DATA PROCESSING AGREEMENT

Managed WordPress Hosting Services

Between (Processor): Image Concepts (Yorkshire) Ltd (Company No. 08161985)
Processor address: Royal House, 110 Station Parade, Harrogate, North Yorkshire, HG1 1EP
And (Controller): [CUSTOMER LEGAL NAME]
Controller address: [CUSTOMER REGISTERED ADDRESS]
Controller company no.: [COMPANY REGISTRATION NUMBER]
Effective date: [DATE OF INCORPORATION INTO HOSTING AGREEMENT]
Version: 1.1 (issued 16 April 2026)

This agreement is incorporated into and forms part of the Hosting Terms and Conditions between the parties.

Background

A.  The Controller is a customer of the Processor’s managed WordPress hosting services (the “Services”) pursuant to the Hosting Terms and Conditions (the “Principal Agreement”).

B.  In the course of providing the Services, the Processor will process Personal Data on behalf of the Controller. The Controller determines the purposes and means of that processing.

C.  UK GDPR Article 28(3) requires that processing by a processor on behalf of a controller shall be governed by a contract setting out the subject matter, duration, nature and purpose of the processing, the type of Personal Data and categories of Data Subjects, and the obligations and rights of the Controller.

D.  The parties enter into this Data Processing Agreement (“DPA”) to comply with that requirement and to set out their respective obligations in relation to the processing of Personal Data.

1.  Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the meanings given to them in the Principal Agreement.

Controller: The customer as identified on the cover page of this DPA, who determines the purposes and means of the processing of Personal Data.
Data Protection Laws: UK GDPR, the Data Protection Act 2018, PECR, and any successor or implementing legislation as amended from time to time.
Data Subject: An identified or identifiable natural person to whom Personal Data relates.
DPA: This Data Processing Agreement, including all Schedules.
Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
PECR: The Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), as amended.
Principal Agreement: The Hosting Terms and Conditions between the parties governing the provision of the Services.
Processing: Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, restriction, erasure or destruction.
Processor: Image Concepts (Yorkshire) Ltd (Company No. 08161985), the provider of the Services.
Services: The managed WordPress hosting services provided by the Processor to the Controller pursuant to the Principal Agreement.
Sub-processor: Any third party engaged by the Processor to process Personal Data on its behalf in connection with the Services.
Supervisory Authority: The UK Information Commissioner’s Office (ICO), or any successor body.
UK GDPR: The UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

2.  Scope and Roles

2.1          This DPA applies to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Services.

2.2          The subject matter, duration, nature and purpose of the Processing, the types of Personal Data processed, and the categories of Data Subjects are set out in Schedule 1 (Details of Processing).

2.3          The Processor shall act only as a processor in respect of Personal Data processed under this DPA. The Controller is the data controller in respect of that Personal Data and is responsible for compliance with its obligations as controller under Data Protection Laws, including ensuring it has a lawful basis for the Processing and that Data Subjects have been provided with appropriate privacy notices.

2.4          Nothing in this DPA shall prevent the Processor from processing Personal Data in its capacity as a data controller in its own right for its own purposes (for example, the personal data of the Controller’s employees as contacts under the Principal Agreement). Such processing is governed by the Processor’s Privacy Policy, not this DPA.

3.  Processing on the Controller’s Instructions

3.1          The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Principal Agreement, together with this DPA and any written instructions given by the Controller from time to time, constitutes the Controller’s initial documented instructions.

3.2          The Processor shall promptly notify the Controller if, in its opinion, any instruction given by the Controller under clause 3.1 would infringe Data Protection Laws, provided that the Processor shall not be obliged to carry out a comprehensive legal review of each instruction.

3.3          The Processor shall promptly notify the Controller (to the extent permitted by law) if it is required by applicable law to process Personal Data otherwise than in accordance with the Controller’s instructions.

4.  Confidentiality of Processing

4.1          The Processor shall ensure that all persons authorised to process Personal Data under this DPA are subject to appropriate obligations of confidentiality, whether by contract, professional duty, or statutory obligation.

4.2          The Processor shall restrict access to Personal Data to those employees, contractors, and agents who require such access in order to perform the Services or to comply with obligations under this DPA.

