1. Introduction and Scope
This Data Processing Agreement (“DPA”) forms part of the General Terms and Conditions between RDPCORE DC LTD (“Processor”, “we”, “us”) and you (“Controller”, “you”, “your”) and governs the processing of personal data by RDPCore on your behalf.
This DPA is automatically incorporated into your agreement with RDPCore when you use our services to process personal data of third parties (e.g., your customers’ data hosted on our infrastructure). No separate signature is required — accepting the General Terms constitutes acceptance of this DPA.
This DPA is entered into in accordance with Article 28 of the UK GDPR and Article 28 of the EU GDPR.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the services.
- “Processing” means any operation performed on Personal Data, including storage, retrieval, transmission, erasure, and any other operation as defined in the UK GDPR / EU GDPR.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Terms not defined herein have the meanings given in the UK GDPR, EU GDPR, or our General Terms and Conditions.
3. Roles and Responsibilities
3.1 Controller
You are the Data Controller for all Personal Data that you (or your users) store, transmit, or process using our services. You determine the purposes and means of processing. You are responsible for:
- Ensuring you have a lawful basis for processing Personal Data;
- Providing appropriate privacy notices to Data Subjects;
- Responding to Data Subject rights requests;
- Ensuring the security of data within your control (application-level security, access management);
- Complying with all applicable data protection laws.
You are solely responsible for determining the legal basis for processing and ensuring compliance with all applicable data protection laws. You must not process special categories of personal data (as defined under Article 9 UK GDPR / EU GDPR) using our services unless you have implemented appropriate safeguards and have a valid legal basis for doing so.
Our services are not specifically designed for the processing of highly sensitive or regulated data (such as health records, biometric data, or data subject to sector-specific regulations) unless explicitly agreed in writing.
3.2 Processor
RDPCore is the Data Processor. We process Personal Data solely on your documented instructions and only to the extent necessary to provide the services you have ordered. Your use of the services, including configurations made through the client portal or API, constitutes your documented instructions. We do not access, use, or disclose your Personal Data except as instructed by you, required to provide the service, or compelled by law.
We do not actively monitor or access Personal Data stored on your services except where necessary to provide the services, maintain infrastructure security, or as required by law.
4. Details of Processing
4.1 Subject Matter and Duration
The subject matter of processing is the provision of infrastructure services (VPS, web hosting, colocation, IP services) as described in your service order. Processing continues for the duration of the service agreement and ceases upon termination, subject to any legally required retention.
4.2 Nature and Purpose
The nature of processing is the storage, transmission, and hosting of data on our infrastructure as directed by you through your use of the services. The purpose is to enable you to operate your applications, websites, and services.
4.3 Types of Personal Data
The types of Personal Data processed depend entirely on what you choose to store on our infrastructure. This may include but is not limited to: names, email addresses, IP addresses, financial data, health data, or any other category of personal data you process using our services.
4.4 Categories of Data Subjects
Data Subjects may include your customers, employees, users, website visitors, or any other individuals whose data you process using our services.
5. Processor Obligations
As your Data Processor, we will:
- Process Personal Data only on your documented instructions, unless required by law (in which case we will inform you before processing, unless prohibited from doing so);
- Ensure that persons authorised to process Personal Data are subject to confidentiality obligations;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 6);
- Assist you, taking into account the nature of processing, in responding to Data Subject rights requests where technically feasible;
- Assist you in ensuring compliance with your obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities;
- At your choice, delete or return all Personal Data upon termination of the service, unless retention is required by law;
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 9).
6. Security Measures
We implement and maintain appropriate technical and organisational measures to protect Personal Data, including:
- Physical security: access-controlled data centre facility with CCTV, biometric access, and 24/7 monitoring;
- Network security: firewalls, intrusion detection, DDoS mitigation, network segmentation;
- Encryption: TLS 1.2+ for data in transit; encryption at rest available where supported by the service;
- Access controls: role-based access, principle of least privilege for staff;
- Monitoring: logging of administrative access to infrastructure systems;
- Staff: confidentiality agreements, security awareness training;
- Business continuity: redundant power, cooling, and network connectivity.
You remain responsible for security measures within your own environment (application security, OS patching, access credentials, encryption of data at the application level). No system or transmission over the internet can be guaranteed to be 100% secure.
