Data Processing Agreement (DPA)
Last updated: June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between HOSTIM.DEV UG (haftungsbeschränkt), Schwanenstraße 9, 42697 Solingen, Germany ("Hostim", "we", "Processor") and the customer agreeing to those terms ("Customer", "you", "Controller"). It governs the processing of personal data by Hostim on the Customer's behalf under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
By accepting the Terms of Service, the Customer enters into this DPA on behalf of itself and, to the extent required, in the name of and on behalf of its own controllers. No physical signature is required for this DPA to be binding. A countersigned copy is available on request to support@hostim.dev.
1. Roles and scope
1.1. For personal data that the Customer submits to, stores on, or processes through the Hostim platform ("Customer Personal Data"), the Customer acts as Controller (or as a processor acting on behalf of a third-party controller) and Hostim acts as Processor.
1.2. This DPA applies only to Hostim's processing of Customer Personal Data as a Processor. Hostim's processing of account, billing, and support data relating to the Customer itself — where Hostim acts as a controller — is described in our Privacy Policy (Datenschutzerklärung), not here.
1.3. The Customer is solely responsible for the personal data it chooses to deploy and process on the platform, including its lawful basis, the information provided to data subjects, and the legality of the content. Hostim provides only the technical hosting infrastructure and has no knowledge of, or control over, the specific contents of Customer applications and databases.
2. Subject matter and details of processing
The subject-matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in Annex 1.
3. Obligations of Hostim as Processor
Hostim shall, in accordance with Article 28(3) GDPR:
- (a) Documented instructions. Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to third countries, unless required to do otherwise by Union or Member State law; in such a case, Hostim shall inform the Customer of that legal requirement before processing, unless the law prohibits it. The Customer's instructions are set out in this DPA and the Terms of Service; the Customer may issue further reasonable instructions in writing. Hostim shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
- (b) Confidentiality. Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Security. Implement the technical and organisational measures set out in Annex 2 in accordance with Article 32 GDPR.
- (d) Sub-processors. Engage sub-processors only under the conditions set out in Section 4.
- (e) Data subject rights. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR.
- (f) Assistance. Assist the Customer in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Hostim.
- (g) Deletion or return. At the choice of the Customer, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage. See Section 6.
- (h) Audits. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. See Section 7.
4. Sub-processors
4.1. The Customer grants Hostim general authorisation to engage sub-processors to process Customer Personal Data. The current sub-processors are listed in Annex 3.
4.2. Where Hostim engages a sub-processor, it shall impose on that sub-processor, by contract, data protection obligations equivalent to those set out in this DPA. Hostim remains fully liable to the Customer for the performance of that sub-processor's obligations.
4.3. Hostim shall inform the Customer of any intended addition or replacement of a sub-processor at least 30 days in advance, giving the Customer the opportunity to object on reasonable data-protection grounds. Notice is given by updating Annex 3 and notifying the Customer by email. If the Customer objects and the parties cannot resolve the objection, the Customer may terminate the affected services.
5. International transfers
All Customer Personal Data is processed and stored within the European Union (Germany). Hostim does not transfer Customer Personal Data to a third country. Should this change, Hostim will only do so under a valid transfer mechanism under Chapter V GDPR (such as the European Commission's Standard Contractual Clauses) and will update Annex 3 accordingly.
6. Deletion and return
6.1. On termination of the Customer's account, or on deletion of a specific project, app, database, or volume, the corresponding Customer Personal Data is deleted from the platform automatically and without undue delay. This deletion is irreversible.
6.2. On request made before deletion, Hostim will, where technically feasible, make Customer Personal Data available for export to allow the Customer to retrieve it.
6.3. Backups containing Customer Personal Data are retained on a rolling basis (see Annex 2) and expire automatically; Hostim does not retain Customer Personal Data beyond the backup retention window after deletion, except where Union or Member State law requires retention.
7. Audits
Hostim shall make available the information necessary to demonstrate compliance with Article 28 GDPR, including this DPA, the description of technical and organisational measures in Annex 2, and the sub-processor list. Where the Customer reasonably requires a further audit, the parties shall agree in advance on its scope, timing, and reasonable cost, conducted so as not to compromise the security or confidentiality of other customers' data.
8. Personal data breaches
Hostim shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and shall provide the Customer with the information reasonably available to enable the Customer to meet its obligations under Articles 33 and 34 GDPR. Notifications are sent to the Customer's account email address.
9. Liability and term
9.1. This DPA takes effect when the Customer accepts the Terms of Service and remains in force for as long as Hostim processes Customer Personal Data.
9.2. The liability of each party under this DPA is governed by the limitations of liability in the Terms of Service, to the extent permitted by law.
9.3. This DPA is governed by German law. If any provision conflicts with the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails.
Annex 1 — Details of processing
| Item | Description |
|---|---|
| Subject-matter | Provision of the Hostim cloud hosting platform (deployment and operation of containerised applications, managed databases, and storage). |
| Duration | For the term of the Customer's use of the services, until deletion of the relevant data (see Section 6). |
| Nature and purpose | Hosting, storage, transmission, computation, logging, and backup of Customer applications and their data, as instructed by the Customer through the platform. |
| Types of personal data | Any personal data the Customer chooses to deploy or store, including application database contents, files on persistent volumes, and application logs. The specific categories are determined and controlled solely by the Customer. |
| Categories of data subjects | Determined solely by the Customer (e.g. the Customer's own end users, customers, or employees). |
| Special categories | Hostim does not request special-category data (Article 9 GDPR). If the Customer chooses to process such data, it remains responsible for ensuring an appropriate legal basis. |
Annex 2 — Technical and organisational measures (Article 32)
Hostim maintains the following measures. These may be updated as the platform evolves, provided the level of protection is not reduced.
Infrastructure and physical security
- All processing takes place in data centres operated by Hetzner Online GmbH in Falkenstein, Germany (EU). Hetzner's facilities are ISO/IEC 27001 certified and subject to access control, environmental, and physical-security controls.
Tenant isolation
- Each Customer project runs in a dedicated, isolated Kubernetes namespace.
- Network policies enforce default-deny traffic rules between tenants, restricting communication to explicitly permitted paths.
- Untrusted workloads run under hardware-virtualised container isolation (Kata Containers).
Access control
- Role-based access control (RBAC) governs access to platform resources.
- Administrative access to the production infrastructure is restricted to authorised personnel under the principle of least privilege and subject to confidentiality obligations.
- Credentials and secrets are stored in dedicated secret stores, separated from application code.
Encryption in transit
- All connections to the platform and console use TLS (HTTPS). Certificates are issued and renewed automatically via Let's Encrypt.
Availability and resilience
- Managed databases are backed up automatically on an hourly schedule with a 7-day rolling retention, stored within the EU.
- Platform health, capacity, and security are continuously monitored (metrics, logs, and alerting).
Pseudonymisation and minimisation
- Hostim does not access the contents of Customer applications or databases in the ordinary course of operating the platform; data is processed as opaque workloads on the Customer's instructions.
Annex 3 — Sub-processors
| Sub-processor | Service provided | Location of processing | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Cloud infrastructure (compute, storage, networking, object storage for backups and logs) — hosts all Customer Personal Data | Germany (EU) | Not applicable (EU) |
This list reflects the sub-processors engaged to process Customer Personal Data. Third-party services used by Hostim to operate its own business (e.g. payment, transactional email, support chat) process Hostim's account and billing data rather than Customer Personal Data, and are described in the Privacy Policy.