
Data Processing Addendum

1. Scope and Applicability

This Data Processing Addendum ("DPA") supplements the Master Service Agreement ("MSA"), Terms of Service, and all related Agreement Documents (collectively, the "Agreement") between Blue Arctic, LLC ("Blue Arctic," "Processor," "we," "us") and the subscribing entity ("Client," "Controller," "you") and governs Blue Arctic's processing of Personal Data on behalf of the Client in connection with the Services.

This DPA applies to the extent that Blue Arctic processes Personal Data that is subject to applicable Data Protection Laws on behalf of the Client. Where the terms of this DPA conflict with the terms of the Agreement regarding the processing of Personal Data, the terms of this DPA shall prevail.

This DPA does not apply to data that Blue Arctic processes as an independent data controller, such as Client account registration information, billing data, and website analytics — the processing of which is governed by the Privacy Policy.

2. Definitions

Capitalized terms not defined herein have the meanings given to them in the Agreement. The following definitions apply throughout this DPA:

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection or privacy legislation.

"Personal Data" means any information relating to an identified or identifiable natural person that Blue Arctic processes on behalf of the Client in connection with the Services. The specific categories of Personal Data are described in Section 4 of this DPA.

"Processing" (and its derivatives "process," "processed," "processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Controller" means the Client, as the entity that determines the purposes and means of the processing of Personal Data.

"Processor" means Blue Arctic, as the entity that processes Personal Data on behalf of the Controller.

"Subprocessor" means any third party engaged by Blue Arctic to process Personal Data on behalf of the Client.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, and any successor clauses approved by the European Commission or other competent authority.

3. Roles of the Parties

With respect to the processing of Personal Data under this DPA, the Client acts as the Data Controller and Blue Arctic acts as the Data Processor. The Client determines the purposes and means of processing Personal Data. Blue Arctic processes Personal Data solely on behalf of the Client and in accordance with the Client's documented instructions as described in this DPA and the Agreement.

Each party shall comply with its respective obligations under applicable Data Protection Laws. The Client is responsible for ensuring that it has a lawful basis for the processing of Personal Data and for providing any required notices to, and obtaining any required consents from, Data Subjects.

4. Processing Details

Blue Arctic processes Personal Data in connection with the provision of hosting, infrastructure management, and related professional services. The details of the processing are as follows:

Subject matter and purpose. The processing is necessary for Blue Arctic to provide the Services as described in the Agreement, including hosting, storing, transmitting, backing up, and maintaining Client Data on Blue Arctic's infrastructure.

Duration. Processing continues for the duration of the Agreement, plus any applicable data retrieval and deletion period as described in Section 12 of this DPA.

Nature of processing. Hosting, storage, transmission, backup, retrieval, deletion, and such other processing as is necessary to provide, maintain, and support the Services.

Categories of Data Subjects. Data Subjects may include, depending on the Client's use of the Services:

  • The Client's customers and end users
  • The Client's employees, contractors, and agents
  • Visitors to websites hosted on Blue Arctic's infrastructure
  • Any other individuals whose Personal Data is stored or processed through the Services

Categories of Personal Data. Depending on the Client's use of the Services, the Personal Data processed may include:

  • Contact information (names, email addresses, phone numbers, mailing addresses)
  • Account and authentication data (usernames, hashed passwords, security questions)
  • Transaction and billing data (order histories, invoices, payment references)
  • Technical data (IP addresses, browser metadata, device identifiers, access logs)
  • Content data (files, databases, emails, and other content stored on the Services)
  • Any other categories of Personal Data that the Client chooses to store or process through the Services

Special categories of data. The Client shall not submit special categories of Personal Data (as defined in Article 9 of the GDPR) to the Services unless the Client has obtained explicit consent from Data Subjects and has provided Blue Arctic with prior written notice. Blue Arctic does not knowingly process special categories of data and makes no representations regarding additional safeguards for such data beyond those described in Section 7.

