Skip to main content
Log in Sign up FREE!

Data Processing Agreement (DPA)

About this policy: This Data Processing Agreement is provided by A+ Hosting Inc., a Nevada corporation, and applies to all services purchased through any of our three brand websites: APlusHosting.com, ServerPoint.com, and ColossusCloud.com. The terms below apply identically regardless of which brand website you signed up through. References to "we", "us", or "our" in this document mean A+ Hosting Inc.

1. Scope

This Data Processing Agreement ("DPA") applies where A+ Hosting Inc. processes personal data on behalf of a customer in connection with our services, in accordance with applicable data protection laws.

2. Roles

Where we process personal data on behalf of a customer (such as data the customer's end users provide through a hosted website or application), the customer acts as the data controller and we act as the data processor. For data we collect in our own right, we act as the data controller, as described in our Privacy Policy.

3. Processing instructions

We process customer data only as reasonably necessary to provide our services, in line with the customer's instructions where applicable, and otherwise as required by law.

4. Confidentiality

Our personnel with access to customer data are subject to appropriate confidentiality obligations.

5. Security measures

We apply technical and organisational measures appropriate to the nature of our services and the data being processed. These may be reviewed and updated from time to time.

6. Sub-processors

We may use sub-processors to assist in providing our services. A current list of sub-processors is available on request through your Client Portal or our Contact Us page.

7. Security incidents

Where required by applicable law, we will respond to security incidents affecting customer data and provide reasonable assistance.

8. International transfers

Where personal data of European Union, European Economic Area, or United Kingdom residents is transferred outside its jurisdiction of origin to a country not recognised as providing an adequate level of data protection, Module Two (Controller to Processor) of the European Commission's Standard Contractual Clauses, set out in Commission Implementing Decision (EU) 2021/914 (the "SCCs"), apply between the customer (as data exporter) and A+ Hosting Inc. (as data importer). The SCCs are incorporated into this DPA by reference and are available in their official form at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. The supplementary details required by the SCCs are set out in the Annexes below.

For transfers from the United Kingdom, the parties agree to the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office, available in its official form at the ICO website, which is incorporated into this DPA by reference.

9. Data subject requests

We will provide reasonable assistance, where required by applicable law, in responding to requests from data subjects relating to data processed on behalf of the customer.

10. Return or deletion of customer data

Any return or deletion of customer data will be governed by the terms of the particular services purchased and our Terms of Service.

11. Relationship to Terms of Service

This DPA forms part of and is subject to the limitations and disclaimers in our Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA will control.

12. Modifications

A+ Hosting Inc. reserves the right to modify this DPA at any time in its sole and absolute discretion. Modifications take effect immediately upon posting to this website.

13. Contact

Questions about this DPA can be submitted through your Client Portal or our Contact Us page.

Annex I. List of Parties and Description of Transfer

A. List of Parties

Data exporter: the customer who has entered into our Terms of Service and uses our services to process personal data. The customer's name, address, and contact details are those on file in their Client Portal account.

Data importer: A+ Hosting Inc., a Nevada corporation, 10620 S. Highlands Pkwy, Suite 110-491, Las Vegas, NV 89141, USA. Contact: through the Client Portal or our Contact Us page. The activities relevant to the transfer are the provision of hosting and related services.

B. Description of Transfer

Categories of data subjects: any individuals whose personal data is included in customer content stored on our infrastructure, including the customer's end users, website visitors, employees, and other persons whose data the customer chooses to process through our services.

Categories of personal data: the categories are determined and controlled by the customer in its sole discretion. A+ Hosting Inc. does not require, request, or analyse the content of customer data, and may include any categories the customer chooses to upload or process.

Sensitive data: A+ Hosting Inc. does not request and does not require sensitive data. To the extent the customer chooses to process sensitive data through our services, the customer is solely responsible for ensuring it has a lawful basis to do so and for applying any required additional safeguards.

Frequency of transfer: on a continuous basis, for the duration of the services.

Nature of processing: hosting, storage, transmission, backup, and related technical operations necessary to provide the services. We do not analyse, profile, or otherwise use customer data beyond providing the services.

Purpose of processing and further use: to provide the services purchased by the customer under our Terms of Service. We do not use customer data for our own purposes.

Retention period: as set out in Section 10 of this DPA and our Terms of Service.

C. Competent Supervisory Authority

The competent supervisory authority is the supervisory authority of the European Union or European Economic Area Member State in which the customer (as data exporter) is established, or, where the customer is not established in the Union or European Economic Area, the supervisory authority of the Member State chosen in accordance with Clause 13 of the SCCs. For transfers from the United Kingdom, the competent authority is the Information Commissioner's Office.

Annex II. Technical and Organisational Measures

A+ Hosting Inc. applies, as appropriate to the nature of the services and the risk to the rights and freedoms of data subjects, the following categories of technical and organisational measures. The specific configuration of these measures may be reviewed and updated from time to time.

  • Encryption in transit for connections to our services using industry-standard transport-layer encryption.
  • Access controls based on the principle of least privilege, with role-based permissions for personnel accessing systems that contain customer data.
  • Authentication for administrative access to systems handling customer data, including, where appropriate, multi-factor authentication.
  • Physical security of the data center facilities, including controlled access, monitoring, and environmental safeguards provided by our data center operators.
  • Logging and monitoring of access to systems and network activity, with retention of logs sufficient to support incident response.
  • Patching and vulnerability management for systems and software we operate as part of the services.
  • Personnel confidentiality obligations applied to staff with access to customer data.
  • Incident response procedures covering identification, containment, investigation, and notification of security incidents.
  • Sub-processor management as described in Section 6 of this DPA.
  • Periodic review of the measures applied, to maintain alignment with the nature of the services and the risks involved.

Annex III. List of Sub-processors

A current list of sub-processors authorised to process customer personal data is available on request through your Client Portal or our Contact Us page, and may be updated from time to time as described in Section 6.

Last Updated: May 2026