Data Processing Agreement
Last updated: March 20, 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:
- Data Controller ("Customer", "you"): The entity or individual who has agreed to the Terms of Service.
- Data Processor ("HostingGuru", "we", "us"): HostingGuru, operating the hostingguru.io platform.
This DPA applies when HostingGuru processes Personal Data on behalf of the Customer in the course of providing the Service. It reflects the parties' commitment to comply with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection ("FADP").
By using the Service, the Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, on behalf of its end users and customers.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the Agreement or applicable Data Protection Laws.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by HostingGuru on behalf of the Customer through the Service.
- "Data Protection Laws" means all applicable legislation relating to data protection and privacy, including the GDPR, UK GDPR, Swiss FADP, and any national implementing legislation.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, modification, erasure, or destruction.
- "Sub-processor" means any third party engaged by HostingGuru to process Personal Data on behalf of the Customer.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Supervisory Authority" means an independent public authority established by an EU/EEA Member State, the UK Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner, as applicable.
2. Scope and Roles
2.1 Customer as Controller
The Customer is the Data Controller and determines the purposes and means of processing Personal Data. The Customer is responsible for ensuring that its use of the Service and any processing instructions comply with applicable Data Protection Laws.
The Customer warrants that:
- It has a lawful basis for processing Personal Data through the Service.
- It has provided all necessary notices and obtained all necessary consents from Data Subjects.
- Its processing instructions to HostingGuru will not cause HostingGuru to violate any applicable law.
2.2 HostingGuru as Processor
HostingGuru acts as a Data Processor and processes Personal Data only on behalf of and in accordance with the documented instructions of the Customer, except where required to do so by applicable law. In such a case, HostingGuru will inform the Customer of the legal requirement before processing, unless prohibited by law.
2.3 Customer Account Data
With respect to Customer account data (name, email, billing information), HostingGuru acts as an independent Data Controller for the purposes of managing the customer relationship, billing, fraud prevention, and compliance with legal obligations. This processing is governed by our Privacy Policy.
3. Details of Processing
3.1 Subject Matter and Duration
HostingGuru processes Personal Data for the duration of the Agreement, plus any period necessary to comply with legal obligations, resolve disputes, or enforce the Agreement.
3.2 Nature and Purpose of Processing
HostingGuru processes Personal Data to provide the Service, which includes: hosting and deploying applications, managing environment variables, processing deployment requests, attaching custom domains, monitoring deployment status, providing workspace collaboration features, and processing database credentials and connections through the optional Database add-on.
3.3 Categories of Data Subjects
Data Subjects may include:
- The Customer's end users and customers whose data is processed by Customer's deployed applications.
- The Customer's employees, contractors, or team members who access the Service via workspaces.
3.4 Types of Personal Data
Personal Data processed may include (as determined by the Customer's applications and usage):
- Names, email addresses, phone numbers, and other contact information.
- IP addresses, device identifiers, and browser information.
- Database connection credentials (connection strings, passwords, tokens) if the Database add-on is used — encrypted with AES-256-GCM at rest.
- Any other Personal Data submitted, stored, or transmitted by the Customer's deployed applications.
The Customer is solely responsible for determining the types and sensitivity of Personal Data processed through its applications. HostingGuru does not intentionally access or inspect the content of Customer applications or databases.
3.5 Sensitive Data
The Customer should not process special categories of Personal Data (as defined in Article 9 of the GDPR) through the Service unless appropriate safeguards and a lawful basis are in place. HostingGuru does not provide specific controls for processing sensitive data and shall not be liable for any non-compliance arising from the Customer's processing of such data.
4. Obligations of HostingGuru
HostingGuru shall:
- Process Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data outside the EU/EEA, unless required by law.
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures as described in Section 7.
- Assist the Customer, taking into account the nature of the processing, in responding to Data Subject requests to exercise their rights under Data Protection Laws.
- Assist the Customer in ensuring compliance with its obligations regarding data security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities.
- At the Customer's choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless storage is required by applicable law (see Section 9).
- Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA.
