Data Processing Agreement
Last updated 01/01/2026
This Data Processing Agreement (“DPA”) is entered into between Cloudsonic Hosting (“Cloudsonic”, “we”, “us”, “our”), a brand operated by Brisbane Agency (ABN: 20 039 689 628) of Yuggera Country, The Gap QLD 4061, Australia (“Data Processor”), and the customer using our Services (“Customer”, “Data Controller”).
This DPA forms part of and is incorporated into the Terms of Service between Cloudsonic and the Customer. By using our Services, the Customer agrees to the terms of this DPA.
This DPA applies where Cloudsonic processes personal data on behalf of the Customer in connection with the provision of our Services, and where such processing is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the Australian Privacy Act 1988 (Cth), or other applicable data protection law.
1. Definitions
In this DPA, the following terms have the meanings set out below:
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Cloudsonic on behalf of the Customer in connection with the Services.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.
- “Data Controller” means the Customer, who determines the purposes and means of processing Personal Data.
- “Data Processor” means Cloudsonic, which processes Personal Data on behalf of the Customer.
- “Sub-processor” means any third party engaged by Cloudsonic to process Personal Data in connection with the Services.
- “Applicable Data Protection Law” means the GDPR, UK GDPR, Australian Privacy Act 1988 (Cth), CCPA, and any other data protection legislation applicable to the relevant processing.
- “Data Subject” means the individual to whom Personal Data relates.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Role of the Parties
2.1 The Customer is the Data Controller of any Personal Data it stores or processes through our Services. Cloudsonic acts as a Data Processor in relation to that Personal Data.
2.2 This DPA applies to the processing of Personal Data by Cloudsonic in connection with the provision of hosting, managed WordPress, VPS/cloud server, and email hosting services.
2.3 Each party agrees to comply with its obligations under Applicable Data Protection Law in connection with such processing.
3. Customer’s Obligations
3.1 The Customer represents and warrants that it has a lawful basis for processing the Personal Data it submits to our Services and that it has provided all necessary notices and obtained all necessary consents from Data Subjects.
3.2 The Customer is responsible for the accuracy, quality, and legality of Personal Data submitted to the Services.
3.3 The Customer must ensure that its instructions to Cloudsonic regarding the processing of Personal Data comply with Applicable Data Protection Law.
4. Cloudsonic’s Obligations
4.1 Cloudsonic will process Personal Data only on the documented instructions of the Customer, as set out in these Terms and this DPA, or as required by applicable law.
4.2 Cloudsonic will ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
4.3 Cloudsonic will implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, destruction, or alteration, taking into account the nature of the data and the risks involved.
4.4 Cloudsonic will assist the Customer, as reasonably practicable and at the Customer’s cost, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
4.5 Cloudsonic will assist the Customer in meeting its obligations regarding security, breach notification, data protection impact assessments, and prior consultation, to the extent required by Applicable Data Protection Law and taking into account the nature of the processing and information available to Cloudsonic.
4.6 Upon termination or expiry of the Terms of Service, Cloudsonic will, at the Customer’s choice, delete or return Personal Data to the Customer, and delete existing copies, unless applicable law requires retention.
4.7 Cloudsonic will make available to the Customer information reasonably necessary to demonstrate compliance with the obligations in this DPA and will permit and contribute to audits conducted by the Customer or an auditor appointed by the Customer, subject to reasonable prior notice, confidentiality obligations, and agreement on scope and cost.
5. Sub-processors
5.1 The Customer provides general authorisation for Cloudsonic to engage sub-processors in connection with the provision of the Services. Cloudsonic will maintain a list of current sub-processors and make it available to the Customer on request via our contact page.
5.2 Cloudsonic will impose data protection obligations on sub-processors that are equivalent to those set out in this DPA. Cloudsonic remains liable to the Customer for the acts and omissions of sub-processors to the same extent as if Cloudsonic had performed the processing itself.
5.3 Where Cloudsonic intends to engage a new sub-processor, it will provide reasonable prior notice to the Customer. If the Customer objects on reasonable data protection grounds, the parties will work together in good faith to resolve the objection. If no resolution can be reached, the Customer may terminate the affected Services on written notice.
6. International Data Transfers
6.1 Cloudsonic stores Personal Data in the geographic region selected by the Customer at signup. Available regions include Australia, the European Economic Area, and the United States.
6.2 Where Personal Data of EEA or UK Data Subjects is transferred outside the EEA or UK, Cloudsonic will ensure that appropriate safeguards are in place in accordance with the GDPR and UK GDPR, including by implementing Standard Contractual Clauses (“SCCs”) as adopted by the European Commission, where required.
6.3 Where Personal Data of Australian individuals is transferred outside Australia, Cloudsonic will take reasonable steps to ensure the recipient is subject to obligations that are substantially similar to the Australian Privacy Principles, or will otherwise comply with Australian Privacy Principle 8.
6.4 Customers who require a copy of the applicable Standard Contractual Clauses or further information about our international transfer mechanisms may contact us.
7. Security Incidents
7.1 Cloudsonic will notify the Customer without undue delay upon becoming aware of a Security Incident affecting Personal Data processed on the Customer’s behalf. Such notice will include, to the extent known at the time:
- A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected
- The likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
7.2 Cloudsonic will cooperate with the Customer and take reasonable steps to assist in investigating, mitigating, and remediating any Security Incident.
7.3 The Customer is responsible for determining whether it is required to notify relevant supervisory authorities or Data Subjects of a Security Incident and for making any such notifications.
8. Data Subject Rights
8.1 Cloudsonic will promptly notify the Customer if it receives a request from a Data Subject in relation to Personal Data processed under this DPA.
8.2 Cloudsonic will not respond directly to Data Subject requests relating to the Customer’s Personal Data, except on the Customer’s documented instructions or as required by applicable law.
8.3 The Customer is responsible for responding to Data Subject rights requests in accordance with Applicable Data Protection Law.
9. Audit Rights
9.1 Cloudsonic will make available to the Customer, upon request, documentation and information reasonably necessary to demonstrate compliance with this DPA.
9.2 Where an audit of Cloudsonic’s processing facilities is requested by the Customer, it must be conducted during normal business hours, with reasonable prior written notice (no less than 30 days), and in a manner that minimises disruption to Cloudsonic’s operations. Audits are subject to confidentiality obligations and will be conducted at the Customer’s expense.
10. Liability
10.1 Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, to the fullest extent permitted by Applicable Data Protection Law.
10.2 Nothing in this DPA limits the liability of either party for breaches of Applicable Data Protection Law to the extent that such liability cannot be limited under that law.
11. Term and Termination
11.1 This DPA takes effect on the date the Customer first uses our Services and remains in force for as long as Cloudsonic processes Personal Data on behalf of the Customer.
11.2 This DPA will terminate automatically upon termination or expiry of the Terms of Service, subject to any obligations that survive termination.
12. Contact
For any questions regarding this DPA, data protection matters, or to request a copy of our Standard Contractual Clauses, please contact us.
Cloudsonic Hosting, operated by:
Brisbane Agency
Yuggera Country, The Gap QLD 4061, Australia
ABN: 20 039 689 628
brisbaneagency.com