This Data Processing Agreement ("DPA"), including its schedules and annexes, forms part of the Agreement between Rochen Limited ("Rochen") and Customer for the provision of the Services.
This DPA applies where and to the extent Rochen processes Customer Personal Data on behalf of Customer in connection with the Services. Rochen's Terms of Service ("TOS") incorporate this DPA by reference.
Capitalised terms defined in this DPA apply for purposes of this DPA. Capitalised terms used but not defined in this DPA have the meanings given in the TOS.
This DPA is entered into by and between:
Rochen Limited ("Rochen"), a company incorporated in Scotland, United Kingdom, with company number SC242971 and its registered office at 11 Dudhope Terrace, Dundee, DD3 6TS, United Kingdom, on behalf of itself and its Affiliates involved in providing the Services, including Rochen US, Inc.; and
Customer, the person or entity that has entered into an agreement with Rochen for the Services.
Rochen and Customer are each a “party” and together the “parties”.
In this DPA:
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
Agreement means Rochen’s Terms of Service, together with any applicable order, service agreement, or other written or electronic agreement between Customer and Rochen governing Customer’s use of the Services, including any documents incorporated by reference, such as Rochen’s Acceptable Use Policy and other applicable policies.
Applicable Data Protection Laws means all data protection and privacy laws applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, the UK GDPR, the UK Data Protection Act 2018, the EU GDPR, applicable national implementing laws of the European Economic Area, the Swiss Federal Act on Data Protection, and other similar data protection laws.
Personal Data has the meaning given to it in Applicable Data Protection Laws.
Customer Personal Data means Personal Data that Rochen processes on behalf of Customer in connection with the Services, including Personal Data uploaded, submitted, stored, transmitted, or otherwise made available by or on behalf of Customer using the Services.
Customer Relationship Data means Personal Data processed by Rochen as an independent controller in connection with account administration, billing, payments, support, security, and operation of the customer relationship, and not Customer Personal Data processed on behalf of Customer using the Services.
Customer Applications means any applications, websites, software, code, databases, or other components deployed, hosted, or operated by or on behalf of Customer using the Services, including associated content and configurations.
Data Subject, Personal Data Breach, process, processing, controller, processor, and supervisory authority have the meanings given to them in Applicable Data Protection Laws.
Restricted Transfer means a transfer of Personal Data that is subject to transfer restrictions under Applicable Data Protection Laws.
Services means any services provided by Rochen under the Agreement, including web hosting, managed cloud hosting, server, compute, storage, domain registration, content delivery network (CDN), DNS, backup, security, application hosting, email hosting, database hosting, SSL certificate, technical support, migration, professional services, and related services.
Subprocessor means any third party, including Rochen Affiliates, engaged by Rochen to process Customer Personal Data on behalf of Customer in connection with the Services.
UK GDPR means the retained EU law version of the General Data Protection Regulation.
EU GDPR means Regulation (EU) 2016/679.
3.1 This DPA applies only to the extent Rochen processes Customer Personal Data as a processor or subprocessor on behalf of Customer in connection with the Services.
3.2 Customer acts as a controller, or as a processor on behalf of a third-party controller. Rochen acts as a processor, or subprocessor where Customer acts as a processor.
3.3 Rochen processes certain Personal Data as an independent controller. This includes account registration data, billing and payment data, support communications, service usage metadata, abuse and security-related data, and other administrative or operational data relating to the customer relationship ("Customer Relationship Data"). For clarity, Customer Relationship Data does not include data stored, hosted, or processed by Customer using the Services, which remains Customer Personal Data. Where support communications include Customer Personal Data submitted by or on behalf of Customer for the purpose of receiving support, Rochen will process that Customer Personal Data in accordance with this DPA.
3.4 Processing of Customer Relationship Data is governed by Rochen’s Privacy Notice and not this DPA.
3.5 If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data. If there is a conflict between this DPA and the Standard Contractual Clauses or UK Addendum, the Standard Contractual Clauses or UK Addendum will control to the extent of the conflict.
3.6 This DPA is intended to apply globally. Where laws outside the UK GDPR or EU GDPR apply, including laws of the United States, Canada, Brazil, India, or other jurisdictions, the parties agree that this DPA will be interpreted and applied to meet the requirements of such laws to the extent applicable.
