Page Steady | Powering WordPress with Care

Section 1: Introduction and Scope

Purpose of the DPA:

This Data Processing Agreement (“DPA”) outlines the data protection obligations of Page Steady (“Processor”) and its clients (“Controller”) in accordance with applicable data protection laws and regulations. This DPA governs the processing of personal data provided by the Controller to the Processor as part of the web hosting and related services provided under the Principal Agreement.

Parties to the DPA:

  • Data Controller: The entity identified as the “Client” or “Customer” in the Principal Agreement, acting as the data controller. The Controller is responsible for the oversight, primary direction, and governance of the personal data processed under the agreement.
  • Data Processor: Page Steady, a company operating under the laws of the United States, with its registered office at 27300 Center Ridge Rd #45374, Westlake, OH 44145, acting as the data processor. The Processor is responsible for processing personal data on behalf of the Controller, as per the instructions and services outlined in the Principal Agreement.

Scope and Applicability:

This DPA applies to all personal data processing activities undertaken by the Processor on behalf of the Controller as part of the services provided under the Principal Agreement. It specifies the parties’ obligations concerning the protection and secure processing of personal data.

The Controller, being the client, determines the purposes and means of the processing of personal data and entrusts the Processor with the task of processing personal data on its behalf, under the terms and conditions set out in this DPA and the Principal Agreement.

By entering into this DPA, the Controller confirms that it acts as the data controller and acknowledges its obligations as such under applicable data protection laws. The Processor agrees to process personal data solely for the purpose of fulfilling its service commitments under the Principal Agreement and in accordance with the Controller’s lawful instructions.

Section 2: Definitions and Interpretation

2.1 Definitions

For the purposes of this Data Processing Agreement (“DPA”), the following terms shall have the meanings set forth below:

  • “Personal Data” refers to any information relating to an identified or identifiable natural person (‘Data Subject’) that is processed under the scope of the Principal Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • “Processing” (and “Process”) refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “Data Controller” refers to the entity which determines the purposes and means of the Processing of Personal Data.
  • “Data Processor” refers to the entity which Processes Personal Data on behalf of the Data Controller.
  • “Sub-Processor” means any person or entity appointed by or on behalf of the Data Processor to Process Personal Data on behalf of the Data Controller in connection with the DPA.
  • “GDPR” refers to the General Data Protection Regulation ((EU) 2016/679).
  • “Data Protection Laws” means all applicable laws and regulations in any jurisdiction pertaining to the processing, privacy, and use of Personal Data, including, without limitation, the GDPR, as well as any national implementing laws, regulations, and secondary legislation as amended or updated from time to time in the United States and in the European Union, to the extent applicable to the Services provided under the Principal Agreement.

2.2 Interpretation

  • The headings and subheadings used in this DPA are for convenience only and shall not affect the interpretation of this DPA.
  • Any phrase introduced by the terms “including”, “include”, “in particular”, or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.
  • References to “Sections” are to sections of this DPA, unless otherwise stated.
  • Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

2.3 Priority

In the event of any inconsistency or conflict between the provisions of this DPA and the Principal Agreement, the provisions of this DPA shall prevail to the extent of such inconsistency or conflict in relation to the Processing of Personal Data.

2.4 Amendments

This DPA may not be modified except by a written amendment signed by duly authorized representatives of the Data Controller and the Data Processor, or as may be necessary to comply with applicable Data Protection Laws or regulations.

This section sets the foundational terms and conditions, ensuring clarity and mutual understanding between the Data Controller and Data Processor on key definitions and the interpretation of this DPA, which is crucial for the lawful and effective management of Personal Data.

Section 3: Data Transfer and International Compliance

3.1 Data Transfer

The Data Processor (Page Steady) acknowledges that, while it operates and provides services exclusively within the United States, the nature of digital services means that data may be accessed or transferred internationally by the Data Controller’s end users. The Data Processor will implement appropriate measures, such as data encryption and secure data transfer protocols, to protect personal data during such transfers.

3.2 Compliance with U.S. Law

The Data Processor commits to complying with applicable U.S. data protection and privacy laws in relation to the personal data of U.S.-based individuals. This compliance includes, but is not limited to, adhering to regulations concerning data security, data breach notifications, and the rights of data subjects.

3.3 International Data Processing Responsibility

The Data Controller (the Client) is responsible for ensuring that any processing of personal data through the use of the Data Processor’s services complies with international data protection laws, such as the General Data Protection Regulation (GDPR) for EU citizens, where applicable. This responsibility includes informing the Data Processor of any specific data protection requirements or restrictions related to international data subjects’ personal data.