5.  Security of Processing

5.1          Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, together with the risk to the rights and freedoms of Data Subjects, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

5.2          The technical and organisational security measures currently maintained by the Processor are set out in Schedule 2 (Technical and Organisational Measures). The Processor may update those measures from time to time provided the overall level of security is not materially reduced.

5.3          The Processor shall not reduce the level of security measures applicable to the Services during the term of this DPA without the prior written consent of the Controller.

5.4          The Controller acknowledges that security measures cannot guarantee the absolute security of Personal Data, and that the Processor’s obligations under this clause are obligations of means, not of result.

6.  Sub-processors

6.1          The Controller grants the Processor general written authorisation to engage the Sub-processors listed in Schedule 3 (Approved Sub-processors) as at the date of this DPA.

6.2          The Processor shall give the Controller reasonable prior written notice (of not less than 14 days) before making any changes to the list of approved Sub-processors, whether by adding a new Sub-processor or replacing or removing an existing one. Such notice shall be given by updating the Sub-processor list at www.imageconcepts.co.uk/sub-processors and notifying the Controller’s account contact by email.

6.3          If the Controller objects to any new Sub-processor on reasonable grounds relating to data protection within 14 days of receiving notice under clause 6.2, the parties shall discuss the objection in good faith. If the Controller’s objection cannot be resolved, the Controller may terminate the affected Services on written notice without penalty, subject to the provisions of the Principal Agreement governing termination.

6.4          Where the Processor engages a Sub-processor, it shall:

6.4.1      impose data protection obligations on the Sub-processor that are no less protective than those set out in this DPA, by way of a written contract;

6.4.2      remain fully liable to the Controller for the performance of the Sub-processor’s obligations to the extent the Sub-processor fails to fulfil its data protection obligations; and

6.4.3      ensure that each Sub-processor is appointed on terms that allow the Processor to comply with its obligations under this DPA.

7.  Assistance with Data Subject Rights

7.1          Taking into account the nature of the Processing and the information available to it, the Processor shall provide reasonable assistance to the Controller (at the Controller’s cost where that assistance requires significant effort) to enable the Controller to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2          If the Processor receives a request directly from a Data Subject purporting to exercise a right under Data Protection Laws in relation to Personal Data processed under this DPA, the Processor shall promptly forward that request to the Controller and shall not respond to the Data Subject directly, unless instructed to do so by the Controller or required to do so by applicable law.

7.3          The Processor shall implement reasonable technical measures (including the ability to search and export data from the hosted environment) to assist the Controller in complying with data subject rights requests.

8.  Personal Data Breaches

8.1          The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

8.2          Such notification shall, to the extent available at the time, include:

8.2.1      a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;

8.2.2      the name and contact details of the data protection contact at the Processor;

8.2.3      a description of the likely consequences of the Personal Data Breach; and

8.2.4      a description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8.3          Where the information referred to in clause 8.2 is not available in full at the time of initial notification, the Processor shall provide further information as it becomes available.

8.4          The Processor shall co-operate with the Controller and take such reasonable steps as the Controller requires to assist in investigating, mitigating, and remediating any Personal Data Breach.

8.5          The obligation to notify under clause 8.1 is triggered by the Processor becoming aware of a breach affecting Personal Data processed under this DPA. Notification does not constitute an admission of fault or liability.

9.  Data Protection Impact Assessments and Prior Consultation

9.1          The Processor shall provide reasonable assistance to the Controller (at the Controller’s cost where that assistance requires significant effort) in carrying out any data protection impact assessment required under UK GDPR Article 35 in respect of Processing carried out under this DPA, taking into account the nature of the Processing and the information available to the Processor.

9.2          The Processor shall provide reasonable assistance to the Controller in relation to any prior consultation with the Supervisory Authority required under UK GDPR Article 36.

10.  International Transfers

10.1         The Processor shall not transfer Personal Data to a country outside the United Kingdom except:

10.1.1    where the transfer is to a country, territory or sector that benefits from UK adequacy regulations under UK GDPR Article 45;

10.1.2    where the Processor has entered into appropriate safeguards with the recipient, such as an International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum, as approved by the Secretary of State; or

10.1.3    where the transfer is otherwise authorised by Data Protection Laws.

