Data Processing Agreement

This Data Processing Agreement governs the processing of personal data by True Registrar on behalf of our clients, in compliance with Article 28 of the General Data Protection Regulation (GDPR).

Last updated: February 12, 2026

1 Introduction

1.1 Purpose

This Data Processing Agreement ("DPA") supplements and forms an integral part of the True Registrar Terms of Service ("Agreement") between the Client and True Registrar. This DPA sets out the terms and conditions under which True Registrar processes personal data on behalf of the Client in the course of providing its services, in accordance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch Implementation Act for the GDPR (Uitvoeringswet AVG).

In the context of this DPA, the Client acts as the Controller (or, where applicable, as a processor on behalf of another controller) and True Registrar acts as the Processor. Where True Registrar processes personal data for its own purposes (e.g., account management, billing), it acts as an independent controller, as described in our Privacy Policy.

1.2 Definitions

Unless otherwise defined herein, capitalized terms have the meanings assigned to them in the GDPR or the Terms of Service. The terms "personal data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given to them in Article 4 of the GDPR.

1.3 Legal Entity Information

Processor: True Registrar | Statutory Name: PeaceWeb B.V.

Registered Address: Hedikhuizerweg 7F, 5222 BC 's-Hertogenbosch, Netherlands

Chamber of Commerce (KvK): 88526461

VAT Number (BTW): NL864668788B01

Privacy Contact: privacy{{ $domain }}

Legal Contact: legal{{ $domain }}

2 Scope of Processing

2.1 Processing Activities

The Processor processes personal data on behalf of the Controller in connection with the following services:

  • Domain Registration and Management: Registration, renewal, transfer, and administration of domain names, including transmission of registration data to applicable registries and ICANN.
  • DNS Hosting: Authoritative DNS hosting, DNS record management, and DNSSEC services.
  • Web Hosting: Shared and managed web hosting, including storage, email hosting, and database hosting.
  • VPS Provisioning: Virtual Private Server provisioning, management, and maintenance of underlying infrastructure.
  • SSL Certificate Management: Issuance, renewal, and management of SSL/TLS certificates.
  • Billing and Invoicing: Processing of payment references, invoice generation, and financial record keeping.
  • Customer Support: Handling of support requests, technical assistance, and account inquiries.

2.2 Categories of Data Subjects

The personal data processed under this DPA may relate to the following categories of data subjects:

  • The Controller's employees, contractors, and authorized representatives
  • The Controller's business contacts and domain registrant contacts
  • The Controller's end-users and customers
  • Visitors to websites hosted on the Controller's hosting or VPS services

2.3 Categories of Personal Data

The following categories of personal data may be processed under this DPA:

  • Contact Details: Names, email addresses, telephone numbers, physical addresses, and organization names.
  • Domain Registration Data (WHOIS): Registrant, administrative, technical, and billing contact information as required by ICANN and applicable registry policies.
  • Hosting Content: Any personal data contained in files, databases, emails, and other content stored on the Controller's hosting or VPS services.
  • Technical Logs: IP addresses, access logs, error logs, DNS query logs, and other technical metadata generated in the course of service provision.
  • Payment References: Transaction identifiers, invoice references, and billing metadata (full payment card data is processed by third-party payment processors and is not stored by True Registrar).
  • Support Communications: Content of support tickets, email correspondence, and any personal data provided by the Controller or its data subjects during support interactions.

2.4 Nature of Processing

The nature of the processing includes the storage, hosting, transmission, backup, and retrieval of personal data, as well as the registration of domain names with applicable registries. Processing is carried out by automated means and is limited to what is necessary for the provision of the services described in the Terms of Service.

3 Processor Obligations

In accordance with Article 28(3) of the GDPR, the Processor undertakes the following obligations:

3.1 Processing on Documented Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are documented in this DPA, the Terms of Service, and any subsequent written instructions provided by the Controller.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All True Registrar employees and contractors with access to personal data are bound by non-disclosure agreements and are required to comply with our internal data protection policies.

3.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. The specific security measures implemented by the Processor are described in Section 4 of this DPA.

3.4 Sub-Processors

The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. The conditions for engaging sub-processors are set forth in Section 5 of this DPA. Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA on that sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.

3.5 Assistance with Data Subject Rights

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (Articles 15–22). The specific arrangements for this assistance are described in Section 7 of this DPA.

3.6 Assistance with DPIA and Prior Consultation

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with data protection impact assessments (DPIAs) and prior consultation with the supervisory authority where required.

3.7 Deletion and Return of Data

At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data. The specific terms for data return and deletion are set forth in Section 10 of this DPA.

3.8 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The specific terms for audits are set forth in Section 9 of this DPA.

Notification of Unlawful Instructions

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions. The Processor is not required to assess the lawfulness of the Controller's instructions but will flag any instructions that appear to conflict with applicable data protection law.

4 Security Measures

In accordance with Article 32 of the GDPR, the Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk:

4.1 Encryption

  • In Transit: All data transmitted between clients and our infrastructure is encrypted using TLS 1.3. Internal service-to-service communication is encrypted using mutual TLS (mTLS) where applicable.
  • At Rest: Sensitive data stored on our systems is encrypted using AES-256 encryption. Full-disk encryption is enabled on all production servers and storage volumes.

4.2 Access Control

  • Role-Based Access Control (RBAC): Access to personal data is restricted to authorized personnel on a need-to-know basis, using role-based access control policies.
  • Multi-Factor Authentication (MFA): MFA is enforced for all administrative access to production systems, databases, and management interfaces.
  • Principle of Least Privilege: Access rights are granted based on the minimum level of access required to perform job functions and are reviewed regularly.

4.3 Infrastructure Security

  • Data Centers: All primary infrastructure is hosted in Tier III+ data centers located within the European Union (Netherlands). Data centers maintain ISO 27001 certification and SOC 2 Type II compliance.
  • Physical Security: Data centers employ 24/7 on-site security, biometric access controls, CCTV surveillance, mantrap entry systems, and visitor logging.
  • Redundancy: Redundant power supplies (N+1 UPS, diesel generators), redundant cooling systems, and redundant network connectivity ensure high availability.

4.4 Monitoring and Detection

  • 24/7 Monitoring: Continuous infrastructure monitoring with automated alerting for anomalies, performance degradation, and security events.
  • Intrusion Detection: Network-based and host-based intrusion detection systems (IDS/IPS) are deployed to detect and respond to potential security threats.
  • Log Management: Centralized log collection and analysis for security event correlation and forensic investigation capabilities.

4.5 Security Testing

  • Penetration Testing: Annual penetration testing is conducted by qualified independent third parties to identify and remediate vulnerabilities.
  • Vulnerability Scanning: Regular automated vulnerability scanning of all internet-facing systems and internal infrastructure.
  • Patch Management: Timely application of security patches and updates to operating systems, applications, and dependencies.

4.6 Personnel Security

  • Background Checks: Background verification is conducted for all employees and contractors with access to personal data or production systems.
  • Security Training: Mandatory security awareness training is provided to all personnel upon onboarding and on an annual basis, covering data protection, phishing awareness, and incident response procedures.
  • Non-Disclosure Agreements: All employees and contractors are bound by non-disclosure agreements covering personal data and confidential information.

4.7 Incident Response

  • Documented Procedures: A formal incident response plan is maintained, covering identification, containment, eradication, recovery, and post-incident review.
  • Regular Testing: Incident response procedures are tested regularly through tabletop exercises and simulated incident scenarios.
  • Escalation Paths: Defined escalation paths ensure that security incidents are promptly reported to appropriate personnel and, where applicable, to affected controllers.

5 Sub-Processors

5.1 General Authorization

The Controller provides general written authorization for the Processor to engage sub-processors for the provision of the services described in this DPA. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) of the GDPR.

5.2 Current Sub-Processors

The following sub-processors are currently engaged by the Processor:

Datacenter Providers

Purpose: Infrastructure hosting, physical server colocation, and network connectivity.

Location: European Union (Netherlands).

Safeguards: No international transfer. ISO 27001 certified facilities.

Stripe

Purpose: Payment processing, credit card transactions, and subscription billing.

Location: United States.

Safeguards: EU Standard Contractual Clauses (SCCs). PCI DSS Level 1 certified.

Mollie

Purpose: Payment processing, iDEAL, Bancontact, and European payment methods.

Location: Netherlands (EU).

Safeguards: No international transfer required. PCI DSS certified.

PostHog

Purpose: Product analytics and platform usage insights.

Location: European Union.

Safeguards: No international transfer required. EU-hosted instance.

Front

Purpose: Customer support and communication management platform.

Location: United States.

Safeguards: EU Standard Contractual Clauses (SCCs). SOC 2 Type II certified.

Cloudflare

Purpose: Content delivery network (CDN), DDoS protection, DNS resolution, and web application firewall.

Location: Global network (data processed primarily in EU).

Safeguards: EU Standard Contractual Clauses (SCCs). ISO 27001 certified.

Domain Registries

Purpose: Domain name registration, renewal, and transfer processing as required by ICANN and applicable registry policies.

Location: Varies by TLD registry (e.g., Verisign — USA, SIDN — Netherlands, EURid — Belgium).

Safeguards: Transfers are a mandatory requirement of the domain name system. SCCs and supplementary measures are applied where applicable.

5.3 Changes to Sub-Processors

The Processor shall notify the Controller at least thirty (30) days in advance of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. Notification will be provided by email to the Controller's registered email address.

The Controller may object to the appointment of a new sub-processor within fourteen (14) days of receiving notification, on reasonable grounds relating to data protection. If the Controller objects, the Processor shall use reasonable efforts to make available to the Controller a change in the services or recommend a commercially reasonable alternative. If no alternative is available and the objection is not resolved within thirty (30) days, either party may terminate the affected services without penalty.

5.4 Sub-Processor Liability

Where a sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations, in accordance with Article 28(4) of the GDPR.

6 International Transfers

6.1 Primary Data Storage

All personal data processed under this DPA is primarily stored and processed on infrastructure located in the European Union (Netherlands). The Processor does not transfer personal data outside the European Economic Area (EEA) unless necessary for the provision of specific services and only in compliance with GDPR Chapter V requirements.

6.2 Transfer Safeguards

Where personal data is transferred to a country outside the EEA that has not been deemed adequate by the European Commission, the Processor ensures that appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs): The Processor enters into the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all sub-processors located outside the EEA that do not benefit from an adequacy decision.
  • Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection, the Processor may rely on that adequacy decision.
  • Supplementary Measures: In line with the Court of Justice of the European Union's Schrems II ruling (Case C-311/18), the Processor conducts transfer impact assessments and implements supplementary technical, organizational, and contractual measures where necessary to ensure that the level of protection guaranteed by the GDPR is not undermined.

6.3 Domain Registration Transfers

Special Note: ICANN and Registry Transfers

Domain name registration inherently requires the transmission of registration data (registrant name, contact details) to TLD registry operators and ICANN. Some registries are located outside the EEA (e.g., Verisign in the United States). These transfers are a mandatory requirement of the domain name system and are governed by ICANN's Registrar Accreditation Agreement and applicable registry agreements. The Processor applies SCCs and supplementary measures where feasible, but the Controller acknowledges that certain transfers to registries and ICANN are necessary for the performance of domain registration services.

7 Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15 to 22 of the GDPR, including requests for access, rectification, erasure, restriction of processing, data portability, and objection.

7.1 Assistance Obligations

  • The Processor shall promptly notify the Controller if it receives a request from a data subject directly, unless otherwise authorized by the Controller to respond.
  • The Processor shall provide the Controller with reasonable assistance in responding to data subject requests within a reasonable timeframe, taking into account the nature of the processing.
  • The Processor shall implement appropriate technical measures to enable the Controller to fulfil data subject requests, including the ability to export, correct, and delete personal data.

7.2 Domain WHOIS Data

ICANN Policy Notice

Domain registration data (WHOIS) is subject to ICANN policies and applicable registry requirements. While the Processor supports GDPR-compliant WHOIS redaction for natural persons in the EEA, certain registration data must be maintained and disclosed in accordance with ICANN's Registration Data Policy, the Temporary Specification for gTLD Registration Data, and applicable registry agreements. The Controller acknowledges that full erasure of domain registration data may not be possible while a domain name remains registered.

8 Data Breach Notification

8.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. Notification shall be provided to the Controller's registered email address and, where available, through the client portal.

8.2 Notification Content

The breach notification shall include, to the extent reasonably available:

  • Nature of the breach: A description of the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned.
  • Contact point: The name and contact details of the Processor's data protection contact from whom more information can be obtained.
  • Likely consequences: A description of the likely consequences of the personal data breach.
  • Measures taken or proposed: A description of the measures taken or proposed to be taken by the Processor to address the breach, including measures to mitigate its possible adverse effects.

8.3 Assistance with Controller Obligations

The Processor shall assist the Controller in complying with its obligations under Articles 33 and 34 of the GDPR, including the Controller's obligation to notify the competent supervisory authority and, where applicable, the affected data subjects. The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

9 Audits

9.1 Audit Rights

The Controller, or a third-party auditor mandated by the Controller, may audit the Processor's compliance with the obligations set forth in this DPA and Article 28 of the GDPR, subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' advance written notice of any intended audit.
  • Audits shall be conducted during normal business hours (Monday–Friday, 09:00–18:00 CET/CEST) and shall not unreasonably disrupt the Processor's operations.
  • The auditor must be bound by appropriate confidentiality obligations and must not be a competitor of the Processor.
  • Audits shall be limited to a maximum of once per twelve (12) months, unless a personal data breach has occurred or the Controller has reasonable grounds to believe that the Processor is not complying with its obligations under this DPA.