3.4 Notification and Cooperation

The Data Controller agrees to notify the Data Processor of any international compliance obligations that may affect the processing of personal data under the terms of this Agreement. The Data Processor agrees to cooperate with the Data Controller in meeting these obligations, provided that such cooperation does not conflict with U.S. law or impose disproportionate technical or financial burdens on the Data Processor.

3.5 Data Transfer Mechanisms

Where the Data Controller’s use of the Data Processor’s services results in the transfer of personal data outside the United States, the Data Controller is responsible for ensuring that such transfers are conducted in compliance with international data protection laws. The Data Controller shall use standard contractual clauses, Privacy Shield certification, or another legally recognized mechanism to provide a lawful basis for such data transfers.

3.6 Amendments for International Compliance

The Parties agree to negotiate in good faith amendments to this DPA or adopt additional measures, as necessary, to achieve compliance with any applicable international data protection laws that impact the processing of personal data under this Agreement.

Section 4: Data Security and Breach Notification

4.1 Data Security Measures

The Data Processor (Page Steady) shall implement and maintain comprehensive technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures will include, but are not limited to, encryption of personal data in transit and at rest, access controls to prevent unauthorized access to personal data, and regular security training for employees.

4.2 Security Incident Response

In the event of a security incident that affects the confidentiality, integrity, or availability of personal data, the Data Processor will promptly assess the impact of the incident and take immediate steps to mitigate any adverse effects. The Data Processor will notify the Data Controller without undue delay after becoming aware of the security incident.

4.3 Notification to the Data Controller

The notification to the Data Controller shall include a description of the nature of the security incident, the categories and approximate number of data subjects and data records affected, the likely consequences of the incident, and the measures taken or proposed to address the security incident, including efforts to mitigate its possible adverse effects.

4.4 Cooperation and Assistance

The Data Processor agrees to cooperate with the Data Controller in handling the security incident, including assisting with any required notifications to supervisory authorities and affected data subjects. The Data Processor will provide reasonable assistance to the Data Controller in fulfilling the Data Controller’s data protection obligations with respect to the security of processing, the notification of personal data breaches, and the communication of such breaches to the affected data subjects.

4.5 Documentation and Record-Keeping

The Data Processor will document security incidents and their outcomes. This documentation shall be made available to the Data Controller upon request to enable the Data Controller to comply with its legal obligations under applicable U.S. data protection laws.

4.6 Data Processor’s Personnel

The Data Processor ensures that its personnel engaged in the processing of personal data are informed of the confidential nature of the data, have received appropriate training on their responsibilities, and are under obligations of confidentiality. The Data Processor shall ensure that such confidentiality obligations survive the termination of the personnel’s engagement.

4.7 Audit and Compliance

Upon the Data Controller’s request, and subject to confidentiality restrictions, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Section 4. The Data Processor shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller, respecting the Data Processor’s policies and access restrictions.

Section 5: Data Subject Rights and Requests

5.1 Handling Data Subject Requests

The Data Processor (Page Steady) shall promptly notify the Data Controller upon receiving a request from a data subject under any U.S. data protection law regarding access to, correction of, deletion of, or portability of that person’s personal data. The Data Processor shall not respond to the data subject directly without the Data Controller’s prior authorization, unless legally compelled to do so.

5.2 Assistance to the Data Controller

The Data Processor agrees to assist the Data Controller in fulfilling data subject requests. This assistance includes providing the information and support necessary to enable the Data Controller to respond effectively to data subject requests for access to, correction of, or deletion of personal data, as well as to data portability requests, within the timeframes set by U.S. data protection laws.

5.3 Technical and Organizational Measures

The Data Processor shall implement appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in U.S. data protection laws.

5.4 Documentation and Record-Keeping

The Data Processor shall maintain a record of data subject requests and the Processor’s assistance provided to the Data Controller in handling such requests. These records will be provided to the Data Controller upon request to demonstrate compliance with the obligations set forth in this section and under applicable U.S. data protection laws.

5.5 Training and Awareness

The Data Processor shall ensure that its employees are aware of and properly trained to handle data subject requests in accordance with U.S. data protection laws and the terms of the Agreement. Employees shall be instructed on how to forward any data subject requests or inquiries about the data subject’s rights to the Data Controller promptly.

5.6 Limitation of Access

Access to personal data shall be limited to personnel who require such access to perform their job functions and to assist with the handling of data subject requests in accordance with this section.

