Data Processing Agreement

Last updated:

This Data Processing Agreement (the DPA) forms part of and is incorporated into the Website Terms of Service and Service Level Agreement between Strategy Hosting, a trading name of Pixel Lab Studios Ltd (Provider, Processor, we, us or our) and the Customer identified in the applicable Order or Service Schedule (Customer, Controller, you or your).

This DPA applies to the extent that we process Personal Data on your behalf in connection with the Services.

1. Definitions

1.1 Defined Terms

In this DPA:

Applicable Data Protection Law
means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor or replacement legislation.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process, Processed, and Processing
have the meanings given to them in Applicable Data Protection Law.
Customer Personal Data
means any Personal Data Processed by us or on our behalf on behalf of the Customer in connection with the Services.
Restricted Transfer
means any transfer of Personal Data that is restricted under Applicable Data Protection Law.
Subprocessor
means any third party engaged by us to Process Customer Personal Data on behalf of the Customer in connection with the Services.
Supervisory Authority
means the UK Information Commissioner's Office or any other competent data protection supervisory authority with jurisdiction over the Processing of Customer Personal Data.
UK GDPR
means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.2 Interpretation

Unless otherwise defined in this DPA, capitalised terms have the meanings given to them in the Agreement.

2. Scope and Role of the Parties

2.1 Scope

This DPA applies only to the Processing of Customer Personal Data by us as Processor on behalf of the Customer in connection with the Services.

2.2 Party Roles

As between the parties, the Customer is the Controller and we are the Processor, unless the parties expressly agree otherwise in writing in relation to specific Processing activities.

2.3 Controller Responsibility

The Customer is responsible for ensuring that:

  1. it has all necessary rights, consents, permissions, and lawful bases to disclose Customer Personal Data to us and to authorise us to Process Customer Personal Data in accordance with the Agreement and this DPA;
  2. its instructions to us comply with Applicable Data Protection Law;
  3. it provides all notices and obtains all consents required under Applicable Data Protection Law.

3. Details of Processing

3.1 Subject Matter and Duration

The subject matter of the Processing is the provision of the Services under the Agreement. The duration of the Processing is the term of the Agreement plus any period during which we retain Customer Personal Data in accordance with the Agreement or Applicable Data Protection Law.

3.2 Nature and Purpose of Processing

The nature and purpose of the Processing are to provide the Services, including hosting, storage, transmission, access management, backup, support, maintenance, security monitoring, incident response, troubleshooting, and such other Processing activities as are reasonably necessary to provide, secure, support, or improve the Services in accordance with the Agreement.

3.3 Categories of Data Subjects

Depending on how you use the Services, Data Subjects may include your employees, workers, contractors, agents, customers, prospective customers, suppliers, website visitors, end users, and other individuals whose Personal Data is submitted to or made available through the Services.

3.4 Categories of Personal Data

Depending on how you use the Services, Customer Personal Data may include names, contact details, account identifiers, login details, device identifiers, IP addresses, traffic and usage data, billing data, communication content, customer records, personnel records, support records, and any other Personal Data submitted to or made available through the Services.

3.5 Special Categories and Criminal Offence Data

You must not provide, submit, or make available any special category Personal Data or criminal offence data through the Services unless such Processing is strictly necessary for your permitted use of the Services and you have identified that requirement to us in writing in advance.

4. Processing Instructions

4.1 Documented Instructions

We will Process Customer Personal Data only on your documented instructions, unless otherwise required by Applicable Data Protection Law. The Agreement, this DPA, your use of the Services, and any documented service configuration or support request consistent with the Agreement constitute your complete documented instructions to us at the date of this DPA.

4.2 Additional Instructions

You may provide additional reasonable written instructions to us, provided that:

  1. they are consistent with the Agreement and this DPA;
  2. they are technically feasible and lawful; and
  3. you pay any reasonable additional charges we incur in complying with them.

4.3 Unlawful Instructions

If we believe that an instruction infringes Applicable Data Protection Law, we may suspend performance of that instruction and will inform you without undue delay, unless prohibited by law.

5. Confidentiality and Personnel

5.1 Confidentiality Commitments

We will ensure that persons authorised to Process Customer Personal Data are subject to appropriate obligations of confidentiality.

5.2 Access Limitation

We will ensure that access to Customer Personal Data is limited to those personnel, agents, and subprocessors who need access for the purposes of providing, securing, supporting, or improving the Services in accordance with the Agreement.

