Skip to main content
Sign up free! Already a user? Log in

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between A+ Hosting Inc. DBA ServerPoint.com ("Processor", "ServerPoint", "we", "us") and you ("Controller", "Customer", "you") when ServerPoint processes Personal Data on your behalf in connection with the provision of our hosting and related services.

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

About the summaries: Each section below includes a plain-language summary in an orange box. These summaries are provided for your convenience only and are not legally binding. Please read the full text of each section for complete details.

1. Definitions

In Plain English: This section defines key terms used throughout the agreement. "Personal Data" is info about identifiable people. "Processing" is anything done with that data. You're the "Controller" (you decide how data is used), we're the "Processor" (we handle it for you).

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person that ServerPoint processes on behalf of the Customer in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by ServerPoint to process Personal Data on behalf of the Customer.
  • "Data Protection Laws" means the GDPR, and any other applicable data protection laws, including the California Consumer Privacy Act (CCPA), as amended.
  • "Services" means the hosting and related services provided by ServerPoint to the Customer under the Terms of Service.

2. Scope and Roles

In Plain English: You're responsible for your customers' data (you're the Controller). We process it only to provide our hosting services to you (we're the Processor). We only do what you tell us with the data.

2.1 Roles of the Parties

For the purposes of this DPA, the Customer is the Data Controller and ServerPoint is the Data Processor with respect to Personal Data that the Customer stores, transmits, or otherwise processes using the Services.

2.2 Scope of Processing

ServerPoint will process Personal Data only:

  • To provide the Services as described in the Terms of Service
  • As necessary to comply with Customer's documented instructions
  • As required by applicable law

2.3 Categories of Data Subjects

Data Subjects may include the Customer's customers, employees, contractors, website visitors, and any other individuals whose Personal Data is processed using the Services.

2.4 Types of Personal Data

The types of Personal Data processed depend on how the Customer uses the Services and may include names, email addresses, IP addresses, contact information, payment information, and any other Personal Data that the Customer or its users upload, store, or transmit using the Services.

3. Obligations of the Processor

3.1 Processing Instructions

ServerPoint shall:

  • Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. In such cases, ServerPoint will inform the Customer of that legal requirement before processing, unless prohibited by law.
  • Immediately inform the Customer if, in ServerPoint's opinion, an instruction infringes Data Protection Laws.

3.2 Confidentiality

ServerPoint shall:

  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Not disclose Personal Data to any third party except as authorized by this DPA, the Terms of Service, or the Customer's written instructions.

3.3 Security Measures

ServerPoint shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • Encryption of Personal Data in transit and, where applicable, at rest
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • The ability to restore availability and access to Personal Data in a timely manner in the event of an incident
  • Regular testing, assessing, and evaluating the effectiveness of security measures
  • Physical security controls at data center facilities
  • Access controls and authentication mechanisms
  • Network security measures including firewalls and intrusion detection
  • Regular security training for personnel

3.4 Sub-processors

The Customer provides general authorization for ServerPoint to engage Sub-processors to process Personal Data. ServerPoint shall:

  • Maintain a list of current Sub-processors, which will be made available upon request
  • Notify the Customer of any intended changes concerning the addition or replacement of Sub-processors, giving the Customer the opportunity to object to such changes
  • Ensure that any Sub-processor is bound by data protection obligations no less protective than those in this DPA
  • Remain fully liable for the acts and omissions of its Sub-processors

If the Customer objects to a new Sub-processor on reasonable grounds related to data protection, the parties will work together in good faith to find a resolution. If no resolution is reached, the Customer may terminate the affected Services without penalty.

3.5 Data Subject Rights

Taking into account the nature of the processing, ServerPoint shall assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Customer's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

If ServerPoint receives a request from a Data Subject directly, ServerPoint will promptly forward the request to the Customer and will not respond to the Data Subject directly unless instructed by the Customer or required by law.

3.6 Security Incidents

ServerPoint shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Customer's Personal Data. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The name and contact details of ServerPoint's point of contact for more information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

ServerPoint shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.

3.7 Assistance with Compliance

Taking into account the nature of processing and the information available to ServerPoint, ServerPoint shall assist the Customer in ensuring compliance with:

  • Security of processing obligations
  • Data breach notification obligations
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

3.8 Audits

ServerPoint shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Such audits shall be:

  • Conducted with reasonable advance notice (at least 30 days)
  • Subject to reasonable confidentiality obligations
  • Conducted during normal business hours
  • Not unreasonably disruptive to ServerPoint's operations

The Customer shall bear the costs of any audit. ServerPoint may charge reasonable fees for time and resources spent assisting with audits.

4. International Data Transfers

The Customer acknowledges that ServerPoint may transfer Personal Data to and process it in the United States or other countries where ServerPoint or its Sub-processors operate.

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller to Processor) shall apply. By entering into this DPA, the parties are deemed to have signed the Standard Contractual Clauses.

ServerPoint shall implement supplementary measures as necessary to ensure that Personal Data transferred outside the EEA receives an adequate level of protection.

5. Return and Deletion of Data

Upon termination or expiration of the Services, and upon the Customer's request, ServerPoint shall:

  • Return all Personal Data to the Customer in a commonly used, machine-readable format, or
  • Delete all Personal Data and certify such deletion in writing

Unless otherwise specified by the Customer, ServerPoint will retain Personal Data for 30 days following termination to allow for data retrieval, after which all Personal Data will be deleted.

ServerPoint may retain Personal Data to the extent required by applicable law, provided that ServerPoint ensures the confidentiality of such data and processes it only as necessary to comply with legal obligations.

6. Obligations of the Controller

The Customer warrants and agrees that:

  • It has obtained all necessary consents and legal authorizations to process Personal Data and to instruct ServerPoint to process Personal Data on its behalf
  • Its instructions to ServerPoint comply with all applicable Data Protection Laws
  • It has implemented appropriate technical and organizational measures to protect Personal Data within its own systems and operations
  • It will promptly notify ServerPoint of any changes to applicable Data Protection Laws that may affect ServerPoint's processing activities

7. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for breaches of confidentiality obligations, willful misconduct, or liability that cannot be limited under applicable law.

8. Term and Termination

This DPA shall remain in effect for as long as ServerPoint processes Personal Data on behalf of the Customer. The provisions of this DPA that by their nature should survive termination shall survive, including confidentiality obligations and data deletion/return requirements.

9. General Provisions

9.1 Conflict

In the event of any conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail.

9.2 Amendments

ServerPoint may update this DPA from time to time to reflect changes in legal requirements or our processing practices. Material changes will be notified to affected Customers.

9.3 Governing Law

This DPA shall be governed by the laws of the State of Nevada, USA, without regard to its conflict of laws principles, except to the extent a specific jurisdiction is mandated by Data Protection Laws.

10. Contact Information

For questions about this DPA or to exercise your rights, please contact:

ServerPoint Data Protection
A+ Hosting Inc. DBA ServerPoint.com
10620 S. Highlands Pkwy, Suite 110-491
Las Vegas, NV 89141, USA
Email: [email protected]

Last Updated: January 2026