5.7 Amendments to Data Subject Requests Procedures

The Data Processor may update or modify its procedures for handling data subject requests as it deems necessary to maintain compliance with U.S. data protection laws or to improve efficiency, provided that such changes do not materially diminish the level of protection for personal data or the rights of data subjects. Any such changes will be communicated to the Data Controller in a timely manner.

Section 6: Data Breaches and Notification Procedures

6.1 Data Breach Notification

In the event of a data breach involving personal data processed on behalf of the Data Controller, the Data Processor (Page Steady) shall, without undue delay and no later than 48 hours after becoming aware of the breach, notify the Data Controller of it. This notification shall, to the extent possible, include the following information:

  • The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records involved.
  • The name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained.
  • A description of the likely consequences of the personal data breach.
  • A description of the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

6.2 Coordination with Data Controller

The Data Processor shall cooperate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation, and remediation of each such personal data breach.

6.3 Data Breach Investigation

The Data Processor shall promptly investigate the data breach if it occurred on its infrastructure or in another area it is responsible for. The investigation shall be thorough and include the breach’s causes, affected data, and any potential for further unauthorized access or leak of personal data.

6.4 Documentation

All data breaches and remedial actions taken shall be documented by the Data Processor. This documentation must be provided to the Data Controller upon request and is to be retained as evidence of compliance with the provisions of this section.

6.5 Regulatory Notification and Communication with Data Subjects

The Data Processor shall notify the Data Controller if it is required to inform a supervisory authority or any other regulatory body about the personal data breach. However, the responsibility for notifying supervisory authorities and communicating with affected data subjects under U.S. data protection laws lies primarily with the Data Controller, unless otherwise required by law. The Data Processor shall provide reasonable assistance to the Data Controller for this purpose, including any necessary information about the breach and the steps taken to mitigate its effects.

6.6 Security Incident Response Plan

The Data Processor agrees to maintain an incident response plan, which includes procedures for responding to personal data breaches. This plan shall be reviewed and updated regularly to ensure its effectiveness and compliance with current U.S. data protection laws and best practices.

6.7 Limitation of Liability

The obligations set forth in this section shall not apply to incidents that are caused by the Data Controller or the Data Controller’s users. The Data Processor’s liability in the event of a data breach shall be determined in accordance with the liability provisions outlined in the Agreement.

Section 7: Data Subject Rights

7.1 Assistance to Controller:

The Data Processor acknowledges its role in assisting the Data Controller in ensuring the fulfillment of data subjects’ rights under applicable data protection laws. The assistance provided by the Data Processor shall include, but not be limited to, the following aspects:

  • Access Requests: The Data Processor shall implement efficient procedures to facilitate the Data Controller’s response to requests from data subjects seeking access to their personal data processed under the terms of this Agreement. The Data Processor shall promptly notify the Data Controller upon receiving any such requests directly from the data subjects and shall await instructions from the Data Controller on how to proceed.
  • Rectification and Deletion: When data subjects exercise their rights to correction or deletion of their personal data, the Data Processor shall assist the Data Controller by providing the necessary technical and organizational means to fulfill these requests. The assistance shall include the identification and isolation of the relevant data, making the required adjustments or removals, and confirming the completion of these actions to the Data Controller.
  • Data Portability: In cases where data subjects request the transfer of their data to another entity, the Data Processor shall support the Data Controller by facilitating the transfer of such data in a structured, commonly used, and machine-readable format, as dictated by applicable laws.
  • Restrictions on Processing: If a data subject requests a restriction on the processing of their personal data, the Data Processor shall implement the necessary measures to comply with this request and ensure that the restricted data is not processed further without explicit consent from the Data Controller.
  • Objections to Processing and Automated Decision Making: The Data Processor shall support the Data Controller in addressing objections from data subjects regarding the processing of their personal data and any concerns related to automated decision-making processes, including profiling. This includes ceasing the challenged processing activities until the Data Controller reviews and decides on the matter.

7.2 Notification and Communication:

The Data Processor shall establish communication channels to efficiently relay information between data subjects, the Data Controller, and itself. This ensures that all parties are informed of the requests and the actions taken in response.

7.3 Documentation and Record-Keeping:

The Data Processor shall maintain detailed records of all data subject requests and the subsequent actions taken. These records will be made available to the Data Controller upon request, to demonstrate compliance with the obligations set forth in this section and applicable data protection laws.

7.4 Training and Awareness:

The Data Processor commits to training its staff involved in the processing of personal data on the importance of protecting data subjects’ rights and on the procedures for identifying and addressing data subject requests in accordance with this Agreement.

