Definitions
Capitalized terms not defined here have the meaning given in the Terms or in Article 4 of Regulation (EU) 2016/679 (the GDPR). "Customer Personal Data" means personal data that HostEngine processes on Customer's behalf in providing the Service. "Sub-processor" means a third party engaged by HostEngine to process Customer Personal Data.
Subject matter & duration
HostEngine processes Customer Personal Data only to provide the Service as described in the Terms. Processing continues for the term of the agreement and for any post-termination period required to return or delete data.
Customer instructions
HostEngine will process Customer Personal Data only on documented instructions from Customer, including the Terms, the published documentation, and any additional instructions Customer provides through the dashboard or the API. HostEngine will inform Customer if, in its opinion, an instruction infringes applicable data protection law.
Sub-processors
Customer authorizes HostEngine to engage Sub-processors listed in the Annex. HostEngine maintains a current list at hostengine.com/legal/trust and provides at least thirty (30) days' advance notice of changes. Customer may object to changes for documented compliance reasons.
HostEngine remains liable for the acts and omissions of its Sub-processors to the same extent as for its own.
Security measures
HostEngine implements and maintains the security measures set out in Annex 2 of this DPA, including encryption in transit and at rest, role-based access control, audit logging, sealed access reviews, vulnerability management, and an annual penetration test by an independent third party.
Incident notification
HostEngine will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include the nature of the incident, the categories and approximate number of records involved, the likely consequences, and the measures taken or proposed.
International transfers
Where Customer Personal Data is transferred from the EEA, UK or Switzerland to a country without an adequacy decision, HostEngine relies on the Standard Contractual Clauses (Module Two) and equivalent UK/Swiss addenda, which are incorporated by reference into this DPA.
Audit rights
Customer may audit HostEngine's compliance with this DPA once per twelve-month period at Customer's expense, on thirty (30) days' written notice. HostEngine will provide its most recent SOC 2 Type II and ISO 27001 certifications, which Customer agrees will satisfy audit requirements absent specific cause.
Return & deletion
Within thirty (30) days of termination of the Service, HostEngine will, at Customer's choice, return or delete all Customer Personal Data. Backup copies are deleted on a rolling 90-day cycle thereafter. Certificates of destruction are available on request.
Annex — Sub-processors
HostEngine's current Sub-processors include:
- Stripe Payments Europe Ltd — payment processing (IE)
- Postmark / ActiveCampaign Inc. — transactional email (US)
- Intercom R&D Unlimited Co. — customer support messaging (IE)
- Datadog Inc. — internal observability (US, EU)
- Cloudflare Inc. — DNS, edge security (US, global)
- Equinix Inc. — colocation facilities for owned hardware (global)
The full and current list, including processing purposes and locations, is published in the Trust Center.