GDPR - Data Processing Agreement
LAST UPDATED: 02 JAN 2021Legal
GDPR / UK GDPR – Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of, and is an addendum to, the Terms & Conditions (the “Agreement”) between Fast Moose (“Fast Moose”, “Processor”) and you (“Customer”, “Controller”).
This DPA applies to the Processing of Personal Data by Fast Moose on behalf of Customer in connection with the Services.
This DPA is effective from 24 January 2026 and replaces any previously applicable data processing and security terms for the Services.
1. Definitions
“Customer Data” means data submitted, stored, sent, or received by or on behalf of Customer (including Customer End Users) through the Services.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Processor” means the entity that Processes Personal Data on behalf of the Controller.
“Data Protection Laws” means all applicable data protection and privacy laws and regulations, including (as applicable) the EU GDPR and UK GDPR, and any implementing or successor legislation.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679.
“UK GDPR” means the EU GDPR as incorporated into United Kingdom law (as amended from time to time).
“Personal Data” means any Customer Data relating to an identified or identifiable natural person that is protected as personal data under applicable Data Protection Laws.
“Processing” has the meaning given to it under applicable Data Protection Laws; “process”, “processes” and “processed” shall be interpreted accordingly.
“Sub-Processor” means any third party authorised under this DPA to Process Personal Data to provide parts of the Services.
“Services” means the products and services provided by Fast Moose to Customer under the Agreement.
2. Roles and Scope
- Customer is the Controller of Personal Data.
- Fast Moose is the Processor of Personal Data Processed on behalf of Customer.
3. Processing Instructions
Fast Moose will Process Personal Data only on documented instructions from Customer (“Instructions”), unless required to do otherwise by applicable law.
The Instructions at the time of entering into this DPA are for Fast Moose to Process Personal Data solely to provide, secure, support, and maintain the Services under the Agreement.
If Customer issues additional written Instructions, such Instructions must be consistent with the Agreement and this DPA. Customer is responsible for ensuring that only authorised persons provide Instructions.
Fast Moose will notify Customer if it reasonably believes an Instruction infringes Data Protection Laws and may suspend execution of the relevant Instruction until it is clarified or modified.
4. Confidentiality
Fast Moose shall treat Customer Data as confidential and will ensure that persons authorised to Process Personal Data are subject to appropriate confidentiality obligations.
5. Sub-Processing
Customer provides Fast Moose with general authorisation to engage Sub-Processors to Process Personal Data as necessary to provide the Services.
Fast Moose will ensure Sub-Processors are bound by written terms that provide a level of protection for Personal Data no less protective than this DPA.
Fast Moose remains responsible for the performance of its Sub-Processors to the same extent as for its own Processing.
Fast Moose will provide notice of material changes to Sub-Processors (e.g., new Sub-Processor engagement) via the account email address and/or control panel where reasonably practicable.
Customer is responsible for maintaining accurate account contact details.
If Customer objects to a new Sub-Processor on reasonable grounds relating to data protection, Customer may terminate the affected Service in accordance with the Agreement (where available), as Customer’s sole remedy.
6. Security
Fast Moose will implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, as required by Data Protection Laws (including Article 32 EU GDPR / UK GDPR).
Security measures may be updated from time to time to reflect technological developments, provided such updates do not materially reduce the overall security of the Services.
7. Personal Data Breach Notification
If Fast Moose becomes aware of a Personal Data Breach affecting Personal Data Processed on behalf of Customer, Fast Moose will notify Customer without undue delay and provide information reasonably required to support Customer’s compliance obligations.
Breach notifications will be sent to the account email address. Customer is responsible for ensuring contact details are current.
Customer agrees that notifications do not include unsuccessful attempts or activities that do not compromise the security of Personal Data (e.g., unsuccessful logins, pings, port scans, and certain denial-of-service attempts).
8. Data Subject Requests
If Fast Moose receives a request from a Data Subject relating to Personal Data Processed on behalf of Customer, Fast Moose will, to the extent permitted by law, forward the request to Customer.
Customer is responsible for responding within applicable legal timeframes.
Fast Moose will provide reasonable assistance (including available controls) to enable Customer to respond to Data Subject requests, taking into account the nature of Processing and the information available to Fast Moose.
9. International Data Transfers
Customer acknowledges that Fast Moose may Process Personal Data in multiple locations depending on the Services selected and infrastructure required to provide the Services (including locations inside and outside the EEA and/or the United Kingdom).
Where Personal Data is transferred outside the EEA and/or the UK to a country not recognised as providing an adequate level of protection, Fast Moose will implement appropriate safeguards as required by Data Protection Laws, such as:
- the European Commission Standard Contractual Clauses (“SCCs”); and/or
- the UK International Data Transfer Addendum to the SCCs or the UK International Data Transfer Agreement (“UK IDTA”), as applicable; and/or
- other lawful transfer mechanisms permitted under Data Protection Laws.
10. Compliance and Audit
Fast Moose will make available information reasonably necessary to demonstrate compliance with this DPA.
Customer may request an audit no more than once per 12-month period, with at least 30 days’ written notice, and subject to reasonable confidentiality and security requirements.
Fast Moose may satisfy audit requests by providing third-party audit reports, summaries, certifications, or similar documentation where appropriate.
11. Return or Deletion of Data
Upon termination or expiry of the Services, Fast Moose will delete or return Personal Data in accordance with the Agreement, unless retention is required by law.
Backup data, where applicable, will be protected and retained only for the period defined by Fast Moose’s backup and retention procedures, after which it will be securely deleted in the ordinary course.
12. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement.
For the avoidance of doubt, Fast Moose is not responsible for losses arising from Customer’s violation of the Agreement or Customer’s failure to maintain appropriate access control, security, or lawful bases for Processing.
13. Governing Law
This DPA is governed by and construed in accordance with the laws specified in the Agreement. Where the Agreement specifies Singapore law, the parties submit to the exclusive jurisdiction of the courts of Singapore, unless otherwise required by mandatory applicable law.
Annex 1 – Sub-Processors
The following Sub-Processors may be used to provide parts of the Services (as applicable to Customer’s selected products):
| Company | Service |
|---|---|
| Stripe | Credit/Debit Card Payments |
| PayPal | PayPal and Credit/Debit Card Payments |
| Dreamscape Networks International Pte Ltd | Domain Names |
| Nominet | Domain Names |
| Tucows (OpenSRS) | Domain Names |
| GeoTrust (Symantec) | SSL/TLS Certificates |
| Sectigo Group, Inc. | SSL/TLS Certificates |
| OVH Singapore Pte. Ltd. | Servers / Infrastructure |
| Vultr Holdings Corporation | Servers / Infrastructure |
| DigitalOcean, LLC | Servers / Infrastructure |
| 20i Ltd | Servers / Infrastructure |
| Google Analytics | Website analytics (where enabled). Data may be anonymised/configured by Customer. |
Annex 2 – Security Measures
Fast Moose maintains technical and organisational measures appropriate to the risks, which may include (as applicable to the Services):
- Logical access controls and least-privilege access
- Encryption in transit (TLS) where supported
- Regular patching and vulnerability management processes
- Backups and recovery procedures (where included in the Services)
- Monitoring, logging, and incident response procedures
- Physical security controls at datacentre facilities operated by Fast Moose and/or its infrastructure providers