Data Processing Agreement

Last updated: 9 July 2026 · UKBox Ltd (Company No. 15154892) · ICO registration ZC191675

This Data Processing Agreement ("DPA") applies where UKBox Ltd ("we", "us") processes personal data on your behalf as a processor under UK GDPR — typically, personal data contained in the websites, databases, files and mailboxes you host on our services. It forms part of our Terms & Conditions (clause 24.2). For data we process as a controller (your account, billing and support data), see our Privacy & Cookie Policy.

1. Processing details

Subject matterHosting, storage, transmission, backup and technical support of the content and data you place on our infrastructure.
DurationThe term of your services, plus the backup retention period described in clause 6.
Nature and purposeProvision of web hosting, email hosting, domain and related services as described in our Terms & Conditions.
Types of personal dataDetermined by you. Typically: names, contact details, account records, correspondence and any other personal data contained in your hosted sites, databases and mailboxes.
Categories of data subjectsDetermined by you. Typically: your customers, staff, suppliers and website visitors.

2. Our obligations as processor

2.1 We process hosted personal data only on your documented instructions — which, for these services, means providing, securing, backing up and supporting the services you have ordered — unless UK law requires otherwise, in which case we will tell you before processing unless the law prevents it.

2.2 We ensure that persons authorised to access hosted data are bound by obligations of confidentiality.

2.3 We implement appropriate technical and organisational security measures (UK GDPR Article 32), including: UK data centres in Coventry and Maidenhead with physical monitoring; encryption in transit (SSL/TLS); server-level security (Imunify360, firewalling, malware scanning); access controls; and daily encrypted off-site backups.

2.4 We do not access the content of your hosted data except as necessary to provide and support the services, to comply with law, or at your request.

3. Personal data breaches

3.1 If we become aware of a personal data breach affecting the personal data we process on your behalf, we will notify you without undue delay and in any event within 48 hours of becoming aware, and will provide the information reasonably required for you to meet your own obligations under UK GDPR Articles 33 and 34.

4. Assistance

4.1 Taking into account the nature of the processing, we will assist you with reasonable measures to respond to data subject rights requests concerning hosted data, and with your obligations regarding security, breach notification and data protection impact assessments, insofar as the information is available to us. Assistance that goes beyond the reasonable scope of the services may be chargeable at our standard rates, quoted first.

5. Sub-processors

5.1 You give general authorisation for us to use sub-processors in delivering the services. Our current sub-processors for hosted data are: the operators of our UK data centre facilities (Coventry and Maidenhead) and our UK off-site backup storage provider. We do not transfer hosted data outside the United Kingdom in the ordinary course of the services.

5.2 We will give at least 30 days' notice of any intended change of sub-processor affecting hosted data (via our website or email), during which you may object on reasonable data-protection grounds; if we cannot resolve the objection, you may cancel the affected service without penalty.

5.3 We impose data protection obligations on sub-processors materially equivalent to those in this DPA and remain responsible for their performance.

6. Deletion and return

6.1 On termination of a service, you may export your hosted data before the end date. Following termination, hosted data is deleted from live systems, and falls out of our backup rotation within 30 days, after which it is unrecoverable. On written request before deletion, we will provide a copy of hosted data in a standard format.

7. Audit

7.1 We will make available the information reasonably necessary to demonstrate compliance with this DPA. No more than once in any 12-month period, and on at least 14 days' written notice, you (or an auditor you appoint who is not our competitor) may audit our compliance at your cost, during business hours, in a manner that does not compromise the security or service of other customers.

8. Your obligations

8.1 You are the controller (or an authorised processor) of the hosted data and are responsible for: having a lawful basis for the processing; the accuracy and legality of the data you place on the services; providing any required notices to your own data subjects; and keeping the software, applications and credentials under your control secure.

9. Liability and general

9.1 The liability provisions of our Terms & Conditions (clause 22) apply to this DPA. This DPA is governed by the law of England and Wales.

Questions about this DPA: support@ukbox.co.uk · 0330 088 2279 · UKBox Ltd, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ.