Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Terms of Service Agreement between Celko Limited, trading as Canagon (“Processor”), and the customer (“Controller”) who purchases or uses our services.

This DPA applies when Celko Limited processes personal data on behalf of the customer in connection with the provision of hosting, domain, DNS, email, Google Workspace, Microsoft 365, or any other services provided by Celko Limited.

1. Roles of the Parties
The customer acts as the data controller. Celko Limited acts as the data processor when processing personal data on behalf of the customer. For services where Celko Limited resells third-party products such as Google Workspace or Microsoft 365, Celko Limited may act as a subprocessor and the third party’s own terms and data protection agreements also apply.

2. Subject Matter and Duration
The subject matter of the processing is the personal data stored, transmitted, or otherwise processed by the customer through the services. Processing continues for the duration of the services and until all personal data has been deleted or returned in accordance with this DPA.

3. Nature and Purpose of Processing
Celko Limited processes personal data only as necessary to provide the services purchased by the customer, including hosting, storage, transmission, backup, technical support, account management, and billing.

4. Categories of Data and Data Subjects
The personal data may include account data, contact data, email data, files, website content, and other information chosen by the customer. Data subjects may include the customer’s employees, clients, suppliers, or other individuals whose personal data is processed through the services.

5. Processor Obligations
Celko Limited shall:

• Process personal data only on documented instructions from the customer, unless required by law.
• Implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access.
• Ensure that persons authorised to process personal data are bound by confidentiality.
• Notify the customer without undue delay after becoming aware of a personal data breach.
• Assist the customer in fulfilling obligations regarding data subject rights, data protection impact assessments, and breach notifications, to the extent reasonably possible.
• Delete or return personal data at the end of the provision of services, unless retention is required by law.
• Make available to the customer information necessary to demonstrate compliance with this DPA and GDPR.

6. Sub-processors
The customer authorises Celko Limited to engage sub-processors as necessary for the provision of services, including but not limited to data centre operators, backup providers, and third-party SaaS vendors such as Google and Microsoft. Celko Limited will maintain a list of sub-processors and will notify customers of material changes.

7. International Data Transfers
Where personal data is transferred outside the European Economic Area, Celko Limited shall ensure that such transfer is subject to an adequacy decision of the European Commission or safeguarded by appropriate legal mechanisms such as Standard Contractual Clauses.

8. Customer Responsibilities
The customer is responsible for ensuring that it has a lawful basis for processing personal data and for the accuracy, quality, and legality of the data provided to Celko Limited. The customer remains responsible for compliance with its obligations as controller under applicable data protection law.

9. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service Agreement between the parties.

10. Governing Law
This DPA is governed by and shall be construed in accordance with the laws of Ireland.