3.7 To the extent applicable under United States privacy laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Customer is a "business" or "controller" and Rochen is a "service provider" or "processor". Rochen will not sell or share Customer Personal Data as those terms are defined under applicable US state privacy laws, except as permitted by such laws.
4.1 Rochen will process Customer Personal Data only on Customer’s documented instructions, unless required to do so by applicable law. The Agreement, this DPA, Customer’s use and configuration of the Services, and Customer’s instructions provided through the My Rochen portal, support channels, or other agreed means constitute Customer’s documented instructions.
4.2 Rochen is not obligated to assess or monitor the legality of Customer’s use of the Services or instructions, except to the extent required by Applicable Data Protection Laws. Rochen will inform Customer if, in Rochen’s reasonable opinion and based on information available to it, an instruction clearly infringes Applicable Data Protection Laws, unless prohibited from doing so by law.
4.3 Customer is responsible for ensuring that its instructions are lawful and that Customer has provided all required notices and obtained all required rights, permissions, and lawful bases for the processing of Customer Personal Data using the Services.
5.1 Rochen processes Customer Personal Data to provide, secure, support, maintain, monitor, improve, and troubleshoot the Services; to perform backups and restores; to prevent abuse and security incidents; to comply with Customer’s instructions; and as otherwise described in the Agreement and this DPA.
5.2 Details of the subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are set out in Schedule 1.
6.1 Customer is responsible for:
6.2 For clarity, Customer is solely responsible for the security, configuration, updates, patching, removal, and management of Customer Applications hosted or processed using the Services, including any Customer Personal Data processed by or within Customer Applications. This responsibility applies even where Customer Applications are installed, configured, migrated, updated, or otherwise assisted using tools, features, or support provided by Rochen as part of the Services, unless the Agreement expressly provides otherwise.
6.3 Customer acknowledges that Rochen does not control the categories or volume of Customer Personal Data that Customer chooses to upload, store, transmit, or otherwise process using the Services.
Rochen will ensure that personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional, and that they process Customer Personal Data only as necessary to provide the Services or as otherwise permitted by this DPA.
8.1 Rochen will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
8.2 The measures will take into account the nature, scope, context, and purposes of processing, the risks presented by the processing, the state of the art, implementation costs, and the nature of the Services.
8.3 Rochen’s security measures include, as applicable to the Services and limited to the infrastructure and platform managed by Rochen:
8.4 For clarity, Rochen’s security measures do not extend to Customer Applications. Rochen does not perform application-level security testing, including vulnerability scanning or penetration testing of Customer Applications, unless the Agreement expressly provides otherwise.
8.5 Additional details are set out in Schedule 2.
9.1 Rochen will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
9.2 Rochen’s notification will, to the extent reasonably available, include information to help Customer meet its own breach-notification obligations, including the nature of the incident, the categories and approximate number of Data Subjects and records affected where known, likely consequences, and measures taken or proposed to address the incident.
9.3 Rochen’s notification of or response to a Personal Data Breach is not an acknowledgement of fault or liability.
9.4 Customer is responsible for determining whether a Personal Data Breach must be notified to a supervisory authority, Data Subjects, or any other party, unless Applicable Data Protection Laws require Rochen to notify directly.
10.1 Customer gives Rochen general authorisation to engage Subprocessors to process Customer Personal Data in connection with the Services.
10.2 Rochen will maintain a list of Subprocessors at https://rochen.com/legal/subprocessors. The list will identify the Subprocessor, purpose of processing, entity location, and, where applicable, processing location. The same page may also identify other third-party providers used by Rochen in connection with Customer Relationship Data, business operations, billing, communications, fraud prevention, analytics, marketing, or other controller-side processing described in Rochen’s Privacy Notice.
10.3 Rochen will impose written data protection obligations on each Subprocessor that are no less protective in substance than those imposed on Rochen under this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.
10.4 Rochen remains responsible to Customer for the performance of its Subprocessors’ obligations to the extent required by Applicable Data Protection Laws.