6. Security of Processing

6.1 Security Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

6.2 Security Controls

Those measures may include, as appropriate:

  1. access controls and authentication measures;
  2. logical segregation of customer environments where relevant;
  3. encryption in transit and, where implemented by the Service, at rest;
  4. logging and monitoring;
  5. backup and recovery processes;
  6. vulnerability management and patching;
  7. incident response procedures; and
  8. physical and environmental security controls for infrastructure under our control.

6.3 No Absolute Security Guarantee

You acknowledge that no method of transmission over the internet or method of electronic storage is completely secure and that we cannot guarantee absolute security.

7. Subprocessing

7.1 General Authorisation

You give us general authorisation to appoint Subprocessors to Process Customer Personal Data on your behalf in connection with the Services.

7.2 Subprocessor Conditions

Where we appoint a Subprocessor, we will:

  1. carry out appropriate due diligence in relation to that Subprocessor;
  2. enter into a written agreement with the Subprocessor imposing data protection obligations that are no less protective of Customer Personal Data than those set out in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor; and
  3. remain responsible for the acts and omissions of the Subprocessor to the extent required by Applicable Data Protection Law.

7.3 Subprocessor Information

We will make available information about our current Subprocessors by publication on our website, customer portal, or on request.

7.4 Changes to Subprocessors

We may add or replace Subprocessors from time to time. Where we make a change to a Subprocessor that is likely to materially affect the Processing of Customer Personal Data, we will provide notice by updating our Subprocessor list, by Customer Portal notification, by email, or by another reasonable means.

7.5 Objections

If you reasonably object to a new Subprocessor on data protection grounds, you must notify us in writing within 10 days after the notice referred to in Clause 7.4. The parties will discuss the objection in good faith. If we cannot provide a commercially reasonable alternative, we may terminate the affected Services on written notice and refund any prepaid fees covering the terminated period after the termination date, and that termination will be your sole and exclusive remedy in relation to the objection.

8. International Transfers

8.1 Transfer Restriction

We will not make a Restricted Transfer of Customer Personal Data unless we have taken such measures as are required under Applicable Data Protection Law to ensure the transfer is lawful.

8.2 Transfer Mechanisms

Such measures may include:

  1. transferring Customer Personal Data to a country or territory benefiting from adequacy regulations;
  2. entering into the UK International Data Transfer Agreement, the International Data Transfer Addendum to the EU Standard Contractual Clauses, or other approved transfer mechanism; or
  3. relying on another valid transfer ground or derogation available under Applicable Data Protection Law.

8.3 Cooperation on Transfers

You will reasonably cooperate with us in relation to any steps required to implement a lawful transfer mechanism where Customer Personal Data is subject to a Restricted Transfer.

9. Assistance to the Customer

9.1 Data Subject Requests

Taking into account the nature of the Processing, we will provide reasonable assistance to you, by appropriate technical and organisational measures where possible, to enable you to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.

9.2 Requests Received by Us

If we receive a request from a Data Subject relating to Customer Personal Data, we may:

  1. direct the Data Subject to you;
  2. notify you of the request; or
  3. where legally required or operationally appropriate, assist you in responding,

provided that we are not legally prohibited from doing so.

9.3 Compliance Assistance

Taking into account the nature of the Processing and the information available to us, we will provide reasonable assistance to you in relation to:

  1. security of Processing;
  2. notification of a Personal Data Breach to a Supervisory Authority or Data Subjects;
  3. data protection impact assessments; and
  4. prior consultation with a Supervisory Authority,

in each case to the extent required under Applicable Data Protection Law and to the extent the relevant information is not otherwise available to you.

9.4 Charges

We may charge you our reasonable costs for assistance provided under this Clause 9, except to the extent the assistance is required because of our breach of this DPA or Applicable Data Protection Law.

10. Personal Data Breaches

10.1 Breach Notification

If we become aware of a Personal Data Breach affecting Customer Personal Data, we will notify you without undue delay.

10.2 Breach Information

Our notification may be provided in stages as information becomes available and will include such information as we are reasonably able to provide, which may include:

  1. the nature of the Personal Data Breach;
  2. the categories and approximate number of affected Data Subjects;
  3. the categories and approximate number of affected Personal Data records;
  4. the likely consequences of the Personal Data Breach; and
  5. the measures taken or proposed to address the Personal Data Breach.

