1.1 This Data Processing Addendum (the "DPA") forms part of our Terms of Service at
https://speedypage.com/terms-of-service. It applies whenever you use our services to
process personal data of other people (for example, your website visitors, your
customers, your subscribers, or your employees).
1.2 In this DPA:
"You" or "Customer" means the SpeedyPage account holder. You are the controller of the
personal data we process on your behalf.
"We", "us" or "SpeedyPage" means SpeedyPage Ltd. We act as a processor of that personal
data on your behalf.
"Customer Personal Data" means the personal data we process on your behalf when
providing our services.
"Sub-processor" means another organisation we engage to help us process Customer
Personal Data.
"UK GDPR" has the meaning given in the Data Protection Act 2018, and "EU GDPR" means
Regulation (EU) 2016/679. References to "GDPR" mean both, unless we say otherwise.
"Personal data breach" has the meaning given in Article 4(12) of the GDPR.
1.3 If anything in this DPA conflicts with our Terms of Service, this DPA applies for
matters relating to Customer Personal Data.
2.1 This DPA applies only to Customer Personal Data. It does not apply to personal data
we collect about you as our customer (such as your account details, billing information,
or support history). That data is covered by our Privacy Policy and we act as the
controller of it.
2.2 You decide what Customer Personal Data is uploaded, stored or processed using our
services, and why. We process that data only on your instructions.
2.3 You must have a valid lawful basis for processing Customer Personal Data, and you
must give appropriate notices to the people the data relates to.
3.1 Subject matter and duration. We process Customer Personal Data for as long as your
service with us is active, and for any retention period set out in clause 10 (deletion
and return).
3.2 Nature and purpose. We host, store, transmit and back up Customer Personal Data as
part of providing our hosting, WordPress hosting, virtual server, CDN, email and domain
services.
3.3 Types of personal data. Any personal data you choose to upload, store or process
using our services. We do not control or limit what categories you use, but you must
not use our shared hosting services to process special category data (UK GDPR Article 9)
or criminal offence data (UK GDPR Article 10) without first contacting us so we can
advise on a suitable plan.
3.4 Categories of data subjects. The people you decide to collect data about, including
your website visitors, customers, subscribers, employees, suppliers and contacts.
3.5 A fuller description is set out in Appendix A.
4.1 Following your instructions. We will process Customer Personal Data only on your
documented instructions, including for international transfers, unless we are required
to act differently by UK or EU law. If we are required to act differently by law, we
will tell you before we do, unless the law prevents us from doing so.
4.2 Treating these terms as your instructions. You acknowledge that this DPA, our Terms
of Service, and the settings you choose in your client area together form your
documented instructions to us. If you want us to do something different, contact us
first.
4.3 Confidentiality. Anyone we authorise to process Customer Personal Data is bound by
a duty of confidentiality, whether by contract or by statutory duty.
4.4 Security. We take appropriate technical and organisational measures to protect
Customer Personal Data against accidental or unlawful destruction, loss or alteration,
and against unauthorised disclosure of, or access to, that data. Our current security
measures are summarised in Appendix B. We may update these measures over time, but we
will not reduce the overall level of protection.
4.5 Helping you respond to data subject requests. If we receive a request from a person
whose data you are processing, we will pass it on to you without responding to it
ourselves, except to confirm receipt or to direct them to you. We will give you
reasonable assistance to respond, including by providing access to the data we hold on
your behalf.
4.6 Helping you with your security and breach obligations. We will give you reasonable
assistance to meet your obligations under UK GDPR Articles 32 to 36, taking into
account what we know about the processing.
5.1 You are responsible for the accuracy, quality and legality of Customer Personal
Data, and for the means by which you obtained it.
5.2 You must give us instructions that are lawful, and you must tell us if any
instruction you have given would put us in breach of UK GDPR, EU GDPR or any other
data protection law that applies.
5.3 You are responsible for telling the people whose data you process about your
processing, in line with UK GDPR Articles 13 and 14.
6.1 We use the sub-processors listed in Appendix C to help us provide the services. By
accepting this DPA, you give us general authorisation to use those sub-processors and
to engage others on the terms below.
