Personal Data Treatment Conditions

Last Revision: 26.07.2021

This Personal Data Processing Agreement ("PDPA"), an integral part of any agreement for the provision of services, referred to hereinafter as the "Agreement", is entered into between xervers, unipessoal lda. ("xervers"), and the Customer, and sets forth the terms and conditions applicable to the services provided by xervers (the "Services"). This PDPA and other agreements are complementary. However, in the event of a conflict, the PDPA shall prevail.

Terms beginning with a capital letter and not defined in this PDPA shall have the meaning set forth in the Agreement. The expressions "Binding Corporate Rules", "Controller", "Personal Data", "Personal Data Breach", "Processing", "Sub-Contractor", "Supervisory Authority" shall be interpreted as defined in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation" or "GDPR").

Part 1 - Personal Data handled by xervers as a Subcontractor under instructions from the Client 

The objective of this part is to define, in accordance with article 28 of the GDPR, the conditions under which xervers is entitled, as a "Subcontractor" and as part of the Services set out in the Agreement, to process through and on instruction of the Client, personal data under the terms defined in the GDPR ("Personal Data").

For the purposes of this Part, the Customer may act either as "Controller" or "Sub-Processor" with respect to Personal Data. If the Customer is acting as a Sub-Contractor on behalf of a third-party Controller, the Parties expressly agree to the following conditions:

  1. The Client must ensure that

     a. all authorizations necessary to enter into this PDPA, including the Client's designation of xervers as a subcontractor, have been obtained from the Controller,

     b. a contract, which is fully in accordance with the terms and conditions of the Agreement including this PDPA, has been entered into with the Controller in accordance with article 28 of the GDPR,

     c. any instructions received by xervers from the Client in the execution of the Agreement and this PDPA are in full accordance with the instructions provided by the Controller, and

     d. all information communicated or made available by xervers pursuant to this PDPA is appropriately communicated to the Controller as necessary.

  2. xervers must

     a. process Personal Data only on the Customer's instructions, and

     b. not receive any instructions directly from the Controller, except in cases where the Client has disappeared or ceased to exist in law, with no successor entity to the Client's rights and obligations.

  3. The Client, who is fully responsible to xervers for the proper performance of the Controller's obligations as set forth in this PDPA, shall indemnify and hold xervers harmless against

     a. any failure of the Controller to comply with applicable law, and

     b. any action, claim or complaint by the Controller relating to the provisions of the Agreement (including this PDPA) or any instruction received by xervers from the Client.

Art 1: Scope

xervers is authorized, as a Subcontractor acting on instruction from the Client, to process the Controller's Personal Data to the extent necessary to provide the Services. The nature of the operations performed by xervers on Personal Data may be computing, storage and/or any other Services as described in the Agreement.

The type of Personal Data and the categories of data subjects are determined and controlled by the Client at its sole discretion.

Processing activities are performed by xervers for the duration provided in the Contract.

Art 2: Choice of Services

The Customer is solely responsible for the choice of Services. The Customer must ensure that the Services chosen have the features and conditions necessary to comply with the Controller's activities and purposes of processing as well as the type of Personal Data to be processed in the Services, including, but not limited to, when the Services are used to process Personal Data that is subject to specific rules or standards (e.g., health or banking data in some countries). Customer is informed that xervers proposes certain Services with organizational and security measures specifically designed for the processing of health care or banking data.

If the Controller's processing could result in a high risk to the rights and freedoms of individuals, the Client should carefully select its Services. In assessing the risk, the following criteria should in particular, but not only, be taken into account:

  • evaluation or scoring of data subjects;

  • automated decision making with significant legal or similar effect;

  • systematic monitoring of data subjects;

  • processing of sensitive data or data of a highly personal nature;

  • large-scale processing;

  • matching or combination of data sets;

  • processing of data relating to vulnerable data subjects;

  • use of new, innovative technologies not recognized by the public for processing.

xervers will make information available to the Customer, under the conditions set out below in the "Audit" section, regarding the security measures implemented in connection with the Services, to the extent necessary to assess the compliance of these measures with the Controller's processing activities.

Art 3: Compliance with Applicable Rules

Each Party shall comply with applicable data protection legislation (including the General Data Protection Regulation).

