High Frequency Compute
Redundant NVMe Storage
Optimized for Performance
1-Click CDN and LSCache
Proactive Server Monitoring
99.9% Uptime, 24/7 Support
Offsite Backup, SSL
IP Blacklist Protection
Last Updated: August 23, 2023
This Data Processing Agreement ("DPA"), as updated from time to time, supplements and its term and conditions are subject to MechanicWeb's Terms of Service ("TOS"), by and between MechanicWeb and Customer, which are incorporated herein by this reference, and governs MechanicWeb's use of Customer's Data (as defined herein) (as a controller of such data). MechanicWeb and Customer may be individually referred to as a "Party" or collectively, the "Parties."
The Parties have agreed to enter into this DPA to safeguard Personal Data with respect to the requirements of the General Data Protection Regulation ("GDPR") of the European Union.
The following definitions are used in this DPA. Unless otherwise defined herein, all capitalized terms used in this DPA will have the meanings given in the TOS:
1.1. "Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
1.2. "Authorized Affiliate" means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Terms of Service.
1.3. "Agreement" means the TOS and all other written or electronic agreement(s) between MechanicWeb and Customer, which govern use of the Website, Products, or Order Form (as applicable), as such terms or agreement may be updated from time to time. For the avoidance of doubt, all references to the “Agreement” shall also include the Standard Contractual Clauses (where applicable, as defined herein).
1.4. “Customer” means a Website visitor, user and/or the party set forth in the related Order Form.
1.5. "Customer Data" means the Personal Data MechanicWeb and/or its Affiliates process on behalf of Customer in the course of providing, or via Services, as more particularly described in this DPA.
1.6. "Personal Data" means any information about, or related to, an identifiable natural person, which includes any information that can be linked to an individual or used to directly or indirectly identify an individual, natural person.
1.7. "Data Subject" is defined as the person associated with the Personal Data.
1.8. "Controller" means an entity that determines the purposes and means of the processing of Personal Data.
1.9. "Processor" means an entity that processes Personal Data on behalf of the Controller.
1.10. "Sub-processor" means any Processor engaged by MechanicWeb or its Affiliates to assist in fulfilling its obligations with respect to serving or providingthe Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of MechanicWeb but shall exclude MechanicWeb's employees, contractors, or consultants.
1.11. "Processing" means any operation performed upon Personal Data, such as using, accessing, retrieving, collecting, recording, securing, storing, adapting or altering, disclosing by transmission, disseminating or otherwise making available, blocking, erasing, or destroying. "Processes" and "Process" shall be construed accordingly.
1.12. "Data Protection Laws" means all data protection laws, regulations, and legislation relating to data protection and privacy related to processing of Customer Data under the Agreement, including without limitation, where applicable, EU Data Protection Laws, in each case as amended, repealed, consolidated or replaced from time to time.
1.13. "Europe" means the European Economic Area and its member states ("EEA"), Switzerland and the United Kingdom ("UK").
1.14. "EU Data" means Personal Data under this DPA from the European Union (EU), the European Economic Area (EEA) and/or their member states, Switzerland and/or the United Kingdom.
1.15. "EU Data Protection Laws" means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, "UK Data Protection Law"); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA").
1.16. "Sensitive Data" means (i) social security number, passport number, driver’s license number, tax file number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the last four digits of a credit or debit card, and/or as required for processing payment); (iii) employment, financial, credit, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; or (v) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.
1.17. "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by MechanicWeb.
1.18. "Standard Contractual Clauses" or "SCCs" means (i) the currently effective standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “Controller-to-Processor Clauses”); or (ii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “Processor-to-Processor Clauses”); as applicable in accordance with the applicable term(s) herein.
The Parties acknowledge and agree to comply with this DPA where and only to the extent of either Party's processing of Customer Data, which is subject to Data Protection Laws of the European Union (EU), the European Economic Area (EEA), and/or their member states, Switzerland and/or the United Kingdom.
MechanicWeb shall process Customer Data as "Processor" to Customer or any Affiliate of Customer who may act either as "Controller" or "Processor" with respect to Customer Data. Nothing in this DPA shall prevent MechanicWeb from using or sharing any data that MechanicWeb may otherwise collect and process independently of Customer's use of the Services.