6.2 Before we add or replace a sub-processor:
(a) we will update the sub-processor list at
https://speedypage.com/dpa and notify you by email at least 30 days before the change
takes effect;
(b) if you object to the change for a reasonable data protection
reason, you may end the affected service by writing to us before the change takes
effect. We will refund any prepaid fees for the period after termination on a
pro-rata, calendar-day basis; and
(c) we will require the new sub-processor to enter into written terms
with us that include obligations equivalent to those in this DPA, and we remain
responsible to you for the sub-processor's performance.
7.1 Where we transfer Customer Personal Data outside the United Kingdom or the
European Economic Area, we will use a valid transfer mechanism. Depending on the
destination and the nature of the transfer, this will be one or more of:
(a) the UK International Data Transfer Agreement, or the UK International Data
Transfer Addendum to the EU Standard Contractual Clauses, each as issued by the
Information Commissioner under section 119A of the Data Protection Act 2018 (either of
which we refer to in this DPA as the "UK IDTA");
(b) the EU Standard Contractual Clauses (Module 2 controller-to-
processor or Module 3 processor-to-processor), as approved by the European Commission
on 4 June 2021;
(c) an adequacy decision by the UK government or the European
Commission; or
(d) another mechanism approved under UK GDPR Chapter V or EU GDPR
Chapter V.
7.2 The transfer mechanism that applies to each sub-processor is shown in Appendix C.
If you ask, we will provide a copy of the relevant clauses.
7.3 You may indicate any data residency requirements when you order your service. If
your requirements change, contact us and we will work with you to find a suitable
option.
8.1 If we become aware of a personal data breach affecting Customer Personal Data, we
will notify you without undue delay and in any event within 48 hours.
8.2 Our notification will include, to the extent we know it at the time:
(a) the nature of the breach, the categories of data, and the
approximate number of records and data subjects affected;
(b) the likely consequences of the breach;
(c) the measures we have taken or propose to take in response,
including measures to limit any possible harm; and
(d) a contact at SpeedyPage who can give you more information.
8.3 If we do not have all of this information within 48 hours, we will send what we
have and update you as we learn more.
8.4 You are responsible for deciding whether the breach must be notified to a
supervisory authority or to data subjects, and for making any such notification. We
will give you reasonable assistance to do this.
9.1 You may audit our compliance with this DPA once in any 12-month period. Where we
have a recent independent audit report or certification that covers the matters you
want to audit, we may meet this obligation by giving you a copy of that report under a
confidentiality undertaking.
9.2 If no suitable report is available, or it does not cover what you need to audit, we
will work with you on a reasonable on-site or remote audit, subject to:
(a) at least 30 days' written notice (or shorter notice where the
audit follows a personal data breach or a regulator request);
(b) an agreed scope and timetable that does not unreasonably
interfere with our operations;
(c) the auditor signing reasonable confidentiality undertakings; and
(d) you bearing your own audit costs, and our reasonable costs if the
audit goes beyond what is needed to verify compliance.
10.1 On termination of the affected service, we will delete or return Customer
Personal Data at your choice, except where retention is required by law.
10.2 If you do not tell us which you want within 30 days of termination, we will delete
the data.
10.3 Backups will be deleted in line with our backup retention cycle (which is normally
not more than 30 days from the date the live data is deleted).
10.4 You are responsible for downloading and keeping your own copy of any data you want
to retain before your service ends.
11.1 Liability. The liability of each party under this DPA is subject to the liability
provisions of our Terms of Service.
11.2 Term. This DPA applies for as long as we process Customer Personal Data on your
behalf. Clauses that by their nature should continue (including clauses 8, 9, 10 and
11) survive termination.
11.3 Governing law. This DPA is governed by English law and is subject to the
jurisdiction provisions in clause 17.6 of our Terms of Service. Where the EU Standard
Contractual Clauses or the UK IDTA apply to a transfer, the law and jurisdiction
specified in those clauses govern that transfer.
Appendix A: Description of processing
Subject matter: Provision of hosting, WordPress hosting, virtual server, CDN,
email and domain services to the Customer.
Duration: For as long as the Customer's service is active, plus any retention
period set out in clause 10.
Nature and purpose of processing: Hosting, storage, transmission, backup, and
related technical operations needed to provide the services. We do not access the
content of Customer Personal Data except as needed to provide the services, to comply
with law, or at the Customer's request.
Types of personal data: Any personal data the Customer chooses to upload, store
or process using the services. This typically includes contact details, account
credentials, transaction records, communications, and content the Customer chooses to
publish or transmit.