7. Sub-processors
7.1 Authorisation
You provide general authorisation for us to engage sub-processors to assist in providing the services. We will ensure that any sub-processor is bound by data protection obligations no less protective than those in this DPA. We remain responsible for the performance of our sub-processors to the extent required by applicable law.
7.2 Current Sub-processors
Our current sub-processors include:
- Data centre facility operator (Prague, Czech Republic) — physical hosting infrastructure;
- Stripe, LLC (USA) — payment processing (Stripe acts as an independent controller for payment data);
- Upstream network providers — network transit and connectivity.
7.3 Changes to Sub-processors
We will inform you of any intended changes to sub-processors (additions or replacements) by updating this page or notifying you by email at least thirty (30) days before the change takes effect. If you have a reasonable objection to a new sub-processor, you may notify us within fourteen (14) days of being informed. We will work with you to address your concerns. If we cannot resolve the objection, you may terminate the affected service without penalty.
8. Data Breach Notification
In the event of a Data Breach affecting Personal Data we process on your behalf, we will:
- Notify you without undue delay after becoming aware of the breach, and use reasonable efforts to do so within seventy-two (72) hours where feasible;
- Provide you with sufficient information to enable you to meet your own notification obligations to supervisory authorities and Data Subjects;
- Cooperate with you in investigating and mitigating the breach;
- Document the breach, its effects, and remedial actions taken.
Our notification will include, to the extent reasonably available: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed. We may provide information in phases as our investigation progresses.
9. Audits and Compliance
We will make available to you information reasonably necessary to demonstrate our compliance with this DPA. You may request an audit of our data processing practices, subject to the following:
- Audit requests must be submitted in writing with at least thirty (30) days’ notice;
- Audits are limited to once per twelve (12) month period unless required by a supervisory authority or following a Data Breach;
- Audits must be conducted during normal business hours and must not unreasonably disrupt our operations;
- You bear the costs of any audit conducted by you or your appointed auditor;
- Auditors must be bound by confidentiality obligations and must not be a competitor of RDPCore;
- We may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation where available;
- We reserve the right to refuse or limit audit requests that are excessive, duplicative, or pose a security risk to our infrastructure.
10. International Data Transfers
Personal Data processed under this DPA is primarily stored within the European Economic Area (Prague, Czech Republic). Where transfers outside the EEA or UK occur (e.g., payment processing via Stripe in the USA), we ensure appropriate safeguards are in place, including:
- EU-US / UK-US Data Privacy Framework certification;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreement (IDTA) where applicable.
We will not transfer Personal Data to a country outside the UK/EEA without appropriate safeguards unless required by law. Where such safeguards are not available, transfers will only occur where legally permitted under applicable data protection law.
11. Data Subject Requests
If we receive a request from a Data Subject regarding Personal Data we process on your behalf, we will promptly redirect the request to you (unless prohibited by law). We will not respond to Data Subject requests directly unless instructed by you or required by law.
We will provide you with reasonable technical assistance to fulfil Data Subject requests (access, rectification, erasure, portability, restriction) to the extent that such assistance is within our technical capability as an infrastructure provider. Data return may be limited to what is technically feasible within the service environment.
12. Data Return and Deletion
Upon termination of the service agreement, we will:
- At your choice (communicated before or within fourteen (14) days of termination): return your Personal Data in a commonly used format, or delete all Personal Data in our possession;
- If no instruction is received within fourteen (14) days of termination, we will proceed with deletion;
- Deletion will typically be completed within forty-eight (48) hours of the deletion date and will be performed using methods appropriate to the storage medium;
- Residual copies may remain in backup systems for a limited period before being overwritten in the normal course of operations;
- We may retain Personal Data where required by applicable law, in which case we will inform you of the legal basis and limit processing to what is required by that law.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the General Terms and Conditions. This DPA does not create any additional or independent liability beyond what is provided in the General Terms. Nothing in this DPA shall expand the Processor’s liability beyond the limits set in the General Terms.
14. Governing Law
This DPA is governed by the laws of England and Wales, consistent with the General Terms and Conditions. Where EU GDPR applies to the processing, the relevant provisions of EU law shall apply to the extent required.
15. Contact
For questions about this DPA or data processing matters:
- Privacy: privacy@rdpcore.com
- Legal: legal@rdpcore.com