VistoShield

Data Processing Agreement (DPA)

Last updated: April 5, 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller (“Controller”, “Customer”, “you”) — the individual or entity that has agreed to the VistoShield Terms of Service and uses the VistoShield Service.
  • Data Processor (“Processor”, “we”, “us”) —
    Vistoweb E.E.
    EUID: ELGEMI.153537403000
    VAT: EL801286009
    235 El. Venizelou Ave., P. Faliro 17563, Suite B9, 2nd Floor, Athens, Greece
    Phone: +30 210 300 5000
    Email: [email protected]

Each a “Party” and together the “Parties”.

2. Scope

This DPA supplements the VistoShield Terms of Service and applies whenever Vistoweb processes Personal Data on behalf of the Customer in the course of providing the VistoShield Service. This DPA is incorporated into and forms part of the Terms of Service.

In the event of any conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail with respect to the processing of Personal Data.

3. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Terms not defined here shall have the meanings given in the GDPR or the Terms of Service.

  • “Personal Data” — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • “Processing” — any operation or set of operations performed on Personal Data, as defined in GDPR Article 4(2), including collection, recording, storage, retrieval, use, disclosure, erasure, and destruction.
  • “Data Subject” — an identified or identifiable natural person to whom Personal Data relates.
  • “Sub-processor” — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Supervisory Authority” — an independent public authority responsible for monitoring the application of the GDPR, as defined in GDPR Article 4(21).
  • “GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • “Personal Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined in GDPR Article 4(12).

4. Subject Matter & Duration

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the VistoShield security service. This includes processing of:

  • WordPress site visitor data (IP addresses, user agents, HTTP request data) for security threat detection and traffic analysis
  • WordPress user data (usernames, email addresses, login attempts) for brute-force protection, login monitoring, and activity logging

This DPA shall remain in effect for the duration of the service agreement between the Parties (i.e., as long as the Controller maintains an active VistoShield account) and shall automatically terminate upon deletion of the Controller’s account, subject to any applicable data retention obligations.

5. Nature & Purpose of Processing

The Processor processes Personal Data on behalf of the Controller for the following purposes:

  • Security threat detection — analyzing traffic patterns, request data, and user agent strings to identify malicious activity, bots, and attacks
  • Malware scanning — scanning WordPress files for malicious code, comparing file checksums against known-good signatures
  • Brute-force protection — monitoring login attempts to detect and block brute-force attacks against WordPress login pages
  • Bot detection — classifying site visitors as human, good bot, or bad bot based on traffic patterns and behavioral analysis
  • Traffic analysis — monitoring and analyzing HTTP request logs to identify security anomalies and potential threats
  • Incident response — supporting automated and manual security incident detection, containment, and remediation
  • Compliance reporting — generating security reports and audit logs for the Controller’s review

6. Types of Personal Data Processed

The following categories of Personal Data may be processed under this DPA:

  • IP addresses of site visitors (collected via the Live Traffic Monitor, Firewall, Bot Detector, and Login Guard modules)
  • User agent strings (browser type, version, operating system information of site visitors)
  • HTTP request data (request URLs, HTTP methods, response status codes, referrer URLs)
  • WordPress usernames and email addresses (from login attempt logs and Activity Log module)
  • File checksums and content snippets (from malware scanning — may include fragments of PHP files that contain user data)
  • DNS records (domain name system records associated with the Controller’s domains)
  • SSL certificate details (issuer, subject, expiration dates, chain information)

7. Categories of Data Subjects

The Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • Website visitors — individuals who visit the Controller’s WordPress websites (their IP addresses, user agents, and request data are processed for security purposes)
  • WordPress administrators and users — individuals with WordPress user accounts on the Controller’s sites (their usernames, email addresses, and login activity are processed for security monitoring)

8. Obligations of the Processor

The Processor shall:

8.1 Documented Instructions

Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law to which the Processor is subject. The instructions are documented in this DPA, the Terms of Service, and the configuration settings chosen by the Controller in the VistoShield dashboard. If the Processor believes an instruction infringes the GDPR, it shall immediately inform the Controller.

8.2 Confidentiality

Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their duties.

8.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Annex: Technical & Organizational Security Measures (Section 11).

8.4 Sub-processors

Engage Sub-processors only with the prior general authorization of the Controller. The current list of Sub-processors is provided in Section 9. The Processor shall inform the Controller of any intended changes to Sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the Parties shall work in good faith to find an alternative solution. If no resolution is reached, the Controller may terminate the agreement.

8.5 Data Subject Rights

Assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection). The VistoShield dashboard provides self-service tools for data export (JSON format) and account/site deletion.

8.6 Data Protection Impact Assessment

Assist the Controller with Data Protection Impact Assessments (DPIAs) and prior consultation with supervisory authorities where required under GDPR Articles 35 and 36, taking into account the nature of processing and the information available to the Processor.

8.7 Data Deletion or Return

Upon termination of the service agreement, at the Controller’s choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires retention. The Controller may export data via the dashboard before account deletion. The Processor will delete all Personal Data within 30 days of account deletion, except where retention is required by law.

8.8 Audit & Compliance Information

Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (see Section 13).

