Data Processing Agreement
Last updated: May 28, 2026
Effective date: 28 May 2026
This Data Processing Agreement ("DPA") forms part of the SrvBot Terms of Service between you ("Customer") and Clouno Inc. ("Clouno"). It governs the processing of personal data that Clouno carries out on the Customer's behalf when providing the SrvBot service.
This DPA reflects the parties' agreement on the terms governing the processing of personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and, where applicable, the California Consumer Privacy Act ("CCPA").
1. Roles
For personal data processed in connection with the Service:
- The Customer is the Controller (or Processor on behalf of its own Controller).
- Clouno is the Processor (or Sub-Processor where the Customer acts as a Processor).
Clouno processes personal data only on documented instructions from the Customer. Use of the Service in accordance with its documentation constitutes such instructions.
2. Subject matter and duration
The subject matter of processing is the provision of the SrvBot hosting service. Processing continues for as long as the Customer maintains an active subscription, plus the retention periods set out in Section 12.
3. Categories of data subjects and personal data
Data subjects. Visitors and registered users of the Customer's website hosted on SrvBot; the Customer's own staff and authorised users of the SrvBot dashboard.
Personal data. As determined by the Customer through its use of the Service. Typical categories include:
- IP addresses, user agents, and request logs of site visitors (server access logs).
- Contact form submissions, comments, and other content stored in the Customer's WordPress database.
- Authentication metadata for the Customer's own admin accounts.
- Account and billing contact data for the Customer.
The Customer is responsible for the lawful collection of any sensitive or special-category data within their own WordPress database, and for honouring data-subject rights in respect of that content.
4. Customer instructions
Clouno will process personal data only:
- To provide and maintain the Service.
- To comply with the Customer's written instructions, including those issued through the dashboard or by email to [email protected].
- To comply with applicable law, in which case Clouno will inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
If Clouno believes an instruction infringes the GDPR or other applicable data-protection law, it will inform the Customer without delay.
5. Confidentiality
Clouno ensures that all personnel authorised to process the Customer's personal data are bound by a duty of confidentiality, whether through their employment contract or a separate non-disclosure agreement.
6. Security measures
Clouno implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2 or higher for all customer-facing endpoints; Let's Encrypt for site certificates; Cloudflare Origin certificates for edge-to-origin links).
- Encryption at rest for backups stored in object storage.
- Network isolation between customer environments at the container and database level.
- Access controls and audit logging for the SrvBot operations team, with least-privilege access by default.
- 24/7 monitoring, automated patching for OS-level security updates, and an internal incident-response runbook.
- Daily off-host, encrypted backups for both plans, with retention as published on the Service (30 days for Site, 90 days for Site Pro).
A summary of current security practices is maintained at https://srvbot.io/security.
7. Sub-Processors
The Customer authorises Clouno to engage the following sub-processors to provide the Service:
- Hetzner Online GmbH — compute and storage infrastructure (Germany and Finland, EU).
- Cloudflare, Inc. — CDN, DDoS protection, edge SSL termination (global, US-headquartered).
- Stripe Payments Europe Ltd. — payment processing (Ireland and US).
- Brevo (Sendinblue SAS) — transactional email (France, EU).
- PostHog Inc. (EU instance) — product analytics with IP truncation (Germany, EU).
- Let's Encrypt (ISRG) — public SSL/TLS certificates (US, non-profit).
Clouno will give the Customer at least 30 days' notice before adding or replacing a sub-processor that processes personal data. The Customer may object to the change in writing within that period on reasonable data-protection grounds, in which case the parties will work together to find a commercially reasonable resolution; if none is reached, the Customer may terminate the affected portion of the Service.
Clouno enters into a written contract with each sub-processor that imposes data-protection obligations substantially the same as those in this DPA.
8. International data transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, Clouno relies on one or more of the following:
- The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum.
- An adequacy decision under Article 45 GDPR.
- Sub-processor participation in the EU-US Data Privacy Framework, where applicable.
Clouno will assist the Customer in implementing supplementary measures where required following a transfer impact assessment.
9. Data subject rights
Clouno will assist the Customer, by appropriate technical and organisational measures, in responding to requests from data subjects to exercise their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). The Customer is responsible for handling and responding to such requests directly.
The SrvBot dashboard provides self-serve tools for backups, exports, and account deletion. For requests that cannot be handled through the dashboard, the Customer may contact [email protected].
10. Personal data breach
Clouno will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting the Customer's personal data. The notification will include, to the extent known:
- The nature of the breach, the categories and approximate number of affected data subjects, and the categories and approximate number of affected records.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and to mitigate its effects.
Clouno does not notify the Customer's own end-users on the Customer's behalf — that responsibility remains with the Customer as Controller.
11. Audit
Clouno will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. This includes:
- The current sub-processor list and their respective security pages.
- A summary of the most recent independent security or penetration testing, where available.
- Written responses to security questionnaires within a reasonable timeframe.
For Customers with documented regulatory obligations, on-site audits may be permitted on reasonable prior notice, during business hours, and at the Customer's expense. Frequency is limited to once per calendar year unless a Personal Data Breach has occurred.
12. Return or deletion of data
On termination of the Service, the Customer may, within 30 days of termination, request a final export of its WordPress database, files, and account data. After that 30-day window:
- WordPress databases and file uploads are deleted from primary storage.
- Backups containing the Customer's data are deleted from backup storage within 60 days, in accordance with the standard backup rotation.
- Account and billing records are retained only as required to comply with tax, accounting, and other legal obligations.
Clouno will provide written confirmation of deletion on request.
13. Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, except where applicable law mandates otherwise.
14. Conflict
If anything in this DPA conflicts with the Terms of Service, this DPA controls for the topics it covers. If any GDPR-related obligation in this DPA is held unenforceable, that obligation is severed and the remaining provisions remain in effect.
15. Contact
Questions about this DPA, sub-processor disclosures, or data-subject requests should be sent to [email protected].