General Data Protection Regulation (GDPR) (EU) 2016/679
Tublat Ltd complies with the provisions of the GDPR.
Every Data Controller who processes personal data (that is, us) must notify the
Information Commissioner, who in turn maintains a public register of data
controllers. Tublat Ltd’s registration number is ZC021643.
Our Data Protection Officer can be contacted at hello@tublat.com or at Tublat
Ltd, 40 Bowling Green Lane, London, United Kingdom, EC1R 0NE.
Data Processing Agreement
Data Protection Regulation: The General Data Protection Regulation ((EU) 2016/679) and any national
implementing law, regulation, and secondary legislation, as amended or updated
from time to time in England, and any subsequent legislation replacing the GDPR
or the Data Protection Act 2018.
Definitions
“Client” is the purchaser of services from Tublat Ltd.
“Database Software” is a program or software utility used to create, modify,
and maintain database files or records, such as (by way of example but not
limited to) MySQL and MariaDB.
“Logical Security” is the protection of the computer software (“Operating
System”) of Tublat Ltd’s platform, including user identification and password
access, authentication, and access rights. These measures are intended to
ensure that only authorized users can perform actions or access information on
our platform.
“Parties” are Tublat Ltd operating as tublat.com (“tublat.com”) together with
the Client.
“Physical Security” is the protection of hardware, software, network, and data
from physical actions or events that could cause serious loss or damage to
Tublat Ltd’s platform. This includes protection against fire, flooding, natural
disasters, theft, and vandalism.
“Software” is defined as (by way of example but not limited to) WordPress,
Magento, spreadsheets, documents, and client code.
1. Data Protection Regulation
Both parties shall comply with all applicable requirements of the Data
Protection Regulation.
This clause is in addition to, and does not relieve, remove, or replace, the
parties’ obligations under the Data Protection Regulation.
2. Roles
1. The parties acknowledge that, for the purposes of the Data Protection
Regulation, Tublat Ltd operating as tublat.com (“tublat.com”) is the Data
Processor.
2. This Data Processing Agreement must be read together with the tublat.com
Privacy Policy and General Terms and Conditions.
3. The duration of the processing shall commence on the date of acceptance of
this agreement by the Client and continue until the expiration or termination
of the agreement in accordance with the expiration or termination of the
Client’s services with tublat.com.
4. The categories of data subjects are those whose personal data are provided
or made available to tublat.com by or on behalf of the Client through the use
or provision of the services purchased by the Client (the “Services”) and shall
not include special categories of personal data or data relating to criminal
convictions and offences.
5. Tublat.com shall process personal data on behalf of the Client in accordance
with Article 4(2) and Article 28 of the GDPR.
3. Responsibilities of Tublat.com
1. Tublat.com’s responsibilities in relation to the processing of personal
data provided by the Client during the use of the Services are limited to
providing appropriate security measures to store the data uploaded by the
Client on the hosting platform.
Tublat.com is responsible for the Physical Security of its own platform and the
Logical Security of the Operating System and the Database Software that serves
the Client’s database.
Tublat.com is not responsible for the security of data in any way populated
within such databases and/or the hosting space by the Client, nor for the
Software managed by the Client and the access to data that this entails.
Such responsibility lies exclusively with the Client.
2. Tublat.com shall, in relation to any personal data processed in connection
with Tublat.com’s performance of its obligations under this agreement:
a) process such personal data only on the basis of the Client’s written
instructions, unless tublat.com is otherwise required to do so by the laws of a
Member State of the European Union or by European Union laws applicable to
tublat.com (“Applicable Laws”). Where tublat.com is required by Applicable Laws
to process personal data, it shall promptly inform the Client before carrying
out the required processing, unless those Applicable Laws prohibit tublat.com
from informing the Client;
b) pursuant to Article 32 of the GDPR, ensure that it has appropriate technical
and organisational measures in place to protect against any unauthorised or
unlawful processing of personal data, accidental loss or destruction of
personal data, as well as damage to personal data. Such measures are set out in
Appendix 1 to this agreement;
c) ensure that only personnel necessary for the performance of this agreement
have access to personal data and that all personnel who have access to and/or
process such data are bound by confidentiality obligations;
d) where the Client is unable to access the relevant information, assist the
Client, and in any event, at the Client’s expense, by providing reasonable
assistance in responding to any request from a supervisory authority or a data
subject and in ensuring compliance with the obligations set out in the Data
Protection Regulation regarding security, breach notifications, impact
assessments and consultations with supervisory or regulatory authorities;
e) promptly notify the Client as soon as it becomes aware of a personal data
breach;
f) in accordance with tublat.com’s standard policies, delete or return (at the
Client’s expense), in a format determined by tublat.com, the personal data and
copies thereof upon termination of this agreement, unless it is required by
Applicable Laws to continue to retain them;
g) maintain complete and accurate records and information to demonstrate its
compliance with this clause and permit the Client to carry out audits, only to
the extent necessary to demonstrate compliance, provided that:
(i) the Client gives tublat.com not less than 30 days’ prior notice of such
audit or inspection;
(ii) the Client reimburses tublat.com for all reasonable costs and expenses
incurred as a result of such audit or inspection; and
(iii) both parties agree on the scope, duration and purpose of the audit or
inspection.
