Which Reseller/VPS Hosts provide Data Processing Agreements (hello GDPR) for their products?

YmpkerYmpker OGContent Writer
edited July 2020 in General

Currently, I am only hosting friends and family for free on idle resources and focusing on Web Design Services. I might, in the future, have a need for a Reseller/VPS again where I will host clients, depending on how things will go. I am just curious to know which Reseller Hosting/VPS providers you know that provide a DPA to act in line with GDPR. Afaik it's not really possible to offer Hosting Services (wheter on a vps or reseller) in Europe without having signed a DPA with your provider. This is because, obviously, server logs are being kept, which can and will include personal data of clients such as IP addresses etc.

These are the "big providers" I know that are offering a DPA: Hetzner, Contabo, All-Inkl, OVH, Netcup, DO, Strato, 1&1, IP-Projects, Alfa-Hosting, Mittwald.. (some of these, however, I'd probably never touch).

There is a great list with providers regarding the support of a DPAs/AV-Contract over at Blogmojo (some 200+ providers in the list), but naturally, not many of the forum favorites are included in that list.

I recently saw a reseller offer from @WSCallum that also implied DPA was available? Happy to see that being offered more frequently (since it's becoming quite essential here in Germany). HostMantis (where I am currently at with my Reseller plan) replied they are not harvesting any crucial data. However, they are operating out of US jurisdiction so they don't really do DPA anyway. Also, speaking of jurisdiction, the US is a whole different story now with GDPR regulations in place.

What about some of the favorites here? @MikePT @SmallWeb @AnthonySmith @seriesn @Clouvider @Francisco @Nick_A ? Do you offer a DPA?

Thanked by (2)WSCallum MikePT

Comments

  • While our privacy policy is GDPR compliant, being an usa based business, technically we don't need to sign DPA. Not that I would not mind to sign one, just don't want to spend 200 bucks on lawyer fees right now for something that is not mandatory.

    Thanked by (1)Ympker
  • YmpkerYmpker OGContent Writer
    edited July 2020

    @seriesn said:
    While our privacy policy is GDPR compliant, being an usa based business, technically we don't need to sign DPA. Not that I would not mind to sign one, just don't want to spend 200 bucks on lawyer fees right now for something that is not mandatory.

    Can totally relate. Glad to hear you wouldn't mind signing one in general :) Anyway, I am in no way opposed to the idea of advocating privacy, however it seems like this DPA thing, for example, is yet another pita that was not really necessary imho. I mean, most providers would already state in their Privacy Policy that IP-Addresses etc can be logged for technical purposes and/or by the datacenter. This DPA is just yet another cash grab for lawyers on top. And we all know that many customers won't even read past the two first lines of the ToS/Privacy Policy, anyway.

    Appears like Ramnode @Nick_A are also offering a DPA :)

    That's pretty smooth from Ramnode tbh :)

    "GDPR Data Processing Agreement

    Customers who require a Data Processing Agreement (DPA) in order to comply with GDPR may view and download our DPA here.

    You do not need to sign the DPA. By agreeing to our Terms of Service and using our products and services, you are automatically accepting our DPA. If you choose to sign it, you may send a copy to xxx."

    Thanked by (2)seriesn Nick_A
  • MikePTMikePT Hosting ProviderOGServices Provider

    @Ympker said:
    Currently, I am only hosting friends and family for free on idle resources and focusing on Web Design Services. I might, in the future, have a need for a Reseller/VPS again where I will host clients, depending on how things will go. I am just curious to know which Reseller Hosting/VPS providers you know that provide a DPA to act in line with GDPR. Afaik it's not really possible to offer Hosting Services (wheter on a vps or reseller) in Europe without having signed a DPA with your provider. This is because, obviously, server logs are being kept, which can and will include personal data of clients such as IP addresses etc.

    These are the "big providers" I know that are offering a DPA: Hetzner, Contabo, All-Inkl, OVH, Netcup, DO, Strato, 1&1, IP-Projects, Alfa-Hosting, Mittwald.. (some of these, however, I'd probably never touch).

    There is a great list with providers regarding the support of a DPAs/AV-Contract over at Blogmojo (some 200+ providers in the list), but naturally, not many of the forum favorites are included in that list.

