Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the service agreement between Eyecay ("Processor") and the client ("Controller") for services including web hosting, maintenance, and digital marketing where Eyecay processes personal data on behalf of the client.
1. Definitions
- Controller: The client who determines the purposes and means of processing personal data
- Processor: Eyecay, acting on the Controller's instructions to process personal data
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, including collection, storage, retrieval, use, or deletion
- Data Subject: The natural person to whom personal data relates
2. Scope and Nature of Processing
Eyecay processes personal data on behalf of the Controller in connection with the provision of:
- Web hosting services (where the hosted website collects visitor data)
- Website maintenance (access to website files and databases containing user data)
- Email hosting (where mailboxes contain personal communications)
- Digital marketing services (where campaign data includes identifiable individuals)
3. Types of Data Processed
The categories of personal data processed may include:
- Contact details (name, email address, phone number)
- Customer purchase and order history
- Website usage data (IP addresses, session data)
- Email communications
- Any other personal data stored on hosted websites or systems
4. Controller's Instructions
Eyecay will process personal data only on documented instructions from the Controller, and will not process data for purposes other than those agreed. Eyecay will inform the Controller if any instruction infringes applicable data protection law.
5. Confidentiality
Eyecay ensures that all persons authorised to process personal data have committed to confidentiality obligations. Access to personal data is restricted to those who need it to deliver the agreed services.
6. Security Measures
Eyecay implements appropriate technical and organisational security measures including:
- Encryption of data in transit (TLS/SSL) and at rest where applicable
- Access controls and authentication requirements for all systems
- Regular security scanning and vulnerability assessments
- Incident detection and response procedures
- Regular backups with secure off-site storage
7. Sub-Processors
Eyecay uses the following categories of sub-processors to deliver its services:
- Cloud infrastructure providers (for server hosting)
- CDN providers (for content delivery)
- Backup storage providers
- Email infrastructure providers
- Security monitoring services
Eyecay will notify the Controller of any intended changes to sub-processors with reasonable advance notice. The current sub-processor list is available on request.
8. Data Subject Rights
Eyecay will assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, objection) insofar as possible given the nature of the processing. The Controller remains responsible for responding to data subjects directly.
9. Data Breach Notification
Eyecay will notify the Controller without undue delay (and in any case within 72 hours) upon becoming aware of a personal data breach affecting data processed on behalf of the Controller. Notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
10. Data Deletion and Return
Upon termination of services, at the Controller's choice, Eyecay will either return all personal data to the Controller or securely delete it, within 30 days of service termination, unless applicable law requires longer retention.
11. Audit Rights
Eyecay will provide information necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Controller or an auditor appointed by the Controller, subject to reasonable notice and confidentiality obligations.
12. Governing Law
This DPA is governed by the laws of the Cayman Islands. Where the Controller is subject to GDPR or UK GDPR, this DPA is intended to meet the requirements of Article 28 of those regulations.
Contact
For DPA enquiries: info@eyecay.ky