Data Processing Agreement (DPA) - Somogy ↔ Business Customer
Somogy is a trade name of Grudanov Werkmaatschappij B.V., having its registered office at Van Moerkerkenlaan 11, 9721 TA Groningen, the Netherlands, registered with the Chamber of Commerce under number 42004919, VAT number NL869244140B01 (hereinafter: “Processor” or “Somogy”).
The customer (the legal entity or natural person acting in the course of a profession or business with whom Somogy has concluded a main agreement for the provision of services - hereinafter: “Controller” or “Customer”).
This Data Processing Agreement is drafted in Dutch. An English translation is provided upon request for ease of reading. In case of any conflict between the language versions, the Dutch text prevails.
This Data Processing Agreement applies exclusively to business customers who act as controller for personal data processed via Somogy. No DPA applies to consumers - for consumers, the privacy statement at somogy.nl/privacy applies, in which Somogy itself acts as controller for its own customer administration.
1. Definitions and legal basis
1.1 In this Data Processing Agreement (hereinafter: “Data Processing Agreement” or “DPA”), the following terms shall have the following meaning:
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).
- Main Agreement: the agreement between the parties for the provision of hosting services by Somogy, including the General Terms and Conditions, the SLA and this Data Processing Agreement.
- Personal data, Processing, Data subject, Personal data breach: as defined in art. 4 GDPR.
- Sub-processor: a third party engaged by Somogy that processes personal data in the context of the performance of the Main Agreement.
- Partners page: somogy.nl/partners - the public, always-current list of sub-processors.
1.2 This Data Processing Agreement has been concluded in accordance with art. 28(3) GDPR and forms an integral part of the Main Agreement.
1.3 In the event of a conflict between this Data Processing Agreement and the other parts of the Main Agreement, this Data Processing Agreement prevails with respect to the processing of personal data.
2. Subject matter and duration of the processing
2.1 The subject matter, nature, purpose and categories of personal data and data subjects are described in Annex A to this Data Processing Agreement.
2.2 This Data Processing Agreement applies for the duration of the Main Agreement and, to the extent necessary for winding-down, for the period after termination referred to in article 13.
3. Nature and purpose of the processing
3.1 Somogy processes personal data solely for the purpose of providing the services described in the Main Agreement (email hosting, WordPress hosting and related services) and solely on the basis of written, documented instructions from Customer, unless a Union or Member State law applicable to Somogy obliges Somogy to process.
3.2 The conclusion of the Main Agreement constitutes a written instruction to carry out the services described therein. Subsequent instructions shall be recorded in writing (an email to support@somogy.nl is sufficient).
3.3 Somogy does not process personal data for its own purposes, with the exception of aggregated data that cannot be traced back to Customer or data subjects, for capacity planning, security and service improvement purposes.
4. Types of personal data and categories of data subjects
4.1 The categories of personal data and data subjects are described in Annex A.
4.2 Customer is aware that the content of mailboxes and WordPress installations is determined by Customer itself. Customer ensures that no special categories of personal data (art. 9 GDPR) or personal data relating to criminal convictions and offences (art. 10 GDPR) are processed via the services without appropriate additional safeguards having been implemented by Customer and, where necessary, coordinated with Somogy.
5. Obligations of Customer
5.1 Customer warrants that it has a lawful basis (art. 6 GDPR) for the processing activities it carries out via the services and that it complies with its own obligations under the GDPR, including the information obligation towards data subjects.
5.2 Customer indemnifies Somogy against claims from third parties, including data subjects and supervisory authorities, arising from Customer’s failure to comply with its obligations under the GDPR.
5.3 Customer shall notify Somogy in good time of any changes to the nature or scope of the processing that are relevant to Somogy.
6. Obligations of Somogy (art. 28(3) GDPR)
Somogy shall:
6.1 Processing on instructions (art. 28(3)(a) GDPR): process personal data solely on the basis of documented instructions from Customer, including with regard to transfers to third countries, unless a legal obligation requires Somogy to process; in that case, Somogy shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
6.2 Confidentiality (art. 28(3)(b) GDPR): ensure that employees and other persons acting under Somogy’s authority are bound by a duty of confidentiality, both during and after the termination of their employment or assignment (see article 7).
6.3 Security (art. 28(3)(c) in conjunction with art. 32 GDPR): implement appropriate technical and organisational measures as described in article 8 and Annex B.
6.4 Sub-processors (art. 28(3)(d) in conjunction with (2) and (4) GDPR): engage sub-processors only in accordance with article 9.
6.5 Assistance with data subject rights (art. 28(3)(e) GDPR): reasonably assist Customer in fulfilling its obligations under chapter III GDPR (rights of data subjects), in accordance with article 11.
6.6 Assistance with security, breaches, DPIA and prior consultation (art. 28(3)(f) in conjunction with art. 32–36 GDPR): assist Customer with personal data breaches (article 12), with a data protection impact assessment (DPIA) and with a prior consultation of the Dutch Data Protection Authority, to the extent that this can reasonably be expected of Somogy and taking into account the nature of the processing and the information available to Somogy.
6.7 Return or deletion (art. 28(3)(g) GDPR): after termination of the Main Agreement, return or delete the personal data in accordance with article 13.
6.8 Information and audit (art. 28(3)(h) GDPR): make available to Customer all information necessary to demonstrate compliance with art. 28 GDPR and allow for audits in accordance with article 8.5.
7. Confidentiality
7.1 Somogy shall impose a duty of confidentiality on every employee, contractor or other person processing personal data on behalf of Somogy, which duty shall continue both during and after the termination of the relationship.
7.2 Somogy shall not disclose Customer’s personal data to third parties except where (a) Customer has given written instructions to that effect, (b) Somogy is obliged to do so by Union or Dutch statutory law, or (c) the third party is a sub-processor in accordance with article 9.
7.3 In the event of a legitimate request from a competent government authority for the disclosure of Customer’s personal data, Somogy shall inform Customer as soon as possible, unless mandatory law prohibits such notification, and shall limit the disclosure to what is strictly necessary.
8. Security of processing (art. 32 GDPR)
8.1 Somogy implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risks to the rights and freedoms of data subjects.
8.2 A description of the measures applied by Somogy is set out in Annex B (Technical and Organisational Measures - TOMs).
8.3 Somogy evaluates the effectiveness of the measures periodically and in any event after a relevant incident; where necessary, Somogy shall adjust the measures. Material changes to Annex B shall be notified to Customer through the amendment procedure (article 15).
8.4 Customer is responsible for the security of its own systems and credentials, including (without limitation) the strength and management of passwords of accounts created by Customer, the security of its workstations, and the maintenance of its own WordPress installation (core, plugins, themes) unless a maintenance contract has been concluded for this purpose.
8.5 Somogy shall provide Customer, upon reasonable request, with the information necessary to demonstrate compliance with art. 28 and 32 GDPR. An on-site audit by Customer or by an independent auditor mandated by Customer and bound by confidentiality is permitted, provided that:
- (a) it is announced in writing with a notice period of at least thirty (30) days;
- (b) it is conducted during office hours and without unreasonable disruption of the services;
- (c) it takes place at most once per calendar year, except where there are indications of a concrete incident or a reasonable indication of a deficiency;
- (d) it is at Customer’s expense, unless the audit reveals a material deficiency on the part of Somogy.
Somogy may initially respond to a reasonable audit request by providing available certifications, assurance reports or comparable documentation of itself or of its sub-processors (including Hetzner’s ISO 27001 and BSI C5 certifications); an on-site audit is complementary, not a substitute.
9. Sub-processors (art. 28(2) and (4) GDPR)
9.1 Customer grants Somogy general written authorisation for the engagement of the sub-processors listed on the Partners page (somogy.nl/partners), summarised in Annex C.
9.2 Somogy shall impose on each sub-processor, by contract, the same data protection obligations as those set out in this Data Processing Agreement, in particular the obligation to implement appropriate security measures. If a sub-processor fails to fulfil its obligations, Somogy shall remain fully liable to Customer for the sub-processor’s performance, in accordance with art. 28(4) GDPR.
9.3 Somogy shall announce an intended change (addition or replacement) of sub-processors at least thirty (30) days in advance, by means of:
- (a) email to the primary contact address provided by Customer; and
- (b) publication on the Partners page.
9.4 Customer may object to the intended change on data-protection grounds, with reasons, within the announcement period. If the parties cannot reach a solution acceptable to both, Customer has the right to terminate the parts of the Main Agreement relating to the service concerned free of charge and without observing a notice period as of the effective date of the change.
9.5 WordPress hosting sub-processor - Cloudflare: Cloudflare, Inc. (based in the United States) is a standing sub-processor for the WordPress hosting service (CDN / WAF / reverse proxy / TLS termination at the edge). Cloudflare on this layer is necessary to protect the shared WordPress infrastructure and all customer sites hosted on it against DDoS and application-layer attacks. For customers who only take email hosting, Cloudflare is not a sub-processor and no transfer to the United States takes place in that context. Cloudflare is not used for somogy.nl itself.
10. Transfers outside the European Economic Area (EEA)
10.1 Somogy primarily operates on infrastructure within the EEA (Hetzner data centres in Germany).
10.2 If and to the extent that a transfer outside the EEA takes place, Somogy relies on the safeguards referred to in chapter V GDPR (art. 44 et seq.).
10.3 Structural transfer to a country with an adequacy decision (art. 45 GDPR) - rsync.net (Switzerland, Zurich), for off-site backup storage. Switzerland is listed by the European Commission as a third country providing an adequate level of data protection (Commission Decision 2000/518/EC, confirmed under the GDPR), so this transfer is permitted without additional safeguards such as Standard Contractual Clauses. In addition, backups are client-side encrypted with borg (BorgBackup) before they leave the Somogy environment; the encryption keys are managed exclusively within the Somogy environment, meaning that rsync.net (or any US parent entity) cannot decrypt the content of the backups.
10.4 Structural transfer to a country without an adequacy decision (art. 46 GDPR) - Cloudflare, Inc. (United States), for all WordPress hosting customers (see article 9.5). For this transfer, Somogy relies on:
- (a) the Standard Contractual Clauses (SCC) included in Cloudflare’s Data Processing Addendum (Implementing Decision (EU) 2021/914); and
- (b) Cloudflare’s certification under the EU-US Data Privacy Framework, to the extent valid at the time of processing.
10.5 Somogy maintains a Transfer Impact Assessment (TIA) for transfers to third countries without an adequacy decision and updates it in response to relevant legal or factual developments.
11. Rights of data subjects - assistance to Customer
11.1 If a data subject contacts Somogy directly with a request to exercise its rights under chapter III GDPR (access, rectification, erasure, restriction, portability, objection), Somogy shall not respond to that request independently but shall forward it to Customer without undue delay, together with the context available.
11.2 Somogy shall provide Customer - taking into account the nature of the processing - with reasonable technical and organisational assistance in handling such requests, including providing an export of a data subject’s data, deleting data, or restricting processing upon instruction from Customer.
11.3 Assistance that goes beyond a normal request and requires a demonstrably additional effort may be charged on a time-and-materials basis in accordance with article 4.5 of the General Terms and Conditions.
12. Personal data breach (art. 33 GDPR)
12.1 Somogy shall notify Customer without undue delay after becoming aware of a personal data breach affecting or potentially affecting Customer’s personal data, in accordance with art. 33(2) GDPR. The notification shall be made sufficiently promptly to enable Customer to comply with its own 72-hour notification obligation to the Dutch Data Protection Authority (art. 33(1) GDPR) and - where applicable - its notification obligation to data subjects (art. 34 GDPR). A personal data breach also qualifies as a significant security incident as referred to in article 6.5 of the General Terms and Conditions.
12.2 The notification shall contain at least the following information, to the extent reasonably available at the time of notification:
- (a) the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned;
- (b) the contact details of the person or function designated within Somogy from whom further information can be obtained;
- (c) the likely consequences of the breach;
- (d) the measures taken or proposed to be taken by Somogy to mitigate the breach and to prevent recurrence.
12.3 Where it is not possible to provide all information at once, Somogy shall provide it in separate, timely successive notifications, without further undue delay.
12.4 Somogy provides Customer with reasonable assistance in meeting Customer’s own notification obligations to the Dutch Data Protection Authority (art. 33 GDPR) and, where applicable, to data subjects (art. 34 GDPR).
12.5 The assessment of whether a personal data breach must be notified to the Dutch Data Protection Authority or to data subjects lies with Customer as controller. Somogy does not independently notify the Dutch Data Protection Authority or data subjects of a breach occurring in Customer’s systems.
12.6 Somogy records every (suspected) personal data breach in its internal breach register.
13. Termination - return or deletion of data
13.1 After termination of the Main Agreement, for whatever reason, Customer’s data shall be retained for a further thirty (30) days (grace period), in accordance with article 8.7 of the General Terms and Conditions. Within that period, Customer chooses whether the personal data is returned to Customer or deleted by Somogy; in the absence of a choice, the data is deleted upon expiry of the grace period.
13.2 Within that thirty (30) day period, Customer may request Somogy in writing to:
- (a) export or return the data in a commonly used format; and/or
- (b) extend the retention period to complete the migration.
13.3 Any export or migration work shall be performed on a time-and-materials basis in accordance with article 4.5 of the General Terms and Conditions.
13.4 After expiry of the grace period (or after completion of the export, if extended), Somogy shall delete Customer’s personal data from the production systems.
13.5 Backups that still contain the data shall not be actively deleted from the backup archives but shall follow the rolling retention period for backups (see Annex B). During this period, the data remains subject to the security measures set out in this Data Processing Agreement and shall not be used for any other purpose.
13.6 Somogy shall provide Customer, upon request, with a written confirmation of deletion.
13.7 The obligations under this Data Processing Agreement that are intended by their nature to continue after termination (including confidentiality and security of any remaining backup copies) shall remain in force thereafter.
14. Liability
14.1 The liability of Somogy under or in connection with this Data Processing Agreement is governed by article 10 of the General Terms and Conditions. No separate liability regime applies to this Data Processing Agreement.
14.2 Customer indemnifies Somogy against third-party claims arising from Customer’s failure to comply with its own obligations under the GDPR, including the absence of a lawful basis for processing activities carried out by Customer via the services.
15. Amendment, governing law and disputes
15.1 Amendments to this Data Processing Agreement shall be notified to Customer in accordance with the amendment procedure set out in article 9 of the General Terms and Conditions (30 days’ notice, right of termination in the event of a materially disadvantageous change).
15.2 This Data Processing Agreement is governed exclusively by Dutch law. Disputes shall be submitted exclusively to the District Court of Noord-Nederland, location Groningen, subject to mandatory rules of jurisdiction.
15.3 The Dutch version of this Data Processing Agreement prevails over any translation.
Annex A - Specific description of the processing
Subject matter of the processing: the processing of personal data that takes place as part of the hosting services provided by Somogy to Customer under the Main Agreement.
Duration of the processing: the duration of the Main Agreement, plus the grace period referred to in article 13 and the retention periods for backups (see Annex B).
Nature of the processing: storage, consultation, use, transmission (to the extent of sending/receiving email or serving website content), organisation, structuring, modification and deletion of personal data, carried out by automated systems managed by Somogy.
Purpose of the processing: making email and WordPress hosting services available as described in article 4 of the General Terms and Conditions, including activities related to the service (anti-spam / anti-virus filtering, backups, security, deliverability).
Types of personal data: depending on Customer’s use, potentially:
- identification data (name, username, email address);
- contact details (telephone number, postal address);
- content of email messages, including attachments;
- content of website databases and uploaded media (for WordPress hosting);
- traffic and logging data (IP address, timestamp, user-agent);
- authentication data (password hashes of accounts created by Customer).
Customer is aware that it determines itself which data is stored in mailboxes and WordPress installations. Somogy has no direct influence over this choice.
Categories of data subjects
- employees and contact persons of Customer;
- end-users of Customer (email recipients, website visitors);
- clients or relations of Customer, to the extent that their data is processed by Customer in the services.
Special categories (art. 9 GDPR) / criminal offence data (art. 10 GDPR): not envisaged. Customer shall implement appropriate additional safeguards if such data is processed via the services (see article 4.2).
Annex B - Technical and Organisational Measures (TOMs)
This annex describes the measures applied by Somogy at the time of signing. Somogy may adjust the measures pursuant to article 8.3 of the Data Processing Agreement, provided that the level of security remains at least equivalent.
Confidentiality: this annex describes the measures at a high level. Detailed configuration, network topology, version information and other data whose disclosure could undermine security shall be shared upon Customer’s reasonable request under confidentiality (NDA or equivalent). Customer shall not disclose this annex or the detailed information received under NDA without prior coordination with Somogy; inclusion of the measures described herein in Customer’s own processing register or internal documentation is permitted.
B.1 Infrastructure
- Hosting: physical servers and cloud resources are obtained from Hetzner Online GmbH in data centres in Germany (Falkenstein, Nürnberg), within the EEA.
- Data centre certifications: the data centres used by Hetzner are ISO 27001 certified and comply with the German BSI C5 framework. Somogy itself does not claim ISO 27001 certification at organisational level; for the data centre layer, Somogy relies on Hetzner’s certifications and on the organisational measures set out in this Annex.
B.2 Access control and authentication
- Administrative server access: exclusively via SSH with public-key authentication; password login is disabled.
- Administrative accounts: person-specific, least-privilege principle; no shared accounts.
- Multi-factor authentication (MFA): enabled on all management portals where supported (Hetzner Cloud Console, OpenProvider, Moneybird, DNS management, registrar accounts, founder’s email management).
- Network segmentation: management interfaces are not directly exposed to the open internet; SSH access is restricted to an IP allowlist or via a jump host.
- Brute-force protection: fail2ban or equivalent mechanisms on SSH and mail services.
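As an added illustration of the B.2 measures (key-only administrative SSH access, no password login, person-specific accounts restricted to an allowlisted network or jump host), the following script renders an sshd drop-in, validates the whole effective configuration with `sshd -t` before reloading, and audits the running settings with `sshd -T`. It is example code, not Somogy’s own configuration: the admin user names, the allowlisted network and the drop-in path are placeholders, and it assumes an OpenSSH build whose main `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` (the Debian/Ubuntu default) and that supports CIDR patterns in `AllowUsers`.

```shell
#!/bin/sh
# Added example (not Somogy's own config): render, validate and audit an sshd
# hardening drop-in matching Annex B.2. Placeholders: ADMIN_USERS, ALLOWED_NET.
ADMIN_USERS="alice bob"           # hypothetical person-specific admin accounts
ALLOWED_NET="203.0.113.0/24"      # hypothetical jump host / office range
DROPIN="/etc/ssh/sshd_config.d/10-hardening.conf"

# Print the drop-in to stdout so it can be reviewed or diffed before installing.
render_sshd_hardening() {
  cat <<EOF
# Hardening drop-in (B.2): key-only administrative access
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
# Named accounts only, and only from the allowlisted network or jump host
AllowUsers $(for u in $ADMIN_USERS; do printf '%s@%s ' "$u" "$ALLOWED_NET"; done)
EOF
}

# Install the drop-in, then let sshd parse the full effective config (main file
# plus all drop-ins) before reloading; roll back if sshd rejects it.
install_sshd_hardening() {
  render_sshd_hardening > "$DROPIN"
  if sshd -t; then
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
  else
    echo "sshd -t rejected the configuration; removing $DROPIN" >&2
    rm -f "$DROPIN"
    return 1
  fi
}

# Post-install check: sshd -T dumps the effective values, so a later drop-in or a
# distro default cannot silently re-enable passwords without this showing it.
audit_sshd() {
  sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin|pubkeyauthentication|authenticationmethods) '
}

case "${1:-}" in
  render)  render_sshd_hardening ;;
  install) install_sshd_hardening ;;
  audit)   audit_sshd ;;
esac
```

Run it as `sh harden-sshd.sh render` to inspect the result, `install` (as root) to apply it, and `audit` afterwards; the `sshd -t` step is what turns a config change into a checked change rather than a lock-out risk.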
B.3 Encryption
- In transit: all external connections to hosting services use TLS 1.2 or higher; HTTP traffic is redirected to HTTPS. For email hosting, certificates are issued via Let’s Encrypt; for WordPress hosting, TLS is terminated at the edge by Cloudflare and origin connections use Cloudflare Origin Certificates.
- Email in transit: client connections (submission and mailbox access) require TLS; MX-to-MX traffic uses opportunistic STARTTLS (RFC 3207), with MTA-STS (RFC 8461) and TLS reporting (TLS-RPT, RFC 8460) configured where practically feasible so that sending domains that honour them can refuse to downgrade to cleartext.
- At rest: server disks in cloud contexts make use of the encryption mechanisms offered by Hetzner where available. Passwords of accounts created by Customer are stored solely as salted hashes (bcrypt or equivalent).
B.4 Availability, backup and recovery
- Snapshot strategy: hourly snapshots with a retention of twenty-four (24) hours, and daily snapshots with a retention of thirty (30) days. This strategy applies to both WordPress hosting and mailboxes, subject to plan-specific deviations.
- Off-site replication: snapshots are replicated off-site to two independent destinations: rsync.net and Hetzner Storage Box. Both destinations are physically separated from the production environment.
- Backup encryption: backups are client-side encrypted with borg (BorgBackup) before they leave the Somogy environment. The encryption keys are managed exclusively within the Somogy environment; the off-site destinations (rsync.net and Hetzner Storage Box) retain only encrypted chunks and have no access to the plaintext. Transport additionally runs over SSH/SFTP.
- Restore tests: at least once per quarter a sample restore is performed and logged.
- Monitoring: uptime and error monitoring on production services; security monitoring (failed-login alerts, resource anomalies).
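As an added example of the B.4 scheme, the script below pushes client-side encrypted borg archives over SSH to two independent off-site repositories, prunes them to the hourly-24 / daily-30 policy stated above, and performs the sample restore used for the quarterly restore test. It is illustrative code, not Somogy’s own backup script: the repository URLs, source directories, passphrase file and key export path are placeholders, and it assumes borg 1.2 or later on the client. It uses borg’s `keyfile` mode, in which the repository key exists only on the client, which is exactly why the key itself must be exported and stored out-of-band.

```shell
#!/bin/sh
# Added example (not Somogy's own script): encrypted off-site borg backups with
# the Annex B.4 retention policy and a restore test. All paths/URLs are placeholders.
set -eu

# Hypothetical destinations reached over SSH: rsync.net and a Hetzner Storage Box.
REPOS="ssh://user@rsync.example.net/./mail-backup ssh://u12345@u12345.storagebox.example/./mail-backup"
SOURCE_DIRS="/var/mail /var/www"
# Passphrase protecting the local key file; it never leaves the client.
export BORG_PASSCOMMAND="cat /root/.borg-passphrase"

# Retention from B.4: 24 hourly and 30 daily archives. Returned as a string so the
# policy can be checked (and reused) without invoking borg.
prune_args() {
  printf '%s' "--keep-hourly=24 --keep-daily=30"
}

# Archive name = host + UTC timestamp: sorts chronologically and never collides.
archive_name() {
  printf '%s-%s' "$(uname -n)" "$(date -u +%Y-%m-%dT%H-%M-%SZ)"
}

# One-time setup per destination. keyfile mode keeps the key only on the client;
# the remote stores chunks it cannot decrypt.
init_repo() {
  borg init --encryption=keyfile-blake2 "$1"
  # Export the key out-of-band: without it the repository is unrecoverable.
  borg key export "$1" "/root/borg-keys/$(printf '%s' "$1" | tr '/:@' '___').key"
}

# Create the archive, then prune to policy and reclaim space.
backup_repo() {
  repo="$1"; name="$2"
  # shellcheck disable=SC2086  # word-splitting of SOURCE_DIRS / prune_args is intended
  borg create --compression zstd --stats --exclude '*/tmp/*' "$repo::$name" $SOURCE_DIRS
  borg prune $(prune_args) "$repo"
  borg compact "$repo"
}

# Restore test: extract one file from the newest archive into a scratch directory
# and compare it byte-for-byte with production. Fails loudly on mismatch.
restore_test() {
  repo="$1"; sample="$2"
  latest=$(borg list --short --last 1 "$repo")
  scratch=$(mktemp -d)
  (cd "$scratch" && borg extract "$repo::$latest" "${sample#/}")
  if cmp -s "$sample" "$scratch/${sample#/}"; then
    echo "restore test OK: $repo $latest $sample"
  else
    echo "restore test FAILED: $repo $latest $sample" >&2
    rm -rf "$scratch"
    return 1
  fi
  rm -rf "$scratch"
}

case "${1:-}" in
  init)   for r in $REPOS; do init_repo "$r"; done ;;
  backup) name=$(archive_name); for r in $REPOS; do backup_repo "$r" "$name"; done ;;
  verify) for r in $REPOS; do restore_test "$r" "${2:?path of a file to restore-test}"; done ;;
esac
```

Schedule `backup` hourly (the prune flags then yield the 24-hourly / 30-daily window on their own), and run `verify /some/production/file` at least quarterly and log its output; a restore test that only checks `borg list` proves the index is readable, not that the data comes back.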
B.5 Logging and detection
- Mail server: send and receive headers are logged for deliverability, abuse and debugging; retention in accordance with .
- Web server: access and error logs are retained for a maximum of thirty (30) days.
- Administrative actions: administrative actions on production servers are logged (shell history, auditd or equivalent).
B.6 Development, staging and change management
- Staging environments: use exclusively anonymised or synthetic data; production data is not copied to staging without explicit masking.
- Change management: changes to production servers are recorded in version control (Git) where possible; high-risk changes are performed outside office hours.
- Patching: critical security updates at the OS and middleware level are applied as soon as possible, typically within seven (7) days after publication; emergency patches also outside that window.
B.7 Organisational measures
- Confidentiality: every person processing personal data on behalf of Somogy signs a confidentiality statement (or is contractually bound to confidentiality via the employment or service contract). As of the effective date of this Data Processing Agreement, Somogy is a one-person business; the founder/director is personally bound by confidentiality through the statutory director relationship and through this Data Processing Agreement.
- Security awareness: the founder keeps up with relevant developments (CVEs, Dutch DPA news, Hetzner/Cloudflare security advisories). Upon team expansion, a structured security awareness programme will be introduced.
- Incident logging: all (suspected) personal data breaches and material security incidents are logged in an internal breach register.
- Processing register: Somogy maintains a processing register in accordance with art. 30 GDPR.
- Review: Annex B is reviewed at least annually and updated where necessary; material changes are announced in accordance with article 15.
B.8 Access to customer data by Somogy personnel
Access to customer data by Somogy personnel is limited to what is necessary for:
- (a) operational management and troubleshooting;
- (b) handling of a support request from Customer;
- (c) investigation of a (suspected) security incident or abuse (AUP enforcement);
- (d) compliance with a legal obligation.
For support requests that require access to mailbox or WordPress content, Somogy, where possible, requests explicit authorisation from Customer before such access takes place.
Annex C - List of approved sub-processors
The current, always-valid list of sub-processors is published at somogy.nl/partners. That list prevails over the summary below if the summary lags behind changes announced in accordance with article 9. The internal source data is kept in .
As of the effective date of this Data Processing Agreement, the following sub-processors apply:
| # | Sub-processor | Legal form / registered seat | Service | Country of processing | Applicable |
|---|---|---|---|---|---|
| 1 | Hetzner Online GmbH | GmbH, Germany (Gunzenhausen) | Server and cloud hosting (infrastructure for email and WordPress environments), including Hetzner Storage Box as the destination for encrypted off-site backups | Germany (EEA) | Always |
| 2 | Cloudflare, Inc. | Inc., United States (San Francisco, CA) | CDN / WAF / reverse proxy / TLS termination at the edge for WordPress hosting | United States (with EU edge) | Standing for all WordPress hosting customers; not applicable for email-only hosting |
| 3 | rsync.net, Inc. | California Corporation, United States; service delivered from Equinix ZH4, Zurich | Off-site destination for encrypted backups; receives only borg client-side encrypted chunks and has no access to the plaintext (see Annex B.4) | Switzerland (Zurich - adequacy decision, art. 45 GDPR) | Always |
| 4 | Moneybird B.V. | B.V., the Netherlands (Enschede) | Invoicing and bookkeeping - exclusively Customer’s own name and billing data, no personal data of Customer’s data subjects | The Netherlands (EEA) | Always (only for the invoicing relationship with Customer) |
| 5 | Hosting Concepts B.V. (trading as OpenProvider) - KvK 24277249, Hofplein 20, 3032 AC Rotterdam | B.V., the Netherlands (Rotterdam) | Domain registrar reseller for the management of customer domains (registrant = Customer itself, see General Terms article 4.2) | The Netherlands (EEA) | Only if Somogy registers or manages a domain on behalf of Customer |
Transfer outside the EEA: see article 10. Switzerland (rsync.net) is covered by an adequacy decision and requires no SCCs; the United States (Cloudflare, for WordPress hosting) does - based on the SCC in Cloudflare’s DPA and the EU-US Data Privacy Framework (to the extent valid).
Purpose per sub-processor: the processing by each sub-processor is limited to the service set out in the table above and is contractually bounded such that the sub-processor does not use the data for its own purposes.
Sub-processors’ DPAs: the DPAs (or equivalent processor agreements) with the sub-processors listed above have been concluded by Somogy and are available for Customer’s inspection on request, with any commercially confidential passages redacted.