Art 4: Obligations of xervers

xervers commits to:

  1. process Personal Data uploaded, stored and used by the Customer within the Services only to the extent necessary and proportionate to provide the Services as set out in the Agreement,

  2. not access or use Personal Data for any purpose other than that necessary to provide the Services (especially in relation to Incident Management purposes),

  3. establish the technical and organizational measures described in the Agreement to ensure the security of the Personal Data in the provision of the Service;

  4. ensure that xervers employees authorized to handle Personal Data under the Agreement are bound by an obligation of confidentiality and are adequately trained in the protection of Personal Data,

  5. inform the Customer, if, in its opinion and given the information at its disposal, an instruction of the Customer infringes the data protection provisions of the GDPR or other provision of the European Union or of a Member State of the European Union,

  6. in case of requests received from a competent authority and relating to Personal Data processed in this context, inform the Customer (unless prohibited by applicable laws or by a precautionary decision of the competent authority) and limit the communication of data to what the authority has expressly requested.

Upon written request from the Client, xervers will provide the Client with reasonable assistance in conducting data protection impact assessments and prior consultation with the competent supervisory authority, if the Client is required to do so under applicable data protection rules and, in each case, only to the extent that such assistance is necessary and relates to the processing by xervers of Personal Data under this PDPA. Such assistance will consist of providing transparency about the security measures implemented by xervers in the provision of its Services.

xervers undertakes to implement the following technical and organizational measures:

  1. Physical security measures designed to prevent unauthorized persons from accessing the infrastructure where Customer data is stored;

  2. identity and access checks using an authentication system as well as a password policy,

  3. An access management system that limits access to the facilities to persons who need access to the facilities in the course of their duties and responsibilities;

  4. security personnel responsible for monitoring the physical security of xervers' facilities;

  5. a system that physically and logically isolates Clients from each other,

  6. authentication processes for users and administrators, as well as measures to protect access to administration functions,

  7. an access management system for support and maintenance operations that operates on the principles of "least privilege" and "need to know", and

  8. processes and measures to track actions performed in its information system.

These technical and organizational measures are described in detail on the xervers page.

Art 5: Personal Data Breach

If xervers becomes aware of an incident affecting the Controller's Personal Data (such as unauthorized access, loss, disclosure or alteration of data), xervers will notify the Customer without undue delay.

The notification must

  1. describe the nature of the incident,

  2. describe the likely consequences of the incident,

  3. describe the actions taken or proposed by xervers in response to the incident and

  4. provide the xervers contact point. 

Art 6: Location and Transfer of Personal Data

In cases where the Services allow the Customer to store Content and especially Personal Data, the location or geographic area of the available Data Center is specified on xervers website. If several locations or geographical areas are available, the Customer must select the chosen one when submitting his Order. Subject to any provision to the contrary in the applicable Special Terms and Conditions, xervers shall not modify, without Customer's consent, the location or geographic area chosen when submitting its Order.

Personal Data stored by the Customer shall not be transferred by xervers to a country not recognized by the European Commission as providing an adequate level of protection ("Adequacy Decision") unless

  1. such transfer is expressly provided for in the applicable Terms and Conditions, or

  2. the Customer selects a data center located outside the European Union in a country that is not subject to an Adequacy Decision, or

  3. with the Client's consent.

Subject to the Data Center location provision above, xervers and Subcontractors, in accordance with section 7 below, may, excluding the United States of America, remotely process Customer Content, provided that such access occurs only to the extent necessary for the performance of the Services and, in particular, is related to security and incident management.

If, pursuant to this Agreement, Personal Data processed under this PDPA are transferred outside the European Union to a country which is not subject to an Adequacy Decision, a data transfer agreement shall be implemented in accordance with the Standard Contractual Clauses adopted by European Commission Decision No. 2010/87/EU, dated February 5, 2010, or at xervers' discretion, any other appropriate safeguards shall be implemented under Chapter V "Transfers of personal data to third countries or international organizations" of the GDPR. The Client hereby mandates xervers to agree the Standard Contractual Clauses with the Importer of Personal Data on behalf of and representing the Exporter of Personal Data, and represents and warrants that it has all authorizations to do so.