    I recently saw a reseller offer from @WSCallum that also implied DPA was available? Happy to see that being offered more frequently (since it's becoming quite essential here in Germany). HostMantis (where I am currently at with my Reseller plan) replied they are not harvesting any crucial data. However, they are operating out of US jurisdiction so they don't really do DPA anyway. Also, speaking of jurisdiction, the US is a whole different story now with GDPR regulations in place.

    What about some of the favorites here? @MikePT @SmallWeb @AnthonySmith @seriesn @Clouvider @Francisco @Nick_A ? Do you offer a DPA?

    Never had a single customer asking for it, but can provide it should you need! :)

    Thanked by (1)Ympker
  • YmpkerYmpker OGContent Writer
    edited July 2020

    @MikePT said:

    @Ympker said:
    Currently, I am only hosting friends and family for free on idle resources and focusing on Web Design Services. I might, in the future, have a need for a Reseller/VPS again where I will host clients, depending on how things will go. I am just curious to know which Reseller Hosting/VPS providers you know that provide a DPA to act in line with GDPR. Afaik it's not really possible to offer Hosting Services (wheter on a vps or reseller) in Europe without having signed a DPA with your provider. This is because, obviously, server logs are being kept, which can and will include personal data of clients such as IP addresses etc.

    These are the "big providers" I know that are offering a DPA: Hetzner, Contabo, All-Inkl, OVH, Netcup, DO, Strato, 1&1, IP-Projects, Alfa-Hosting, Mittwald.. (some of these, however, I'd probably never touch).

    There is a great list with providers regarding the support of a DPAs/AV-Contract over at Blogmojo (some 200+ providers in the list), but naturally, not many of the forum favorites are included in that list.

    I recently saw a reseller offer from @WSCallum that also implied DPA was available? Happy to see that being offered more frequently (since it's becoming quite essential here in Germany). HostMantis (where I am currently at with my Reseller plan) replied they are not harvesting any crucial data. However, they are operating out of US jurisdiction so they don't really do DPA anyway. Also, speaking of jurisdiction, the US is a whole different story now with GDPR regulations in place.

    What about some of the favorites here? @MikePT @SmallWeb @AnthonySmith @seriesn @Clouvider @Francisco @Nick_A ? Do you offer a DPA?

    Never had a single customer asking for it, but can provide it should you need! :)

    Well, GDPR enforcement is relatively "new", I guess. It requires you to sign a DPA with any party that is processing crucial/personal data of your clients (so to speak with the Reseller/VPS Provider you base your services on). You then, also need to list such party in your privacy policy and state what they are processing.
    Good to hear! Will open a ticket about this. Better get ut done with so it's outa the way :)

    Thanked by (1)MikePT
  • MikePTMikePT Hosting ProviderOGServices Provider

    @Ympker said:

    @MikePT said:

    @Ympker said:
    Currently, I am only hosting friends and family for free on idle resources and focusing on Web Design Services. I might, in the future, have a need for a Reseller/VPS again where I will host clients, depending on how things will go. I am just curious to know which Reseller Hosting/VPS providers you know that provide a DPA to act in line with GDPR. Afaik it's not really possible to offer Hosting Services (wheter on a vps or reseller) in Europe without having signed a DPA with your provider. This is because, obviously, server logs are being kept, which can and will include personal data of clients such as IP addresses etc.

    These are the "big providers" I know that are offering a DPA: Hetzner, Contabo, All-Inkl, OVH, Netcup, DO, Strato, 1&1, IP-Projects, Alfa-Hosting, Mittwald.. (some of these, however, I'd probably never touch).

    There is a great list with providers regarding the support of a DPAs/AV-Contract over at Blogmojo (some 200+ providers in the list), but naturally, not many of the forum favorites are included in that list.

    I recently saw a reseller offer from @WSCallum that also implied DPA was available? Happy to see that being offered more frequently (since it's becoming quite essential here in Germany). HostMantis (where I am currently at with my Reseller plan) replied they are not harvesting any crucial data. However, they are operating out of US jurisdiction so they don't really do DPA anyway. Also, speaking of jurisdiction, the US is a whole different story now with GDPR regulations in place.

    What about some of the favorites here? @MikePT @SmallWeb @AnthonySmith @seriesn @Clouvider @Francisco @Nick_A ? Do you offer a DPA?

