EN | SV
My Account

Data Processing Agreement

Last updated: March 11, 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between POISE ("Processor", "CloudBeem") and the customer ("Controller", "you") for the provision of domain registration, web hosting, and related services.

1. Scope and Purpose

This DPA applies to the processing of personal data by CloudBeem on behalf of the Controller in connection with the provision of services. The Processor processes personal data only in accordance with the Controller's documented instructions and applicable data protection law, including the GDPR.

2. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing": Any operation performed on personal data, as defined in Article 4(2) of the GDPR.
  • "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council.

3. Processing Details

3.1 Subject Matter

The processing relates to the provision of domain registration, DNS management, web hosting, email hosting, and related infrastructure services.

3.2 Duration

Processing will continue for the duration of the service agreement and for such additional period as required for data deletion or return.

3.3 Nature and Purpose

The Processor provides hosting infrastructure and domain management services. Personal data is processed solely for the purpose of delivering these services to the Controller.

3.4 Types of Personal Data

  • Website visitor data (IP addresses, access logs)
  • Email data (email content, sender/recipient addresses)
  • Database content (as stored by the Controller's applications)
  • File content (as uploaded by the Controller)

3.5 Categories of Data Subjects

Data subjects include the Controller's website visitors, email correspondents, customers, and users as determined by the Controller's use of the services.

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures in accordance with Article 32 of the GDPR.
  • Assist the Controller in responding to data subject rights requests.
  • Assist the Controller with data protection impact assessments where required.
  • Notify the Controller without undue delay after becoming aware of a personal data breach.
  • Delete or return all personal data upon termination of the service agreement, at the Controller's choice.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Security Measures

The Processor implements the following technical and organisational measures:

  • Encryption of data in transit (TLS/SSL)
  • Regular security updates and patching
  • Access control and authentication mechanisms
  • OS-level account isolation for shared hosting
  • Daily automated backups
  • Firewall protection and intrusion detection
  • Physical security of data centre facilities (EU-based)
  • Regular security assessments

6. Sub-processing

The Processor may engage sub-processors for the delivery of services. The Controller provides general authorisation for the engagement of sub-processors, subject to the following conditions:

  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
  • Sub-processors shall be bound by data protection obligations no less protective than those in this DPA.
  • The Processor remains fully liable for the acts and omissions of its sub-processors.
  • All sub-processors shall be located within the EU/EEA.

7. Data Transfers

The Processor does not transfer personal data outside the European Economic Area. All data processing and storage occurs within the EU.

8. Audits

The Processor shall, upon reasonable request and at the Controller's expense, allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable notice and during normal business hours.

9. Data Return and Deletion

Upon termination of the services:

  • The Controller may request return of all personal data in a common format.
  • The Processor shall delete all personal data within 30 days of service termination, unless EU or Swedish law requires further storage.
  • The Processor shall certify deletion upon request.

10. Governing Law

This DPA is governed by the laws of Sweden and the GDPR. Any disputes shall be resolved by the courts of Sweden.

11. Contact

For questions regarding this DPA, please contact: info@cloudbeem.com