Data Processing Agreement
Last updated: April 6, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TwanIT, trading as deploybase ("Processor", "we", "us"), and the customer ("Controller", "you") who uses the deploybase platform.
This DPA applies when deploybase processes personal data on your behalf in the course of providing the hosting service. By using a paid deploybase plan, you accept the terms of this DPA.
2. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person that the Controller uploads to or processes through the Service.
- "Processing": Any operation performed on Personal Data, including storage, retrieval, transmission, and deletion.
- "Sub-processor": A third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the Terms of Service.
3. Scope and purpose
Nature of processing
deploybase hosts and serves static websites on your behalf. In doing so, we may process personal data that your end-users submit through your websites, or that is contained in the content you deploy.
Types of personal data
- Content you deploy through the Service (HTML, JavaScript, assets)
- Build logs and deployment metadata
- CDN access logs (IP addresses, user agents of site visitors)
Categories of data subjects
- Your end-users who visit sites hosted on deploybase
- Your team members who use the deploybase platform
Duration
Processing continues for the duration of the service agreement between you and deploybase, plus any retention period specified in section 11.
4. Obligations of the processor
deploybase will:
- Process Personal Data only on your documented instructions, unless required by EU or member state law. If such a legal requirement exists, we will inform you before processing (unless prohibited by law).
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see section 8).
- Assist you in fulfilling your obligations regarding data subject requests (see section 7).
- Assist you in ensuring compliance with your obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments).
- At your choice, delete or return all Personal Data after the end of the service, and delete existing copies unless EU or member state law requires storage (see section 11).
- Make available information necessary to demonstrate compliance with GDPR Article 28 obligations (see section 10).
5. Sub-processors
You provide general authorization for us to engage the sub-processors listed below. We maintain an up-to-date list on our Security page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Scaleway | Infrastructure hosting (servers, storage, Kubernetes) | Paris, France (EU) |
| Bunny.net | CDN content delivery | Ljubljana, Slovenia (EU) |
| Vatly | Payment processing (Merchant of Record) | EU |
| Lettermint | Transactional email delivery | EU |
We will notify you at least 30 days before adding or replacing a sub-processor. If you object to a new sub-processor, you may terminate the affected service by providing written notice within those 30 days.
We impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
6. International data transfers
We do not transfer Personal Data outside the European Economic Area (EEA). All sub-processors listed in section 5 are located within the EU.
If a transfer outside the EEA ever becomes necessary, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses approved by the European Commission) and will inform you in advance.
7. Data subject rights
We will assist you in responding to data subject requests under GDPR Articles 15 to 22 (access, rectification, erasure, portability, restriction, objection).
If we receive a request directly from one of your data subjects, we will promptly redirect them to you, unless we are legally required to respond directly.
8. Security measures
We implement the following technical and organizational measures. For full details, see our Security page.
- Encryption in transit: TLS 1.2+ for all communications.
- Encryption at rest: Database and storage encryption via Scaleway managed encryption.
- Access control: Role-based access (Owner, Admin, Member, Viewer) with multi-tenant isolation.
- Authentication: Self-hosted Zitadel (OIDC) with passkey support. No third-party credential access.
- Build isolation: Each build runs in a dedicated Kubernetes pod with resource limits, destroyed after completion.
- Secrets management: Encrypted via Scaleway Secret Manager, never logged.
- Monitoring: Structured logging with audit trails. Log retention: 30 days (server logs), 90 days (build logs, API audit logs).
- Infrastructure: Hosted in Scaleway ISO 27001 certified datacenters, Paris, France.
9. Data breach notification
We will notify you of a Data Breach without undue delay and no later than 72 hours after becoming aware of it. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- Contact details for further information
We will cooperate with you and take reasonable steps to assist in mitigating the effects of the breach.
10. Audits
Upon reasonable request and subject to confidentiality obligations, we will provide you with information necessary to demonstrate compliance with our obligations under this DPA and GDPR Article 28.
We will allow and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audit requests should be submitted with at least 30 days' notice to support@deploybase.eu. We may charge reasonable fees for time spent assisting with audits beyond initial compliance verification.
11. Data deletion
Upon termination of the service agreement, you have 30 days to export your data. After this period, we will delete all Personal Data processed on your behalf, including backups, within 30 additional days.
Exceptions: We may retain data where required by EU or member state law (e.g., billing records retained for 7 years under Dutch tax law, Art. 52 AWR). We will inform you of any such retention and limit processing to the legally required purpose.
12. Duration and termination
This DPA is effective for the duration of the service agreement between you and deploybase, as governed by the Terms of Service. It automatically terminates when the service agreement ends, subject to any surviving obligations (particularly data deletion under section 11).
13. Governing law
This DPA is governed by and construed in accordance with the laws of the Netherlands, consistent with the Terms of Service. Any disputes shall be submitted to the competent court in Zwolle, Netherlands.
14. Contact
For questions about this DPA or data processing:
- support@deploybase.eu
- Postal address
- KVK: 71667415