Location of processing. Personal Data is processed and stored in the United States. Blue Arctic's primary infrastructure is located in its data center facilities in Tampa, Florida, USA.

5. Processor Obligations

Blue Arctic shall:

  • Process Personal Data only on documented instructions from the Client, unless required to do so by applicable law. Where Blue Arctic is required by law to process Personal Data other than on the Client's instructions, Blue Arctic shall inform the Client of that legal requirement before processing, unless prohibited from doing so by law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain commercially reasonable technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.
  • Assist the Client, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
  • Assist the Client in ensuring compliance with the Client's obligations regarding security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Blue Arctic.
  • At the Client's election, delete or return all Personal Data to the Client after the end of the provision of Services, subject to the terms of Section 12, and delete existing copies unless applicable law requires retention.
  • Make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, as described in Section 11.
  • Immediately inform the Client if, in Blue Arctic's opinion, an instruction from the Client infringes applicable Data Protection Laws.

6. Subprocessor Usage

The Client provides general authorization for Blue Arctic to engage Subprocessors in connection with the Services.

Categories of Subprocessors. Blue Arctic may engage Subprocessors in connection with the Services. Blue Arctic may provide categories of Subprocessors upon request to privacy@bluearctic.com.

Subprocessor obligations. Blue Arctic shall: (a) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA; and (b) remain liable to the Client for the performance of each Subprocessor's obligations to the extent required by applicable Data Protection Laws.

Changes to Subprocessors. Blue Arctic may update its Subprocessors from time to time as necessary to operate, maintain, secure, support, or improve the Services. Where appropriate, material changes may be communicated in accordance with applicable agreements.

Objection right. If the Client has a reasonable, documented objection to a Subprocessor based on data protection grounds, the Client shall notify Blue Arctic in writing within a reasonable period after becoming aware of the change. The parties shall discuss the objection in good faith. If no commercially reasonable resolution is reached, the Client's sole remedy is to terminate the affected Services upon written notice, and Blue Arctic shall refund any prepaid fees for the unexpired portion of the terminated Services on a pro-rata basis.

7. Security Measures

Blue Arctic implements and maintains commercially reasonable technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, without limitation:

  • Access control. Role-based access controls, multi-factor authentication for administrative access, and the principle of least privilege for all personnel with access to systems that process Personal Data.
  • Encryption. Encryption of data in transit using TLS 1.2 or higher. Encryption of data at rest where technically feasible and appropriate to the sensitivity of the data.
  • Network security. Firewalls, intrusion detection and prevention systems, and DDoS mitigation measures to protect infrastructure from unauthorized access and network-based attacks.
  • Physical security. Data center facilities with restricted physical access, including biometric access controls, 24/7 video surveillance, and environmental controls.
  • Monitoring and logging. Continuous monitoring of infrastructure and systems, with logging of access and security events for audit and incident investigation purposes.
  • Personnel security. Background checks for employees with access to Personal Data, mandatory confidentiality agreements, and regular security awareness training.
  • Business continuity. Regular data backups, disaster recovery planning, and redundant infrastructure to support service availability and data integrity.

A detailed description of Blue Arctic's technical and organizational measures is provided in SCC Appendix II. Blue Arctic shall regularly review and update its security measures to reflect changes in technology, industry standards, and the nature of the processing.

8. Breach Notification

Blue Arctic shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client, in accordance with applicable Data Protection Laws. Nothing in this DPA shall be construed to require Blue Arctic to provide notification within a shorter period than that required by applicable law.

The notification shall include, to the extent known at the time:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The name and contact details of Blue Arctic's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its adverse effects

Where it is not possible to provide all information at the same time, Blue Arctic shall provide the information in phases without further undue delay. Blue Arctic shall cooperate with the Client and take reasonable steps to assist the Client in investigating, mitigating, and remediating the breach.

Blue Arctic's obligation to notify the Client of a Personal Data Breach shall not be construed as an acknowledgment of fault or liability by Blue Arctic.

