GDPR Compliant

Data Processing Agreement

Your data. Your control. Our commitment.

Last updated: January 22, 2026

1 Introduction

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between PeaceWeb B.V., a company registered in the Netherlands at Saffierborch 18, 5241 LN Rosmalen, Noord-Brabant, Netherlands, registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 88526461 ("Processor", "PeaceWeb", "we", "us") and the Customer ("Controller", "you").

This DPA governs the processing of personal data by the Processor on behalf of the Controller and is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws, including the Dutch Implementation Act GDPR (Uitvoeringswet AVG).

1.1 Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

"Processing"

Any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and erasure.

"Sub-processor"

Any third party engaged by the Processor to process personal data on behalf of the Controller.

"Data Subject"

The identified or identifiable natural person to whom personal data relates.

"Data Breach"

A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.

"Controller"

The Customer who determines the purposes and means of the processing of personal data.

2 Scope of Processing

2.1 Subject Matter

The Processor processes personal data on behalf of the Controller to provide PeaceWeb cloud infrastructure services, including but not limited to:

  • Virtual Instance (VPS) hosting and management
  • Block Storage and Object Storage services
  • Domain registration and DNS management
  • Networking services (IPv4, IPv6, Load Balancing)
  • Backup and disaster recovery services
  • Account management, billing, and customer support

2.2 Categories of Data Subjects

Personal data processed under this DPA may relate to:

  • Customer employees and authorized users
  • Technical and administrative contacts
  • End-users of applications hosted on PeaceWeb infrastructure
  • Visitors to websites hosted on PeaceWeb infrastructure

2.3 Types of Personal Data

Account Data

Name, email, phone, postal address, company details

Authentication Data

Usernames, passwords (hashed), API keys, 2FA secrets

Billing Data

Payment methods, transaction records, invoices

Technical Data

IP addresses, access logs, device information

Hosted Content

Data stored by Customer on infrastructure

Support Data

Ticket contents, communications, attachments

2.4 Duration of Processing

Processing will continue for the duration of the service agreement and for such additional period as necessary to comply with legal obligations (including tax and commercial record-keeping requirements).

3 Processor Obligations

In accordance with Article 28(3) GDPR, the Processor shall:

Process Only on Instructions

Process personal data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law.

Confidentiality

Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation.

Security Measures

Implement appropriate technical and organizational security measures as detailed in Section 4 of this DPA.

Sub-processor Requirements

Engage sub-processors only with prior authorization and under written contracts imposing equivalent data protection obligations.

Assist with Data Subject Rights

Assist the Controller in responding to requests from data subjects exercising their rights under GDPR.

Assist with Compliance

Assist with security, breach notification, DPIAs, and prior consultations as required under Articles 32-36 GDPR.

Data Return or Deletion

At the Controller's choice, delete or return all personal data upon termination of services, deleting existing copies unless storage is required by law.

Demonstrate Compliance

Make available all information necessary to demonstrate compliance and allow for and contribute to audits.

4 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR:

4.1 Encryption

TLS 1.3 encryption in transit, AES-256 encryption at rest, and encrypted backups with LZ4 compression.

4.2 Access Controls

Role-based access control (RBAC), multi-factor authentication, secure password hashing (bcrypt), and session timeout management.

4.3 Physical Security

Tier III+ certified datacenters with 24/7 security, biometric access, CCTV surveillance, mantrap entries, and N+1 power with 48-hour diesel autonomy.

4.4 Security Testing

Regular vulnerability assessments, third-party penetration testing, security incident monitoring, and documented incident response protocols.

4.5 Business Continuity

Disaster recovery procedures with documented RTO/RPO targets, automated backup with configurable retention periods, and geographic redundancy across EU datacenters in the Netherlands and Germany.

5 Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors for the provision of the services. The Processor will maintain a list of current sub-processors and notify the Controller of any intended changes, providing the Controller an opportunity to object.

The Processor ensures that sub-processors are bound by data protection obligations no less protective than those in this DPA through written contracts in accordance with Article 28(4) GDPR.