If the Client comes into possession of any Confidential Information of
tublat.com as a consequence of this clause, it shall keep such Confidential
Information confidential and, save where required by law, shall not make it
available to third parties nor use it for other purposes. The Client
acknowledges that tublat.com will only be required to use reasonable efforts to
assist the Client in obtaining access to any third-party assets, records or
information as part of any audit.
h) provide a list of sub-processors involved in the Services by sending a
request via email to hello@tublat.com.
4. Responsibilities of the Client
1. The Client acknowledges that tublat.com has no knowledge of the type or
content of any personal data received, stored, or transmitted to tublat.com’s
platform through the use of the Services.
2. If tublat.com believes or becomes aware that the processing of the Client’s
personal data may pose a high risk to the data protection rights and freedoms
of data subjects, it shall inform the Client and provide reasonable cooperation
to the Client (at the Client’s expense) in relation to any data protection
impact assessment that may be required under the Applicable Data Protection
Regulation.
3. In relation to the personal data that the Client receives, stores, or
transmits using the Services, the Client shall:
a) ensure, and represents and warrants, that it has obtained all necessary and
appropriate consents and notices to lawfully transfer the personal data to
tublat.com for the duration and purposes of this agreement;
b) ensure that its use of the Services for the processing of personal data:
(i) complies with the laws or privacy regulations applicable to the processing
of the Client’s personal data; and
(ii) does not cause tublat.com to breach the Applicable Data Protection
Regulation.
The Client shall ensure that it has all necessary consents, notices, and other
requirements in place to allow the lawful processing of the Client’s personal
data by tublat.com for the duration and purposes of this agreement;
c) be, unless otherwise provided in this agreement, solely responsible for the
legality, confidentiality, integrity, availability, accuracy, and quality of
all data it processes;
d) be solely responsible for ensuring the security and protection of all data
it controls and processes.
The Client represents that it has relevant and appropriate security measures in
place to adequately protect the personal data it collects or processes.
The Client must verify the adequacy of tublat.com’s security measures in
relation to the type of personal data it collects, processes, and stores on
tublat.com’s platform.
The Client must refer to the Acceptable Use Policy to ensure it does not
violate tublat.com’s terms and conditions;
e) be solely responsible for responding to any request from a data subject and
for ensuring its own compliance with obligations arising from the Data
Protection Regulation regarding security, breach notifications, impact
assessments, and consultations with supervisory or regulatory authorities;
f) indemnify tublat.com for any claim, action, liability, proceeding, direct
loss, damage, expense, fine, or cost (including, without limitation, reasonable
legal fees and court costs) incurred by tublat.com as a direct result of any
negligence, wilful misconduct, or breach of the Data Protection Regulation by
the Client.
5. Processing by Third Parties
1. The Client grants tublat.com authorization to appoint (and to permit each
external processor appointed in accordance with this Section 5 to appoint)
third-party sub-processors, in accordance with the provisions of this Section 5.
2. Tublat.com may appoint other third-party external processors to provide
substantially equivalent services to the Client as part of the Services,
provided that:
a) tublat.com enters into a written agreement with such third-party external
processor that includes terms substantially similar to those set out in this
agreement; and
b) such third-party external processor is able to demonstrate a standard of
service quality and compliance at least equal to that of the previously
appointed external processor.
3. The Client agrees that tublat.com may grant such sub-processors access to
the Client’s data in order to enable tublat.com to deliver the Services under
this agreement.
The Client further agrees that such sub-processors may be located outside the
country in which the Client has chosen to store its personal data, provided
that tublat.com takes appropriate measures to ensure the protection of such
transfers when made to those sub-processors.
Tublat.com requires its sub-processors to maintain data protection and security
practices consistent with those set forth in this agreement.
6. Governing Law
This Addendum and any dispute or claim arising out of or in connection with it
or its subject matter or formation, including non-contractual disputes or
claims, shall be governed by and construed in accordance with the laws of
England.
The parties agree that the courts of London shall have exclusive jurisdiction
to settle any dispute, whether contractual or non-contractual, arising out of
or in connection with this Addendum.
7. Jurisdiction
Each of the parties irrevocably agrees that the courts of London shall have
exclusive jurisdiction to settle any dispute or claim (including
non-contractual disputes or claims) arising out of or in connection with this
agreement or its subject matter or formation.
