DPA – Data Processing Agreement (GDPR Art. 28)

DATA PROCESSING AGREEMENT (DPA)


1. Contracting Parties

1.1. Data Controller (“Controller”): The client entity subscribing to the ABCDHost service, which determines the purposes and means of the processing of personal data.

1.2. Data Processor (“Processor”): ABCD Brasil, trade name of 48.396.509 ROGER CRAVEIRO GUILHERME, Brazilian Microentrepreneur (MEI), enrolled under CPF No. 48.396.509/0001-21. Address: Rua General Neto, 71 – Bairro Moinhos de Vento – Porto Alegre – RS – 90560-020 – Brazil. Contact E-mail: privacy@abcdhost.net


2. Object of the Agreement

2.1. This Data Processing Agreement (“DPA”) regulates the processing of personal data carried out by ABCD Brasil on behalf of the Controller within the scope of providing the ABCDHost service, including:

  • Hosting of the ABCD system;
  • Technical maintenance;
  • Updates;
  • Infrastructure management;
  • Technical support related to platform operation.

2.2. The Processor does not determine the purposes of the processing and acts exclusively under documented instructions from the Controller.

3. Nature and Purpose of Processing

3.1. The Processor processes personal data only to the extent necessary to:

  • Ensure the functioning of the hosted environment;
  • Perform maintenance and technical monitoring operations;
  • Resolve technical or administrative incidents when requested by the Controller;
  • Execute required additional services (e.g., conversions, field creation, structural adjustments).

3.2. The Processor does not access the collection content, unless the Controller expressly requests technical assistance.

4. Types of Data Processed

4.1. Data types may include:

  • Authorized user data (e.g., identification and credentials);
  • Inventory, cataloging, and collection description data;
  • Metadata;
  • Technical logs generated by the system.

4.2. The Processor does not collect, alter, or validate data provided by the Controller, unless under documented instruction.

5. Categories of Data Subjects

5.1. May include:

  • Internal authorized users;
  • Institutional contributors;
  • End-users, depending on the ABCD system configuration.

6. Processor Obligations

The Processor undertakes to:

6.1. Process personal data only in accordance with documented instructions from the Controller.

6.2. Ensure that authorized persons are bound by confidentiality obligations.

6.3. Implement the Technical and Organizational Measures (TOMs) described in Annex I.

6.4. Assist the Controller in complying with obligations regarding Articles 32 to 36 of the GDPR, to the extent reasonably possible.

6.5. Notify the Controller of any personal data breach without undue delay and, whenever possible, within 72 (seventy-two) hours of becoming aware of the incident.

6.6. Maintain a security incident log, accessible to the Controller upon request.

6.7. Delete or return all data to the Controller after the termination of the contract, as instructed.

6.8. Not engage new sub-processors without prior information to the Controller.

7. Controller Obligations

The Controller is responsible for:

7.1. Ensuring an adequate legal basis for data processing.

7.2. Configuring the ABCD system in compliance with the GDPR and other applicable laws.

7.3. Defining security, retention, and deletion policies for data entered into the system.

7.4. Providing clear instructions to the Processor when requesting technical assistance.

7.5. Conducting Data Protection Impact Assessments (DPIA), when applicable.

8. Sub-processors

8.1. The Processor uses the following authorized sub-processor:

  • Hostinger International Ltd.
  • Role: Hosting Infrastructure (IaaS).
  • Location: International datacenters used by the ABCDHost service.

8.2. Full details are in Annex II.

8.3. The Processor ensures that the sub-processor adopts guarantees equivalent to those provided in this DPA.

9. Technical and Organizational Measures (TOMs)

9.1. The Processor maintains adequate measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

9.2. The detailed list is in Annex I, including:

  • Encryption in transit (TLS/HTTPS);
  • Access control;
  • Firewall systems;
  • Integrity monitoring;
  • Regular backups;
  • Environment segregation;
  • Patching and continuous updates.

10. Data Breaches

10.1. In the event of a breach, the Processor will notify the Controller:

  • Within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
  • Including a description of the nature, affected data, probable impact, and measures taken.

10.2. The Processor will cooperate with all necessary investigations.

11. International Data Transfers

11.1. Due to the location of the Processor’s infrastructure in Brazil, processing may occur outside the EEA.

11.2. All international transfers will be accompanied by adequate safeguards, including:

  • Standard Contractual Clauses (SCCs);
  • Additional security measures.

12. Audits and Compliance

12.1. The Controller has the right to conduct audits, including by an independent auditor, upon:

  • Reasonable prior notice;
  • Conducted during business hours;
  • Cost borne by the Controller;
  • Without compromising the Processor’s operations.

12.2. The Processor will provide information reasonably necessary to demonstrate compliance with the GDPR.

13. Term and Termination

13.1. This DPA remains in force as long as a contractual relationship exists between the parties.

13.2. Upon termination:

  • Data will be returned or deleted, as instructed;
  • Backups may be deleted automatically in internal cycles.

