Data Processing Agreement (DPA) - RaiaWeb
Version 1.0 - Last updated: 11 June 2026
Courtesy translation. This English version is provided for convenience only. In the event of any discrepancy, the Portuguese version prevails.
This Data Processing Agreement ("DPA") is entered into under Article 28 of Regulation (EU) 2016/679 ("GDPR") between:
- Processor: Alex Nabais Gomes, sole trader, operating under the commercial name "RaiaWeb", NIF 268386625, Rua da Fonte Mestre, N.º 22, 6320-637 Soito, Portugal ("RaiaWeb"); and
- Controller: the Client, as identified in the account and in the Terms and Conditions of Service ("Terms").
1. Scope and Automatic Application
1.1. This DPA forms an integral part of the Terms (clause 20.2) and applies automatically, without the need for separate signature, whenever the provision of the Services involves the processing of personal data by RaiaWeb on behalf of the Client - in particular the hosting of websites, applications, databases, email or other content including third parties' personal data.
1.2. This DPA does not cover the processing of the Client's own personal data carried out by RaiaWeb as controller (account, billing, support), which is governed by the Privacy Policy.
1.3. If the Client itself acts as processor for a third-party controller, the Client warrants that the instructions it gives RaiaWeb reflect that controller's instructions, with RaiaWeb acting as sub-processor. For the purposes of this DPA, references to the "Client" include that capacity.
1.4. In matters of data protection within the controller–processor relationship, this DPA prevails over the Terms.
2. Definitions
The terms "personal data", "processing", "controller", "processor", "data subject" and "personal data breach" have the meaning given to them by Article 4 GDPR. Other capitalised terms have the meaning defined in the Terms.
3. Subject Matter, Nature and Duration of the Processing
3.1. The subject matter, nature, purpose and duration of the processing, as well as the categories of data subjects and of personal data, are set out in Annex I.
3.2. The Client, as controller, determines the purposes and means of the processing and warrants that it has a lawful basis for the data it hosts, being responsible for compliance with information duties and for handling data subjects' rights.
3.3. Special categories of data: shared hosting Services are not intended for large-scale processing of special categories of data (Article 9 GDPR) or of data relating to criminal convictions. The Client must not host such data without RaiaWeb's prior written agreement on appropriate measures.
4. Client Instructions
4.1. RaiaWeb processes personal data only on documented instructions from the Client, including with regard to international transfers, unless required to do so by law - in which case it informs the Client before processing, unless the law prohibits this on important grounds of public interest.
4.2. Documented instructions comprise: the Terms, this DPA, the configurations and actions performed by the Client in the Services (panel, Client Area, APIs) and reasonable additional written instructions compatible with the nature of the Services.
4.3. RaiaWeb shall immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other data protection provisions, and may suspend its execution pending clarification.
5. Confidentiality
RaiaWeb ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they access the data only to the extent necessary for the provision of the Services.
6. Security of Processing
6.1. RaiaWeb implements the appropriate technical and organisational measures set out in Annex II, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks for data subjects (Article 32 GDPR).
6.2. Annex II may be updated by RaiaWeb provided that this does not materially reduce the overall level of security.
6.3. For services where the Client administers the environment (in particular VPS), the security of the configuration, the operating system and the installed applications is the Client's responsibility, under the AUP.
7. Sub-Processors
7.1. The Client grants RaiaWeb general authorisation to engage the sub-processors identified in Annex III.
7.2. RaiaWeb shall inform the Client of any addition or replacement of sub-processors at least 30 days in advance (by email), and the Client may raise reasoned objections within that period. If no reasonable solution is possible, the Client may terminate the affected service, with a proportional refund of the unused prepaid period.
7.3. RaiaWeb imposes on each sub-processor, by contract, data protection obligations equivalent to those of this DPA and remains liable to the Client for the performance of those obligations.
8. Assistance to the Client
8.1. Data subject rights: taking into account the nature of the processing, RaiaWeb provides the Client with reasonable assistance, through appropriate technical and organisational measures, to enable the Client to respond to requests for the exercise of rights. If a data subject contacts RaiaWeb directly regarding data hosted by the Client, RaiaWeb does not respond on the merits and forwards the request to the Client, where possible.