MechanicWeb shall process Customer Data in the course of providing the Services in accordance with Customer’s Documented Instructions as outlined in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing. MechanicWeb provides Customer with several controls, including security features and functionalities, to retrieve, correct, delete or restrict Customer Data. Without prejudice to Section 5.1, Customer may use these controls as technical and organizational measures to assist it concerning its obligations under the GDPR and all other applicable Data Protection Laws, including its obligations relating to responding to requests from Data Subjects.
Customer will not provide (or cause to be provided) any Sensitive Data to MechanicWeb for processing. MechanicWeb will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise, and this DPA does not apply to Sensitive Data.
The Parties agree that the TOS and this DPA, including the provision of instructions via configuration tools such as any MechanicWeb control panel, management console, and APIs made available by MechanicWeb to provide Services, constitute Customer's Documented Instructions regarding MechanicWeb's processing of Customer Data ("Documented Instructions"). MechanicWeb will process Customer Data only in accordance with Documented Instructions. Additional instructions concerning processing Customer Data outside the scope of the Documented Instructions (if any) require a prior written agreement between Customer and MechanicWeb.
2.6.1. MechanicWeb shall comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
2.6.2. Customer shall comply with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to MechanicWeb.
2.6.3. Customer agrees that it has provided all notice and has obtained and will continue to obtain all consents and rights necessary under Data Protection Laws for MechanicWeb to process Customer Data to provide the Services for the purposes described in the TOS and this DPA. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and how Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any other content created, sent, or managed through MechanicWeb, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
MechanicWeb shall process Customer Data, on behalf of Customer, submitted by or for Customer or collected and processed by or for Customer in the course of providing the Services, as a Processor only for the following purposes:
2.7.1. To provide the Services and support in accordance with the TOS.
2.7.2. To perform any steps necessary for the performance of the TOS.
2.7.3. To comply with any other reasonable instructions provided by Customer to the extent they are consistent with this DPA, and the TOS, in accordance with the Customer's Documented Instructions.
2.7.4. Customer Data may be subject to storage and other processing necessary to improve, provide, and maintain the Services provided to Customer
MechanicWeb will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to provide the Services, or as necessary, to comply with the law or a valid and binding order of a governmental body (such as a preservation request, warrant, subpoena or court order). If compelled to disclose Customer Data to a government body, MechanicWeb will notify Customer unless MechanicWeb is legally prohibited from doing so. If the SCCs apply, nothing in this Section varies or modifies the SCCs.
MechanicWeb restricts its personnel, including staff and Sub-processors, from processing Customer Data without authorization by MechanicWeb. MechanicWeb shall ensure that any personnel authorized by MechanicWeb to process Customer Data (including its employees, agents, and subcontractors) shall be under appropriate obligations, including relevant obligations regarding confidentiality, data protection, and data security (whether a contractual or statutory duty).
Notwithstanding anything to the contrary in the TOS and this DPA, Customer acknowledges that MechanicWeb has the right to use and disclose data related to and/or obtained in the course of providing the Services for its legitimate business purposes, such as sales, billing, support, account management, and marketing. MechanicWeb shall process such data in compliance with Data Protection Laws to the extent any such data is considered Customer Data under Data Protection Laws.
MechanicWeb shall implement and maintain adequate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data. In assessing the security level, MechanicWeb shall consider the risks from a Personal Data breach that Processing presents.
Customer acknowledges that the Security Measures are subject to technical progress and development, and that MechanicWeb may update or modify the Security Measures from time to time.
MechanicWeb shall promptly take reasonable steps to contain and investigate any Security Incident upon becoming aware of such. MechanicWeb's notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by MechanicWeb of any fault or liability concerning the Security Incident.
MechanicWeb shall notify Customer without undue delay, and where feasible, within forty-eight (48) hours of awareness of a Security Incident or a Personal Data breach affecting Customer’s Personal Data, with timely information related to the Security Incident as it becomes known or as is reasonably requested by Customer, to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws.
Customer agrees that, except as provided by this DPA, Customer is responsible for its secure use of the Services, securing Customer Account authentication credentials, protecting the security of Customer Data when in transit to and from the Services, and to securely encrypt or backup any Customer Data uploaded to the Services.
Customer consents that MechanicWeb may engage Sub-processors to carry out Processing activities on Customer Data on behalf of Customer to fulfill contractual obligations or to provide Services on its behalf. The Sub-processors list can be found here.
