1. Introduction and Definitions
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Data Controller") and Lineserve Cloud ("Lineserve", "Data Processor", "we", "us", or "our") and governs our processing of personal data on your behalf.
1.1 Definitions
The following terms have the meanings given to them in the General Data Protection Regulation (GDPR) and the applicable Data Protection Act:
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, such as collection, storage, use, or deletion
- Data Controller: The entity that determines the purposes and means of processing personal data
- Data Processor: The entity that processes personal data on behalf of the Data Controller
- Data Subject: The individual to whom personal data relates
- Sub-processor: A third-party processor engaged by the Data Processor
2. Scope and Applicability
This DPA applies when:
- You use our Services to process personal data
- You act as a Data Controller
- We act as a Data Processor on your behalf
- The personal data is subject to GDPR or similar data protection laws
3. Roles and Responsibilities
3.1 Customer as Data Controller
As Data Controller, you are responsible for:
- Ensuring lawful basis for processing personal data
- Obtaining necessary consents from data subjects
- Providing privacy notices to data subjects
- Determining what data is collected and how it is used
- Complying with data protection laws and regulations
- Instructing us on how to process the data
- Ensuring data subjects can exercise their rights
3.2 Lineserve as Data Processor
As Data Processor, we will:
- Process personal data only on your documented instructions
- Ensure that persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Assist you in ensuring compliance with data protection obligations
- Delete or return personal data at the end of the processing relationship
- Make available information necessary to demonstrate compliance
4. Nature and Purpose of Processing
4.1 Processing Details
| Item | Description |
|---|---|
| Subject Matter | Provision of cloud infrastructure services |
| Duration | For the term of the service agreement |
| Purpose | To provide cloud hosting, storage, and computing services as requested by Customer |
| Nature of Processing | Storage, hosting, backup, and technical maintenance of Customer data |
4.2 Categories of Data Subjects
The personal data processed may relate to the following categories of data subjects:
- Customer's employees and contractors
- Customer's end users and customers
- Any other data subjects whose data Customer uploads to our Services
4.3 Categories of Personal Data
The types of personal data processed depend on Customer's use of Services and may include:
- Contact information (names, email addresses, phone numbers)
- Account credentials and authentication data
- IP addresses and device identifiers
- Usage data and logs
- Any other data uploaded by Customer to our infrastructure
5. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
5.1 Technical Measures
- Encryption of data in transit (TLS 1.3)
- Encryption of data at rest (AES-256)
- Network segmentation and firewalls
- Intrusion detection and prevention systems
- Regular security updates and patch management
- DDoS protection
- Secure key management
5.2 Organizational Measures
- ISO 27001 certified information security management system
- SOC 2 Type II compliance
- Access controls based on principle of least privilege
- Multi-factor authentication for administrative access
- Background checks for employees with data access
- Regular security awareness training
- Incident response procedures
- Business continuity and disaster recovery plans
5.3 Data Center Security
- 24/7 physical security and surveillance
- Biometric access controls
- Mantrap entry systems
- Environmental controls and monitoring
- Redundant power and cooling systems
6. Sub-processors
6.1 Authorization
Customer authorizes us to engage sub-processors to process personal data on Customer's behalf. We will:
- Impose the same data protection obligations on sub-processors
- Remain fully liable to Customer for sub-processor performance
- Conduct due diligence before engaging sub-processors
6.2 Current Sub-processors
We currently use the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | Various (configurable) |
| Stripe | Payment processing | United States |
| Intercom | Customer support | United States |
| SendGrid | Email delivery | United States |
6.3 Sub-processor Changes
We will notify you at least 30 days before adding or replacing a sub-processor. You may object to the change by notifying us within 30 days. If we cannot accommodate your objection, you may terminate the affected Services.
7. Data Subject Rights
We will assist you in fulfilling data subject requests, including:
- Right of Access: Providing access to personal data
- Right to Rectification: Correcting inaccurate data
- Right to Erasure: Deleting personal data
- Right to Data Portability: Exporting data in a portable format
- Right to Object: Objecting to processing
- Right to Restriction: Restricting processing
If we receive a data subject request directly, we will promptly forward it to you.
8. Data Breach Notification
In the event of a personal data breach, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach, so that you can meet your own notification obligations to supervisory authorities and data subjects (Articles 33 and 34 GDPR)
- Provide details of the nature of the breach
- Identify affected categories and approximate numbers of data subjects and records
- Describe the likely consequences of the breach
- Describe measures taken or proposed to address the breach
- Provide contact information for further inquiries
Notification will be sent to: [email protected] or your designated security contact.
9. Data Transfers
9.1 International Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). For such transfers, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Processing in countries with adequacy decisions
- Additional technical measures (encryption, pseudonymization)
9.2 Data Location
You can choose the geographic location for your data through our region selection:
- Europe (Frankfurt, Amsterdam, London)
- United States (Virginia, California, Oregon)
- Asia Pacific (Singapore, Tokyo, Sydney)
- Africa (Nairobi, Johannesburg, Lagos)
Note that the London region is outside the EEA; personal data stored there is transferred under the European Commission's adequacy decision for the United Kingdom (see Section 9.1).
10. Audits and Compliance
We will:
- Make available to you information necessary to demonstrate compliance with this DPA
- Undergo regular third-party audits (SOC 2, ISO 27001)
- Provide audit reports upon request (subject to confidentiality)
- Allow for and contribute to audits by you or an appointed auditor (with reasonable notice and at your expense)
11. Data Retention and Deletion
11.1 During Service Term
During the term of the agreement, you can delete your data at any time through the control panel or API.
11.2 End of Service
Upon termination or expiration of Services, we will:
- Provide you with 30 days to export your data
- Delete or return all personal data at your choice
- Delete existing copies unless required by law to retain
- Provide certification of deletion upon request
11.3 Backup Retention
Personal data in backups will be securely deleted within 90 days of termination in accordance with our backup retention schedule.
12. Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement, except as required by applicable data protection law.
13. Term and Termination
This DPA will remain in effect for the duration of the service agreement. Upon termination, the provisions regarding data deletion and return will survive.
14. Governing Law and Jurisdiction
This DPA is governed by the same law as the main service agreement. For GDPR purposes, the competent supervisory authority is determined by the location of your establishment; for cross-border processing, the lead supervisory authority is that of your main establishment.
15. Changes to This DPA
We may update this DPA to reflect changes in data protection laws or our practices. Material changes will be communicated at least 30 days in advance.
16. Contact Information
For questions about this DPA or data protection matters:
- Email: [email protected] (Data Protection Officer)
- Email: [email protected]
- Phone: +254 709 080 380
- Address: Nairobi, Kenya