Legal Document

Hosting Data Processing Addendum

How we handle personal data when hosting your website

Last updated: July 2026

Effective date: July 2026

When Ziteox hosts a website on behalf of a client, and that website collects personal data from visitors — for example through contact forms, newsletter signups, or PDF submission workflows — Ziteox acts as a data processor and the client acts as the data controller. This Addendum sets out Ziteox's obligations in that role. It applies automatically to all Ziteox managed hosting clients and forms part of the agreement between Ziteox and the client alongside the Terms of Service and Infrastructure Ownership & Continuity Agreement.

What This Addendum Covers

  • This Addendum applies when a website hosted by Ziteox collects, stores, or transmits personal data from end users on behalf of the client
  • It does not apply to Ziteox's own data collection practices, which are covered in the Privacy Policy
  • By using Ziteox managed hosting services, the client accepts this Addendum as part of the service agreement

Roles

  • Client = Data Controller. The client determines what personal data is collected, for what purpose, and for how long. The client is responsible for the legal basis of collection and for maintaining a compliant privacy notice on their website for their visitors.
  • Ziteox = Data Processor. Ziteox processes personal data only as needed to operate the hosted website and only on the documented instructions of the client (i.e. the configuration and functionality of the website as built and agreed).

What Data We Process

The specific personal data processed depends on the website's functionality. Typical categories for Ziteox-hosted websites include:

  • Name and contact details submitted via contact forms
  • Email addresses collected via newsletter signup
  • Content of form submissions, including any documents or files uploaded
  • IP addresses and browser data processed transiently by infrastructure (e.g. Cloudflare for security and rate limiting)

Ziteox does not access, read, or use this data for any purpose other than operating the hosting infrastructure.

How We Handle Personal Data

  • Processing on instructions only. Ziteox processes personal data solely as needed to deliver the hosting service. We do not use client website data for our own purposes, marketing, or AI model training.
  • Confidentiality. All Ziteox personnel with access to hosting infrastructure are bound by confidentiality obligations.
  • EU data residency. For clients on Ziteox managed hosting, all application, database, and file storage runs within the EU (Railway EU West, Amsterdam, Netherlands) by default. Personal data does not leave the EU unless the client explicitly requests a different configuration.
  • Security measures. We implement and maintain technical and organisational security measures appropriate to the risk, including: TLS encryption in transit, encryption at rest on database infrastructure, isolated compute environments, access controls, automated backups, and regular dependency updates. See the Infrastructure Ownership & Continuity Agreement for further detail.
  • Subprocessors. Ziteox uses a small number of trusted infrastructure providers to deliver the hosting service. These are listed on our Subprocessors page. We ensure subprocessors are bound by equivalent data protection obligations. We will notify clients of any material changes to subprocessors.

Security Incidents

If Ziteox becomes aware of a confirmed or reasonably suspected security incident affecting personal data processed under a hosting engagement, Ziteox will:

  • Notify the client without undue delay and in any event within 72 hours of becoming aware
  • Provide sufficient information for the client to assess the incident and meet their own notification obligations under applicable law (including Swiss nDSG/nFADP and GDPR where applicable)
  • Cooperate with the client and any relevant supervisory authority in the investigation and remediation

Notification of an incident does not constitute an admission of fault or liability by Ziteox.

Data Subject Rights

If a visitor to the client's website contacts the client to exercise a data subject right (access, correction, deletion, portability), Ziteox will assist the client in fulfilling that request to the extent that the data is within Ziteox's systems — for example by exporting specific records or deleting identified entries from the database. Routine requests are handled at no additional cost.

Retention and Deletion

  • Ziteox retains personal data in hosted systems for as long as the hosting engagement is active
  • The client is responsible for configuring appropriate data retention and deletion settings within their website (where applicable)
  • On termination of the hosting engagement, Ziteox will within 14 days provide a full database export in a portable format, and then delete all personal data from Ziteox-managed infrastructure, unless retention is required by law
  • Written confirmation of deletion will be provided on request

Audit Rights

The client has the right to request information from Ziteox to verify compliance with this Addendum. Ziteox will respond to reasonable information requests within 14 days. Formal audits may be conducted once per year with 30 days' written notice and are subject to reasonable confidentiality obligations. The cost of audits is borne by the client unless a breach is found to have occurred.

  • Processing under this Addendum is carried out on the basis of the client's documented instructions (the configuration and purpose of the hosted website)
  • The client is responsible for establishing and documenting the legal basis for collecting personal data from their website visitors
  • This Addendum is subject to the same governing law as the Terms of Service (Sri Lanka), with the mandatory data protection provisions of Swiss nDSG/nFADP and GDPR applying where relevant by virtue of the client's domicile or the location of data subjects
  • The client retains the right to lodge complaints regarding data protection matters with the relevant supervisory authority (e.g. the Swiss FDPIC)

Contact

For questions about how personal data is handled in your hosted website, contact us at [email protected].

This document is part of our legal framework.

For questions, please contact our legal team.