5.1 Current Sub-processors

Datacenter Providers

Tier III+ certified facilities in Netherlands and Germany for infrastructure hosting

EU Only

Stripe, Inc.

Payment processing, card tokenization, and billing services

Payment Processor

Twilio Inc.

SMS verification services for account security

SMS Verification

Google LLC

Analytics (Google Analytics) and Advertising (Google Ads)

Analytics & Marketing

Microsoft Corporation

Advertising (Microsoft Ads)

Marketing

PostHog Inc.

Product analytics and user behavior analysis

Analytics

6 International Transfers

Personal data is primarily processed within the European Economic Area (EEA). PeaceWeb maintains 100% EU infrastructure with datacenters exclusively in the Netherlands and Germany.

When transfers outside the EEA are necessary (for example, to US-based sub-processors), the Processor ensures appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Supplementary measures as required following CJEU Schrems II decision

Data Sovereignty: Customer data stored on PeaceWeb infrastructure never leaves the European Union. All hosted content remains exclusively within EU datacenters.

7 Data Subject Rights

The Processor will assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including:

Right of Access (Art. 15)

Confirmation of processing and copy of data

Right to Rectification (Art. 16)

Correction of inaccurate data

Right to Erasure (Art. 17)

Deletion (right to be forgotten)

Right to Restriction (Art. 18)

Limitation of processing

Right to Portability (Art. 20)

Data in structured, machine-readable format

Right to Object (Art. 21)

Objection to processing

If the Processor receives a request directly from a data subject, it will promptly notify the Controller unless legally prohibited from doing so.

8 Data Breach Notification

The Processor will notify the Controller without undue delay and in any event within 48 hours upon becoming aware of a personal data breach as defined in Article 4(12) GDPR.

Notification will include, to the extent known:

  • Description of the nature of the breach, including categories and approximate number of affected data subjects and records
  • Name and contact details of the data protection contact point
  • Description of likely consequences of the breach
  • Description of measures taken or proposed to address the breach and mitigate adverse effects

The Processor will assist the Controller in fulfilling its obligations under Articles 33 and 34 GDPR (notification to supervisory authority and communication to data subjects).

9 Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and with the obligations laid down in Article 28 GDPR.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • Notice: At least 30 days advance written notice
  • Timing: During normal business hours (Monday-Friday, 09:00-17:00 CET/CEST)
  • Confidentiality: Auditor must sign appropriate confidentiality agreements
  • Costs: Controller is responsible for audit costs, unless audit reveals material non-compliance
  • Frequency: No more than one audit per 12-month period, unless required by law or following a data breach

The Processor may satisfy audit requests by providing ISO 27001 certification, SOC 2 Type II reports, or independent third-party audit reports where available.

10 Termination and Data Deletion

Upon termination of the service agreement, the Processor will, at the Controller's written choice:

  • Return all personal data to the Controller in a commonly used, machine-readable format; or
  • Delete all personal data and existing copies, unless EU or Member State law requires continued storage

Data deletion will be completed within 30 days of termination, unless a longer period is required for legal compliance. Certification of deletion will be provided upon written request.

The Controller has a grace period of 30 days following service termination to download or export their data before deletion commences.

11 Liability

The liability of the Processor under this DPA is subject to the limitations set forth in the Terms & Conditions.

Each party is liable for damages caused by processing which infringes the GDPR and this DPA. The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage, in accordance with Article 82(3) GDPR.

12 Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands, without regard to its conflict of law provisions. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of 's-Hertogenbosch, Netherlands.

The competent supervisory authority is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

13 Contact Information

For questions regarding this Data Processing Agreement or data protection matters, please contact:

PeaceWeb B.V.

Saffierborch 18

5241 LN Rosmalen

Noord-Brabant, Netherlands

Chamber of Commerce (KvK): 88526461

VAT Number (BTW): NL864668788B01

Privacy Inquiries: privacy@peaceweb.com

DPA Requests: legal@peaceweb.com

General Support: support@peaceweb.com