Data Processing Agreement (DPA)

This DPA sets out data processing terms between SCS Hosts and a customer where UK GDPR requires processor terms.

1. Parties and Roles

When SCS Hosts processes customer content or personal data solely on a customer's instructions as part of hosted or managed services, SCS Hosts acts as a processor and the customer acts as controller.

For SCS Hosts' own account management, billing, service administration, and domain administration records, SCS Hosts acts as an independent controller.

2. Subject Matter, Duration, Nature, and Purpose

Subject matter: processing needed to deliver contracted services and support.

Duration: for the term of the services, plus any period required for lawful winding-down, security, and legal compliance.

Nature and purpose: hosting, storage, transmission, support, security operations, and related administrative processing on behalf of the customer.

3. Types of Data and Categories of Data Subjects

Depending on customer use, processing may include:

• Data subjects: customer personnel, authorised users, and end-users.
• Data types: identity/contact data, account identifiers, service usage and support data, and other data submitted by the customer through the services.

4. Documented Instructions

Where SCS Hosts acts as processor, we process personal data only on documented instructions from the controller, unless required to do otherwise by law.

5. Confidentiality

SCS Hosts ensures that persons authorised to process personal data are bound by confidentiality obligations.

6. Security Measures

SCS Hosts applies appropriate technical and organisational security measures, including access controls, least-privilege practices, encryption where appropriate, logging, backup controls, and incident response procedures.

7. Sub-processors

The customer gives general authorisation for SCS Hosts to engage sub-processors where reasonably required to deliver services. SCS Hosts will maintain an appropriate notice mechanism for material sub-processor changes.

SCS Hosts remains responsible for ensuring sub-processors are bound by contractual obligations equivalent to applicable data protection requirements.

8. Assistance to the Controller

Taking into account the nature of processing, SCS Hosts will provide reasonable assistance to help the controller respond to data subject requests and meet applicable data protection obligations.

9. Personal Data Breach Notification

Where SCS Hosts acts as processor and becomes aware of a personal data breach affecting controller data, we will notify the controller without undue delay and, in any event, as soon as reasonably practicable.

10. Deletion or Return of Data

At the end of services, SCS Hosts will, on request and subject to legal obligations, return or securely delete personal data processed on behalf of the controller.

11. Audit and Information Rights

SCS Hosts will make available reasonable information necessary to demonstrate compliance with these processor obligations, subject to confidentiality, proportionality, and security safeguards.

12. International Transfers

Where processing involves transfers outside the UK, SCS Hosts will implement appropriate safeguards such as UK adequacy regulations or approved contractual protections, where required.