This Data Processing Agreement ("DPA") is an addendum to the Terms of Service ("Agreement") between Magic Pages ("Service Provider", Jannis Fedoruk-Betschki) and the Customer ("Customer"), which incorporates by reference the Privacy Policy of Magic Pages (collectively, the "Agreement"). This DPA governs the processing of personal data under the Agreement.
1. Subject Matter of the Agreement
The subject of this DPA is the provision of Ghost CMS hosting services by the Service Provider to the Customer, which includes, but is not limited to, hosting and providing an internet site based on the open-source Content Management System "Ghost" (https://ghost.org), including the dispatch of newsletters.
This DPA supplements the general terms and conditions available at https://magicpages.co/legal/terms/.
2. Definitions
- "Personal Data" refers to any data relating to an identified or identifiable natural person processed on behalf of the Customer in the course of providing the Services.
- "Controller" means the entity which determines the purposes and means of the processing of Personal Data.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any Processor engaged by the Service Provider to assist in fulfilling its obligations with respect to providing the Services under this DPA.
- "Data Protection Laws" means all applicable laws and regulations in relation to data protection and privacy that apply to the respective parties.
3. Duration of the Agreement
This DPA is entered into for an indefinite duration and may be terminated by either party at the end of a given billing period. The right to terminate for cause remains unaffected.
4. Roles and Responsibilities of the Parties
As between the Customer and Service Provider, the Customer is the Controller of Personal Data and the Service Provider is the Processor.
The Service Provider shall process Personal Data only on documented instructions from the Customer, unless required by law to act without such instructions.
5. Sub-processors
The Customer consents to the engagement of Sub-processors by the Processor. The Processor shall inform the Customer of any intended changes concerning the addition or replacement of other Sub-processors and give the Customer the opportunity to object to such changes.
6. Data Transfer
The Processor shall not transfer Personal Data to a third country or an international organization without the prior written consent of the Customer. Where Personal Data is transferred outside the EU/EEA, the Processor shall ensure that appropriate safeguards are in place.
7. Security
7.1. Security Measures
Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk to the rights and freedoms of natural persons, the Service Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
7.2. Confidentiality of Processing
The Service Provider shall ensure that any person authorised to process Personal Data is under an appropriate obligation of confidentiality.
7.3. Security Incident Response
Upon becoming aware of a Security Incident, the Service Provider shall notify the Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as reasonably requested by the Customer.
8. Cooperation
To the extent that the Customer is unable to independently access the relevant Personal Data within the Services, the Service Provider shall provide reasonable cooperation to assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to any requests from data subjects or data protection authorities relating to the processing of Personal Data under the Agreement.
9. Miscellaneous
9.1. Liability
Each party shall be liable for damages it causes by processing the Personal Data subject to this DPA.
9.2. Governing Law
This DPA is governed by the laws of Austria. Any changes to this DPA require the written consent of both parties. This DPA prevails over any conflicting terms of the Agreement.
9.3. Legal Effects
This DPA is intended to supplement the terms of the Agreement. Except as explicitly modified or supplemented by this DPA, the terms of the Agreement remain unchanged and in full force and effect. In the event of any conflict between this DPA and the Agreement, the terms of this DPA will prevail to the extent of the conflict.
9.4. Compliance with GDPR
This DPA is designed to ensure compliance with the strict standards of data protection in the European Union, specifically the GDPR.