8.2. Impact assessments and prior consultations: RaiaWeb provides reasonable assistance to the Client in complying with Articles 32 to 36 GDPR, to the extent of the information available to it.
8.3. Reasonable assistance is included in the Services; manifestly disproportionate requests or requests requiring specific work may be quoted as an additional service.
9. Personal Data Breaches
9.1. RaiaWeb notifies the Client without undue delay - and in any case within a maximum of 72 hours - after becoming aware of a personal data breach affecting data processed on behalf of the Client.
9.2. The notification includes, to the extent of the information available: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed; the information may be provided in phases.
9.3. It is for the Client, as controller, to assess and make the notifications to the supervisory authority and to data subjects (Articles 33 and 34 GDPR). RaiaWeb provides reasonable cooperation for that purpose.
10. Deletion and Return of Data
10.1. During the term of the contract, the Client may export its data at any time using the available tools (panel, FTP, backups).
10.2. Upon termination of the contract, the courtesy period of 15 days provided for in clause 23.3 of the Terms applies, during which the Client may export the data. After that period, RaiaWeb permanently deletes the personal data, except where retention is required by law.
10.3. Backups expire through the normal retention cycle (7 days), so deletion from all systems, including backups, is completed within a maximum of 30 days after termination. At the Client's request, RaiaWeb confirms the deletion in writing.
11. Demonstration of Compliance and Audits
11.1. RaiaWeb makes available to the Client the information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, in particular through this DPA, its Annexes and responses to reasonable security questionnaires.
11.2. The Client may carry out audits, including inspections, directly or through a mandated auditor (who must not be a competitor of RaiaWeb), under the following conditions: minimum 30 days' prior notice; a maximum of one per calendar year, except following a relevant data breach or at the requirement of a supervisory authority; during business hours and without disrupting operations; without access to other clients' data or third parties' confidential information; with the Client bearing the respective costs.
11.3. Wherever possible, audits are satisfied, in the first instance, by the documentation and information referred to in 11.1.
12. International Transfers
Processing under this DPA is carried out in datacenters located in the European Union (Portugal and France - Annex III). RaiaWeb does not transfer the data outside the European Economic Area; should this become necessary, it will do so only with adequate safeguards (adequacy decision or Standard Contractual Clauses) and upon prior information to the Client under clause 7.2.
13. Liability and Term
13.1. The parties' liability is governed by Article 82 GDPR and by clause 22 of the Terms.
13.2. This DPA remains in force for as long as RaiaWeb processes personal data on behalf of the Client and ends upon completion of the deletion obligations provided for in clause 10.
Annex I - Description of the Processing
| Element | Description |
|---|---|
| Subject matter | Provision of web hosting, virtual private server, email and related services |
| Nature of the processing | Storage, retention, transmission, backup, restore and deletion; technical execution of the applications installed by the Client |
| Purpose | Provision of the hosting infrastructure; RaiaWeb does not use the data for its own purposes |
| Duration | Term of the service contract, plus the periods in clause 10 |
| Categories of data subjects | Determined by the Client - typically: visitors, users and customers of the hosted sites/applications; subscribers; the Client's staff |
| Categories of data | Determined by the Client - typically: identification and contact details, account data, submitted content, technical logs. Large-scale special categories are excluded (clause 3.3) |
Annex II - Technical and Organisational Measures
- Encryption in transit (TLS) on exposed services; SSL certificates available for all hosted domains;
- Isolation between hosting accounts at platform level;
- Daily backups with 7-day retention;
- Access control under the least-privilege principle; two-factor authentication available in the Client Area;
- Regular security updates and patches to the hosting platform, managed jointly with the infrastructure providers;
- Logging of relevant access and security events;
- Datacenters located in the European Union, with physical access control managed by the infrastructure providers (Annex III);
- Internal incident response and notification procedure (clause 9).
Annex III - Authorised Sub-Processors
| Entity | Country | Service |
|---|---|---|
| Innov4web | Portugal | Shared hosting infrastructure (cPanel) and datacenter |
| OVH SAS | France (EU) | Virtual private server (VPS) infrastructure |
Changes to this list are communicated under clause 7.2.
