This document is a draft and is currently under legal review. The final version will be published before the official launch of HummingTribe services. To request a signed DPA, contact hello@hummingtribe.com.
1. Scope & Purpose
This Data Processing Agreement ("DPA") supplements the HummingTribe Terms of Service and applies where HummingTribe processes personal data on behalf of the Customer (the "Controller") in the course of providing hosting services. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- Processor: HummingTribe, acting as the entity processing personal data on behalf of the Controller.
- Controller: The Customer who determines the purposes and means of processing personal data stored on HummingTribe services.
- Personal Data: Any data relating to an identified or identifiable natural person, as stored by the Controller on HummingTribe infrastructure.
3. Processing Details
- Nature of processing: Storage and transmission of data uploaded by the Controller to S3-compatible object storage or shared hosting infrastructure.
- Purpose: Providing the hosting services described in the Terms of Service.
- Duration: For the term of the service agreement plus 30 days after termination.
- Data subjects: Determined by the Controller (may include employees, customers, or end users of the Controller).
- Categories of data: Determined by the Controller (HummingTribe does not inspect stored content).
4. Obligations of the Processor
HummingTribe shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (encryption in transit, access controls, ZFS snapshots, Tailscale-only admin access).
- Not engage sub-processors without prior written consent of the Controller.
- Assist the Controller in responding to data subject access requests.
- Delete or return all personal data upon termination of services, at the choice of the Controller.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
HummingTribe currently uses the following sub-processors:
- Hetzner Online GmbH — Dedicated server infrastructure, Falkenstein, Germany
- Stripe, Inc. — Payment processing (USA, EU Standard Contractual Clauses)
- Brevo (Sendinblue) — Transactional email, EU
6. Data Location
All customer data is stored exclusively on servers located in Falkenstein, Germany (Hetzner data centre). Data does not leave the European Union except where a sub-processor (Stripe) transfers it under EU Standard Contractual Clauses.
7. Security Measures
- TLS encryption for all data in transit
- ZFS RAIDZ-1 storage with automated snapshots (hourly, daily, monthly)
- Admin access restricted to Tailscale VPN — no public management interfaces
- ModSecurity WAF with OWASP Core Rule Set for web hosting
- Automated TLS (SSL) certificate provisioning and renewal
8. Data Breach Notification
In the event of a personal data breach, HummingTribe shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing: the nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken to mitigate the breach.
9. Governing Law
This DPA is governed by the laws of Romania and the GDPR. Any disputes shall be resolved in the competent courts of Bucharest, Romania.
Last updated: Draft — pending legal review