10.3 No Admission

Notification of a Personal Data Breach under this Clause 10 does not constitute an admission of fault or liability.

11. Audit and Information Rights

11.1 Information Provision

We will make available to you information reasonably necessary to demonstrate our compliance with this DPA.

11.2 Audit Rights

Where required by Applicable Data Protection Law, and where the information made available under Clause 11.1 is insufficient, you may request an audit of our compliance with this DPA, subject to the following conditions:

  1. you must give at least 30 days' prior written notice;
  2. the audit must be limited to matters relevant to Customer Personal Data Processed under the Agreement;
  3. the audit must be conducted no more than once in any 12-month period, unless required by a Supervisory Authority or following a confirmed Personal Data Breach affecting Customer Personal Data;
  4. the audit must be conducted during normal business hours, in a manner that minimises disruption to our business;
  5. the audit must not compromise the confidentiality, security, or integrity of our systems or the data of other customers;
  6. the audit must be conducted by an independent auditor reasonably acceptable to us and bound by confidentiality obligations; and
  7. you will bear your own costs and reimburse our reasonable costs incurred in supporting the audit.

11.3 Alternative to On-Site Audit

We may satisfy our obligations under this Clause 11 by providing current third-party audit reports, certifications, summaries, questionnaires, or other comparable compliance materials, where those materials reasonably demonstrate our compliance.

12. Return and Deletion of Customer Personal Data

12.1 Return and Deletion

On termination or expiry of the Agreement, we will, at your choice and subject to the functionality of the Services and the terms of the Agreement:

  1. make Customer Personal Data available for retrieval by you for a reasonable period; or
  2. delete Customer Personal Data,

except to the extent Applicable Data Protection Law requires storage of the Customer Personal Data.

12.2 Backup Copies

You acknowledge that residual copies of Customer Personal Data may remain in backup or archival systems until overwritten or deleted in the ordinary course of business, provided that such copies remain protected in accordance with this DPA.

13. Liability

13.1 Liability Under the Agreement

This DPA is subject to the exclusions and limitations of liability in the Agreement, which apply to all claims arising under or in connection with this DPA, except to the extent prohibited by Applicable Data Protection Law.

14. Order of Precedence

14.1 DPA Prevails on Data Protection Issues

If there is any conflict between this DPA and the Agreement in relation to the Processing of Customer Personal Data, this DPA prevails to the extent of that conflict.

15. Contact Details

15.1 Customer Contact

You must keep your data protection and Security Contact details current in the Customer Portal.

15.2 Provider Contact

Questions, notices, and requests relating to this DPA may be sent to:

Email: privacy@strategy.hosting
Address: 34 Portland Square, Bristol, BS2 8RG, United Kingdom

16. Annex 1 - Details of Processing

16.1 Subject Matter

Provision of the Services under the Agreement.

16.2 Duration

For the term of the Agreement and any retention period permitted under the Agreement or required by Applicable Data Protection Law.

16.3 Nature and Purpose

Hosting, storage, transmission, organisation, access, support, maintenance, backup, security monitoring, incident response, troubleshooting, and other Processing reasonably necessary to provide the Services.

16.4 Categories of Data Subjects

Customer personnel, Customer end users, customers, prospective customers, suppliers, contractors, website visitors, and such other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.

16.5 Categories of Personal Data

Names, job titles, business contact details, personal contact details, account identifiers, login credentials, IP addresses, device identifiers, usage data, billing information, communications data, support records, customer content, and any other Personal Data submitted to the Services by or on behalf of the Customer.

16.6 Special Categories

Special category Personal Data and criminal offence data only where expressly authorised by the Customer and supported by a valid lawful basis and condition under Applicable Data Protection Law.

17. Annex 2 - Security Measures

17.1 Security Measures

We maintain security measures appropriate to the risks presented by the Processing, which may include:

  1. role-based access controls;
  2. authentication and credential management;
  3. network security controls;
  4. logging and monitoring;
  5. encryption in transit and, where supported, at rest;
  6. backup and recovery arrangements;
  7. patching and vulnerability management;
  8. incident response procedures; and
  9. physical security measures for infrastructure under our control.

We may update these measures from time to time, provided that any changes do not materially reduce the overall security of the Services.