Legal

Data Processing Agreement (DPA)

Last updated: 2026-01-05

1. Parties

This DPA is between the Customer (Controller) and SIA Coma Cloud (Processor) and applies when Coma Cloud processes personal data on behalf of the Customer in connection with the Services.

2. Definitions

Terms such as “personal data”, “processing”, “controller”, and “processor” have the meaning given in GDPR.

3. Subject matter and duration

The subject matter is the processing of personal data within Customer Content to provide the Services. This DPA applies for the duration of the Services and until Customer data is deleted or returned as described herein.

4. Nature and purpose of processing

  • Hosting and storage of Customer Content.
  • Transmission of data at the Customer’s request.
  • Backups and disaster recovery, where purchased and enabled.
  • Security monitoring and incident handling.
  • Support operations (at Customer request).

5. Categories of data subjects and personal data

Categories depend on the Customer’s use of the Services and may include website visitors, end-users, employees, and customers. Personal data types may include identifiers, contact details, online identifiers (IP), and content submitted by end-users.

6. Controller obligations

The Customer is responsible for ensuring a lawful basis for processing, providing notices to data subjects, and handling data subject requests, unless otherwise agreed.

7. Processor obligations

  • Process personal data only on documented instructions from the Customer.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures.
  • Assist the Customer with data subject requests and compliance obligations where reasonably possible.
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Content.
  • At the Customer’s choice, delete or return personal data at end of Services, unless EU/Latvian law requires retention.

8. Subprocessors

The Customer authorises Coma Cloud to use subprocessors to deliver the Services. A current list is maintained at: Subprocessors.

Coma Cloud will impose data protection obligations on subprocessors consistent with this DPA.

9. International transfers

If processing involves transfers outside the EEA, Coma Cloud will use appropriate safeguards such as adequacy decisions or Standard Contractual Clauses, as applicable.

10. Audits

Upon reasonable request, Coma Cloud will make available information necessary to demonstrate compliance with this DPA. Audit requests must be proportionate, confidentiality-protected, and not unreasonably disrupt operations.

11. Liability

Liability under this DPA follows the limitation of liability provisions in the Hosting Terms, except where prohibited by applicable law.

Appendix A – Technical and organisational measures

  • Access controls and least-privilege administration.
  • Encryption in transit where supported (TLS).
  • Logging and monitoring for security events.
  • Segmentation and isolation controls appropriate to the service.
  • Backup procedures where enabled, and restoration testing practices as applicable.
  • Incident response process and vulnerability management.

Appendix B – Contact points

Processor contact: [email protected]
Security contact: [email protected] (or [email protected] if not available)