Appendix 1
Technical and Organisational Measures in accordance with Article 32 of the GDPR
1. Confidentiality
1.1. Building Security and Access Control:
• Tublat.com has external and internal CCTV surveillance systems, with a
dedicated security team operating 24 hours a day, 365 days a year.
All members of this team are vetted in accordance with SIA and BS7858
standards.
• Tublat.com uses an Automatic Number Plate Recognition (ANPR) entry system,
electronic tags for access to all internal and external building doors,
together with a retinal scanner and a secure dual-door (“man trap”) access
system for all external or customer access areas.
This applies exclusively to Tublat.com’s Data Center.
2. Electronic Access Control
2.1. For dedicated servers, VPS, self-managed Cloud, colocation servers,
and custom server solutions for clients:
• Root passwords for servers are known only to Tublat.com, both at the time of
the initial server setup and when the Client provides details to Tublat.com for
troubleshooting assistance.
• Tublat.com does not retain Clients’ passwords.
It is the Client’s responsibility to ensure that passwords are secure and
changed when necessary.
2.2. For managed dedicated servers, VPS, or Cloud:
• Root passwords for servers are known only to Tublat.com.
• Passwords are restricted to authorised personnel and managed through
authentication systems such as LDAP, Radius, and cryptographic keys.
• Clients access the servers using a third-party control panel.
2.3. For Control Panel / Web Hosting (FTP/SFTP):
• Root passwords for servers are known only to Tublat.com.
• Passwords are restricted to authorised personnel and controlled through
authentication systems such as LDAP, Radius, and cryptographic keys.
• Clients access the servers through a third-party control panel.
• Before Client Account access is enabled through the Client Area, unique
usernames and passwords must meet Tublat.com’s minimum security requirements,
and passwords are encrypted.
• Tublat.com stores Client passwords only in encrypted form.
• Access to the Client Account is restricted by IP range/country and login
frequency, configurable in the Security Settings section of the Client’s Client
Area.
• When Clients upload data via FTP, they can also control access by IP address
and set time limits via the Client Area.
2.4. For Websites (Website Builder, E-commerce, or WordPress):
• All Client passwords are encrypted and known only to the Client.
2.5. For Email Accounts:
• All Client passwords are encrypted and known only to the Client.
3. Internal Access Control
3.1. For dedicated servers, VPS, self-managed Cloud, colocation servers,
and custom server solutions for clients:
• Responsibility for access control lies with the Client.
3.2. For managed dedicated servers, VPS, or Cloud:
• Tublat.com prevents unauthorized access by regularly applying necessary
security updates.
• It is the Client’s responsibility to ensure that access is limited only to
authorized individuals.
• Tublat.com ensures that access is restricted solely to employees who need to
access the system to perform their duties within the organization.
3.3. For Control Panel / Web Hosting (FTP/SFTP):
• Tublat.com provides, within its Client Area, the necessary tools for the
Client to limit the locations from which the account can be accessed.
These settings can be managed in the Security section of the Client’s Client
Area.
• The Client can control which IP addresses are permitted to access via FTP and
can set time limits through their Client Area.
• Tublat.com ensures that access is restricted solely to employees who need to
access the system to perform their duties within the organization.
3.4. For Websites (Website Builder, E-commerce, or WordPress):
• Tublat.com ensures that access is restricted solely to employees who need to
access the system to perform their duties within the organization.
3.5. For Email Accounts:
• Responsibility for access control lies with the Client.
• Tublat.com ensures that access is restricted solely to employees who need to
access the system to perform their duties within the organization.
4. Transfer Control
4.1. For Control Panel / Web Hosting / Website Builder, E-commerce, or
WordPress / Email Accounts:
• When a Client’s service is not renewed and/or is cancelled with tublat.com,
the Client’s hosting and data stored on the hosting account are deleted,
including, but not limited to, any databases created by the Client for use with
the Service.
• It is the Client’s responsibility to delete all data from their hosting
space, databases, or servers before the end of the Service period.
4.2. For dedicated servers / VPS / self-managed Cloud, colocation servers,
and custom server solutions for clients:
• When a Client terminates their rental contract with tublat.com, the server is
placed into the decommissioning procedure, during which the data on the disks
is securely destroyed.
4.3. For managed dedicated servers / VPS / Cloud:
• When a Client terminates their rental contract with tublat.com, the server is
placed into the decommissioning procedure, during which the data on the disks
is securely destroyed.
4.4. For defective disks out of warranty / disks over 3 years old:
• Defective disks and those over three years old are removed.
• Tublat.com uses an external company that operates on-site at the Data Center
to drill security holes into each disk directly on-site.
• Subsequently, the disks are removed from the premises to be securely
destroyed at a specialized external facility.
5. Isolation Control
5.1. For Control Panel / Web Hosting / Website Builder, E-commerce or
WordPress / Email Accounts:
• The Client is responsible for isolation control.
