Data Processing Agreement
How we handle your data as an infrastructure provider.
Last update: 2026-03-14
This Data Processing Agreement ("DPA") forms part of the Terms of Service between VIRTUA SYSTEMS ("Virtua.Cloud", "we", "us", "our") and the Customer ("you", "your") and governs the processing of personal data by Virtua.Cloud on behalf of the Customer in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
By using our services, you agree to the terms of this DPA. This agreement supplements our Privacy Policy and Terms of Service.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- Processing: Any operation performed on personal data, as defined in Article 4(2) of the GDPR.
- Controller: The natural or legal person which determines the purposes and means of the processing of personal data. In this DPA, the Customer acts as the Controller.
- Processor: The natural or legal person which processes personal data on behalf of the Controller. In this DPA, Virtua.Cloud acts as the Processor.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Supervisory Authority: An independent public authority responsible for monitoring the application of the GDPR.
2. Scope and Roles
Virtua.Cloud provides Infrastructure as a Service (IaaS) hosting. Our customers receive full administrative access to their virtual private servers and are solely responsible for the data they store and process on that infrastructure.
Virtua.Cloud does not access, monitor, or process data stored on customer servers. We act as a data processor only for customer account data necessary to deliver our services (such as contact information, billing details, and support communications).
For any personal data that customers choose to store or process on their Virtua.Cloud servers, the customer is the data controller and bears full responsibility for compliance with applicable data protection laws.
3. Processing Details
| Element | Description |
|---|---|
| Nature of processing | IaaS hosting, account management, billing, customer support |
| Categories of personal data | Customer contact information (name, email, phone), billing data (address, payment references), support ticket content, server access logs |
| Categories of data subjects | Customer employees and authorized contacts |
| Purpose of processing | Service delivery and contract fulfillment |
| Duration | For the duration of the service agreement, plus applicable retention periods as described in our Privacy Policy |
4. Obligations of Virtua.Cloud
As a data processor, Virtua.Cloud shall:
- Process personal data only on documented instructions from the Customer, unless required by law.
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Physical security of owned and leased rack space with controlled access
- Network security including DDoS protection and firewalls
- Encryption of data in transit
- Strict access controls and authentication
- Self-hosted monitoring and alerting systems
- Assist the Customer in responding to requests from data subjects exercising their rights under Chapter III of the GDPR.
- Assist the Customer in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments.
- At the choice of the Customer, delete or return all personal data upon termination of the service agreement.
- Make available to the Customer all information necessary to demonstrate compliance with this DPA.
5. Obligations of the Customer
As a data controller, the Customer shall:
- Ensure that a valid lawful basis exists for all processing of personal data.
- Comply with all applicable data protection laws and regulations.
- Be solely responsible for any personal data stored or processed on their Virtua.Cloud servers.
- Provide processing instructions that are consistent with applicable law.
6. Sub-processors
Virtua.Cloud uses the following sub-processors. All other services (monitoring, ticketing, email) are operated entirely in-house on our own infrastructure.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing | Billing data, card details | EU / US |
| PayPal | Payment processing | Billing data, email address | EU / US |
| Mollie | Payment processing | Billing data | EU |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object within 30 days. If you object and we cannot reasonably accommodate your objection, either party may terminate the affected services.
7. Data Breach Notification
In the event of a personal data breach affecting data processed on behalf of the Customer, Virtua.Cloud will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification will include:
- The nature of the personal data breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Virtua.Cloud will cooperate with the Customer to fulfill the Customer's own notification obligations under Articles 33 and 34 of the GDPR.
8. Data Location
All customer account data (contact information, billing, support tickets) is stored exclusively in our European Union datacenters. There are no international transfers of customer personal data.
Customers may choose to deploy servers in any of our available locations, including locations outside the EU. The choice of server location and any resulting data transfers are the sole responsibility of the Customer as data controller.
9. Data Retention and Deletion
Virtua.Cloud retains customer account data in accordance with the retention schedule described in our Privacy Policy.
Upon termination of the service agreement, customer account data will be deleted in accordance with the retention periods set out in the Privacy Policy. Customers are responsible for retrieving or deleting any data stored on their servers prior to termination.
10. Audit Rights
The Customer may audit Virtua.Cloud's compliance with this DPA, subject to the following conditions:
- The Customer must provide at least 30 days' advance written notice.
- Audits shall be conducted during normal business hours.
- No more than one audit per calendar year, unless required by a supervisory authority.
- The Customer shall bear the costs of the audit, unless the audit reveals a material breach of this DPA by Virtua.Cloud.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of France. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Paris, France.
12. Contact
For questions about this Data Processing Agreement or to exercise your rights, please contact us: