Data Processing Agreement
Last updated: July 9, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between R Software & Consulting LLC dba Candor Host ("Processor," "we") and the Customer identified in the applicable subscription ("Controller," "you"). It applies where you use Candor Host to process personal data as defined under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, or the Swiss Federal Act on Data Protection ("FADP").
By using Candor Host to process personal data, you accept this DPA. If your organization requires a signed copy, download it from your client portal or request one at legal@candorhost.com.
1. Definitions
Terms used in this DPA have the meanings given to them under the GDPR unless defined otherwise. In particular, "Controller," "Processor," "Personal Data," "Processing," "Sub-processor," and "Data Subject" have the meanings given in Article 4 GDPR.
2. Roles and scope
You are the Controller of the Personal Data that you upload, transmit, or otherwise process through Candor Host ("Customer Data"). Candor Host is the Processor of Customer Data. This DPA applies for the duration of your subscription and until all Customer Data has been returned or deleted.
3. Subject matter, nature, and purpose of Processing
Subject matter: provision of managed hosting services as described in the Terms of Service, including storage, transmission, and computation on Customer Data.
Nature and purpose: to host and serve websites, applications, databases, and email associated with the Customer's account.
Duration: for the duration of the subscription and any post-termination retention period specified in the Cancellation Policy.
Types of Personal Data: as determined by Controller, and may include identifiers (names, emails, IP addresses), account credentials, transaction records, communications, and any other Personal Data Controller chooses to place on the Candor Host platform.
Categories of Data Subjects: as determined by Controller, and may include Controller's customers, users, employees, prospects, and website visitors.
4. Processor obligations
We will:
- Process Customer Data only on documented instructions from you, including with regard to international transfers, unless legally required to do otherwise. If we believe an instruction violates data protection law, we will inform you promptly.
- Ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures (see Section 8).
- Assist you, taking into account the nature of Processing and the information available, in fulfilling your obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- Assist you, insofar as possible, in responding to Data Subject requests under Chapter III GDPR.
- Not engage a Sub-processor without prior authorization (see Section 6).
- Delete or return all Customer Data at the end of the provision of services (see Section 12).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits (see Section 11).
5. Controller instructions
Your acceptance of the Terms of Service, this DPA, and your use of Candor Host constitute your general written instructions for Processing. Additional or specific instructions must be provided in writing and may be subject to change management. We will not use Customer Data for any purpose other than providing the services described in the Terms.
6. Sub-processors
You authorize us to engage the Sub-processors listed at candorhost.com/subprocessors/ to process Customer Data for the purposes described in this DPA.
We will inform you of any intended change to the Sub-processor list at least 30 days before the change takes effect, by updating the Sub-processor page and, where you have subscribed, sending notice to the email on file. You may object to a proposed Sub-processor within 30 days by written notice to legal@candorhost.com. If we cannot accommodate your objection, you may terminate the affected service and receive a pro-rata refund of prepaid fees.
We enter into written contracts with each Sub-processor imposing data protection obligations no less protective than those in this DPA. We remain responsible for Sub-processor performance.
7. Data Subject requests
We will, taking into account the nature of Processing, assist you with appropriate technical and organizational measures in responding to Data Subject requests. If we receive a request from a Data Subject directly, we will not respond substantively but will forward the request to you promptly.
Standard assistance is included in your subscription. Substantial or repeated requests may be subject to additional professional-service fees, communicated in advance.
8. Security measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: TLS 1.2 or higher for data in transit; at-rest encryption for backups.
- Access control: role-based access; multi-factor authentication for staff; audit logs.
- Container isolation: per-site cgroups with kernel-enforced CPU, memory, and namespace boundaries.
- Backups: daily automated backups with off-site copies; documented restore procedures.
- Network security: stateful firewalls, DDoS mitigation via upstream provider, restricted internal networks.
- Personnel: confidentiality obligations, security training, background checks where legally permitted.
- Vulnerability management: regular patching, security advisories, external reporting channel per our Vulnerability Disclosure Policy.
- Business continuity: documented incident response and disaster recovery procedures.
We may update these measures over time provided they do not materially reduce the security of Customer Data.
9. Personal data breach notification
We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and in any event within 72 hours. The notification will include, to the extent known:
- Nature of the breach, categories and approximate number of Data Subjects and records concerned.
- Name and contact details of our contact point for further information.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach, including where appropriate to mitigate its adverse effects.
10. International transfers
Our servers are located in the United States. Where Customer Data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States or another country outside those jurisdictions, transfers are made under the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) ("SCCs"), which are incorporated into this DPA by reference. The parties agree to Module Two (Controller to Processor) for direct transfers, and Module Three (Processor to Processor) for onward transfers to Sub-processors.
For UK transfers, the UK Addendum to the SCCs (Version B1.0) applies. For Swiss transfers, the SCCs are amended to reference the FADP and Swiss Federal Data Protection and Information Commissioner as required.
11. Audits
We provide the following to demonstrate compliance with Article 28:
- This DPA and the Sub-processor list.
- Any SOC 2 or ISO 27001 reports we obtain, on request under NDA.
- Written responses to reasonable audit questionnaires.
- On-site audit, no more than once every 12 months and at your expense, on 60 days' written notice, provided the audit does not disrupt operations or compromise other customers' data. On-site audits may be replaced at our option by an equivalent third-party audit report.
12. Return or deletion at end of service
Upon termination of your subscription, we will make Customer Data available for export for 30 days, then permanently delete Customer Data, backups excepted, in accordance with the Cancellation Policy. Backups are overwritten on a rolling 30-day cycle. Records required to be retained by law (billing records, DMCA notice log, security logs) are excluded from deletion for the applicable statutory period.
13. Liability
The liability limits set forth in the Terms of Service apply to this DPA. Nothing in this DPA limits liability that cannot be limited under applicable data protection law.
14. Term and termination
This DPA is effective for the duration of the subscription and continues until Customer Data has been returned or deleted in accordance with Section 12. Sections 8, 9, 10, 12, and 13 survive termination.
15. Conflicts
In case of conflict between this DPA and the Terms of Service regarding the Processing of Personal Data, this DPA prevails. In case of conflict between this DPA and the SCCs, the SCCs prevail.
16. Contact
Data protection inquiries: legal@candorhost.com.