Data Processor Agreement

Last updated: March 24, 2026

This Data Processor Agreement (“DPA”) is entered into between you (“Data Controller,” “you,” or “your”) and WPCloud Inc. (“Data Processor,” “WPCloud,” “we,” “us,” or “our”) and forms part of the Terms of Service between you and WPCloud.

This DPA sets out the terms under which WPCloud processes personal data on your behalf in connection with the provision of managed WordPress hosting services (“Services”). This DPA is intended to ensure compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy legislation, and, where applicable, the General Data Protection Regulation (GDPR).

1. Definitions

In this DPA, the following terms have the meanings set out below:

• “Personal Data” means any information relating to an identified or identifiable natural person that is processed by WPCloud in connection with the Services
• “Data Controller” means the entity that determines the purposes and means of the processing of Personal Data (you, the customer)
• “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller (WPCloud)
• “Sub-Processor” means a third-party service provider engaged by WPCloud to process Personal Data on behalf of the Data Controller
• “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates
• “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transmission, and deletion
• “Data Breach” means any unauthorised access to, acquisition of, use of, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of the data

2. Scope of Processing

WPCloud processes Personal Data solely for the purpose of providing the Services as described in our Terms of Service. The nature of processing includes hosting, storage, caching, backup, transmission, and technical administration of WordPress websites and their associated databases.

The categories of Personal Data processed and the categories of Data Subjects are described in Appendix A of this DPA. WPCloud will not process Personal Data for any purpose other than the provision of the Services unless required by law, in which case WPCloud will inform the Data Controller before processing (unless prohibited by law from doing so).

3. Data Controller Obligations

As Data Controller, you are responsible for:

• Ensuring that you have a lawful basis for collecting and processing Personal Data
• Providing appropriate privacy notices to Data Subjects
• Obtaining any necessary consents from Data Subjects
• Ensuring that your instructions to WPCloud regarding the processing of Personal Data comply with all applicable privacy laws
• Notifying WPCloud promptly of any data subject access requests, complaints, or regulatory inquiries that relate to data processed by WPCloud

4. Data Processor Obligations

Confidentiality

WPCloud ensures that all personnel authorised to process Personal Data are bound by obligations of confidentiality. Access to Personal Data is restricted to those employees and contractors who require access to perform their duties in connection with the Services.

Security

WPCloud implements and maintains appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Server-level firewalls and intrusion detection systems
• Imunify360 malware scanning and web application firewalls
• CloudLinux account isolation
• Role-based access controls
• Daily automated backups with off-premise redundancy
• 15-minute VM replication for disaster recovery
• Regular security audits and vulnerability assessments

Data Breach Notification

In the event of a Data Breach, WPCloud will:

1. Notify the Data Controller without undue delay and in any event within 72 hours of becoming aware of the breach
2. Provide a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
3. Describe the likely consequences of the breach
4. Describe the measures taken or proposed to address the breach and mitigate its effects
5. Cooperate with the Data Controller in investigating and remediating the breach
6. Maintain a record of all Data Breaches, including the facts, effects, and remedial actions taken

Data Subject Rights

WPCloud will assist the Data Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable privacy law, including rights of access, rectification, erasure, restriction, portability, and objection. WPCloud will promptly notify the Data Controller if it receives a request directly from a Data Subject and will not respond to the request without the Data Controller’s prior authorisation, unless required by law.

Audit Rights

WPCloud will make available to the Data Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections conducted by the Data Controller or an independent auditor appointed by the Data Controller. Audit requests must be submitted in writing at least 30 days in advance. Audits will be conducted during normal business hours and will not unreasonably interfere with WPCloud’s operations. The Data Controller is responsible for the costs of any audit.

5. Data Transfers

All Personal Data processed by WPCloud’s primary infrastructure is stored within Canada. WPCloud’s data centres are located in Montreal (Quebec), Toronto (Ontario), and Coquitlam (British Columbia).

Some Sub-Processors engaged by WPCloud may process data outside of Canada (for example, CDN edge nodes or transactional email services). Where data is transferred outside of Canada, WPCloud ensures that:

• The transfer is subject to appropriate contractual safeguards
• The receiving party provides a level of protection comparable to that required under Canadian privacy law
• The transfer is limited to the minimum data necessary for the Sub-Processor to perform its function

Details of Sub-Processors and their locations are provided in Appendix B.

6. Sub-Processors

The Data Controller authorises WPCloud to engage the Sub-Processors listed in Appendix B for the purposes described therein. WPCloud will:

• Enter into written agreements with each Sub-Processor that impose data protection obligations no less protective than those in this DPA
• Remain fully liable for the acts and omissions of its Sub-Processors
• Notify the Data Controller at least 30 days in advance of any intended addition or replacement of Sub-Processors, providing the Data Controller with an opportunity to object

If the Data Controller reasonably objects to a new Sub-Processor, WPCloud will make reasonable efforts to provide an alternative or allow the Data Controller to terminate the affected Services without penalty.

7. Duration and Termination

This DPA remains in effect for the duration of the Terms of Service. Upon termination of the Services:

• WPCloud will, at the Data Controller’s election, return or delete all Personal Data within 30 days of termination, unless retention is required by applicable law
• WPCloud will provide the Data Controller with a reasonable opportunity to retrieve their data before deletion
• WPCloud will certify in writing that all Personal Data has been deleted upon request

8. Limitation of Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not create any additional liability beyond that established in the Terms of Service.

9. Contact

For questions about this Data Processor Agreement or to exercise any rights under this DPA, please contact us:

WPCloud Inc.
41 John Street #10
Port Hope, Ontario L1A 2Z3
Canada

Email: privacy@wpcloud.ca

---

Appendix A: Categories of Personal Data and Data Subjects

Categories of Data Subjects

• Website visitors: individuals who visit websites hosted by the Data Controller on WPCloud infrastructure
• End users: individuals who create accounts, submit forms, or otherwise interact with the Data Controller’s WordPress site
• Customers: the Data Controller’s customers whose data may be stored in the WordPress database
• Employees and contractors: individuals whose data the Data Controller may store or process through their WordPress site

Categories of Personal Data

• Contact information (names, email addresses, phone numbers, mailing addresses)
• Account credentials (usernames, hashed passwords)
• Usage data (IP addresses, browser information, page views, form submissions)
• Transaction data (order details, payment records, invoices)
• Communication data (comments, support tickets, contact form submissions)
• Any other personal data stored by the Data Controller in the WordPress database, uploaded files, or site content

Sensitive data: WPCloud does not intentionally process special categories of personal data (health data, biometric data, etc.) as part of its standard hosting services. If the Data Controller stores sensitive personal data (including personal health information subject to PHIPA), the Data Controller is responsible for ensuring appropriate safeguards and consent. WPCloud’s Canadian-only infrastructure is designed to support PHIPA compliance requirements for data residency.

---

Appendix B: Approved Sub-Processors

The following third-party service providers are authorised Sub-Processors engaged by WPCloud in the delivery of the Services:

This list is current as of the effective date of this DPA. Changes to the Sub-Processor list will be communicated to the Data Controller at least 30 days in advance, as described in Section 6.