Which Reseller/VPS Hosts provide Data Processing Agreements (hello GDPR) for their products?
Currently, I am only hosting friends and family for free on idle resources and focusing on Web Design Services. I might, in the future, have a need for a Reseller/VPS again where I will host clients, depending on how things will go. I am just curious to know which Reseller Hosting/VPS providers you know that provide a DPA to act in line with GDPR. Afaik it's not really possible to offer Hosting Services (wheter on a vps or reseller) in Europe without having signed a DPA with your provider. This is because, obviously, server logs are being kept, which can and will include personal data of clients such as IP addresses etc.
These are the "big providers" I know that are offering a DPA: Hetzner, Contabo, All-Inkl, OVH, Netcup, DO, Strato, 1&1, IP-Projects, Alfa-Hosting, Mittwald.. (some of these, however, I'd probably never touch).
There is a great list with providers regarding the support of a DPAs/AV-Contract over at Blogmojo (some 200+ providers in the list), but naturally, not many of the forum favorites are included in that list.
I recently saw a reseller offer from @WSCallum that also implied DPA was available? Happy to see that being offered more frequently (since it's becoming quite essential here in Germany). HostMantis (where I am currently at with my Reseller plan) replied they are not harvesting any crucial data. However, they are operating out of US jurisdiction so they don't really do DPA anyway. Also, speaking of jurisdiction, the US is a whole different story now with GDPR regulations in place.
What about some of the favorites here? @MikePT @SmallWeb @AnthonySmith @seriesn @Clouvider @Francisco @Nick_A ? Do you offer a DPA?
Comments
While our privacy policy is GDPR compliant, being an usa based business, technically we don't need to sign DPA. Not that I would not mind to sign one, just don't want to spend 200 bucks on lawyer fees right now for something that is not mandatory.
Nexus Bytes Ryzen Powered NVMe VPS | NYC|Miami|LA|London|Netherlands| Singapore|Tokyo
Storage VPS | LiteSpeed Powered Web Hosting + SSH access | Switcher Special |
Can totally relate. Glad to hear you wouldn't mind signing one in general
Anyway, I am in no way opposed to the idea of advocating privacy, however it seems like this DPA thing, for example, is yet another pita that was not really necessary imho. I mean, most providers would already state in their Privacy Policy that IP-Addresses etc can be logged for technical purposes and/or by the datacenter. This DPA is just yet another cash grab for lawyers on top. And we all know that many customers won't even read past the two first lines of the ToS/Privacy Policy, anyway.
Appears like Ramnode @Nick_A are also offering a DPA
That's pretty smooth from Ramnode tbh
"GDPR Data Processing Agreement
Customers who require a Data Processing Agreement (DPA) in order to comply with GDPR may view and download our DPA here.
You do not need to sign the DPA. By agreeing to our Terms of Service and using our products and services, you are automatically accepting our DPA. If you choose to sign it, you may send a copy to xxx."
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Never had a single customer asking for it, but can provide it should you need!
Well, GDPR enforcement is relatively "new", I guess. It requires you to sign a DPA with any party that is processing crucial/personal data of your clients (so to speak with the Reseller/VPS Provider you base your services on). You then, also need to list such party in your privacy policy and state what they are processing.
Good to hear! Will open a ticket about this. Better get ut done with so it's outa the way
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Sounds like I need to find a DPA and edit it, which is ok. Should be similar to any DPAs around!
Guess that is not enough any more?
I do have customer-controlled GDPR backups also through jetbackup.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
If you are e.g. reselling Hetzner or having a Dedi at Hetzner you need their DPA because they are processing personal data such as IPs for tech logs etc. At least that's my understanding. There's an english sample over at https://www.gdd.de/gdd-arbeitshilfen/praxishilfen-ds-gvo/praxishilfen-ds-gvo iirc.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
It is not afaik. It's really a pita now.
Technically, and this is my understanding,
it is quite clear that any third party (party aside you and your customer) that processes personal or crucial data from your client such as IP addresses, tech logs etc.. you need to sign a DPA with. So if you are hosting your shared hosting on OVH servers, you need one with OVH for example. You might also need one with Jetbackup for that matter. And one with any domain Registrar if you offer domains.
There's two things you need to do:
1st: Sign a DPA with every single data processor that applies to the above (basically all).
2nd: in your privacy policy state every single data processor and state what data they are processing. Check @WSCallum privacy policy as an example
Oh, with US based data processors it's a different story. I think you don't need one, but using them needs to be green-lit in some random EU law iirc which is problematic now that EU declared US privacy shield void (kinda) and US wont comply with GDPR.
In my next life I'll become a lawyer. No way you'd run out of work to do and since german lawyers are required to have insurance, you can basically fuck up ever so often and the one suffering is your client at best.
Oh, and ofc there are fines
Read about a german small-ish company which didn't list the data processors in their privacy policy. Fine was 5k. Not listing data processors is probably worse than no signed DPA because, technically, OVH etc will probably abide by GDPR but not listing them is on you.
And now thing about how many clients will actually read the pro-longed privacy policy. Right
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
yeah... I won't be doing that
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
I'm from Germany, so I guess I will if I was to offer hosting again. I have to say though, it's not getting easier. For neither party tbh. Luckily, most german provider already offer AV Verträge (what it's called here). I will, however, have to drop some potential hosts from LE forums I liked because they likely won't offer this which is kinda sad, too. What's more reseller hosting in Germany mostly uses Plesk or a custom panel from the provider. Both not options I'm too fond of. So at least for (german) providers trying to comply with GDPR reseller/vps hosts with a DPA will have to be the go-to.
On a positive note, I might soon get a consulting flatrate for legal advice which is paid monthly but should make stuff much easier with chat+e-mail support and phone available. Although each consultation will be limited to a "first advice/pointing into a direction" for each specific case it's good to know which direction to head for. It's also unlimited queries so you can consult them again and again with anything that troubles you. And that their first advice on the case still makes them legally acountable. So if it turns out to be wrong it's on them.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
The Hamster/Hostens also supports DPA. You can get it in their client area. One more reliable provider addes to the mix
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
@WSCallum did you remove the list of data processors from the privacy policy? I believe when I opened this thread under your GDPR Data Processor statement in the Privacy Policy you listed HostMantis for Singapore and other data processors respectively. Poli on HB just tagged me and the information seems indeed to be gone.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
@AnthonySmith @MikePT maybe this template can be of use to you
https://gdpr.eu/data-processing-agreement/
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Pass me that via link, can save on lawyer costs. :P
I think I did send you the link in the ticket
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
I will at the very least try to push an updated privacy/data policy in the coming weeks.
Michael from DragonWebHost & OnePoundEmail
Great to hear! Maybe this can help you:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/
Found the article a while ago. I think the ICO is some UK institution for this kinda legal stuff, so probably helpful (I hope)?
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.