10.2         The Processor’s current Sub-processors and the countries in which they process data are identified in Schedule 3. Where applicable, the transfer mechanism relied upon in respect of each Sub-processor is noted.

10.3         The Processor shall promptly notify the Controller of any change to the transfer mechanisms relied upon under this clause and shall provide the Controller with copies of the relevant IDTA or SCCs upon written request.

11.  Return and Deletion of Personal Data

11.1         Upon termination or expiry of the Principal Agreement (or upon written request from the Controller), the Processor shall, at the Controller’s election:

11.1.1    return to the Controller a complete copy of all Personal Data processed under this DPA in a commonly used, machine-readable format; and/or

11.1.2    securely delete or destroy all Personal Data processed under this DPA, including copies held by Sub-processors.

11.2         The Controller shall notify the Processor of its election under clause 11.1 within 30 days of termination or expiry of the Principal Agreement. If no election is made within that period, the Processor shall securely delete all Personal Data.

11.3         Following completion of the return or deletion under clause 11.1, the Processor shall provide written confirmation to the Controller that all Personal Data has been returned or securely deleted, as applicable.

11.4         Notwithstanding the above, the Processor may retain Personal Data to the extent and for the period required by applicable law, provided that the Processor shall ensure the confidentiality of such retained Personal Data and shall process it only to the extent required by applicable law.

11.5         The Controller is responsible for taking its own copy of the hosted website and its data prior to termination. The Processor shall make reasonable efforts to facilitate a data export but does not guarantee the availability of export functionality for all website content or database formats.

12.  Audit Rights and Information

12.1         The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and with the obligations imposed on processors by Data Protection Laws.

12.2         The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, subject to the following:

12.2.1    the Controller shall give the Processor reasonable prior written notice of not less than 30 days before any audit;

12.2.2    audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor’s business and the services provided to other customers;

12.2.3    audits shall be limited to information, systems and personnel reasonably relevant to the Processing under this DPA;

12.2.4    the Controller (and any mandated third-party auditor) shall enter into appropriate confidentiality obligations before any audit is conducted; and

12.2.5    the costs of any audit shall be borne by the Controller, unless the audit reveals a material non-compliance by the Processor, in which case costs shall be shared equally.

12.3         The parties acknowledge that the Processor may satisfy its obligations under clause 12.1 by providing copies of relevant third-party security certifications (such as ISO 27001 certifications held by Sub-processors) or audit reports in lieu of conducting a direct audit, where these are reasonably sufficient to demonstrate compliance.

13.  Liability

13.1         Each party’s liability under this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement, which are incorporated into this DPA by reference.

13.2         Each party shall indemnify and hold harmless the other party in respect of any fines, penalties, or regulatory enforcement action imposed directly on the indemnifying party by the Supervisory Authority arising from that party’s material breach of its obligations under Data Protection Laws, to the extent that such breach is not attributable to the acts or omissions of the other party.

13.3         Where a Data Subject makes a claim against a party under UK GDPR Article 82, and that claim arises in whole or in part from the other party’s breach of Data Protection Laws, the parties shall co-operate in good faith to apportion liability between them in proportion to their respective responsibility for the damage.

14.  Term

14.1         This DPA shall come into force on the Effective Date and shall continue in force for so long as the Principal Agreement remains in force.

14.2         Upon termination or expiry of the Principal Agreement, this DPA shall automatically terminate, subject to clauses 11 (Return and Deletion) and 14.3.

14.3         Clauses 1 (Definitions), 4 (Confidentiality), 11 (Return and Deletion), 12 (Audit Rights), 13 (Liability), and 15 (General) shall survive termination or expiry of this DPA.

15.  General

15.1         Precedence.  In the event of any conflict or inconsistency between this DPA and the Principal Agreement in relation to the processing of Personal Data, this DPA shall prevail to the extent of the conflict.

