1. Introduction

This Data Processing Agreement ("DPA") serves as an addendum to the Terms & Conditions between Giraffe Hosting Limited ("Giraffe Hosting Limited" or "we") and you ("Customer"). This DPA shall become effective on May 25, 2018, replacing any previously applicable data processing and security terms. It will remain in effect for as long as Giraffe Hosting Limited provides the services as specified in Giraffe Hosting Limited's Terms & Conditions.

2. Definitions

• Customer Data: Data provided by or on behalf of the Customer or Customer End Users via the Services under the account.
• Data Controller: The entity determining the purposes and means of processing Personal Data.
• Data Processor: The entity processing Personal Data on behalf of the Data Controller.
• Data Protection Laws: All data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the GDPR.
• Data Subject: The individual to whom the Personal Data relates.
• EEA: European Economic Area.
• GDPR: EU General Data Protection Regulation 2016/679.
• Personal Data: Customer Data related to an identified or identifiable natural person, protected as personal data under GDPR.
• Processing: As defined in GDPR; "process," "processes," and "processed" shall be interpreted accordingly.
• Sub-Processor: Third party authorized under this DPA to have logical access to and process Customer Data to provide parts of the Services.
• Services: Any product or service provided to the Customer, as described in Giraffe Hosting Limited's Terms & Conditions.

3. Data Processing

• Giraffe Hosting Limited shall process Customer Data in accordance with documented instructions from the Customer (the "Instruction"), except when required by law to act without such Instruction.
• The Instruction, upon entering this DPA, is that Giraffe Hosting Limited may process Customer Data solely for the purpose of delivering Services as described in its Terms & Conditions and any product-specific agreements.
• Giraffe Hosting Limited may execute additional written instructions consistent with this Agreement, subject to the Agreement's terms. Customer is responsible for ensuring that authorized individuals issue such instructions.
• Giraffe Hosting Limited will inform Customer of any Instruction deemed to violate GDPR and will not execute such instructions until they have been confirmed or modified.
• Giraffe Hosting Limited is registered as a Data Controller with the Information Commissioner's Office (ICO) under Registration reference: ZB454184. Verification of this can be found on the ICO website here: https://ico.org.uk/ESDWebPages/Entry/ZB454184

4. Confidentiality

• Giraffe Hosting Limited shall treat all Customer Data as strictly confidential information, not to be copied, transferred, or otherwise processed in conflict with the Instruction unless required by law.
• Giraffe Hosting Limited employees are bound by an obligation of confidentiality, ensuring they treat all Customer Data under this DPA with strict confidentiality and process it only in accordance with the Instruction.

5. Sub-Processing

• Customer authorizes Giraffe Hosting Limited to engage third-parties ("Sub-Processors") to process Customer Data without further written authorization.
• Giraffe Hosting Limited will limit Sub-Processor access to Customer Data as necessary to provide the Services.
• Giraffe Hosting Limited will establish written agreements with Sub-Processors, ensuring they assume data protection obligations equivalent to those in this DPA. Giraffe Hosting Limited remains accountable for Sub-Processors' actions.
• Customer will be notified of new Sub-Processor engagements at least 30 days before they process Customer Data, through the account email address and/or control panel interface.

6. Security

• Giraffe Hosting Limited will implement and maintain technical and organizational measures to protect Customer Data as specified in Annex 2 of this Addendum, and in accordance with GDPR Article 32.
• Security measures may be updated or modified over time, provided they do not compromise overall security. Additional controls will be available to the Customer via the control panel.

7. Data Breach Notifications

• Giraffe Hosting Limited will promptly notify Customer if it becomes aware of a security breach involving Customer Data, including unauthorized destruction, loss, alteration, disclosure, or access.
• Notifications will be sent to the account email address provided by the Customer. Customer is responsible for keeping this information up-to-date within the control panel.
• Giraffe Hosting Limited will make reasonable efforts to identify the breach's cause and take necessary steps to prevent reoccurrence.
• Data Breach Notifications will not include unsuccessful attempts or activities that do not compromise Customer Data security.

8. Data Subject Rights

• If Giraffe Hosting Limited receives a request from a Data Subject to exercise rights related to Customer Data, it will forward the request to the Customer.
• The Customer must respond to such requests within GDPR-specified timeframes.
• Giraffe Hosting Limited will assist the Customer in fulfilling its obligations to respond to data subject requests.

9. Data Transfers

• Giraffe Hosting Limited stores and processes data in secure data centers within the European Economic Area ("EEA").
• Data may be transferred and processed outside the EEA by Sub-Processors. Customer agrees to such transfers.
• Giraffe Hosting Limited will take reasonable steps to ensure Customer Data is treated securely and in accordance with Data Protection Laws.

10. Compliance and Audit Rights

• Giraffe Hosting Limited agrees to maintain records of its security standards and provide relevant information upon the Customer's written request.
• Audits or inspections require reasonable prior written notice of at least 30 days and are limited to once per 12-month period.
• If Giraffe Hosting Limited declines an audit request, the Customer may terminate this Addendum and Services.

11. Return or Deletion of Data

• Giraffe Hosting Limited retains Customer Data only as long as necessary for the initial collection purpose.
• Termination of this Addendum or Services under Giraffe Hosting Limited's Terms & Conditions results in the deletion of all Customer Data unless required by law.
• Archived Customer Data is securely isolated and protected from further processing.

12. Limitation of Liability

• The total liability of each party under this Addendum is subject to the limitation of liability as set out in Giraffe Hosting Limited's Terms & Conditions.
• Giraffe Hosting Limited shall not be liable for losses or damages incurred by the Customer due to violations of Giraffe Hosting Limited's Terms & Conditions.

Annex 1 – Sub-Processors

Annex 2 – Security Measures

Available upon request.