5.2. For dedicated servers / VPS / self-managed Cloud, colocation
servers, and custom server solutions for clients:
• The Client is responsible for isolation control.
5.3. For managed dedicated servers / VPS / Cloud:
• Data must be physically or logically isolated.
• Data backups must be performed using an equivalent system of physical and
logical isolation.
6. Pseudonymisation
6.1. For Tublat.com internal systems:
• Tublat.com ensures that all non-production systems contain pseudonymised
data.
6.2. For Control Panel / Web Hosting / Website Builder, E-commerce or
WordPress / Email Accounts:
• The Client is responsible for pseudonymisation.
6.3. For dedicated servers / VPS / self-managed Cloud, colocation
servers, and custom server solutions for clients:
• The Client is responsible for pseudonymisation.
6.4. For managed dedicated servers / VPS / Cloud:
• The Client is responsible for pseudonymisation.
7. Integrity
7.1. Data Transfer Control:
• Tublat.com employees are trained to ensure that personal data is processed in
compliance with current data protection regulations.
• Data is removed in accordance with Tublat.com’s Data Retention Policy when a
Client’s contract is not renewed or is cancelled.
• The Client is responsible for ensuring that transmitted data is encrypted.
8. Data Input Control
8.1. For Tublat.com internal systems managing data collection:
• Data is entered or collected by the Client.
• Changes to data are logged in the appropriate Tublat.com system.
8.2. For Control Panel / Web Hosting / Website Builder, E-commerce or
WordPress / Email Accounts:
• The Client is responsible for data input control.
• Data is entered or collected by the Client.
8.3. For dedicated servers / VPS / self-managed Cloud, colocation
servers, and custom server solutions for clients:
• The Client is responsible for data input control.
• Data is entered or collected by the Client.
8.4. For managed dedicated servers / VPS / Cloud:
• The Client is responsible for data input control.
• Data is entered or collected by the Client.
9. Availability and Resilience (Article 32, Paragraph 1, Clause b of the GDPR)
9.1. For Tublat.com internal systems:
• Daily backups of all relevant data, aligned for the provision of Services.
• Implementation of security measures (antivirus scanning, firewall, data
encryption where appropriate, anti-spam filters).
• Use of RAID protection on all relevant servers.
• Continuous monitoring of all relevant servers.
• Protection against DDoS attacks.
• Protection of the Data Center’s power supply (generators and uninterruptible
power supplies – UPS).
9.2. For Control Panel / Web Hosting / Website Builder, E-commerce or
WordPress / Email Accounts:
• The Client is responsible for their own data backups.
When the Client purchases a backup service, Tublat.com provides the necessary
tools for the Client to configure their backup routine.
Client backups are performed on-site.
• Tublat.com guarantees DDoS protection for its systems.
• Tublat.com is responsible for the Data Center’s electrical protection
(generators and UPS).
9.3. For dedicated servers / VPS / self-managed Cloud, colocation
servers, and custom server solutions for clients:
• The Client is responsible for their own data backups.
When the Client purchases a backup service, Tublat.com provides the necessary
tools for the Client to configure their backup routine.
• The Client must use software firewalls and restrict access ports.
• Tublat.com guarantees DDoS protection for its systems.
If the Client suffers a DDoS attack, they may purchase DDoS protection to
maintain the service online.
• Tublat.com is responsible for the Data Center’s electrical protection
(generators and UPS).
9.4. For managed dedicated servers / VPS / Cloud:
• The Client is responsible for their own data backups.
When the Client purchases a backup service, Tublat.com provides the necessary
tools for the Client to configure their backup routine.
• The Client must use software firewalls and restrict access ports.
• Tublat.com guarantees DDoS protection for its systems.
If the Client suffers a DDoS attack, they may purchase DDoS protection to
maintain the service online.
• Tublat.com is responsible for the Data Center’s electrical protection
(generators and UPS).
9.5. Measures for Rapid Recovery (Article 32, Paragraph 1, Clause c of the GDPR):
• Tublat.com has a defined escalation chain that is followed in the event of
known issues to address them promptly.
10. Procedure for Regular Testing, Assessment, and Evaluation (Article 25,
Paragraph 1 of the GDPR)
10.1. Tublat.com has implemented a DIMS (Data Protection Information Security
Management System).
10.2. Tublat.com has implemented Incident Response Policies.
10.3. In accordance with Article 25, Paragraph 2 of the GDPR, data protection
settings by default are considered in the development of Tublat.com software.
10.4. Contract / Agreement Control:
• Tublat.com’s General Conditions, together with its Privacy Policy, define the
scope of data processing and the use of Clients’ personal data.
• Tublat.com has appointed a Data Protection Officer (DPO) and an Information
Security Officer (ISO).