15.2         Entire agreement.  This DPA, together with the Principal Agreement and the Schedules, constitutes the entire agreement between the parties in relation to the Processing of Personal Data under the Services, and supersedes all prior agreements, representations, and understandings relating to that subject matter.

15.3         Amendments.  No amendment to this DPA shall be valid unless made in writing and signed by authorised representatives of both parties. The Processor may update Schedule 3 (Sub-processors) in accordance with clause 6.2 without requiring a formal amendment to this DPA.

15.4         Governing law.  This DPA shall be governed by and construed in accordance with the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute arising out of or in connection with this DPA.

15.5         Severability.  If any provision of this DPA is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable, and the validity, legality, and enforceability of the remaining provisions shall not be affected.

15.6         Notices.  Notices under this DPA shall be given in writing and sent to the addresses set out on the cover page (or such other address as a party may notify in writing). Notices sent by email are effective on the date of transmission provided no delivery failure notification is received.

15.7         No waiver.  Failure or delay by either party to exercise any right or remedy under this DPA shall not constitute a waiver of that right or remedy.

Execution

This DPA has been entered into by the duly authorised representatives of the parties as of the Effective Date specified on the cover page.

Signed for and on behalf of the Processor: Image Concepts (Yorkshire) Ltd

Signed:
Name:
Title:
Date:

Signed for and on behalf of the Controller: [CUSTOMER LEGAL NAME]

Signed:
Name:
Title:
Date:

Schedule 1 Details of Processing

This Schedule sets out the particulars of the processing of Personal Data carried out by the Processor on behalf of the Controller, as required by UK GDPR Article 28(3).

Subject matter: The provision of managed WordPress hosting services, including website hosting, email relay, staging environments, backups (where included in the service tier or purchased as an add-on), and associated support services.
Duration: For the term of the Principal Agreement (and as required for the purposes of return/deletion of data under clause 11).
Nature of processing: Storage, hosting, retrieval, and incidental processing of Personal Data contained within the Controller’s hosted website environment, including website databases, file storage, email logs, and server access logs.
Purpose of processing: To deliver the hosting services, including: hosting and serving the Controller’s website; processing transactional emails sent by the Controller’s website via Postmark; maintaining server access and error logs; and providing backup and recovery services (where applicable).
Types of Personal Data: The types of Personal Data will vary depending on the nature of the Controller’s website and its functionality. They may include, but are not limited to:
  • Website visitors’ names, email addresses, postal addresses, and telephone numbers (e.g., submitted via contact forms)
  • E-commerce customer data (names, billing/delivery addresses, order history) if the website includes an online shop
  • Registered user account data (usernames, email addresses, hashed passwords)
  • IP addresses and browsing data recorded in server access logs
  • The content of emails transmitted via Postmark on behalf of the Controller
  • Any other Personal Data stored in the Controller’s website database or file system
Categories of Data Subjects: Website visitors and users of the Controller’s website; customers and prospective customers of the Controller; subscribers and registered account holders; any other individuals whose Personal Data is stored in the hosted environment by or on behalf of the Controller.
Special category data: The Processor does not knowingly process special category Personal Data (as defined in UK GDPR Article 9) under this DPA. The Controller warrants that it will not store special category Personal Data in the hosted environment without first notifying the Processor in writing and agreeing additional safeguards where necessary.

Schedule 2 Technical and Organisational Measures

The following technical and organisational measures are implemented by the Processor (and, where applicable, by its Sub-processors) in relation to the Processing of Personal Data under this DPA. These measures may be updated from time to time provided the overall level of security is not materially reduced.

1.  Infrastructure Security

  • Physical servers are hosted in DigitalOcean data centres in the United Kingdom, which maintain ISO 27001 and SOC 2 Type II certifications.
  • Network traffic is protected by server-level and application-level firewalls managed through Cloudways.
  • Unused network ports are closed by default. Access to server infrastructure is restricted to authorised personnel via SSH with key-based authentication.
  • DDoS protection is provided at the network level by the hosting infrastructure provider.