    Never had a single customer asking for it, but can provide it should you need! :)

    Well, GDPR enforcement is relatively "new", I guess. It requires you to sign a DPA with any party that is processing crucial/personal data of your clients (so to speak with the Reseller/VPS Provider you base your services on). You then, also need to list such party in your privacy policy and state what they are processing.
    Good to hear! Will open a ticket about this. Better get ut done with so it's outa the way :)

    Sounds like I need to find a DPA and edit it, which is ok. Should be similar to any DPAs around!

    Thanked by (1)Ympker
  • InceptionHostingInceptionHosting Hosting ProviderOG
    edited July 2020

    Controlling your information.

    Even though you may have consented to the use of your personal data in certain ways you can change the permissions or you can withdraw your consent to personal data processing by Inception Hosting Limited at any time, by visiting https://clients.inceptionhosting.com You also have certain other legal rights in respect of your personal data when not contradicting any other legal requirements including the right to have access to it, rectify it, erase it, restrict processing of it, and move it. To exercise one or more of these rights please contact [email protected] In the event you have a concern or complaint about our processing of your personal data please contact [email protected] You also have the right to complain to the UK’s Information Commissioner at https://ico.org.uk.

    Guess that is not enough any more?

    I do have customer-controlled GDPR backups also through jetbackup.

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • YmpkerYmpker OGContent Writer
    edited July 2020

    @MikePT said:

    @Ympker said:

    @MikePT said:

    @Ympker said:
    Currently, I am only hosting friends and family for free on idle resources and focusing on Web Design Services. I might, in the future, have a need for a Reseller/VPS again where I will host clients, depending on how things will go. I am just curious to know which Reseller Hosting/VPS providers you know that provide a DPA to act in line with GDPR. Afaik it's not really possible to offer Hosting Services (wheter on a vps or reseller) in Europe without having signed a DPA with your provider. This is because, obviously, server logs are being kept, which can and will include personal data of clients such as IP addresses etc.

    These are the "big providers" I know that are offering a DPA: Hetzner, Contabo, All-Inkl, OVH, Netcup, DO, Strato, 1&1, IP-Projects, Alfa-Hosting, Mittwald.. (some of these, however, I'd probably never touch).

    There is a great list with providers regarding the support of a DPAs/AV-Contract over at Blogmojo (some 200+ providers in the list), but naturally, not many of the forum favorites are included in that list.

    I recently saw a reseller offer from @WSCallum that also implied DPA was available? Happy to see that being offered more frequently (since it's becoming quite essential here in Germany). HostMantis (where I am currently at with my Reseller plan) replied they are not harvesting any crucial data. However, they are operating out of US jurisdiction so they don't really do DPA anyway. Also, speaking of jurisdiction, the US is a whole different story now with GDPR regulations in place.

    What about some of the favorites here? @MikePT @SmallWeb @AnthonySmith @seriesn @Clouvider @Francisco @Nick_A ? Do you offer a DPA?

    Never had a single customer asking for it, but can provide it should you need! :)

    Well, GDPR enforcement is relatively "new", I guess. It requires you to sign a DPA with any party that is processing crucial/personal data of your clients (so to speak with the Reseller/VPS Provider you base your services on). You then, also need to list such party in your privacy policy and state what they are processing.
    Good to hear! Will open a ticket about this. Better get ut done with so it's outa the way :)

    Sounds like I need to find a DPA and edit it, which is ok. Should be similar to any DPAs around!

    If you are e.g. reselling Hetzner or having a Dedi at Hetzner you need their DPA because they are processing personal data such as IPs for tech logs etc. At least that's my understanding. There's an english sample over at https://www.gdd.de/gdd-arbeitshilfen/praxishilfen-ds-gvo/praxishilfen-ds-gvo iirc.

  • YmpkerYmpker OGContent Writer
    edited July 2020

    @AnthonySmith said:

    Controlling your information.

    Even though you may have consented to the use of your personal data in certain ways you can change the permissions or you can withdraw your consent to personal data processing by Inception Hosting Limited at any time, by visiting https://clients.inceptionhosting.com You also have certain other legal rights in respect of your personal data when not contradicting any other legal requirements including the right to have access to it, rectify it, erase it, restrict processing of it, and move it. To exercise one or more of these rights please contact [email protected] In the event you have a concern or complaint about our processing of your personal data please contact [email protected] You also have the right to complain to the UK’s Information Commissioner at https://ico.org.uk.

    Guess that is not enough any more?

    I do have customer-controlled GDPR backups also through jetbackup.