When Standard Contractual Clauses are implemented, the following applies:

  1. For clauses 5(f) and 12(2) of the Standard Contractual Clauses, the provisions of section 12 of this PDPA apply.

  2. For clause 11 of the Standard Contractual Clauses, the Client consents to xervers and the Data Importer involving subcontractors under the conditions referred to in section 7 of this PDPA.

  3. For clause 12 (1) of the Standard Contractual Clauses, the Data Importer shall, under the conditions provided in the Contract, in particular section 10 "Erasure and Return of Personal Data" of this PDPA,

     a. help the Data Exporter to recover its data and

     b. delete the data from the Data Exporter.

  4. If the Data Importer is held liable for breach of obligation owed to it under the Standard Contractual Clauses, any liability provision of the Contract, in particular, but without limitation, section 11 of this PDPA, shall apply and be fully binding and enforceable against the Data Importer and the Data Exporter.

The purpose of the preceding paragraph is to specify how the Parties agree to apply the Standard Contractual Clauses and not to derogate from or conflict with the Standard Contractual Clauses. In case of conflict, the Standard Contractual Clauses shall prevail.

The Controller shall complete all necessary assessments (such as data protection impact assessments) and obtain all necessary consents (including from data subjects or competent data protection authorities, if required) to transfer Personal Data within the scope of the Agreement.

Art 7: Hiring a subcontractor for the processing

Subject to the provisions of the "Location and Transfer of Personal Data" section above, xervers is authorized to subcontract for assistance in providing the Services. As part of such assistance, subcontractors may participate in data processing activities performed by xervers on the instructions of the Client.

The list of subcontractors who are authorized to participate in the processing activities performed by xervers on Customer's instructions ("Subcontractors"), including the Services concerned and the location from which they may process Customer Personal Data in accordance with this Agreement, is provided

  1. on xervers website or,

  2. when a Subcontractor participates only in a specific Service, in the applicable Specific Terms and Conditions.

If xervers decides to change a Subcontractor or add a new Subcontractor ("Subcontractor Change"), xervers will notify Customer by email (to the email address registered in Customer's Account)

  1. with thirty (30) days' notice if the Subcontractor is an Affiliate of xervers located in the European Union or in a country subject to an Adequacy Decision or

  2. with ninety (90) days' notice in any other case.

The Customer has the right to object to a Change of Subcontractor pursuant to the GDPR. The objection must be notified to xervers within fifteen (15) days of xervers' notice of a Change of Subcontractor to the Customer and must specify the reason for the objection. Such objection must be notified by Customer through its Management Interface using the category "Data Protection Request" or in writing to the Data Protection Officer, xervers, unipessoal lda, Estrada Nacional 229-2, 2, 3505-245 Viseu, Portugal. xervers shall under no circumstances be obliged to waive a change of Subcontractor. If, after a Customer's objection, xervers does not waive the change of Subcontractor, the Customer has the right to terminate the affected Services.

xervers shall ensure that Subcontractor is, at a minimum, capable of fulfilling the obligations assumed by xervers in this PDPA with respect to the processing of Personal Data performed by Subcontractor. To this end, xervers shall enter into a contract with Subcontractor. xervers shall remain fully liable to Customer for the performance of any obligation that Subcontractor fails to perform.

xervers is hereby authorized to engage third party providers (such as energy providers, network providers, network interconnection point managers or data center facilities, material and software providers, carriers, technical providers, security companies), regardless of where they are located, without having to inform Customer or obtain Customer's prior approval, provided that such third party providers do not process Customer Personal Data.

Art 8: Customer Obligations

For the processing of Personal Data as provided for in the Agreement, the Client shall provide xervers in writing

  1. all relevant instructions and

  2. any information necessary for the creation of the Subcontractor's records of processing activities.

The Client is solely responsible for such processing information and instructions communicated to xervers.

