Last updated: February 2026

Data Processing Addendum (DPA)

1. Roles Under GDPR

For infrastructure services:

  • Customer = Data Controller
  • WebPod = Data Processor

Customers determine:

  • What data is processed
  • Why it is processed
  • How it is used

WebPod processes data only to provide infrastructure services.

2. Subject Matter and Duration

Processing occurs for the duration of the customer's use of the Services.

Nature of processing:

  • Storage
  • Transmission
  • Backup replication
  • Security monitoring

Categories of data subjects may include:

  • Customers
  • Employees
  • Website visitors
  • Application users

Types of personal data are determined by the Customer.

3. Processor Obligations

WebPod shall:

  • Process data only on documented instructions from the Customer
  • Ensure staff are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Assist with GDPR obligations where reasonably possible
  • Notify customers of personal data breaches without undue delay

4. Security Measures

Measures include:

  • Logical access controls
  • Infrastructure monitoring
  • Network segmentation
  • Encryption in transit
  • Vulnerability management
  • Incident response procedures

5. Sub-processors

WebPod may use sub-processors such as:

  • Data centre providers
  • Payment processors
  • Monitoring and support tools

We ensure sub-processors are bound by data protection obligations.

A current sub-processor list should be made available on request.

6. International Transfers

Where sub-processors operate outside the UK, WebPod ensures appropriate safeguards such as:

  • IDTA
  • Standard Contractual Clauses

7. Data Subject Rights Assistance

WebPod will assist customers, where technically feasible, with:

  • Data access requests
  • Erasure requests
  • Rectification requests

Customers remain responsible for responding to requests.

8. Data Breach Notification

If WebPod becomes aware of a personal data breach affecting customer data, we will notify affected customers without undue delay and provide relevant information.

9. Deletion or Return of Data

Upon termination of services:

  • Customer data is deleted in accordance with our retention policies
  • Recovery after deletion is not guaranteed

Customers are responsible for exporting data before termination.

10. Audit Rights

Customers may request reasonable information to demonstrate GDPR compliance.

Formal audits must be reasonable, limited in scope, and agreed in advance.

11. Liability

Liability is governed by the main Terms of Service.