    It is not afaik. It's really a pita now.
    Technically, and this is my understanding,
    it is quite clear that any third party (party aside you and your customer) that processes personal or crucial data from your client such as IP addresses, tech logs etc.. you need to sign a DPA with. So if you are hosting your shared hosting on OVH servers, you need one with OVH for example. You might also need one with Jetbackup for that matter. And one with any domain Registrar if you offer domains.

    There's two things you need to do:

    1st: Sign a DPA with every single data processor that applies to the above (basically all).

    2nd: in your privacy policy state every single data processor and state what data they are processing. Check @WSCallum privacy policy as an example :)

    Oh, with US based data processors it's a different story. I think you don't need one, but using them needs to be green-lit in some random EU law iirc which is problematic now that EU declared US privacy shield void (kinda) and US wont comply with GDPR.

    In my next life I'll become a lawyer. No way you'd run out of work to do and since german lawyers are required to have insurance, you can basically fuck up ever so often and the one suffering is your client at best.

    Oh, and ofc there are fines ;) Read about a german small-ish company which didn't list the data processors in their privacy policy. Fine was 5k. Not listing data processors is probably worse than no signed DPA because, technically, OVH etc will probably abide by GDPR but not listing them is on you.

    And now thing about how many clients will actually read the pro-longed privacy policy. Right :)

    Thanked by (1)WSCallum
  • InceptionHostingInceptionHosting Hosting ProviderOG

    yeah... I won't be doing that :)

    Thanked by (2)Ympker MichaelCee

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • YmpkerYmpker OGContent Writer
    edited July 2020

    @AnthonySmith said:
    yeah... I won't be doing that :)

    I'm from Germany, so I guess I will if I was to offer hosting again. I have to say though, it's not getting easier. For neither party tbh. Luckily, most german provider already offer AV Verträge (what it's called here). I will, however, have to drop some potential hosts from LE forums I liked because they likely won't offer this which is kinda sad, too. What's more reseller hosting in Germany mostly uses Plesk or a custom panel from the provider. Both not options I'm too fond of. So at least for (german) providers trying to comply with GDPR reseller/vps hosts with a DPA will have to be the go-to.

    On a positive note, I might soon get a consulting flatrate for legal advice which is paid monthly but should make stuff much easier with chat+e-mail support and phone available. Although each consultation will be limited to a "first advice/pointing into a direction" for each specific case it's good to know which direction to head for. It's also unlimited queries so you can consult them again and again with anything that troubles you. And that their first advice on the case still makes them legally acountable. So if it turns out to be wrong it's on them.

  • YmpkerYmpker OGContent Writer

    The Hamster/Hostens also supports DPA. You can get it in their client area. One more reliable provider addes to the mix :)

  • YmpkerYmpker OGContent Writer
    edited August 2020

    @WSCallum did you remove the list of data processors from the privacy policy? I believe when I opened this thread under your GDPR Data Processor statement in the Privacy Policy you listed HostMantis for Singapore and other data processors respectively. Poli on HB just tagged me and the information seems indeed to be gone.

  • YmpkerYmpker OGContent Writer
    edited August 2020
  • MikePTMikePT Hosting ProviderOGServices Provider

    @Ympker said:
    @AnthonySmith @MikePT maybe this template can be of use to you :)

    https://gdpr.eu/data-processing-agreement/

    Pass me that via link, can save on lawyer costs. :P

    Thanked by (1)Ympker
  • YmpkerYmpker OGContent Writer

    @MikePT said:

    @Ympker said:
    @AnthonySmith @MikePT maybe this template can be of use to you :)

    https://gdpr.eu/data-processing-agreement/

    Pass me that via link, can save on lawyer costs. :P

    I think I did send you the link in the ticket :)

  • MichaelCeeMichaelCee OGServices Provider

    I will at the very least try to push an updated privacy/data policy in the coming weeks. :)

    Thanked by (1)Ympker
  • YmpkerYmpker OGContent Writer
    edited August 2020

    @SmallWeb said:
    I will at the very least try to push an updated privacy/data policy in the coming weeks. :)

    Great to hear! Maybe this can help you:

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/

    Found the article a while ago. I think the ICO is some UK institution for this kinda legal stuff, so probably helpful (I hope)? ;)

    Thanked by (1)MichaelCee
Sign In or Register to comment.