Legal

Data Processing Agreement

Last updated: 31 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Aftora Limited ("Processor", "Aftora"). It governs the processing of personal data carried out by Aftora on your behalf in connection with the Cascade platform, in accordance with UK GDPR Article 28. Defined terms used but not defined here have the meaning given in the Terms of Service.

1. Definitions

"Controller" — you, the Cascade customer who determines the purposes and means of processing.
"Processor" — Aftora Limited, which processes personal data on your behalf.
"Data Subject" — any identified or identifiable natural person whose personal data is processed.
"Personal Data" — any information relating to a Data Subject as defined in UK GDPR Art. 4(1).
"Processing" — any operation performed on Personal Data as defined in UK GDPR Art. 4(2).
"Sub-processor" — any third party engaged by Aftora to process Personal Data on your behalf.
"UK GDPR" — the UK General Data Protection Regulation as incorporated into UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
"DPA 2018" — the Data Protection Act 2018.

2. Subject matter and nature of processing

Aftora processes Personal Data solely to provide the Cascade platform services as described in the Terms of Service. Processing activities include:

Storing and displaying customer account records you create within Cascade
Processing service requests and provisioning actions you initiate
Generating invoices and financial records on your behalf
Storing support ticket communications
Maintaining audit logs of administrative actions

3. Categories of personal data and data subjects

3.1 Data subjects

Your end customers (individuals who purchase hosting services from you via Cascade).

3.2 Categories of personal data

Identity data (name, username)
Contact data (email address, phone number, postal address)
Financial data (billing address, payment method references — not full card numbers)
Technical data (IP address, service usage logs)
Communications (support tickets and messages)

Cascade is not designed to process special categories of data (Art. 9 UK GDPR). You must not input such data into the platform.

4. Processor obligations

Aftora shall:

Process Personal Data only on your documented instructions, unless required to do so by UK law (in which case we will notify you where legally permitted).
Ensure that all personnel authorised to process the Personal Data are bound by appropriate confidentiality obligations.
Implement and maintain appropriate technical and organisational security measures as set out in Schedule 1.
Not engage Sub-processors without your prior written authorisation (general authorisation is granted for the Sub-processors listed in Schedule 2).
Assist you, insofar as reasonably practicable, in responding to Data Subject rights requests under UK GDPR Chapter III.
Assist you in meeting your obligations under Arts. 32–36 UK GDPR (security, breach notification, DPIAs).
Notify you without undue delay (and in any event within 48 hours of becoming aware) of any personal data breach affecting the data we process on your behalf.
At your choice, delete or return all Personal Data on termination of the service, and delete existing copies unless UK law requires retention.
Make available all information reasonably necessary to demonstrate compliance with this DPA, and permit and contribute to audits.

5. Controller obligations

You warrant and undertake that:

You have a valid legal basis under UK GDPR Art. 6 (and Art. 9 where applicable) for all Personal Data you input into Cascade.
You have provided all required notices and obtained all required consents from Data Subjects.
Your instructions to Aftora comply with applicable data protection law.
You will not input special category data (Art. 9) or criminal records data (Art. 10) unless expressly agreed in writing.

6. Sub-processors

You grant general authorisation for Aftora to engage the Sub-processors listed in Schedule 2. Aftora will inform you of any intended changes (additions or replacements) to Sub-processors by updating Schedule 2 and providing at least 14 days' notice via email or in-platform notification.

If you reasonably object to a new Sub-processor on data protection grounds, you must notify us within 14 days of the notice. If we are unable to accommodate your objection, you may terminate the relevant service with a pro-rata refund of prepaid fees.

Aftora imposes data protection obligations on Sub-processors equivalent to those in this DPA and remains liable to you for Sub-processor performance.

7. International data transfers

Processing takes place primarily within the EEA (Germany — Hetzner infrastructure). Where Sub-processors transfer data outside the UK/EEA, Aftora ensures appropriate safeguards are in place, including the UK IDTA or equivalent adequacy mechanisms.

8. Data subject rights

Where you receive a Data Subject rights request relating to Personal Data processed in Cascade, you may fulfil the request directly using the platform's admin tools. Where platform tooling is insufficient, contact us at privacy@aftora.io and we will assist within the statutory timeframe.

9. Security and breach notification

Our security measures are described in Schedule 1. In the event of a Personal Data breach, we will notify you within 48 hours of becoming aware, providing (to the extent known): the nature of the breach, categories and approximate numbers of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

10. Term and termination

This DPA is effective for the duration of the Terms of Service. Termination of the Terms of Service automatically terminates this DPA. Obligations of confidentiality and those that by their nature should survive (including data deletion obligations) shall survive termination.

11. Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

12. Order of precedence

In the event of conflict between this DPA and the Terms of Service on matters of data protection, this DPA takes precedence.

Schedule 1 — Technical and organisational security measures

Access control

Role-based access control (RBAC) with least-privilege principles
Multi-factor authentication required for all Aftora staff with access to production systems
All access to production data is logged and auditable

Encryption

All data in transit encrypted with TLS 1.2 or higher
Data at rest encrypted using AES-256
Encryption keys managed separately from encrypted data

Infrastructure security

Infrastructure hosted in ISO 27001-certified data centres (Hetzner, Germany)
Network segmentation and firewalling between production environments
DDoS mitigation via Cloudflare
Regular vulnerability scanning and patching

Operational security

Incident response procedure with defined escalation paths
Staff data protection training on onboarding and annually
Background checks for staff with access to production systems
Penetration testing at least annually

Business continuity

Automated daily backups with geographic redundancy
Recovery time objective (RTO): 4 hours; Recovery point objective (RPO): 24 hours

Schedule 2 — Approved Sub-processors

Sub-processor	Location	Purpose
Hetzner Online GmbH	Germany (EEA)	Primary infrastructure and data storage
Cloudflare, Inc.	USA (SCCs / adequacy)	CDN, DDoS protection, DNS
Stripe, Inc.	USA (SCCs / adequacy)	Payment processing
PayPal Holdings, Inc.	USA (SCCs / adequacy)	Payment processing

This schedule will be updated with at least 14 days' notice before any addition or replacement. Current version: 31 March 2026.

Contact

For DPA-related enquiries:
Aftora Limited
Email: privacy@aftora.io