Legal & company

Data processing addendum

How Armorbullet Host processes personal data on behalf of customers who use our hosting and related services.

Last updated: July 10, 2026

These documents apply to armorbullet.host and related Armorbullet Host services. They are provided for transparency and operational clarity. For binding advice in your jurisdiction, consult a qualified professional.

1. Overview

This Data Processing Addendum (“DPA”) supplements our Terms of service and Privacy policy. It applies when you (“Customer”, “Controller”) use Armorbullet Host services in a way that requires us (“Processor”) to process personal data on your behalf — for example, content and application data stored on hosting accounts, email mailboxes you operate, or databases you provision.

2. Roles

  • Customer is the controller (or a processor acting for another controller) of Customer Content personal data.
  • Armorbullet Host is a processor for Customer Content stored or transmitted via the Covered Services.
  • For account, billing, and marketing data about you as our customer, we act as an independent controller under our Privacy policy — that data is not “Customer Content” under this DPA.

3. Covered Services

Covered Services include web hosting, VPS, email hosting, related storage/databases we provide as part of a plan, and support access required to deliver those services. Domain registration WHOIS/RDAP data may be processed under registry/ICANN rules and our Privacy policy rather than solely as Customer Content.

4. Nature and purpose of processing

We process Customer Content only to provide, maintain, secure, and support the Covered Services; to prevent abuse and fraud; to comply with law; and on documented Customer instructions that are consistent with the service (e.g. restore a backup, migrate a site, or delete an account).

5. Types of data and data subjects

Customer Content may include any personal data Customer or its end users choose to store or transmit (e.g. site visitors, newsletter subscribers, e-commerce customers, employees). Categories of data subjects and data types are determined by Customer. We do not control what Customer uploads.

6. Customer instructions and responsibilities

  • Customer warrants it has a lawful basis to process personal data and to instruct us to process it.
  • Customer is responsible for notices, consents, and rights requests from its end users for Customer Content.
  • Customer must not instruct us to process data in violation of applicable law.
  • Customer configures applications, access controls, encryption of sensitive fields, and retention within the services.

7. Our obligations as processor

  • Process Customer Content only on documented instructions (including configuration of the services and tickets/support requests) unless required by law.
  • Ensure personnel authorized to process Customer Content are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see Security policy).
  • Assist Customer, where reasonably practicable and considering the nature of processing, with data subject requests and security assessments related to Customer Content.
  • Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Content, with information reasonably available to us.
  • Delete or return Customer Content after end of service, subject to legal retention, backups in rotation, and abuse/legal holds.

8. Sub-processors

Customer authorizes us to use sub-processors (e.g. data centre operators, backup storage, email delivery, DDoS protection, payment infrastructure supporting the platform) as needed to deliver the Covered Services. We remain responsible for their performance under this DPA. We will use commercially reasonable efforts to impose data protection terms no less protective than those in this DPA. A current high-level list can be requested via privacy@armorbullet.host.

9. International transfers

Customer Content may be processed in the regions where we or our sub-processors operate infrastructure. Where transfers require safeguards under applicable law (e.g. standard contractual clauses), we will implement appropriate mechanisms available to us as a processor. Customer is responsible for assessing whether our service locations are suitable for its data.

10. Security

Measures include access control, encryption in transit where offered, network monitoring, and operational security practices described in our Security policy. Customer remains responsible for application-level security, passwords, SSH keys, CMS patches, and end-user data handling.

11. Audits

Upon reasonable written request (no more than once per year unless a breach or regulatory demand), and subject to confidentiality, we will provide security documentation or written answers reasonably necessary to demonstrate compliance. On-site audits require mutual agreement, advance notice, and cost allocation if they exceed standard evidence packages.

12. Liability and term

Liability under this DPA is subject to the limitations in the Terms of service unless mandatory law provides otherwise. This DPA lasts for the duration of processing of Customer Content under the Covered Services and survives for residual copies until deleted per our retention practices.

13. Contact

Privacy / DPA: privacy@armorbullet.host · Legal: legal@armorbullet.host

Questions? Contact us or email legal@armorbullet.host