5. Sub-processors
5.1 Authorized Sub-processors
The Customer provides general authorization for HostingGuru to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is as follows:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Application hosting and compute | Germany (EU) |
| Stripe, Inc. | Payment processing | United States |
| GitHub, Inc. | Source code access and webhooks | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Platform database provider | HostingGuru platform database (internal) | United States |
| Neon, Inc. | Customer database hosting (Database add-on) | EU (Frankfurt), US (Ohio) |
5.2 Notification of Changes
HostingGuru will notify the Customer at least 14 days in advance before engaging a new Sub-processor or replacing an existing one, by email to the address associated with the Customer's account.
5.3 Objection Rights
The Customer may object to a new Sub-processor on reasonable data protection grounds by notifying HostingGuru in writing within 14 days of receiving the notification. If HostingGuru cannot reasonably accommodate the objection, the Customer may terminate the affected Service without penalty.
5.4 Sub-processor Obligations
HostingGuru shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. HostingGuru remains fully liable to the Customer for the performance of each Sub-processor's obligations.
6. Data Subject Rights
HostingGuru shall:
- Promptly notify the Customer if HostingGuru receives a request from a Data Subject to exercise their rights under Data Protection Laws (access, rectification, erasure, portability, restriction, or objection).
- Not respond directly to such requests unless authorized by the Customer or required by law.
- Provide reasonable technical and organizational assistance to enable the Customer to respond to Data Subject requests, taking into account the nature of the processing.
The Customer is responsible for responding to Data Subject requests. Any costs incurred by HostingGuru in providing assistance shall be borne by the Customer.
7. Technical and Organizational Security Measures
HostingGuru implements and maintains the following security measures, appropriate to the risk of the processing:
7.1 Encryption
- In transit: All data transmitted to and from the Service is encrypted using TLS 1.2 or higher.
- At rest: Environment variables, database connection strings, database passwords, and other sensitive credentials are encrypted using AES-256-GCM.
7.2 Access Control
- Role-based access control (RBAC) at the workspace level with four roles: Owner, Admin, Developer, Viewer.
- API authentication via JSON Web Tokens (JWT).
- GitHub integration uses short-lived installation tokens, not personal access tokens.
7.3 Infrastructure Security
- Applications are deployed on ISO/IEC 27001:2022 certified European data centers.
- Container-level isolation between customer deployments.
- Container health checks with automatic restart on failure.
7.4 Data Minimization
- HostingGuru does not inspect or access the content of Customer applications or databases.
- Source code is not stored by HostingGuru; repository access is real-time via the GitHub API.
- Only metadata necessary for deployment is stored (repository name, branch, framework, build status).
- Database credentials are stored encrypted and decrypted only when displayed to authenticated users in the dashboard.
7.5 Personnel
- All personnel with access to Personal Data are bound by confidentiality obligations.
- Access to production infrastructure is limited to authorized personnel on a need-to-know basis.
8. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Customer, HostingGuru shall:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, via the email address associated with the Customer's account.
- Provide the following information (to the extent available):
  - The nature of the breach, including the categories and approximate number of Data Subjects and records affected.
  - The likely consequences of the breach.
  - The measures taken or proposed to address and mitigate the breach.
  - A contact point for further information.
- Take reasonable steps to contain, investigate, and mitigate the effects of the breach.
- Provide reasonable cooperation and assistance to the Customer in fulfilling its own breach notification obligations to Supervisory Authorities and affected Data Subjects.
HostingGuru's notification of a Data Breach shall not be construed as an admission of fault or liability.
9. Data Return and Deletion
Upon termination or expiration of the Agreement, HostingGuru shall, at the Customer's choice:
- Return all Personal Data to the Customer in a commonly used, machine-readable format; or
- Delete all Personal Data, including all existing copies, within 30 days.
If no instruction is received from the Customer within 30 days of termination, HostingGuru shall delete the Personal Data.
For customers using the Database add-on, databases are only deleted by explicit user action. Upon termination of the Agreement, if databases have not been deleted by the Customer, HostingGuru may permanently remove them after 30 days. Point-in-time recovery snapshots are retained for a maximum of 3 days during the add-on's active lifetime and are automatically deleted thereafter.
