Data Processing Addendum (DPA)

Processor terms for customers using cPBackup to store backups that may contain personal data.

Last updated: 12 January 2026
Parties and scope
This DPA forms part of the agreement between:
- Customer (the “Controller”), and
- HostXNow (trading as cPBackup / cpbackup.net) (the “Processor”).

It applies where the Processor processes Personal Data on behalf of the Controller in connection with the Services.
1) Definitions
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in applicable data protection law.

“Data Protection Laws” means (as applicable): UK GDPR, the Data Protection Act 2018, EU GDPR, and any related successor laws.
2) Roles and instructions
The Controller determines the purposes and means of processing. The Processor processes Personal Data only as needed to provide the Services and only on documented instructions from the Controller.
3) Processor obligations
The Processor will:
- Process Personal Data only on documented instructions
- Ensure authorised persons are bound by confidentiality
- Implement appropriate technical and organisational measures (see TOMs below)
- Notify the Controller if an instruction appears to infringe Data Protection Laws (unless prohibited by law)
4) Sub-processors
The Controller authorises the Processor to use sub-processors to deliver the service (e.g., infrastructure, storage, support tooling). The Processor will impose protections no less protective than this DPA and remains responsible for sub-processor performance.

A list of key sub-processors can be provided on request (or published on a dedicated page).
5) International transfers
Choosing a backup destination may involve international transfers. Where required, the Parties will rely on appropriate safeguards such as EU SCCs (Controller→Processor) and/or the UK IDTA / UK Addendum, completed as necessary for the Services.
6) Security measures
The Processor will maintain appropriate TOMs. The Controller remains responsible for its own source systems (access controls, patching, token hygiene, and overall security posture).
7) Personal data breaches
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, and provide reasonable information to support the Controller’s compliance obligations.
8) Assistance with compliance
The Processor will provide reasonable assistance with data subject requests and compliance tasks (e.g., DPIAs) where applicable. If the Processor receives a data subject request directly, it will (unless prohibited) direct the requester to the Controller and notify the Controller.
9) Audits and information
On reasonable written request, the Processor will make available information necessary to demonstrate compliance. The Controller may conduct an audit no more than once per 12 months, with 30 days’ notice, during business hours, and subject to confidentiality and security requirements.
10) Return and deletion
During the term, the Controller can retrieve data using service features. After termination/cancellation, the Processor will delete Personal Data.
Annex 1 — Processing details
Subject matter: Offsite backup, storage, integrity verification, download/restore access, usage metering, and support.

Duration: Term of the Services + retention per Controller configuration.

Categories of data subjects: Controller’s end users/customers, employees, contractors, and any individuals whose data is stored on Controller systems.

Categories of personal data: Depends on what Controller stores (may include names, emails, addresses, IPs, account data, files, database content, emails).

Locations: [UK/EU/US LOCATIONS] depending on destination selected.
Annex 2 — Technical and organisational measures (TOMs)
Measures may include:
- Encryption in transit (HTTPS for web/API; SSH/SCP for transfers)
- Access controls, least privilege, MFA/2FA where available
- Segmentation between customer environments
- Logging/monitoring for abuse prevention
- Integrity checks (e.g., hashes)
- Secure download mechanisms (e.g., expiring/single-use links where supported)
- Vulnerability and patch management
- Incident response procedures and confidentiality obligations