This section of the DPA ensures a collaborative approach between the Data Processor and Data Controller in respecting and fulfilling the rights of data subjects, thereby adhering to the principles of transparency, accountability, and data subject empowerment mandated by data protection regulations.

Section 8: International Data Transfers

Given the exclusive operation within the United States and provision of services to U.S.-based customers, the Data Processor acknowledges that the primary scope of data processing activities under this Agreement will not inherently involve the international transfer of personal data. However, to accommodate potential future needs and ensure compliance with applicable laws, the following provisions are established regarding international data transfers:

8.1 Transfer Mechanisms:

  • Within U.S. Jurisdiction: All personal data processed under this Agreement will be stored and processed within the United States unless otherwise agreed upon in writing by the Data Controller and Data Processor. This practice is designed to minimize the risk and complexity associated with cross-border data transfers.
  • Potential International Transfers: In the event that the Data Processor must transfer personal data outside the United States, whether to sub-processors or for other legitimate business needs, such transfers will be executed only upon securing explicit consent from the Data Controller and in strict compliance with applicable U.S. laws and regulations governing international data transfers.
  • Legal Mechanisms for Data Transfer: Should any international transfer of personal data become necessary, the Data Processor commits to employing legally recognized mechanisms to ensure the protection of personal data. These mechanisms may include, but are not limited to, Standard Contractual Clauses (SCCs) approved by relevant authorities, adherence to recognized frameworks such as the Privacy Shield (where applicable), or reliance on an adequacy decision by competent regulatory bodies.

8.2 Documentation and Record-Keeping:

The Data Processor shall maintain detailed documentation of any international data transfers, including the rationale for the transfer, the destination of the data, and the protective mechanisms in place. This documentation will be made available to the Data Controller upon request and to regulatory authorities as required by law.

8.3 Sub-Processor Agreements:

If the Data Processor engages sub-processors located outside the United States, it shall ensure that such sub-processors are bound by data protection obligations that provide an equivalent level of protection as those stipulated in this Agreement and applicable U.S. data protection laws. The Data Processor will incorporate Standard Contractual Clauses or equivalent legal instruments in agreements with sub-processors to safeguard international data transfers.

8.4 Compliance and Liability:

The Data Processor assumes responsibility for ensuring that any international transfer of personal data complies with this section and applicable legal requirements. The Data Processor shall be liable for any breaches of this section resulting in unauthorized or unlawful transfers of personal data.

This section outlines the Data Processor’s commitment to managing international data transfers responsibly and in accordance with legal standards, despite the primary focus on serving U.S.-based customers. It ensures preparedness for potential scenarios that may necessitate cross-border data movement while prioritizing the protection of personal data.

Section 9: Audit and Compliance

In recognition of the importance of transparency and accountability in the processing of personal data, this section outlines the provisions for audits and compliance inspections related to the Data Processing Agreement (DPA) and adherence to applicable data protection laws.

9.1 Right to Audit:

  • Audit Rights: The Data Controller shall have the right to conduct audits and inspections of the Data Processor’s data processing activities to ensure compliance with the terms of this DPA, the overarching Agreement, and applicable data protection laws. These audits may be conducted through physical inspections, remote assessments, or review of relevant documentation, as deemed appropriate by the Data Controller.
  • Notification and Scheduling: To minimize disruption to the Data Processor’s operations, the Data Controller shall provide reasonable advance notice of its intent to conduct an audit. The parties will mutually agree on the timing, scope, and duration of the audit to ensure minimal impact on the Data Processor’s service delivery.

9.2 Conduct of Audits:

  • Cooperation: The Data Processor agrees to cooperate fully with the Data Controller during audits and inspections, providing access to relevant facilities, employees, contractors, and documentation related to the processing of personal data under this Agreement.
  • Confidentiality: Audits shall be conducted in a manner that protects the confidentiality of the Data Processor’s proprietary information, ensuring that any findings or reports generated as a result of the audit are treated as confidential information under the terms of the Agreement.

9.3 Third-Party Auditors:

  • Use of Independent Auditors: The Data Controller may elect to use independent third-party auditors to conduct the audit, provided such auditors are bound by confidentiality obligations and do not have a conflict of interest with the Data Processor.
  • Audit Costs: The Data Controller shall bear the cost of the audit unless the audit reveals material non-compliance by the Data Processor with the DPA or applicable data protection laws. In such cases, the Data Processor may be required to reimburse the Data Controller for the costs of the audit.