2.  Application-Level Security

  • A Web Application Firewall (WAF) is deployed on all hosted websites to detect and block common application-layer attacks (OWASP Top 10).
  • Varnish Cache and OPcache are used to serve content efficiently, reducing direct database exposure.
  • Redis Object Cache (included on Business plans and above) reduces repeated database queries.
  • Malware scanning and removal tools are available as part of the managed hosting service.
  • SSL/TLS certificates are provisioned and managed for all hosted websites, ensuring all data in transit is encrypted.

3.  Access Control

  • Access to hosting management infrastructure (Cloudways) is controlled by individual account credentials with two-factor authentication enforced for Processor staff.
  • Customer-facing access to hosting control panels is protected by username/password authentication.
  • The principle of least privilege is applied: access rights are limited to the minimum necessary for each role.
  • Customer hosting environments are logically separated; one customer cannot access another customer’s data.

4.  Backup and Recovery

  • Daily automated backups are included as standard on Dedicated plans. Shared hosting plans (Starter, Business, Ecommerce) require the backup add-on.
  • Where backups are in place, backup data is retained for a minimum of 14 days.
  • Backup restoration requests are handled via the Processor’s support system.
  • The Processor recommends that all Controllers maintain their own independent copy of website data.

5.  Breach Detection and Response

  • Server access logs are retained and monitored. Anomalous activity generates alerts.
  • The Processor maintains an internal incident response procedure covering identification, containment, notification, and review of Personal Data Breaches.
  • In the event of a Personal Data Breach affecting data processed under this DPA, the Processor will notify the Controller in accordance with clause 8 of this DPA.

6.  Email Security (Postmark)

  • Transactional emails from hosted websites are sent via Postmark, which enforces SPF, DKIM, and DMARC authentication.
  • Email transmission between Postmark’s servers and recipient mail servers uses TLS encryption where supported.
  • Postmark retains email logs for 45 days. Email content is not retained beyond that period by default.

7.  Organisational Measures

  • All Processor staff and contractors with access to Personal Data are required to maintain confidentiality as a condition of their engagement.
  • Staff with access to hosting infrastructure receive appropriate data protection and security training.
  • Sub-processors are selected on the basis of their ability to implement appropriate technical and organisational measures, and are contractually required to maintain data protection standards consistent with UK GDPR.
  • The Processor maintains a Record of Processing Activities in accordance with UK GDPR Article 30.

Schedule 3 Approved Sub-processors

The following Sub-processors are approved as at the date of this DPA. The Processor will give at least 14 days’ prior notice of any changes to this list in accordance with clause 6.2 of this DPA.

Cloudways Ltd (Managed cloud hosting platform)
  Role: Hosting management interface; server provisioning; Cloudways platform services
  Data location: EU / EEA — confirmed by Cloudways: no data stored outside the EU (confirmed April 2026)
  Transfer basis: EU / EEA only — no international transfer required
  Privacy info: cloudways.com/privacy-policy

DigitalOcean LLC (Cloud infrastructure provider)
  Role: Physical server hosting; storage; network infrastructure
  Data location: United Kingdom (LON1 data centre)
  Transfer basis: UK — no international transfer; data stored within the UK
  Privacy info: digitalocean.com/legal/privacy-policy

AC PM LLC (Postmark) (Transactional email service)
  Role: Sending and logging of transactional emails from hosted websites
  Data location: United States (primary); EU region available on request
  Transfer basis: UK Extension to EU-US Data Privacy Framework (UK-US Data Bridge) — AC PM LLC certified
  Privacy info: postmarkapp.com/privacy-policy

Schedule 4 Controller Details (to be completed by Controller)

The Controller shall complete this Schedule and return a signed copy to the Processor at info@imageconcepts.co.uk prior to, or at the time of, executing this DPA.

Legal name of Controller:
Registered address:
Company / charity reg. no.:
ICO registration number:
Primary data protection contact name:
Data protection contact email:
Data protection contact telephone:
Description of website(s) hosted:
Categories of Personal Data stored in hosted environment: (please describe the types of data collected/stored by your website, e.g. customer names and email addresses via contact form, WooCommerce order data, etc.)
Does your website process special category data? (Art. 9 UK GDPR) Yes / No. If yes, please describe:
Does your website collect data relating to children under 13? Yes / No
Approximate number of Data Subjects: