Data Processing Agreement
Last Updated: April 2026 · GDPR Article 28 — Controller–Processor DPA
This Data Processing Agreement (“DPA”) forms part of the contract between Hostyt (Business Registry: 389082189, VAT: PL7011036703 — the “Processor”) and you, the customer (the “Controller”), when you use Hostyt’s hosting services to store or process personal data belonging to your customers or users.
This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) and supplements the Terms of Service.
1. Scope & Purpose
Hostyt processes personal data on your behalf solely to provide the agreed hosting, VPS, email, or related services. Processing occurs only on your documented instructions and for no other purpose, unless required by EU or Polish law.
2. Nature of Processing
- Type of processing: storage, transmission, backup, and technical processing of data on infrastructure
- Categories of personal data: as determined and controlled by you (the Controller); these may typically include user names, email addresses, IP logs, and application data
- Categories of data subjects: your customers, employees, or users as determined by you
- Duration: for the term of the hosting service agreement and as required by law
3. Processor Obligations (Hostyt)
Hostyt shall:
- Process personal data only on your documented instructions and not for any independent purpose
- Ensure that all persons authorized to process the data are bound by confidentiality
- Implement appropriate technical and organizational security measures per Art. 32 GDPR
- Assist you, insofar as possible, in fulfilling your obligations to respond to data subject requests (Art. 15–22 GDPR)
- Assist you with security, breach notification, DPIAs, and prior consultations (Art. 32–36 GDPR) to the extent feasible
- At your choice, delete or return all personal data upon termination, and delete existing copies unless EU or Polish law requires storage
- Make available all information necessary to demonstrate compliance with Art. 28 GDPR
4. Controller Obligations
You (the Controller) are responsible for:
- Ensuring you have a lawful basis for processing personal data on the infrastructure
- Providing accurate and complete instructions to Hostyt
- Informing your data subjects as required by Art. 13/14 GDPR
- Compliance with all applicable data protection laws in your jurisdiction
5. Sub-processors
Hostyt may engage sub-processors (e.g. datacenter providers, infrastructure providers) to provide the Services. Sub-processors are engaged under contracts imposing equivalent data protection obligations. By entering into this DPA, you provide general written authorization for Hostyt to use sub-processors as necessary to deliver the Services.
Hostyt will inform you of any intended changes in sub-processors that affect the processing of your data, giving you the opportunity to object. The objection mechanism and current sub-processor list can be requested at privacy@host.yt.
6. Security Measures (Art. 32 GDPR)
Hostyt implements technical and organizational measures appropriate to the risk, including:
- TLS encryption for data in transit
- Access controls and authentication for infrastructure management
- Physical security at datacenter level (managed by certified datacenter operators)
- Incident detection and response procedures
- Regular software security updates on managed infrastructure components
7. Personal Data Breaches
Hostyt will notify you without undue delay (and where feasible within 48 hours) after becoming aware of a personal data breach affecting your hosted data, to enable you to fulfil your notification obligations to supervisory authorities and data subjects under GDPR Articles 33–34.
8. Data Subject Rights
If Hostyt receives a request directly from your data subjects exercising their rights (Art. 15–22 GDPR), Hostyt will promptly forward the request to you. Hostyt will not respond directly to such requests on your behalf unless instructed.
9. International Transfers
If any processing occurs outside the EEA, Hostyt will ensure that appropriate safeguards are in place (e.g. EU Standard Contractual Clauses) as required by GDPR Chapter V.
10. Audit Rights
You have the right to audit Hostyt’s compliance with this DPA, including by requesting documentation or submitting written questions. Audits involving physical access to infrastructure require 30 days’ prior written notice and are conducted at your cost. Hostyt may satisfy audit requests by providing relevant certifications or third-party audit reports where available.
11. Duration & Termination
This DPA remains in force for the duration of the Services agreement. Upon termination, Hostyt will, at your choice and within a reasonable period, either delete or return all personal data and delete existing copies, subject to any retention obligations under EU or Polish law.
12. Governing Law
This DPA is governed by Polish law and EU data protection law. Disputes are subject to the jurisdiction of the courts in Warsaw, Poland.
13. How to Execute This DPA
For business customers who require a signed DPA for their compliance records, contact privacy@host.yt with the subject “DPA Request” and we will arrange execution.
By continuing to use Hostyt’s services after this DPA is published, business customers acknowledge and agree to its terms.
Hostyt · Business Registry: 389082189 · VAT: PL7011036703 · Privacy: privacy@host.yt · Legal: legal@host.yt · Support: support@host.yt