9. Data Subject Rights

Blue Arctic shall, taking into account the nature of the processing, assist the Client by appropriate technical and organizational measures, insofar as this is possible, to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

If Blue Arctic receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Client, Blue Arctic shall promptly redirect the Data Subject to the Client and notify the Client of the request, unless otherwise prohibited by law. Blue Arctic shall not respond to such requests directly unless authorized to do so by the Client in writing.

10. International Data Transfers

The Client acknowledges that Blue Arctic processes and stores Personal Data in the United States. To the extent that the Client's use of the Services involves the transfer of Personal Data from the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland to the United States, the parties agree to the following safeguards:

Standard Contractual Clauses. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are hereby incorporated into this DPA by reference and shall apply to transfers of Personal Data from the EEA to the United States where required by applicable Data Protection Laws. For the purposes of the SCCs:

  • Module Two (Controller to Processor) shall apply
  • The Client is the Data Exporter and Blue Arctic is the Data Importer
  • The details required by Annex I of the SCCs are set forth in SCC Appendix I
  • The technical and organizational measures required by Annex II of the SCCs are set forth in SCC Appendix II
  • Clause 9(a) Option 2 (General Written Authorization) shall apply, and the time period for prior notice of Subprocessor changes shall be as set forth in Section 6 of this DPA
  • The optional redress clause (Clause 11) shall not apply
  • The governing law of the SCCs (Clause 17) shall be the law of the EU Member State in which the Data Exporter is established, or where the Data Exporter is not established in any EU Member State, the law of an EU Member State as agreed between the parties
  • Disputes under the SCCs (Clause 18) shall be resolved before the courts of the applicable EU Member State determined in accordance with Clause 17

UK International Data Transfer Addendum. For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) is incorporated into this DPA and shall apply where required by UK Data Protection Laws.

Swiss transfers. For transfers of Personal Data from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including references to the FADP in place of the GDPR where applicable.

The incorporation of the SCCs into this DPA does not constitute a representation that SCCs have been individually executed with all third parties. The SCCs apply to the relationship between the Client (as Data Exporter) and Blue Arctic (as Data Importer) with respect to transfers governed by this DPA.

11. Audits

Blue Arctic shall make available to the Client, upon reasonable written request and subject to the terms of this section, information necessary to demonstrate compliance with Blue Arctic's obligations under this DPA. All audit and compliance activities under this section are subject to a frequency limit of once per 12-month period per audit type, unless required by applicable Data Protection Laws or following a confirmed Personal Data Breach affecting the Client's Personal Data.

Third-party reports. Blue Arctic's compliance obligations under this section may be satisfied, in whole or in part, through Blue Arctic's provision of third-party audit reports, security certifications, or attestations (such as SOC 2 Type II reports), which the Client agrees to accept as sufficient evidence of compliance where such reports reasonably address the subject matter of the Client's inquiry. Blue Arctic may also satisfy audit requests through aggregated or summary-level documentation where detailed disclosure is not reasonably necessary to address the inquiry. Blue Arctic shall provide such reports in confidential and redacted form where necessary to protect the security of Blue Arctic's infrastructure or the confidentiality of other clients. The Client shall bear all costs associated with requests for audit materials beyond Blue Arctic's standard documentation.

Documentation-based audits. Where third-party reports do not fully address a compliance inquiry, the Client may submit a written request (no more than once per 12-month period) for: (a) a summary of Blue Arctic's then-current security measures and policies; and (b) written responses to reasonable, specific data protection compliance questions. Blue Arctic shall respond within a commercially reasonable time. The Client shall bear all reasonable costs associated with documentation requests that exceed the scope of standard audit responses.

