1. Roles
For the data your sites store and process (your customers' data), you are the controller and sitesox is the processor. For account-level data we hold about you (the customer), sitesox is the controller — that data is covered by our Privacy Policy instead.
2. Subject matter and duration
The processing covers the personal data you upload to or generate within your sitesox hosting account. Processing lasts for the term of your services agreement, plus the 30-day retention period after termination.
3. Nature and purpose of processing
sitesox processes your data solely to provide hosting, domain, email, SSL, and backup services as described in the Terms of Service. We do not use your data for any other purpose.
4. Categories of data subjects and data
The data subjects and categories of personal data are determined by you. Typical examples include:
- visitors to your hosted sites (IP addresses, form submissions, account credentials);
- your customers (names, contact details, purchase history);
- email correspondents (sender / recipient addresses, message bodies for email hosting customers).
5. Our obligations as processor
sitesox will:
- process personal data only on documented instructions from you (the Terms of Service and your use of the panel constitute such instructions);
- ensure that personnel with access to personal data are bound by confidentiality;
- implement appropriate technical and organisational measures (see Annex 1 of this DPA, summarised in the Privacy Policy §8);
- assist you with data-subject requests, security incidents, and impact assessments to the extent reasonably required;
- delete or return personal data after termination of services, per the 30-day retention window;
- make available the information necessary to demonstrate compliance and submit to audits on reasonable notice.
6. Sub-processors
You authorise the sub-processors listed in our Privacy Policy §4. We will notify you (by email at the address on your account) at least 30 days before adding or replacing any sub-processor. If you object on legitimate grounds, you may terminate the affected services with a pro-rata refund of unused pre-paid fees.
7. International data transfers
Where we transfer personal data outside the EEA (for example, to US-based sub-processors like Stripe), we rely on the Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum where applicable, and equivalent safeguards as recognised by the data subject's jurisdiction.
8. Security incidents
We will notify you of any security incident affecting your personal data without undue delay, and in any case within 72 hours of becoming aware. The notification will include the nature of the incident, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed.
9. Audits
You may, on reasonable notice and during business hours, audit our compliance with this DPA. We may satisfy audit requests with up-to-date third-party security certifications and reports (where available) before any on-site audit is conducted, to minimise disruption.
10. Return or deletion of data
On termination of services, we will delete personal data within 30 days unless legally required to retain it. You may export your data at any time before termination using the panel's built-in export tools (files, databases, email, DNS).
11. Liability and indemnity
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service.
12. How to accept this DPA
This DPA takes effect automatically when you sign up for any sitesox service. No further signature is required. If your organisation requires a counter-signed copy on letterhead, contact us and we will provide one.