officer.

As a data controller, the GDPR makes you responsible for determining how data is collected and used on your site. If you require assistance in this area, can provide auditing services to identify the following:

  • Entry points on the site where client information is collected which may potentially require additional user consent.

  • Review usage of cookies on the site.

  • Strategic places where you may wish to add a “Right to be Forgotten” form on the web site.

  • Additional functionality that will make it easier for your admins to locate and remove end-user data within your admin section/content management system (CMS).

  • Review storage of personal data and possible encryption of that data. Encryption of personal information is not required for GDPR compliance, but it is one of the best ways to minimize the damage if a security breach were to happen on your site.

2. Does your organization have a dedicated security team?

Yes, has a dedicated security team. has been hosting sites for over 20 years. We host over 3,000 sites in a wide variety of industries, from small and mid-sized businesses to Fortune 500 companies. We are compliant with PCI (Payment Card Industry) as a level one service provider. This is the highest level of compliance. The PCI DSS (Data Security Standard) is a single security standard comprised of the cardholder security programs from the five major credit card companies. The standard was created to protect customers from increasing identity theft and security breaches. In 2007, became one of the first ten data centers in the world to achieve PCI compliance in managed hosting. We have continued the program for over 10 years and integrated it into our daily/weekly/quarterly/annual security operation processes. We are validated by a Visa-approved auditor who performs a one week on-site audit on an annual basis.

We also have experience in hosting sites to meet other areas of compliance such as FISMA and HIPAA. In 2009, we passed a series of extensive federal background checks to receive top-secret clearance for our data centers to host the site.

3. What is your security strategy and how is it prioritized?

Our security framework is built around the Visa/MasterCard PCI requirements. We secure our sites to meet those stringent requirements, regardless of credit card use.

The following is a list of security measures that we have built into our managed hosting services:

  1. Physical Security – Biometric thumbprint scanners and closed circuit cameras at both data centers.

  2. Documentation – developed a set of documented server builds in place that meet PCI requirements. These are hardened builds which means that disable unnecessary services, remove default installation set-ups that come as part of Windows, reset default passwords, etc.

  3. Intrusion Detection System – utilizes the SNORT intrusion detection system that logs all suspicious requests and sends real time alerts. The IDS rules are automatically updated on a regular basis through an automatic download system.

  4. Anti-Virus Software – Microsoft Forefront software is installed in all servers and workstations. Virus definitions are manually and automatically updated on a daily basis.

  5. Host-based Intrusion Detection System (HIDS) – OSSEC HIDS is installed in all servers to perform log analysis, file integrity checking, Windows registry monitoring, rootkit detection, and real-time alerting.

  6. Installation of Security Patches – We use Microsoft Windows Server Update Services (WSUS) in order to keep all servers and workstations updated with the latest patches. Our Microsoft security patch process is centered around "Patch Tuesday" (second Tuesday of each month when Microsoft traditionally releases new patches). We patch our development and staging servers early Wednesday morning and testing is done throughout the day on Wednesday. If no problems are found on development/staging servers, then we schedule the patches to be applied to your servers overnight (e.g. 2-3 a.m.). A similar procedure is followed for out-of-cycle patches released by Microsoft. We have a similar set-up for Linux/open source software updates. Along with the Microsoft patches, is signed up to receive notifications of new software patches/updates from all its software vendors. As a catch-all, is also subscribed to weekly bulletins from organizations like SANS, which outline all newly reported software vulnerabilities.

  7. PCI Framework –’s PCI framework includes a centralized log server where all events within the network are sent. This includes all Windows event logs, IIS web server logs, SQL Server logs, secure FTP, firewall logs, load-balancer logs, etc.

  8. Security Certificates – We utilize SSL (secured socket layer, 128-bit encryption with TLS 1.2) technology with any high-security site, and we will work with you to ensure the proper security certificates are in place for your site. This security certificate will also encrypt transmitted data from specified pages in the site. This level of security is especially important with any site that includes financial transactions.

