legal · dpa

Data Processing Agreement

Effective 2026-06-10. This DPA forms part of the Terms of Service between AES Services LLC (processor) and the customer (controller) and governs the processing of personal data when the customer processes their own users' personal data through the Metalhost Service. Defined terms below take precedence over the Terms in case of conflict on data-protection matters.

1. Roles & scope

For Customer Data processed under this DPA, the Customer is the Controller and AES Services LLC is the Processor, as those terms are defined in the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the Swiss Federal Act on Data Protection ("FADP").

This DPA applies whenever Metalhost processes personal data on behalf of the Customer in connection with the Service. It supplements the Terms of Service and survives termination of the Terms for as long as Metalhost holds Customer personal data.

Customer Data remains the Customer's. Metalhost claims no ownership of Customer Data and processes it solely on the Customer's instructions as described in this DPA. Metalhost will not use Customer Data to train AI/ML models, sell or "share" Customer Data for cross-context behavioral advertising, or process Customer Data for any commercial purpose other than delivering the Service. The Customer is solely responsible for the legality, accuracy, and content of Customer Data, including ensuring a lawful basis for processing under applicable data-protection law and that the data does not violate the Acceptable Use rules.

2. Subject matter, nature & duration

Subject matter: processing of personal data as necessary to provide the Metalhost Service to the Customer.

Nature of processing: hosting, storage, transmission, duplication, backup, deletion, and access-logging of personal data that the Customer or its users upload to or generate on the Service.

Categories of data subjects: whoever the Customer determines. Typically the Customer's own end-users, employees, or contacts.

Categories of personal data: whatever the Customer chooses to process on the Service. Metalhost does not require any specific category and does not inspect Customer Data beyond what is operationally required.

Duration: for the term of the Service plus the retention period in the Privacy Policy (typically 30 days post-termination for soft delete).

3. Processor obligations

Metalhost will:

  • Process Customer Data only on documented instructions from the Customer, including with regard to international transfers. The Customer's instructions are reflected in the Terms, this DPA, the Privacy Policy, and any configuration the Customer applies through the Service.
  • Ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation.
  • Implement appropriate technical and organizational measures (see Section 7) to ensure a level of security appropriate to the risk.
  • Engage sub-processors only on terms substantially equivalent to those in this DPA, and assist the Customer with notifications and objections (see Section 5).
  • Assist the Customer in responding to requests from data subjects exercising their rights under Chapter III of GDPR.
  • Assist the Customer with security, breach notification, impact assessments, and prior consultation with supervisory authorities under Articles 32-36 GDPR, taking into account the nature of processing and information available to the Processor.
  • On termination of the Service or on Customer request, return or delete all Customer Data, subject to legal retention obligations.
  • Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allow audits as described in Section 9.

4. Customer obligations

The Customer:

  • Confirms that it has, and will maintain throughout the processing, all necessary legal bases (consent, contract, legitimate interests, etc.) and notifications to data subjects for personal data it processes through the Service.
  • Will not provide special categories of personal data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR) to the Service unless and until adequate measures are in place; Metalhost does not warrant the Service is configured to receive such categories absent a separate written agreement.
  • Is responsible for the security of its own credentials, API keys, and access controls (MFA, scoped keys, member roles), and for promptly notifying Metalhost of any compromise.

5. Sub-processors

The Customer authorizes Metalhost to engage the sub-processors listed below, and such future sub-processors as Metalhost may notify under this Section. Metalhost remains fully liable to the Customer for the acts and omissions of its sub-processors as if they were Metalhost's own.

Sub-processorPurposeRegion
Stripe, Inc. Card and bank payments, payment-method storage, wallet top-ups, auto-recharge, and refunds United States
Coinbase Global, Inc. Cryptocurrency (USDC) wallet top-ups via Coinbase Commerce checkout and webhooks United States
Resend, Inc. Transactional email (account verification, org invites, billing alerts, invoices, support) United States
Cloudflare, Inc. DNS, DDoS mitigation, CDN/edge, marketing-site hosting (Pages), waitlist database (D1), and object storage (R2) for invoice PDFs, image uploads, bare-metal ISO library, and audit exports United States (global edge)
GitHub, Inc. (Microsoft) Optional OIDC single sign-on; public SSH key lookup when you opt in to import from GitHub United States
Google LLC Optional OIDC single sign-on (Google account login) United States

Notification & objection. Metalhost will give at least 30 days' notice (by email to the Customer's billing contact and via the Privacy Policy page) before engaging a new sub-processor that processes Customer Personal Data. The Customer may object in writing within 30 days of the notice on reasonable data-protection grounds. The parties will work in good faith to address the objection; if unable, the Customer may terminate the affected portion of the Service for cause without penalty.