10.5 Rochen will provide notice of new or replacement Subprocessors by updating the Subprocessor list or by another appropriate method. Where reasonably practicable, such notice will be provided in advance of the change. Customer may object to a new or replacement Subprocessor on reasonable data protection grounds by notifying Rochen in writing within 30 days after notice. The parties will work in good faith to resolve the objection. If the parties cannot resolve the objection, Customer may terminate the affected Services, and Rochen will refund any prepaid fees for the unused portion of the terminated Services, unless the Agreement provides otherwise.
11.1 Customer may select the data centre region for each website or service where region selection is available. Rochen currently offers hosting regions in the United States, Canada, United Kingdom, Germany, Australia, India, and Brazil, subject to availability and service configuration.
11.2 Customer acknowledges that some Services, including content delivery, DNS, security, monitoring, support, email routing, remote administration, billing, fraud prevention, backups, off-site backup storage, disaster recovery, and other operational functions, may involve processing or access from locations outside the selected hosting region.
11.3 Rochen personnel and Affiliates may process Customer Personal Data from the United Kingdom, United States, Canada, Brazil, India, and other locations where Rochen or its approved Subprocessors operate, as necessary to provide, support, secure, and maintain the Services.
11.4 For Restricted Transfers subject to the EU GDPR, the parties agree that the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the “Standard Contractual Clauses”) are incorporated by reference into this DPA and apply as follows:
11.5 For Restricted Transfers subject to the UK GDPR, the parties agree that the UK International Data Transfer Addendum to the EU Standard Contractual Clauses applies as set out in Schedule 4.
11.6 For transfers from Switzerland, the parties agree that the Standard Contractual Clauses apply with appropriate Swiss-specific modifications.
11.7 Where an adequacy decision or other lawful transfer mechanism applies, Rochen may rely on that mechanism instead of, or in addition to, the Standard Contractual Clauses or UK Addendum.
11.8 Rochen will take reasonable steps designed to ensure that international transfers of Customer Personal Data are protected in accordance with Applicable Data Protection Laws across all jurisdictions where the Services are provided, including the United States and Canada.
12.1 Taking into account the nature of the processing, Rochen will provide reasonable assistance to Customer, through appropriate technical and organisational measures, to help Customer respond to Data Subject requests under Applicable Data Protection Laws.
12.2 If Rochen receives a request from a Data Subject relating to Customer Personal Data, Rochen will, unless legally prohibited, direct the Data Subject to Customer or notify Customer. Rochen will not respond to the request except on Customer’s documented instructions or as required by law.
12.3 Customer is responsible for using the available controls in the Services to access, correct, export, delete, or restrict Customer Personal Data where those controls are available.
Taking into account the nature of processing and the information available to Rochen, Rochen will provide reasonable assistance to Customer with Customer’s obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, to the extent required by Applicable Data Protection Laws and where Customer does not otherwise have access to the relevant information.
Such assistance will be provided on a reasonable basis. To the extent such assistance requires significant additional resources or effort beyond the standard provision of the Services, Rochen may charge Customer for such assistance at its standard rates.
14.1 During the term of the Services, Customer may access, export, modify, and delete Customer Personal Data using the tools and protocols made available through the Services.
14.2 Upon termination or expiry of the Services, Rochen will delete or return Customer Personal Data in accordance with the Agreement, the applicable service configuration, and Customer’s documented instructions, unless applicable law requires retention.
14.3 Customer acknowledges that deleted Customer Personal Data may remain in backups for a limited period until overwritten or deleted in accordance with Rochen’s backup lifecycle. Backup data is isolated from ordinary processing and is not restored except as part of backup restoration, business continuity, security, or legal compliance processes.
15.1 Rochen will make available information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.
15.2 Customer may request an audit no more than once per calendar year, unless required by a supervisory authority or following a confirmed Personal Data Breach affecting Customer Personal Data. Any audit must be subject to reasonable confidentiality, security, timing, and scope requirements, and must not unreasonably interfere with Rochen’s business operations.
15.3 Rochen may satisfy audit obligations by providing relevant third-party certifications, audit reports, summaries, policies, questionnaires, or other documentation demonstrating compliance, where appropriate.
15.4 Audits will be conducted primarily through the provision of documentation and remote means. On-site audits are not permitted except where required by Applicable Data Protection Laws and where no reasonable alternative is available.