  9. Security Consultants - employs two highly experienced Security Consultants who have worked on projects involving the top levels of the federal government, including the White House and the home network set-up of Alan Greenspan (former Federal Reserve Chairman).

  10. Security Knowledge – We stay informed about security incidents and recent vulnerabilities by subscribing to bulletins from the SANS Institute, Cisco, Juniper, VMware, and Microsoft.

  11. Tiered Access – We can design your system with tiered security access and user groupings.

    • Data input operators have the ability to retrieve and input data on to the custom forms.

    • Administrators can view a different set of data, including standard and custom reports.

    • Managers and executives can have full access to data and reports.

    • A separate set of accounts is available to web site administrators.

  12. Commitment – While cannot guarantee your site 100%, our commitment to you is to employ the necessary resources, technologies, and proven methods to ensure the protection of your information.

4. What are your security policies?

We have dozens of security policy documents spanning hundreds of pages that make up our Security Policy. This includes policies for access control, change management, data handling, software development, physical security, incident response, etc.

5. What are your data protection policies for customer data?

Customer data is stored in a PCI-compliant environment. Sensitive data in transit is protected by industry standard encryption (TLS 1.2). Customer data is protected behind a set of managed external firewalls and internal SQL firewalls. An IDS system is in place to identify malicious activity on the network. All servers are built according to our server build best practices and standards. A host-based intrusion detection system and antivirus software are installed and regularly updated on all production servers. Centralized logging is in place for forensic analysis and troubleshooting. All changes to production systems go through a change request process. We have a centralized system for deploying monthly updates and security patches.

6. For how long do you store customer data?

As the data controller, it is your decision on how long you would like to host your data. We will comply with any processing instructions that you supply.

7. What process do you have in place to notify customers or prospects when the intended use of their data changes?

As the data controller, it is your decision on the intended use of this data. will only process and use data as directed by you.

8. How do you obtain and document expressed permission to store people’s personal data?

As the data controller, you are required to obtain and document expressed permission to store your end-users’ personal data. can help provide guidance for your web site, but these requirements go beyond your web site to your entire business.

9. Do you have an appointed Data Protection Officer?

Yes. Ryan McElrath is the Data Protection Officer. Ryan has worked with since 1995 and also serves as the Chief Security Officer.

10. Do your systems undergo regular penetration testing?

Yes, our systems undergo yearly penetration tests performed by an outside security consultant.

11. What are your access control policies for both customer and internal data?

Our Access Control Policy provides details on how resources, including customer and internal data, will be protected from unauthorized access using standard based access control mechanisms.

12. Where is your data physically stored?

Data is stored in two places: our primary datacenter in Chicago, Illinois, and our backup datacenter in Kenosha, Wisconsin.

13. Who has access to your data facilities?

Only select employees have physical access to our data facilities. All data facilities require two-factor, biometric authentication to enter the building.

14. What are the terms of ownership over your data?

is considered a data collector that does NOT OWN OR LICENSE nonpublic personal information. Its customers are considered data collectors that DO OWN AND LICENSE nonpublic personal information.

15. What is your formal procedure for reporting out on data leaks?

As the data controller, you are responsible for notifying your end-users in the event of a breach or data leak. If there were a breach on your web site, would activate our incident response plan and assist you with this process.

16. What internal processes do you have for taking action in the event of a security violation?

would activate its incident response plan.

17. Is your security team able to discover and identify personal data, even when not stored together with other identifiers?

As the data controller, it is your responsibility to discover and identify personal data. If you need assistance, offers auditing services that can help you.

18. How does your organization handle instances when customers or prospects request their data be removed from your system(s)?

has a documented process for removing data when customers/prospects request their data be removed from our system. This includes the removal of customer data from our hosting environment and from our internal systems such as our corporate intranet, accounting system, and file servers.

19. What third party organizations do you work with that may also have access to the data we share with you?

does not work with any third parties that would have access to your end-user data.

20. How often do you implement vulnerability scans?

We perform quarterly internal and external vulnerability scans against our network.