The Client is responsible for ensuring that:

  1. the processing of Personal Data in execution of the Service has an appropriate legal basis (e.g. consent of the data subject, consent of the Controller, legitimate interests, authorization by the relevant competent authority, etc.),

  2. all required procedures and formalities are implemented (such as data protection impact assessment, request for notification and authorization to the competent authority or other competent body, where necessary),

  3. Data subjects are informed about the processing of their Personal Data in a concise, transparent, intelligible and easily accessible manner, using clear and simple language, as provided for in the GDPR,

  4. data subjects are informed and shall at all times have the possibility to easily exercise their rights as provided for in the GDPR directly to the Controller.

The Customer is responsible for implementing technical and organizational measures in the field of security of resources, systems, applications and operations that are outside the scope of xervers responsibility as defined in the Agreement (namely, any systems and software implemented and run by the Customer or Users under the Services).

Art 9: Data subject rights

The Controller is fully responsible for informing data subjects of their rights, and for respecting those rights, including the rights of access, rectification, deletion, limitation, portability or removal.

xervers will provide reasonable cooperation and assistance as reasonably required for the purpose of responding to data subject requests. Reasonable cooperation and assistance may consist of

  1. communicating to the Customer any request received directly from the Data Subject, and

  2. allowing the Controller to design and implement the necessary technical and organizational measures to respond to the requests of Data Subjects.

The Controller will be solely responsible for responding to such requests.

Customer acknowledges and agrees that in the event that such cooperation and assistance require significant resources on the part of Subcontractor, this effort will be required upon notice to and agreed upon with Customer. 

Art 10: Deletion and return of Personal Data

Upon termination of a Service (namely, in the event of termination or non-renewal), xervers agrees to delete, under the conditions provided in the Agreement, all Content (including information, data, files, systems, applications, websites and other items) that is reproduced, stored, hosted or otherwise used by Customer in connection with the Services, unless a request issued by a competent legal or judicial authority, or the applicable law in the European Union or of a Member State of the European Union, requires otherwise.

The Customer is solely responsible for ensuring that the necessary operations (such as backup, transfer to a third-party solution, Snapshots, etc.) for the preservation of Personal Data are performed, in particular, before termination or expiration of the Services, and before proceeding with any operations to remove, update, or reinstall the Services.

In this regard, Customer is advised that termination and expiration of a Service for any reason (including, but not limited to, non-renewal), as well as certain operations to update or reinstall the Services, may automatically result in the irreversible removal of all Content (including information, data, files, systems, applications, websites and other items) that is reproduced, stored, hosted or otherwise used by Customer within the scope of the Services, including any potential backup.

Art 11: Responsibility

xervers can only be held liable for damage caused by processing where it

  1. has not complied with GDPR obligations specifically relating to data processing by Subcontractors, or

  2. has acted contrary to the Client's lawful written instructions.

In such cases, the liability provision of the Contract will apply.

If xervers and the Client are involved in processing under this Agreement that has caused damage to the Data Subject, the Client shall first assume the full compensation (or any other compensation) that is due to the Data Subject and then claim from xervers the portion of the Data Subject's compensation corresponding to the portion of xervers' liability for damages, provided that no limitation of liability under the Agreement shall apply.

Art 12: Audit

xervers will make available to the Customer all information necessary to

  1. demonstrate compliance with the requirements of the GDPR and

  2. allow audits to be performed.

This information is available in the standard documentation on the xervers website. Additional information may be communicated to the Customer upon request to xervers Support.

If a Service is certified, complies with a code of conduct, or is subject to specific audit procedures, xervers will make the corresponding certificates and audit reports available to Customer upon written request.

If the aforementioned information, report and certificate prove insufficient to allow the Client to demonstrate compliance with the obligations established by the GDPR, xervers and the Client will meet to agree on the operational, security and financial conditions of an on-site technical inspection. In all circumstances, the conditions of this inspection shall not affect the security of other xervers' Clients.

Such on-site inspection, as well as the reporting of certificates and audit reports, may result in reasonable additional billing.

Any information that is communicated to the Client pursuant to this section that is not available on xervers website will be considered xervers confidential information under the Agreement. Prior to communicating such information, the Client may be required to enter into a specific confidentiality agreement.

Notwithstanding the foregoing, the Client is authorized to respond to requests from the relevant supervisory authority provided that any disclosure of information is strictly limited to what is requested by such supervisory authority. In such case, and unless prohibited by applicable law, the Client must first consult xervers regarding any required disclosure.