6. International transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a country that is not the subject of an adequacy decision, the parties agree:

  • EEA: the Standard Contractual Clauses set out in Annex to Commission Implementing Decision (EU) 2021/914 ("EU SCCs") are incorporated by reference, with the parties adopting Module Two (controller-to-processor). The choice-of-law and forum clauses are governed by Irish law and Irish courts solely for the purposes of the SCCs.
  • UK: the UK International Data Transfer Addendum (Version B1.0, in force from 21 March 2022) is incorporated by reference, supplementing the EU SCCs.
  • Switzerland: the EU SCCs apply with the Swiss FDPIC amendments — references to GDPR are read as references to the FADP, the competent supervisory authority is the FDPIC, and "Member State" includes Switzerland.

For the SCCs Annex content (descriptions of the parties, processing, technical and organizational measures), the Customer's executed Order Form and this DPA together constitute the Annex. Where the Customer has not executed an Order Form, the Customer's account record (organization name, contact email, billing address) serves as the Customer-side party description.

7. Security measures

Metalhost implements and maintains technical and organizational measures appropriate to the risk, including:

  • Encryption in transit for all customer-facing endpoints (TLS 1.2+).
  • Encryption at rest on the storage tier where technically supported.
  • Access controls on internal systems following the principle of least privilege; MFA for staff; just-in-time elevated access for production debugging.
  • Audit logging for every administrative action on Customer-affecting systems.
  • Network segmentation between customer tenants (per-network OVN UDNs, OVN ACLs, KubeVirt isolation).
  • Secrets management for credentials accessed by the platform.
  • Vulnerability management with regular patching and dependency monitoring.
  • Incident response plan with named on-call rotation.
  • Staff training on data-protection obligations.
  • Background checks for personnel with production access where lawful.

Detail on the security program is at /security. Metalhost may update its security measures from time to time, provided that the updated measures do not materially reduce the level of security.

8. Personal data breach

Metalhost will notify the Customer without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address it.

Metalhost will cooperate with the Customer's reasonable requests in connection with the Customer's own notification obligations to supervisory authorities and affected data subjects.

9. Audits

The Customer (or an independent auditor mandated by the Customer, subject to confidentiality) may audit Metalhost's compliance with this DPA. Audits are subject to:

  • Reasonable advance notice (at least 30 days), no more than once per 12 months absent a triggering event (breach, regulator inquiry).
  • Conduct during normal business hours, in a manner that does not unreasonably interfere with Metalhost's operations.
  • Compliance with Metalhost's reasonable security and confidentiality requirements.
  • The Customer bearing its own costs and Metalhost's reasonable costs of supporting the audit.

Metalhost may satisfy audit requests by providing recent third-party audit reports (e.g., SOC 2 once available) or summary documentation, where these reasonably address the audit scope.

10. Return & deletion

On termination of the Service, the Customer may request export of its data through standard Service tooling (snapshots, object-store export, usage CSV export). After the 30-day soft-delete window described in the Privacy Policy, Metalhost will permanently delete or anonymize Customer Personal Data, except where retention is required by law (e.g., 7-year retention of billing records under US tax law). Records retained for legal reasons are not used for any other purpose and are deleted at the end of the legal retention period.

11. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where such limitations are not enforceable under applicable data-protection law.

12. Governing law

This DPA is governed by the law of the State of Texas, except that the SCCs and the UK Addendum continue to be governed by the laws designated within those instruments.

Contact & signing

By using the Service, the Customer accepts this DPA. Customers who require a separately executed copy (with custom Annex content, named Order Form, or additional signatory blocks) can email legal@metalhost.net to request one.

AES Services LLC
Texas, USA
dpo@metalhost.net · data-protection officer
legal@metalhost.net · DPA signing & interpretation
security@metalhost.net · breach notifications