HostingGuru may retain Personal Data to the extent required by applicable law, provided that such data is protected in accordance with this DPA and processed only for the purpose required by law.
10. International Data Transfers
Customer applications are hosted on infrastructure located in the European Union (Germany). Customer databases (if using the Database add-on) are hosted by Neon in the EU (Frankfurt) or US (Ohio) based on the Customer's region selection. Platform data (account information, billing) may be processed by Sub-processors located outside the EU/EEA, including the United States.
For transfers of Personal Data outside the EU/EEA, HostingGuru relies on the following mechanisms:
- Standard Contractual Clauses (SCCs) — as adopted by the European Commission (Decision 2021/914), incorporated by reference into this DPA.
- Adequacy decisions — where the European Commission has determined that a third country provides an adequate level of data protection.
- EU-U.S. Data Privacy Framework — for Sub-processors that are certified under the DPF.
For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as issued by the Information Commissioner's Office) shall apply.
For transfers from Switzerland, the EU SCCs shall apply with the modifications required by the Swiss FADP.
11. Audit Rights
HostingGuru shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may exercise its audit rights as follows:
- Documentation review: The Customer may request copies of relevant security certifications, audit reports, or compliance documentation held by HostingGuru.
- Third-party audit: The Customer may, at its own expense and with at least 30 days' prior written notice, engage an independent third-party auditor to conduct an audit of HostingGuru's processing activities. Such audits shall be limited to once per calendar year, conducted during normal business hours, and shall not unreasonably interfere with HostingGuru's operations.
The Customer shall treat all information obtained through audits as confidential and use it solely for the purpose of verifying compliance with this DPA.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
The Customer shall indemnify HostingGuru against any costs, claims, damages, or expenses arising from the Customer's processing instructions that violate applicable Data Protection Laws, or from the Customer's failure to comply with its obligations under this DPA.
13. Term and Termination
This DPA takes effect on the date the Customer agrees to the Terms of Service and remains in effect for the duration of the Agreement. Sections 8, 9, 11, and 12 shall survive termination of this DPA.
14. General Provisions
- Conflicts: In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
- Governing law: This DPA is governed by the laws of France, consistent with the Agreement.
- Severability: If any provision of this DPA is found to be unenforceable, the remaining provisions shall remain in full force and effect.
- Amendments: This DPA may be updated by HostingGuru to reflect changes in Data Protection Laws. Material changes will be communicated to the Customer at least 30 days in advance.
15. Contact
For questions about this DPA or to exercise data protection rights, contact us at:
- Email: hello@hostingguru.io
- Contact form: hostingguru.io/contact
Common DPA questions
What is a Data Processing Agreement?
A Data Processing Agreement is a contract under GDPR Article 28 between a controller (you) and a processor (HostingGuru) describing how the processor handles personal data on the controller's behalf.
Do I need to sign the HostingGuru DPA?
If you are based in the EU, the UK or Switzerland, or your HostingGuru application processes personal data of residents of those jurisdictions, Data Protection Laws require a DPA with your processor. No separate signature is needed: the DPA is incorporated by reference into the Terms of Service and takes effect when you agree to them (Section 13).
Where does HostingGuru store EU customer data?
Customer applications are hosted on infrastructure in Germany (EU). Databases created through the Database add-on are hosted by Neon in either Frankfurt (EU) or Ohio (US), depending on the region you select when creating the database. Point-in-time recovery snapshots stay in the same region as the database they are taken from and are kept for at most 3 days. Platform account and billing data may be processed by Sub-processors in the United States (see Section 10).
Who are HostingGuru's subprocessors?
The authoritative list is the Sub-processor table in Section 5 of the agreement: Hetzner Online GmbH (application hosting and compute, Germany), Stripe, Inc. (payment processing, US), GitHub, Inc. (source code access and webhooks, US), Resend, Inc. (transactional email, US), the platform database provider (internal platform database, US), and Neon, Inc. (Database add-on hosting, EU Frankfurt or US Ohio). You will be notified by email at least 14 days before a Sub-processor is added or replaced (Section 5.2).