MechanicWeb shall:
6.2.1. Enter into a written agreement with each Sub-processor imposing at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and
6.2.2. Remain responsible for Sub-processor's compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that may cause MechanicWeb to breach any of its obligations under this DPA.
MechanicWeb shall notify Customer with reasonable advance notice if it adds or removes Sub-processors. MechanicWeb may update the Sub-processor list and may provide Customer with a mechanism to obtain notice of that update.
Customer may object in writing to MechanicWeb of any new Sub-processors on reasonable data protection grounds within five (5) calendar days of receiving such notice following Section 6.3 of this DPA. The Parties shall discuss such concerns in good faith to achieve a commercially reasonable resolution. If no solution can be achieved, either Party may terminate the affected Services per the termination provisions in the TOS without liability to either Party and without prejudice to any fees incurred by Customer prior to termination.
Taking into account the nature of the Processing, MechanicWeb shall, in so far as is possible, at Customer's expense, provide reasonable cooperation to assist Customer by appropriate technical and organizational measures, to the extent that Customer is unable to independently access the relevant Customer Data within the Services, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data as per the TOS. In the event that any such request is made to MechanicWeb directly, MechanicWeb shall not respond to such communication directly without Customer’s prior authorization, except legally required. If MechanicWeb is required to respond to such a request, MechanicWeb shall, unless legally prohibited from doing so, where Customer is identified or identifiable from the request, promptly notify Customer and provide Customer with a copy of the request. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent MechanicWeb from responding to any Data Subject or data protection authority requests in relation to personal data for which MechanicWeb is a controller.
To the extent required under applicable Data Protection Laws, MechanicWeb shall, at Customer's expense, provide all reasonably requested information regarding MechanicWeb's processing of Customer Data to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws.
Customer agrees that MechanicWeb may process, transfer and store Customer Data to and in the United States and anywhere else in the world where MechanicWeb, its Affiliates, and/or its Sub-processors maintain data processing operations in accordance with the requirements of Data Protection Laws and this DPA. MechanicWeb shall ensure that such Processing complies with the requirements of Data Protection Laws and this DPA to protect Customer Data.
Notwithstanding Section 8.1, to the extent that MechanicWeb processes or transfers Customer Data from the European Union (EU), the European Economic Area (EEA) and/or their member states, Switzerland and/or the United Kingdom, whether directly or via onward transfer, in or to countries that do not ensure an appropriate level of data protection in respect to applicable Data Protection Laws, MechanicWeb shall be deemed to take adequate measures by having aligned its operational policies with the requirements of applicable Data Protection Laws and this DPA to protect Customer Data. Customer hereby authorizes any transfer to, or access to Customer Data from such destinations outside the EU subject to any of these measures having been taken.
Upon termination or deactivation of the Services, MechanicWeb shall store Customer Data for no longer than 10 years from receipt, subject to an individual's right to be forgotten at any time, except that this requirement shall not apply to the extent MechanicWeb is required by applicable law to retain some or all of Customer Data, or to Customer Data it has archived on back-up systems, which such Customer Data MechanicWeb shall securely isolate, protect from any further processing, except to the extent required by applicable law.
In the event of any conflict or inconsistency between this DPA and the TOS, the provisions of the following documents (in order of precedence) shall prevail to the extent of the conflict: this DPA; and then the TOS.
This DPA is a part of and incorporated into the TOS. References to TOS in the TOS shall include this DPA.
No one other than a Party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
13.1. Each Party's and its Affiliates' liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
13.2. Any claims made against MechanicWeb or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by Customer.
13.3. In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
This DPA is entered into with effect from the earlier date of use of the Services.
This DPA shall remain in effect for as long as MechanicWeb carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement.
This DPA may be amended in any respect at any time by MechanicWeb upon the posting of the amended DPA on the mechanicweb.com website. Your continued use of the Services will be deemed consent to any such amended DPA. If you do not wish to continue to use the Services as a result of any such amendments, you may provide notice of your wish to terminate your Services to MechanicWeb.
We use cookies to enable essential site functionality, remember your preferences and repeat visits, and analyze our traffic. By clicking "Accept", you consent to our use of cookies. Learn more.
Accept