data processing agreement.

last updated 9 May 2026

this DPA is part of the agreement between vøiddo ("Provider", "we") and you, the Customer ("Controller"), and applies whenever we process personal data on your behalf as part of a Job. for sites we build that you own, you are the Controller of any visitor data the new site processes; we are a Processor when we operate the site for you, or until hand-over.

1. roles

• Controller: the Customer who buys the Job.
• Processor: vøiddo, when we host or operate the resulting site on your behalf.

2. nature, purpose, and duration

processing is limited to: hosting your website, sending transactional email if configured, storing form submissions, and providing analytics. duration is the term of your subscription, plus 30 days for backup purges.

3. types of data and data subjects

typical: visitor IPs, contact-form name/email/message, browser strings. we do not process special-category data unless explicitly contracted for it.

4. obligations of the Processor

• process personal data only on documented instructions from the Controller.
• ensure all team members with access are bound by confidentiality.
• implement appropriate technical and organisational measures (encryption in transit and at rest, access logs, breach detection).
• not engage sub-processors without prior written consent. our current sub-processor list is below; we notify 14 days before any change.
• assist the Controller in responding to data subject requests (access, deletion, rectification, portability) within 5 business days.
• notify the Controller of any breach within 24 hours of becoming aware.
• delete or return all personal data within 30 days of termination, on Controller's choice.

5. sub-processors

• Hetzner Online GmbH (Germany) — datacentre hosting.
• Paddle.com Market Ltd (UK) — payment processing only; no other personal data.
• Google LLC (USA) — workspace and infrastructure services where required for normal business operations.

6. international transfers

any transfer outside the EEA uses Standard Contractual Clauses (Module 3 — Processor to Sub-Processor) where applicable, plus supplementary measures (encryption-in-transit, no plaintext PII in logs).

7. audit

once per 12 months on 30 days' written notice, the Controller (or its independent auditor) may audit our compliance with this DPA, on reasonable terms and at the Controller's cost.

8. termination

this DPA terminates automatically when the underlying agreement does. upon termination, we delete or return all personal data within 30 days at the Controller's choice.

9. signing

by paying for a Job that includes hosting or any service in which we process personal data on your behalf, you accept this DPA. for explicit signature, email urweb@voiddo.com; we counter-sign within 2 business days.