This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("TOS") between MVPS LTD ("MVPS", "Processor") and the customer ("Customer", "Controller"). This DPA applies only to the extent that the General Data Protection Regulation (EU) 2016/679 ("GDPR") is applicable to the processing of personal data.
1.1 The Customer acts as the Data Controller within the meaning of the GDPR.
1.2 MVPS acts as the Data Processor and processes personal data solely on behalf of and in accordance with the documented instructions of the Customer.
1.3 Nothing in this DPA shall be construed as granting MVPS any ownership, control, or decision-making authority over the Customer Data. MVPS does not determine the purposes or the means of the processing of Customer Data.
2.1 Subject Matter: Provision of unmanaged infrastructure services, including but not limited to virtual private servers (VPS), storage, networking, backups, snapshots, and related hosting services.
2.2 Duration: For the duration of the active service agreement and any retention period required by applicable law.
2.3 Nature and Purpose: Processing necessary to host, store, transmit, and secure Customer Data as part of providing the services.
2.4 Categories of Data Subjects: End users, employees, contractors, customers, or other individuals whose personal data is processed by the Customer.
2.5 Types of Personal Data: Any personal data uploaded, stored, or otherwise processed by the Customer within the services, the exact categories of which are determined solely by the Customer. MVPS does not require, request, or intentionally process special categories of personal data within the meaning of Article 9 GDPR and has no knowledge of the specific content of Customer Data.
2.6 Special Categories of Data: The Customer shall not process special categories of personal data (including but not limited to health data, biometric data, genetic data, data concerning criminal convictions, or similar sensitive information) unless strictly necessary, lawful, and fully compliant with applicable data protection laws. Any such processing is performed at the Customer’s sole risk and responsibility.
3.1 The Customer is solely responsible for determining the lawfulness of the processing, providing all required notices to data subjects, obtaining all necessary consents, and ensuring data minimization and accuracy.
3.2 The Customer is responsible for implementing appropriate technical and organizational measures within the virtual machine or application layer, including but not limited to:
3.3 The Customer warrants that its instructions comply with applicable data protection laws.
3.4 The Customer shall indemnify and hold harmless MVPS from and against any claims, damages, fines, or penalties arising out of or related to the Customer’s unlawful processing of personal data or instructions that are not compliant with applicable data protection laws.
4.1 MVPS shall:
4.2 MVPS does not monitor, inspect, or validate the content of Customer Data. The provision of the Services does not constitute instructions regarding the content, lawfulness, or purposes of the Customer Data.
5.1 MVPS implements security measures appropriate to the risk, including physical security, network isolation, access control, and host-level hardening.
5.2 MVPS does not guarantee absolute security and shall not be responsible for vulnerabilities arising from Customer-managed software, configurations, or credentials.
6.1 The Customer authorizes MVPS to engage sub-processors, including datacenter providers, connectivity providers, and infrastructure partners.
6.2 MVPS shall ensure that sub-processors are subject to contractual obligations no less protective than this DPA.
6.3 MVPS may update or replace sub-processors from time to time. The Customer provides a general authorization for the engagement of such sub-processors, without the requirement for individual notice or approval.
7.1 MVPS shall notify the Customer without undue delay after becoming aware of a confirmed personal data breach directly resulting from a security incident affecting the MVPS-managed infrastructure components (such as host systems, storage, or network layers) and not arising from vulnerabilities, misconfigurations, credentials, software, or actions within the Customer’s virtual machines or applications.
8.1 To the extent required by applicable data protection laws, MVPS shall provide limited and reasonable assistance, strictly confined to information reasonably available to MVPS and solely relating to the infrastructure operated by MVPS.
8.2 MVPS shall not be required to:
8.3 Any assistance provided under this Section shall be:
9.1 Upon termination of the services, Customer Data will be deleted or rendered inaccessible from live systems in accordance with MVPS retention policies, unless retention is required by applicable law.
9.2 Backup systems are used solely for disaster recovery and business continuity purposes. Backup data is not intended to be accessed, searched, restored, or modified for the purpose of responding to data subject access, rectification, or erasure requests.
9.3 Customer Data contained in backups will be deleted automatically through routine backup rotation and overwriting processes. The Customer acknowledges that residual copies may remain in backups for a limited period, typically not exceeding ninety (90) days.
9.4 MVPS is not required to restore, access, or modify backup data in order to comply with requests under Articles 15 to 21 of the GDPR, where doing so would require disproportionate effort or compromise the security or integrity of the infrastructure.
10.1 The Customer waives any right to on-site audits.
10.2 MVPS may provide relevant compliance documentation upon reasonable written request.
10.3 Documentation and information provided under this Section shall be limited to existing materials and shall be considered confidential.
10.4 MVPS may refuse or limit requests that are manifestly unfounded, excessive, repetitive, or disproportionate in nature, including repeated requests for the same information within a reasonable timeframe.
10.5 Any additional assistance, explanations, or materials requested beyond existing documentation may, at MVPS’s discretion, be subject to reasonable fees at MVPS’s then-current professional services rates, unless otherwise required by mandatory law.
11.1 MVPS shall not be liable for indirect, incidental, special, or consequential damages arising out of this DPA.
11.2 MVPS’s total liability related to data protection shall be limited to the fees paid by the Customer to MVPS during the three (3) months preceding the event giving rise to the claim.
11.3 MVPS shall not be liable for fines, penalties, or damages arising from the Customer’s failure to comply with GDPR.
12.1 Customer Data is processed primarily within the European Union.
12.2 Where transfers outside the EU occur, appropriate safeguards shall be applied as required by law, including where applicable the use of Standard Contractual Clauses (SCCs).
13.1 This DPA shall be governed by the laws of Cyprus, without regard to conflict of law principles.
14.1 MVPS may disclose Customer Data where required by applicable law, regulation, or a binding order of a competent authority. Where legally permitted, MVPS will notify the Customer of such disclosure.
14.2 This DPA applies automatically and does not require a separate signature.
14.3 In case of conflict between this DPA and the TOS, this DPA shall prevail with respect to data protection matters.