Art 13: Contact xervers

For any question related to their personal data (incidents, conditions of use, etc.), Clients may contact xervers through the following communication channels:

  1. Creating a ticket through the Customer Account Management Interface;

  2. Using the contact form available for this purpose on the xervers website;

  3. By contacting xervers Support Service;

  4. By mail to the following address: xervers, unipessoal lda, Estrada Nacional 229-2, 2, 3505-245 Viseu, Portugal.

Part 2 - Data Processing by xervers as Data Controller

The purpose of this Part is to define the conditions under which xervers processes Personal Data as a Data Controller.

Art 1: Purpose of the Data Processing

As part of the implementation of the Agreement, personal data relating to the Client and the use of the Services are processed by xervers acting as a Data Controller, for the purposes of

  1. managing its customer relationship (managing commercial activities, customer information and support, claims, invoicing, accounting, payment management, debt collection, improving order processing, loyalty program, etc.),

  2. providing the services (delivery, maintenance, development and quality and safety management of the Services, etc.),

  3. preventing fraud, payment default, and use of the Services that is not in compliance with applicable law or the Terms and Conditions of Service,

  4. complying with applicable laws and regulations (obligation to archive and retain data such as connection logs and user identification) and

  5. enforcing its rights as a service provider.

Art 2: Data Type

The Personal Data handled by xervers are

  1. personal data relating to the Customer (first name, last name, address, e-mail address, telephone numbers, identification number (customer ID), etc.),

  2. interaction between the Client and xervers (support contacts, exchanges, minutes, etc.),

  3. accounting and financial information (order history, invoices, credit notes, payment methods including payment holder, etc.),

  4. technical information regarding the use of services (connection ID, service ID, connection logs, use of Service history, etc.).

Such processing activities are performed in compliance with applicable law, in particular the GDPR.

Art 3: Processing Conditions

xervers Affiliates participate in the above processing activities and xervers relies on third party providers, such as security services, payment services, network services and other service providers (correspondence, research, carriers, marketing analysis, analysis of xervers website activities, etc.) acting as subcontractors according to xervers' instructions (the "Subcontractors"). In such cases, an agreement complying with applicable law is concluded between the Subcontractor and xervers, and appropriate technical and organizational measures are implemented in accordance with Articles 28 and 32 of the GDPR.

If Personal Data is transferred (including by remote access) outside the European Union to a country which is not subject to an Adequacy Decision, appropriate safeguards will be provided in accordance with Chapter V of the GDPR, such as (at xervers discretion) a data transfer agreement that complies with standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the review procedure referred to in Article 93(2) or adopted by the European Commission pursuant to the review procedure referred to in Article 93(3). The data transfer agreement shall be deemed to comply with the standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2), or adopted by the European Commission pursuant to the examination procedure referred to in the same Article, or binding corporate rules or any other protective measures recognized as ensuring an adequate level of protection by the European Commission.

The above personal data processing conditions are detailed on xervers' websites. xervers reserves the right to update these conditions periodically and communicate relevant changes.

xervers undertakes not to use the aforementioned Personal Data for any purpose that is not compatible with the aforementioned purposes, provided, however, that xervers may be required to communicate such Personal Data in response to a request or decision by authorities (such as judicial authorities and/or administrative authorities). In such a case, xervers undertakes to inform the Customer (unless prohibited by applicable law or authority) and to communicate only the necessary Personal Data.

Notwithstanding the foregoing, xervers reserves the right to anonymize the Data referred to herein. Such anonymized Data may be retained, processed and used in this anonymized format for any purpose (primarily to produce statistics, develop and improve services, perform marketing analysis, develop business, etc.).

Art 4: Data Subject Rights

In accordance with the provisions of the GDPR, the Customer may lodge a complaint with the competent supervisory authority and exercise its right of access, rectification, removal, limitation, portability and opposition to personal data relating to it.

The Client may exercise this right and obtain such information from xervers using the form for that purpose available on xervers' website or by mail at: xervers, unipessoal lda, Estrada Nacional 229-2, 2, 3505-245 Viseu, Portugal. Any requests must include proof of identity. All such requests must be responded to within thirty (30) days of receipt.