2.1 When We Act as Data Controller

GeekCloud acts as a data controller for:

• Customer account information and billing data
• Service usage metrics and technical logs
• Support communications and correspondence
• Identity verification data processed through Stripe Identity
• Marketing and communication preferences

2.2 When We Act as Data Processor

GeekCloud acts as a data processor for:

• Customer data stored on VPS instances and block storage
• Database content managed by customers
• Files and applications deployed by customers
• Any personal data within customer-controlled infrastructure

When acting as a processor, we process data only according to documented customer instructions and our Data Processing Agreement (DPA).

3.1 Customer DPA

All customers who process personal data using our services are covered by our comprehensive Data Processing Agreement, which includes:

• Standard Contractual Clauses (SCCs) for international data transfers
• Data subject rights fulfillment procedures
• Security incident notification protocols
• Subprocessor notification and consent mechanisms
• Data return and deletion procedures upon termination

3.2 Subprocessor Management

We maintain strict oversight of all subprocessors who may access customer data:

• Comprehensive due diligence before engagement
• Contractual obligations equivalent to our DPA commitments
• Regular compliance audits and security assessments
• Customer notification of any subprocessor changes

4.1 Technical Safeguards

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Access Controls: Multi-factor authentication and role-based permissions
• Network Security: Firewalls, intrusion detection, and network segmentation
• Monitoring: 24/7 security monitoring and incident response
• Backup Security: Encrypted backups with tested restoration procedures

4.2 Organizational Measures

• Staff Training: Regular GDPR and security awareness training
• Access Limitation: Need-to-know basis for data access
• Confidentiality: Contractual confidentiality obligations for all staff
• Incident Response: Defined procedures for security and data breaches
• Vendor Management: Due diligence and ongoing oversight of suppliers

4.3 Regular Assessments

• Annual external security audits and penetration testing
• Quarterly internal security reviews and policy updates
• Continuous vulnerability scanning and patch management
• Regular backup testing and disaster recovery exercises

5.1 Rights Fulfillment Process

We provide comprehensive support for data subject rights exercises:

1. Request verification within 72 hours
2. Identity confirmation using secure procedures
3. Data location and impact assessment
4. Response preparation and customer coordination
5. Implementation of requested actions
6. Confirmation and documentation

5.2 Customer Support Tools

• API endpoints for automated data subject request handling
• Administrative tools for data identification and extraction
• Secure deletion verification and certification
• Data portability in standard formats (JSON, CSV)

6.1 EU Data Residency

Our primary commitment is to EU data residency:

• All customer infrastructure hosted in EU data centers
• Customer data processing within the European Economic Area
• EU-based staff for data access and support operations
• EU vendors preferred for critical service components

6.2 Limited Third Country Transfers

When third country transfers are necessary, we ensure adequate protection:

• Standard Contractual Clauses (Module 2 - Controller to Processor)
• Additional safeguards beyond SCC requirements
• Regular adequacy assessments for third country risks
• Encryption and pseudonymization for transferred data

7.1 Incident Response Timeline

• 0-4 hours: Initial detection and containment
• 4-24 hours: Impact assessment and risk evaluation
• 24-72 hours: Supervisory authority notification (if required)
• 72+ hours: Data subject notification (if high risk)
• Ongoing: Remediation, monitoring, and prevention measures

7.2 Customer Notification

Customers are promptly notified of any personal data breaches affecting their data, including:

• Description of the breach and affected data categories
• Likely consequences and potential risks to data subjects
• Measures taken to address the breach and mitigate harm
• Recommendations for customer actions and communications

8.1 Internal Compliance Program

• Quarterly GDPR compliance reviews and assessments
• Annual Data Protection Impact Assessments (DPIAs)
• Regular policy updates based on regulatory guidance
• Staff compliance training and certification programs

8.2 External Audits and Certifications

• Annual external GDPR compliance audits
• ISO 27001 information security certification
• SOC 2 Type II security and availability controls
• Regular penetration testing and vulnerability assessments

8.3 Customer Audit Rights

Customers have the right to audit our data processing activities through:

• Access to compliance certifications and audit reports
• Questionnaire-based compliance assessments
• On-site audits (with reasonable notice and scope)
• Third-party audit coordination and facilitation

9.1 Data Protection Office

For all GDPR-related inquiries and requests:

• Email: dpo@vortcloud.com
• Subject Line: "GDPR Inquiry - [Type of Request] "
• Response Time: Initial response within 72 hours
• Resolution Time: Complete response within 30 days

9.2 Technical Support for GDPR

Our technical support team can assist with:

• Data location and mapping within your infrastructure
• Implementation of data subject request procedures
• Configuration of privacy-enhancing technologies
• Integration with GDPR compliance tools and APIs