15.5 Customer is responsible for reasonable costs incurred by Rochen in supporting audits, including time, resources, and any third-party costs, unless such audit is required due to Rochen’s breach of this DPA or Applicable Data Protection Laws.
16.1 If Rochen receives a legally binding request from a public authority for Customer Personal Data, Rochen will, unless legally prohibited, notify Customer and direct the requesting authority to Customer.
16.2 Rochen will review such requests and challenge or narrow requests where Rochen reasonably determines that the request is unlawful, overbroad, or otherwise inappropriate, taking into account the circumstances and applicable law.
17.1 Rochen may provide the Services through Rochen Affiliates, including Rochen US, Inc. Where a Rochen Affiliate processes Customer Personal Data on behalf of Customer, Rochen will ensure that the Affiliate is bound by obligations consistent with this DPA.
17.2 Rochen remains responsible for the performance of Rochen Affiliates under this DPA to the extent required by Applicable Data Protection Laws.
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent prohibited by Applicable Data Protection Laws or the Standard Contractual Clauses.
This DPA begins when Customer agrees to the Agreement or starts using the Services and continues until Rochen no longer processes Customer Personal Data on behalf of Customer.
Rochen may update this DPA from time to time to reflect changes in law, regulatory guidance, the Services, or Rochen’s processing activities. Rochen will provide notice of material changes by appropriate means, such as posting an updated version on its website, email, or notice through the customer portal.
Rochen will process Customer Personal Data as necessary to provide, support, secure, maintain, administer, and improve the Services under the Agreement, including related technical support and customer requests, and as otherwise instructed by Customer through its use of the Services.
For the term of the Agreement and any period during which Rochen processes Customer Personal Data as part of backup retention, account closure, legal compliance, dispute resolution, or other lawful purposes permitted by the Agreement and Applicable Data Protection Laws.
Rochen processes Customer Personal Data as necessary to provide, support, secure, maintain, administer, and improve the Services under the Agreement, and as otherwise instructed by Customer through its use of the Services.
This includes, as applicable:
Customer determines the categories of Data Subjects. They may include:
Customer determines the categories of Personal Data. They may include:
The Services are not specifically designed for processing special categories of Personal Data, criminal offence data, protected health information, payment card data stored by Customer, or similarly sensitive data unless the Agreement provides otherwise or unless Customer has configured the Services and its own applications to meet applicable legal and security requirements.
Continuous for the duration of the Services.
Customer can choose the hosting region for each website or service where region selection is available. Some processing may still occur outside the selected hosting region, including support access, account administration, security monitoring, content delivery, DNS, email routing, payment processing, fraud prevention, backups, off-site backup storage, disaster recovery, and other operational processing.
Rochen maintains technical and organisational measures appropriate to the nature of the Services, including where applicable:
Rochen engages Subprocessors to provide certain aspects of the Services.
Rochen maintains an up-to-date list of Subprocessors, including their identity, purpose, and location, at: https://www.rochen.com/legal/subprocessors
This list may be updated from time to time in accordance with Section 10 of this DPA.
This Schedule 3 forms part of the information required under Applicable Data Protection Laws and, where applicable, the Standard Contractual Clauses.
This Schedule 4 forms part of the Data Processing Agreement (DPA) and applies to Restricted Transfers subject to the UK GDPR.
The parties agree that the UK International Data Transfer Addendum ("UK Addendum"), version B1.0 issued by the UK Information Commissioner’s Office and in force as of 21 March 2022, is incorporated into this DPA and applies to the EU Standard Contractual Clauses ("EU SCCs") as completed below.
The details of the parties, including contact information, are set out in the Agreement and this DPA. Rochen Affiliates and approved Subprocessors may participate in processing as described in this DPA.
Either party may end this UK Addendum as set out in Section 19 of the UK Addendum.
Where there is any conflict between this Schedule 4 and the EU SCCs or the UK Addendum, the EU SCCs and UK Addendum shall prevail to the extent of the conflict.
This Schedule 4 forms part of the safeguards for Restricted Transfers under Applicable Data Protection Laws.
Last updated: 29 April 2026