9.2 Alternative Audit Mechanisms

As an alternative to on-site audits, the Processor may, at its discretion, provide the Controller with:

  • Third-party audit reports, including SOC 2 Type II reports and ISO 27001 certification reports, covering the Processor's information security management system.
  • Completed security questionnaires or data protection compliance assessments.
  • Summaries of penetration testing results and vulnerability assessments (with sensitive technical details redacted).

9.3 Audit Costs

The Controller shall bear the costs of any audit it initiates, including the costs of the auditor and any reasonable expenses incurred by the Processor in facilitating the audit. The Processor shall bear the costs of providing third-party audit reports and compliance documentation under Section 9.2.

10 Termination and Data Deletion

10.1 Return of Data

Upon termination or expiry of the Agreement, the Processor shall, at the Controller's choice, return all personal data to the Controller in a standard, commonly used, and machine-readable format (such as CSV, JSON, or SQL export) within thirty (30) days of the termination date. The Controller may request data return through the client portal or by contacting privacy{{ $domain }}.

10.2 Deletion of Data

Following the return of data (or if the Controller does not request return within the 30-day period), the Processor shall delete all copies of personal data within sixty (60) days of the termination date, unless Union or Member State law requires further storage. Deletion includes the removal of personal data from production systems, backup systems, and any other storage media.

10.3 Confirmation of Deletion

Upon completion of the deletion process, the Processor shall provide the Controller with written confirmation that all personal data has been securely deleted, specifying the date of deletion and the methods used.

10.4 Legal Retention Exceptions

Mandatory Retention Periods

The Processor may retain certain personal data beyond the deletion period where required by applicable law. This includes: fiscal records retained for 7 years in accordance with Dutch fiscal law (Algemene wet inzake rijksbelastingen); ICANN registration data retained as required by the ICANN Registrar Accreditation Agreement and applicable data escrow obligations; and any other data where retention is mandated by Union or Member State law. The Processor shall inform the Controller of any such legal retention requirements and shall limit the processing of retained data to the purposes required by law.

11 Liability

11.1 Liability for Data Processing

The liability of each party arising out of or in connection with the processing of personal data under this DPA is governed by the limitation of liability and indemnification provisions set forth in the Terms of Service (Sections 12 and 13), subject to the mandatory provisions of the GDPR.

11.2 Allocation of Liability

Each party shall be liable for its own violations of the GDPR and applicable data protection laws. In accordance with Article 82 of the GDPR:

  • The Controller is responsible for ensuring that the processing of personal data complies with the GDPR, including the lawfulness of processing instructions given to the Processor.
  • The Processor is liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.

11.3 Exclusion of Liability

The Processor shall not be liable for any damage or loss arising from processing carried out in accordance with the Controller's documented instructions, provided that the Processor has complied with its obligations under this DPA and the GDPR.

12 Governing Law and Jurisdiction

12.1 Governing Law

This DPA and any disputes arising out of or in connection with this DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions, consistent with the governing law provisions of the Terms of Service.

12.2 Jurisdiction

Any legal action or proceeding arising out of or in connection with this DPA shall be brought exclusively before the competent courts of the Rechtbank Oost-Brabant, located in 's-Hertogenbosch, Netherlands. Both parties irrevocably consent to the exclusive jurisdiction and venue of such courts. This choice of jurisdiction is consistent with the Terms of Service and does not affect the rights of data subjects to lodge complaints with supervisory authorities or bring proceedings before the courts of their habitual residence.

12.3 Relationship to Terms of Service

This DPA supplements and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail. In all other respects, the Terms of Service shall continue to apply.

13 Contact Information

If you have any questions, concerns, or requests regarding this Data Processing Agreement or the processing of personal data, please contact us using the information below.

True Registrar (statutory name: PeaceWeb B.V.)

Hedikhuizerweg 7F, 5222 BC 's-Hertogenbosch, Netherlands

Chamber of Commerce (KvK): 88526461

VAT Number (BTW): NL864668788B01

Privacy / DPO Contact: privacy{{ $domain }}

Legal Inquiries: legal{{ $domain }}

General Support: support{{ $domain }}

Supervisory Authority

The competent supervisory authority for data protection matters is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands. Website: autoriteitpersoonsgegevens.nl.

Acknowledgment

By using True Registrar's Services, you acknowledge that this Data Processing Agreement forms an integral part of the Terms of Service and governs the processing of personal data by True Registrar on your behalf. This DPA should be read in conjunction with our Terms of Service, Privacy Policy, and Service Level Agreement, which together govern your use of our Services.