On-site audits. If the Client reasonably determines that documentation and third-party reports are insufficient to verify compliance with this DPA, the Client may request an on-site audit or inspection. Such audits shall be: (a) conducted no more than once per 12-month period; (b) at the Client's sole expense, including all costs incurred by Blue Arctic in facilitating the audit; (c) during regular business hours and upon at least 30 days' prior written notice; (d) limited in scope to the processing activities described in this DPA, as determined by Blue Arctic in its reasonable discretion; and (e) conducted in a manner that does not unreasonably disrupt Blue Arctic's operations or compromise the security, confidentiality, or privacy of Blue Arctic's other clients or infrastructure. Audits shall not require continuous, real-time, or system-level access to Blue Arctic's infrastructure, networks, or production systems. Blue Arctic may exclude from any audit access to systems, personnel, documentation, or areas unrelated to the processing of the Client's Personal Data, or where disclosure would expose confidential business information or create security risks. Audits may not be conducted by, or on behalf of, any entity that Blue Arctic reasonably determines to be a direct competitor of Blue Arctic. The Client and its auditors shall execute a non-disclosure agreement acceptable to Blue Arctic prior to any on-site audit.

Regulatory audits. Nothing in this section limits the rights of a supervisory authority to conduct audits or inspections as permitted by applicable Data Protection Laws.

12. Data Return and Deletion

Upon termination or expiration of the Agreement for any reason, the Client may retrieve its data through the client portal, cPanel, or other provided interfaces during the Data Retrieval Period of 30 calendar days following the effective date of termination, as described in the MSA.

Upon expiration of the Data Retrieval Period, Blue Arctic shall delete all Personal Data in its possession or control that was processed on behalf of the Client, including all copies, backups, and archived data, using commercially reasonable deletion methods. Blue Arctic shall confirm deletion in writing upon the Client's request.

Blue Arctic may retain Personal Data beyond the Data Retrieval Period only to the extent required by applicable law (such as tax or financial record-keeping obligations) or where retention is necessary for the establishment, exercise, or defense of legal claims. Any retained data shall continue to be protected in accordance with this DPA and shall be deleted when the retention obligation expires.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Master Service Agreement and the Terms of Service.

For the avoidance of doubt, Blue Arctic's total aggregate liability under this DPA and the Agreement combined shall not exceed the aggregate liability cap established in the MSA.

Nothing in this section limits either party's liability for breaches of confidentiality obligations, or to the extent that applicable Data Protection Laws prohibit such limitation.

14. Term and Termination

This DPA shall take effect on the date the Client first subscribes to or uses any Service and shall remain in effect for as long as Blue Arctic processes Personal Data on behalf of the Client. Upon termination of the Agreement, this DPA shall automatically terminate, subject to the data return and deletion provisions of Section 12 and any surviving obligations.

The obligations and rights of the parties under Sections 2 (Definitions), 8 (Breach Notification), 11 (Audits, to the extent necessary to verify compliance with deletion obligations), 12 (Data Return and Deletion), 13 (Liability), and this Section 14 shall survive termination of this DPA.

15. General Provisions

Precedence. In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail. In all other respects, the terms of the Agreement remain in full force and effect.

Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

Amendments. Blue Arctic may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or Blue Arctic's processing activities. Material changes will be communicated to the Client via email at least 30 days before taking effect. Continued use of the Services after the effective date of changes constitutes acceptance of the updated DPA.

Assignment. If Blue Arctic assigns the Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, and such assignment results in a change to the identity of the entity acting as Data Processor, Blue Arctic shall notify the Client of the assignment and the identity of the successor processor. The Client may exercise the same objection rights described in Section 6 (Subprocessor Usage) with respect to such assignment.

Governing law. This DPA shall be governed by and construed in accordance with the governing law provisions of the MSA, except to the extent that mandatory provisions of applicable Data Protection Laws require otherwise. For matters governed by the Standard Contractual Clauses, the governing law and jurisdiction provisions of the SCCs shall apply.

Contact. All notices and requests under this DPA should be directed to legal@bluearctic.com. Privacy-specific inquiries may also be directed to privacy@bluearctic.com.