9.4 Compliance Documentation:

  • Evidence of Compliance: The Data Processor shall maintain documentation evidencing compliance with its data processing and protection obligations under this DPA and shall make such documentation available to the Data Controller upon request.
  • Rectification of Non-Compliance: If an audit reveals any non-compliance with the DPA or applicable data protection laws, the Data Processor agrees to promptly address and rectify such issues, providing the Data Controller with a detailed plan of corrective actions to be taken.

This section ensures that the Data Controller has the necessary oversight mechanisms to verify the Data Processor’s compliance with data protection obligations, thereby fostering trust and accountability in the handling of personal data.

Section 10: Termination and Deletion of Data

This section of the Data Processing Agreement (DPA) specifies the conditions under which the DPA may be terminated and outlines the obligations of the Data Processor regarding the deletion or return of personal data upon the termination of the DPA or services provided under the main service agreement.

10.1 Termination Clauses:

  • Termination of Agreement: This DPA shall automatically terminate upon the expiration or termination of the main service agreement between the Data Controller and the Data Processor.
  • Breach of DPA: Either party may terminate this DPA with immediate effect by giving written notice to the other party if there are reasonable grounds to believe that the other party has breached any of its obligations under this DPA, and such breach is not remedied within a reasonable period specified in the notice.

10.2 Deletion or Return of Data:

  • Obligation to Delete or Return: Upon termination of the DPA or at the request of the Data Controller, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data processed on behalf of the Data Controller. This includes copies of the data, except as required to be retained by law or regulation.
  • Certification of Deletion: If the Data Controller opts for deletion of the personal data, the Data Processor shall provide the Data Controller with a written certification confirming that all personal data has been deleted from its systems and any sub-processors’ systems in accordance with applicable data protection laws and the terms of this DPA.
  • Format and Timing of Return: If the Data Controller opts for the return of personal data, the Data Processor shall return all requested data in a commonly used electronic format, unless otherwise agreed upon, within a reasonable timeframe specified by the Data Controller.

10.3 Survivability of Obligations:

  • Surviving Provisions: The obligations of confidentiality, data protection, and any other obligations intended by their nature to survive termination of the DPA shall remain in effect beyond the termination or expiration of this DPA.

10.4 Legal Requirement to Retain Data:

  • Exemption for Legal Requirements: Notwithstanding the obligations to delete or return personal data, the Data Processor may retain personal data to the extent required by applicable laws, provided that the Data Processor ensures the confidentiality of all such retained data and processes such data only as necessary for the purpose(s) specified in the laws requiring its retention.

This section ensures that upon the termination of the DPA, the Data Controller has full control over the disposition of personal data, thereby safeguarding the rights of data subjects and maintaining compliance with data protection regulations.

Section 11: Governing Law and Jurisdiction

11.1 Applicable Law:

This Data Processing Agreement (DPA) shall be governed by and construed in accordance with the laws of the State of Ohio, United States, without regard to its conflict of law principles.

11.2 Dispute Resolution:

  • Amicable Resolution: The Parties agree to attempt to resolve any dispute arising out of or related to this DPA through friendly discussions. If the matter is not resolved by negotiation within 60 days, the Parties agree to proceed to mediation as a mandatory first step before arbitration or litigation.
  • Mediation: If the dispute cannot be resolved through amicable discussions within 60 days, the Parties agree to submit the dispute to mediation in accordance with the mediation rules of the American Arbitration Association (AAA). The mediation shall take place in Westlake, Ohio, and be conducted in English. The Parties agree to share equally the costs of the mediation process.
  • Arbitration: If the dispute is not settled by mediation within 60 days of the initiation of mediation, then the dispute shall be submitted to arbitration in accordance with the arbitration rules of the American Arbitration Association (AAA), and such arbitration shall take place in Westlake, Ohio. The language of the arbitration shall be English. The decision of the arbitrator(s) shall be final and binding on the Parties, and the Parties agree to bear their own costs related to the arbitration proceedings.
  • Litigation: Only if mediation and arbitration fail to resolve the dispute may the Parties pursue claims in the courts of Ohio. The Parties hereby consent to the exclusive jurisdiction of the state and federal courts located in Westlake, Ohio, for the resolution of any disputes arising out of or related to this DPA.

This structured approach to dispute resolution aims to ensure that any disagreements arising from the DPA can be resolved effectively, starting with the most collaborative forms of resolution and progressing to more formal proceedings if necessary. By specifying a 60-day period for both negotiation and mediation, the Parties are given a reasonable timeframe to resolve disputes amicably before moving to arbitration or litigation.