9. Sub-processors

The Controller provides general authorization for the Processor to engage the following Sub-processors. By using the Service, the Controller consents to the engagement of these Sub-processors:

  • Hetzner Online GmbH
    Location: Germany (EU)
    Purpose: Cloud infrastructure hosting (servers, databases, storage)
    Data Processed: All Personal Data stored and processed by the Service
  • Paddle.com Market Limited
    Location: United Kingdom / EU
    Purpose: Payment processing (Merchant of Record — billing, VAT, invoicing)
    Data Processed: Controller’s billing data (name, email, payment method, transaction records)
  • Plausible Insights OÜ
    Location: Estonia (EU)
    Purpose: Website analytics for vistoshield.com
    Data Processed: No Personal Data processed (cookie-free, privacy-first analytics using aggregate data only)

The Controller will be notified by email at least 30 days before the Processor engages any new Sub-processor or replaces an existing one. The notification will include the name, location, and purpose of the new Sub-processor.

10. International Data Transfers

All processing of Personal Data under this DPA takes place within the European Economic Area (EEA). The primary data processing location is Hetzner Cloud datacenters in Germany.

If any transfer of Personal Data outside the EEA is required in the future (for example, due to the engagement of a new Sub-processor), the Processor shall ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
  • An adequacy decision by the European Commission under GDPR Article 45
  • Binding Corporate Rules approved under GDPR Article 47

The Processor shall inform the Controller before any such transfer takes place and shall not proceed without the Controller’s consent.

11. Annex: Technical & Organizational Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data in accordance with GDPR Article 32:

11.1 Data Center Security

  • All data is hosted in Hetzner Online GmbH datacenters in Germany
  • Hetzner is ISO 27001 and SOC 2 certified
  • Physical access controls: biometric access, 24/7 security personnel, CCTV monitoring
  • Redundant power supply and cooling systems

11.2 Encryption

  • In transit: All data transmitted between clients, the WordPress plugin, and our servers is encrypted using TLS 1.2 or higher
  • At rest: Sensitive data is encrypted at rest using AES-256 where applicable
  • Backups: All database backups are encrypted

11.3 Access Control

  • Role-based access control (RBAC) for all internal systems with the principle of least privilege
  • Two-factor authentication (2FA) required for all administrative access
  • Individual user accounts for all staff — no shared credentials
  • Access reviews conducted periodically

11.4 Authentication

  • User passwords hashed using Argon2id (a memory-hard function, resistant to GPU-accelerated brute-force attacks)
  • JWT-based authentication with token versioning and revocation capabilities
  • HMAC-SHA256 authentication for all plugin-to-API communication

11.5 Network Security

  • Private network between application and database servers (database not exposed to public internet)
  • Cloudflare DDoS protection and WAF for all public-facing services
  • Firewall rules restricting access to essential ports and services only

11.6 Monitoring

  • 24/7 automated infrastructure monitoring with 2-minute health check intervals
  • Automated alerting for anomalous activity, performance degradation, and security events
  • Public status page at vistoshield.com/status

11.7 Backup & Recovery

  • Daily automated database backups with encryption
  • 7-day rolling backup retention
  • Point-in-time recovery capability
  • Backup restoration testing conducted periodically

11.8 Incident Response

  • Documented incident response procedures
  • Personal Data Breach notification within 72 hours per GDPR Article 33
  • Post-incident analysis and remediation for all security events

12. Data Breach Notification

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • The name and contact details of the Data Protection Officer or other contact point where more information can be obtained
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall also assist the Controller in fulfilling its obligation to notify the supervisory authority and affected Data Subjects where required under GDPR Articles 33 and 34.

13. Audit Rights

The Controller may audit the Processor’s compliance with this DPA, subject to the following conditions:

  • The Controller shall provide at least 30 days’ written notice prior to any audit.
  • Audits shall be conducted during normal business hours (Monday through Friday, 09:00–18:00 EET) and shall not unreasonably interfere with the Processor’s business operations.
  • Audits shall be conducted at the Controller’s expense.
  • The Processor shall cooperate with the auditor and provide access to relevant documentation, systems, and personnel as reasonably necessary.
  • The auditor must agree to confidentiality obligations no less restrictive than those in this DPA.
  • Audit frequency shall not exceed once per 12-month period, unless required by a supervisory authority or following a Personal Data Breach.

As an alternative to on-site audits, the Processor may provide the Controller with relevant certifications, audit reports (e.g., SOC 2 reports from infrastructure providers), or summaries of security assessments to demonstrate compliance.

14. Termination & Data Return

Upon termination of the service agreement (whether by cancellation, account deletion, or expiry):

  • The Controller may export all data from the VistoShield dashboard in JSON format prior to account deletion.
  • The Processor shall delete all Personal Data processed on behalf of the Controller within 30 days of account deletion.
  • Security event data, traffic logs, and scan results are automatically purged according to the data retention schedule (3/14/30 days depending on plan).
  • Billing records are retained only as required by applicable tax law (typically 7 years under Greek law) and are not deleted upon account termination.
  • The Processor shall provide written confirmation of data deletion upon request.

15. Liability

Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA limits either Party’s liability for breaches of the GDPR to Data Subjects as prescribed by GDPR Article 82.

16. Governing Law

This DPA is governed by and construed in accordance with the laws of Greece, consistent with the governing law provisions of the Terms of Service. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Athens, Greece, without prejudice to the rights of Data Subjects under GDPR Article 79 to bring proceedings before the courts of the Member State where the Data Subject has their habitual residence.

17. Contact

For questions about this DPA or to exercise data protection rights:

  • Data Protection Officer: [email protected]
  • General support: [email protected]
  • Phone: +30 210 300 5000

Vistoweb E.E.
235 El. Venizelou Ave., P. Faliro 17563
Suite B9, 2nd Floor
Athens, Greece
VAT: EL801286009

© 2026 VistoShield. All rights reserved. A product of Vistoweb.