14. Commercial Provisions

14.1. Payments made are non-refundable, except where required by applicable consumer protection laws.

14.2. Service termination implies only non-renewal in the following cycle.

15. Applicable Law and Forum

15.1. This DPA is governed by the GDPR and, subsidiarily, by applicable Brazilian law.

15.2. For conflict resolution, the following may be used: the Controller’s forum in the EU, or the forum of Porto Alegre/RS – Brazil, if mutually agreed.

ANNEX I — Technical and Organizational Measures (TOMs)

This annex describes the measures implemented by ABCD Brasil, as Processor, to protect personal data processed within the scope of the ABCDHost service.

1. Physical and Infrastructure Security

1.1. The service is hosted in professional datacenters operated by Hostinger International Ltd., which guarantee:

  • 24/7 physical access control;
  • CCTV and surveillance systems;
  • Energy redundancy and climate control;
  • Protection against fire and environmental disasters;
  • Internationally recognized security certifications.

1.2. ABCD Brasil does not maintain its own physical servers on-site.

2. Logical and Network Security

2.1. Perimeter firewall and protections against common attacks (DDoS, brute force, scanning).

2.2. Mandatory TLS/HTTPS for all communications between users and the application.

2.3. Environment segmentation and isolation between client accounts.

2.4. Logging and monitoring of accesses and relevant events.

2.5. Administrative access only by authorized users.

3. Access Management and Authentication

3.1. Administrative access granted only to essential technicians.

3.2. Principle of least privilege applied.

3.3. Passwords managed according to best practices (minimum complexity, internal rotation, no reuse).

3.4. Immediate management and revocation of access when necessary.

4. Data Protection in Transit and at Rest

4.1. Communication encrypted via TLS 1.2 or higher.

4.2. Data stored in infrastructure protected against unauthorized access.

4.3. Backups performed regularly and stored in a way that prevents unauthorized access.

4.4. Credentials and keys stored with appropriate hashing/encryption.

5. Backup, Continuity, and Recovery

5.1. Automatic backups performed at variable intervals according to the contracted plan.

5.2. Redundant storage.

5.3. Internal procedures for point-in-time restoration in case of failures.

5.4. Periodic backup integrity tests.

6. Monitoring and Vulnerability Management

6.1. Basic availability and performance monitoring.

6.2. Regular application of updates and security patches to the ABCD system and associated environments.

6.3. Continuous review of publicly disclosed vulnerabilities.

6.4. Internal incident response processes.

7. Activity Logs

7.1. Log of administrative accesses.

7.2. Log of structural changes to the system.

7.3. Log and documentation of security incidents.

8. Confidentiality and Training

8.1. All collaborators involved in processing are subject to a duty of confidentiality.

8.2. ABCD Brasil ensures continuous training in security and data protection best practices.



ANNEX II — Authorized Sub-processors

This annex lists all sub-processors authorized to process personal data on behalf of the Processor.

1. Hostinger International Ltd.

  • Role: Hosting Infrastructure (IaaS).
  • Services provided: Virtual servers; Storage; Network and connectivity.
  • Possible locations: Multiple international datacenters (Europe, America, Asia), according to the contracted plan.
  • Certifications (public): ISO/IEC 27001; PCI-DSS (partial, for certain operations).
  • Role in processing: Responsible for the physical and virtual environment where data is stored. Does not access data content processed by the Controller.

2. Other sub-processors (optional)

Currently, no other sub-processor is used. Any change will be communicated to the Controller before implementation.

ANNEX III — Data Processing Flow and Architecture

This annex clearly and auditably describes the general data flow within the ABCDHost service.

1. Overview

ABCD Brasil operates as a Processor, providing a hosting and technical support environment. The Controller inserts, manages, and removes data directly on the ABCD platform.

2. General Data Flow

2.1. Data Insertion:

The Controller (client) creates or imports data into the ABCD system. Data is stored directly in the database hosted on Hostinger infrastructure. Technical metadata (logs and configurations) are managed automatically by the system.

2.2. Storage:

Data remains stored on the contracted virtual server. The physical infrastructure is controlled by Hostinger. Technical management (software, updates, support) is performed by ABCD Brasil.

2.3. Access:

The Controller and its authorized users access the system via web browser (HTTPS). ABCD Brasil only accesses data if requested for technical support.

2.4. Processing (use of the ABCD system):

The ABCD system executes: Indexing; Search; Collection management; Structural changes as defined by the Controller. None of these operations are performed autonomously by ABCD Brasil.

2.5. Backups:

Generated automatically according to internal policy. Stored on Hostinger infrastructure. Can be requested or restored by the Controller.

2.6. Data Return or Deletion:

Upon contract termination: The Controller may request a copy of the data. ABCD Brasil may support the export. Upon Controller instruction, data is deleted from the active environment. Residual backups will be deleted according to the internal cycle.