Categories of data subjects: The Customer's website visitors, customers,
subscribers, employees, suppliers and contacts, and any other people whose data the
Customer chooses to process.
Special category data and criminal offence data: Not permitted on our shared
hosting services without prior agreement (see clause 3.3).
Appendix B: Security measures
We take appropriate technical and organisational measures to protect
Customer Personal Data, having regard to the state of the art, the costs
of implementation, and the risks involved. These measures are aligned with
the requirements of UK GDPR Article 32 and include:
Encryption in transit. Customer access to our services and to the
client area is protected by TLS 1.2 or higher. Connections to control
panels (cPanel, WHM, webmail) and SSH/SFTP use industry-standard
encryption.
Password storage. Customer passwords are stored using salted
one-way hashes, not in plain text.
Access control. Role-based access to production systems on a
least-privilege, need-to-know basis. Multi-factor authentication is
required for all staff with access to production. Access permissions are
reviewed at least quarterly and on any change of role.
Network security. Perimeter firewalls, isolation of customer
environments, network segmentation between production and corporate
systems, and intrusion-detection monitoring on production networks. DDoS
protection is provided through our upstream providers and Cloudflare.
Vulnerability and patch management. Production systems are
monitored for vulnerabilities. Security patches are assessed by severity
and applied within defined timeframes; critical patches are applied
without undue delay.
Logging and monitoring. Access to production systems is logged.
Logs are retained for at least 90 days, and longer where required for
investigation. Anomalies and suspicious activity trigger alerts to our
operations team.
Resilience and backup. Backups are taken in line with the
customer's plan, encrypted, and stored offsite within the same region as
the live service by default. We test our restore procedures regularly.
Incident response. We maintain a documented incident-response
procedure. Personal data breaches are handled in line with clause 8 of
this DPA, including notification to the controller within 48 hours.
Personnel. All staff with access to Customer Personal Data are
bound by written confidentiality obligations and receive security and
data-protection training on joining and at least annually thereafter.
Sub-processor diligence. Sub-processors are subject to written
data-protection terms equivalent to those in this DPA, and their security
posture is reviewed before engagement and on a periodic basis.
Testing and review. We carry out regular testing and assessment of
the effectiveness of these measures, and update them in light of new
risks, vulnerabilities, and industry guidance. We do not reduce the
overall level of protection over time.
Certifications and assurance. Where we hold relevant certifications
or third-party audit reports (such as Cyber Essentials, ISO 27001, or
SOC 2), we will make them available to controllers under a
confidentiality undertaking on reasonable request.
Appendix C: Sub-processors
We use the following sub-processors to help us provide the services. This list is kept
up to date on this page. We will notify you of changes in line with clause 6.
Vultr Holdings, LLC. Cloud infrastructure provider used to operate hosting,
virtual server and related compute services. Processing locations: the data-centre
region you select when ordering (regions are available worldwide). Transfer mechanism
for transfers outside the UK or EEA: UK IDTA and EU Standard Contractual Clauses
(Module 3).
BunnyWay d.o.o. (Bunny.net). Content delivery and edge storage services used to
power our CDN product and to host operational data on our behalf. Processing
locations: EU (Slovenia headquarters); global edge network. Transfer mechanism for
transfers outside the EEA: UK IDTA for UK personal data; EU Standard Contractual
Clauses (Module 3) where applicable.
Google Ireland Limited and Google LLC. Google Workspace, used by our support
team for business email and document handling. Customer Personal Data contained in
support emails you send us is processed by Google as part of this service. Processing
locations: EU and US. Transfer mechanism: EU Standard Contractual Clauses (Module 3)
and the EU-U.S. Data Privacy Framework for transfers to the United States.
Notes: This list does not include providers we use only as a controller (for
example, payment processors, Cloudflare in front of our own websites, or Google
Analytics on speedypage.com). Those are covered in our Privacy Policy.
For questions about this DPA, contact our Data Protection Officer:
Name: Hardeep Singh
Email: hello@speedypage.com
Telephone: 0330 229 2199
Postal address: SpeedyPage Ltd, Newstead House, Pelham Road, Nottingham, NG5 1AP,
United Kingdom.
If you have a complaint about how we handle personal data and we cannot resolve it,
you can complain to the Information Commissioner's Office at https://ico.org.uk or on
0303 123 1113. Our ICO registration number is ZB117039.