Data Processing Agreement (DPA) & Data Breach Response Procedure
This Data Processing Agreement (“Agreement”) forms part of the service agreement between the Client/Customer and On Target Web Design LTD.
Version: [v2.0] | Effective date: 01 March 2026
Updated to reflect the change in server location from the UK to the EU in 2021 (see section 9).
1. Parties
- Controller
- The Client/Customer purchasing services from On Target Web Design LTD (the “Controller”).
- Processor
- On Target Web Design LTD, Ireland (the “Processor”).
2. Definitions
Terms such as personal data, processing, controller, processor, data subject, and personal data breach have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
3. Scope and Purpose
The Processor will process personal data on behalf of the Controller only as necessary to provide the services agreed between the parties, which may include (as applicable):
- Website hosting and application hosting
- Website maintenance and technical support
- Database hosting, administration, and troubleshooting
- Backup, restore, and disaster recovery support
- Security monitoring related to service delivery
The Processor will not process personal data for its own purposes (except as strictly necessary to provide the services) and will not sell personal data.
4. Controller Instructions
- The Processor shall process personal data only on documented instructions from the Controller.
- If the Processor believes an instruction infringes the GDPR or other applicable law, it will inform the Controller without undue delay.
5. Confidentiality
- The Processor shall ensure persons authorised to process personal data are bound by confidentiality obligations.
- Access to personal data shall be limited to those who require it for the performance of the services.
6. Security of Processing (GDPR Article 32)
The Processor shall implement appropriate technical and organisational measures to protect personal data, taking into account the nature, scope, context, and purposes of processing and the risks to data subjects.
Measures may include (as appropriate):
- Encrypted connections (HTTPS/TLS) for web services and administrative access
- EU/EEA-based hosting infrastructure and restricted administrative access
- Firewalls, server hardening, and least-privilege access control
- Patch management and timely security updates for supported software
- Backups and tested restore procedures (subject to the Controller’s selected service level)
- Logging/monitoring of relevant system events and access activity (where enabled/available)
- Procedures to manage credentials and secure remote access
7. Personal Data Breach Notification
- The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s personal data.
- The Processor shall provide available information reasonably required to assist the Controller in meeting obligations under GDPR, including (where known) the nature of the breach, categories and approximate number of data subjects concerned, and likely consequences.
- The Processor’s detailed operational steps for breach handling are set out in the Data Breach Response Procedure below.
8. Sub-processors
The Controller authorises the Processor to engage sub-processors where necessary to deliver the services. The Processor will ensure sub-processors are subject to data protection obligations equivalent to those in this Agreement.
Categories of sub-processors may include (as applicable):
- EU/EEA hosting infrastructure providers
- EU/EEA backup and storage providers
- Monitoring, security, and uptime services
- Email delivery or transactional messaging providers (if provided as part of the services)
The Processor remains responsible to the Controller for the performance of its sub-processors.
9. International Transfers
EU/EEA Hosting: The Processor’s hosting infrastructure used for these services is located within the European Union / European Economic Area (EU/EEA).
The Processor will not transfer the Controller’s personal data outside the EU/EEA unless:
- Authorised by the Controller in writing; and
- Appropriate safeguards are implemented in accordance with the GDPR.
10. Assistance to the Controller
The Processor shall assist the Controller, to the extent reasonably possible and taking into account the nature of processing, with:
- Responding to data subject requests (access, rectification, erasure, restriction, portability, objection)
- Security and breach-related obligations (Articles 32–34)
- Data protection impact assessments (where applicable)
- Regulatory inquiries relating to the Processor’s services
11. Data Return and Deletion
On termination of the services, the Processor shall, at the Controller’s request, delete or return personal data (and delete existing copies) unless retention is required by applicable law.
Backups: Data may remain in secure backups for a limited retention period in line with the Processor’s backup cycle or the Controller’s selected service level. Backup data is protected by access controls and is overwritten/expired in the normal course.
12. Audit and Compliance Information
The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement. Any audit requests must be reasonable, proportionate, and subject to confidentiality and security restrictions.
13. Responsibility and Liability
Each party remains responsible for complying with its obligations under applicable data protection law. Nothing in this Agreement relieves either party of its direct responsibilities under the GDPR.
14. Governing Law
This Agreement is governed by the laws of Ireland.
Schedule 1 — Description of Processing
- Subject matter
- Provision of hosting, maintenance, and technical services for the Controller’s website(s) and related systems.
- Duration
- For the term of the service agreement, plus any limited backup retention period.
- Nature of processing
- Storage, hosting, access (as needed for support), backup, restore, maintenance, and troubleshooting.
- Purpose(s) of processing
- Delivering the contracted services to the Controller and maintaining availability, integrity, and security.
- Categories of data subjects
- Website users, customers/clients of the Controller, registrants, staff, contractors (depending on the Controller’s system).
- Categories of personal data
- May include names, email addresses, usernames, contact details, IP addresses, registration data, and content submitted via forms. The Controller determines which personal data is collected and stored through its website/system.
- Special category data
- Not intended to be processed unless explicitly agreed in writing and appropriate safeguards are in place.
Data Breach Response Procedure
On Target Web Design LTD (Processor Procedure)
1. Purpose
This procedure describes how On Target Web Design LTD (“Processor”) detects, manages, investigates, and notifies the Controller of personal data breaches affecting personal data processed on behalf of clients, in line with GDPR obligations.
2. What is a Personal Data Breach?
A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Common examples in web/hosting contexts include:
- Exposure of backups or files (e.g., misconfigured public directory)
- Compromised credentials leading to unauthorised access
- Malware/ransomware affecting hosted systems
- SQL injection or application vulnerability exposing records
- Email misdelivery containing personal data
3. Roles and Contacts
- Breach Lead (Processor)
- Huw Roberts / Director / +353861091183
- Technical Lead (Processor)
- Huw Roberts / Director / +353861091183
4. Response Principles
- Act quickly: contain first, then investigate.
- Preserve evidence: logs, timestamps, access records, affected files.
- Minimise exposure: revoke access, isolate systems, patch vulnerabilities.
- Communicate clearly: notify the Controller without undue delay.
- Document everything: actions taken, findings, and final outcomes.
5. Breach Response Steps
Step A — Detection and Initial Triage
- Identify the incident source (alert, customer report, monitoring, logs, unusual activity).
- Decide if personal data could be involved (yes/no/unknown).
- Start an incident record (date/time discovered, reporter, systems affected).
Step B — Containment
- Disable compromised accounts / rotate credentials / revoke tokens.
- Isolate affected service (temporary firewall rule, suspend site, block IPs where appropriate).
- Remove exposed public files or restrict access immediately.
- Apply urgent patches or configuration fixes.
Step C — Assessment and Investigation
- Determine what happened and the likely attack/incident vector.
- Identify what data may be affected (categories, approximate volume, time window).
- Review relevant logs (web server, application, database, authentication, backups) where available.
- Check whether data was exfiltrated or merely exposed (a best-effort judgement based on the available evidence).
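As an added illustration of Step C (example code, not part of the Processor's procedure): a Python check over constructed web-server access-log lines that finds successful requests for paths that should never be public (the misconfigured backup directory case from section 2) and reports the time window, distinct clients and bytes served, which are the facts a Controller notification needs. The sensitive-path patterns and the log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache/nginx "combined" format;
# not real data from any hosted system.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2026:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2026:09:15:41 +0000] "GET /backups/site-2026-03-01.sql.gz HTTP/1.1" 200 8831204 "-" "curl/8.4.0"
198.51.100.23 - - [02/Mar/2026:09:15:50 +0000] "GET /backups/ HTTP/1.1" 200 1024 "-" "curl/8.4.0"
203.0.113.7 - - [02/Mar/2026:09:20:11 +0000] "GET /backups/site-2026-02-28.sql.gz HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Mar/2026:11:02:33 +0000] "GET /backups/site-2026-03-01.sql.gz HTTP/1.1" 200 8831204 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed list of paths that must not be served publicly; extend per site.
SENSITIVE_PATH_RE = re.compile(r'^/(backups?|dumps?|\.git)(/|$)', re.I)


def find_exposed_downloads(log_text):
    """Return successful (2xx) requests for sensitive paths, grouped by path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if not (200 <= int(m['status']) < 300) or not SENSITIVE_PATH_RE.match(m['path']):
            continue  # only confirmed successful responses count as exposure
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        size = int(m['size']) if m['size'] != '-' else 0
        hits[m['path']].append((ts, m['ip'], size))
    return dict(hits)


def summarise(hits):
    """Facts Step C asks for: time window, distinct clients, approximate volume."""
    events = [e for evs in hits.values() for e in evs]
    if not events:
        return None
    return {
        'first_seen': min(e[0] for e in events),
        'last_seen': max(e[0] for e in events),
        'distinct_clients': sorted({e[1] for e in events}),
        'bytes_served': sum(e[2] for e in events),
        'paths': sorted(hits),
    }


if __name__ == '__main__':
    print(summarise(find_exposed_downloads(SAMPLE_LOG)))
```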
Step D — Notification to Controller (Processor Duty)
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s personal data.
The notification will include, where known:
- Description of the incident and date/time range
- Systems/services affected
- Categories of personal data and data subjects affected
- Mitigation steps already taken
- Recommended next steps for the Controller
- Point of contact for follow-up
Step E — Remediation and Recovery
- Remove malware/backdoors; re-secure systems; patch root causes.
- Restore from clean backups where appropriate.
- Enhance controls to prevent recurrence (WAF rules, hardening, MFA, etc.).
- Validate that services are stable and secure before resuming normal operations.
Step F — Post-Incident Review
- Complete an incident report with timeline, root cause, and corrective actions.
- Record lessons learned and preventative measures.
- Update policies, procedures, and technical controls as needed.
6. Controller Responsibilities (for clarity)
The Controller is responsible for determining whether notification to a supervisory authority and/or affected data subjects is required. The Processor will assist with information reasonably required for the Controller to meet those obligations.
7. Incident Records and Retention
- Maintain an internal incident record including actions taken, evidence gathered, and outcomes.
- Retain records for 2 years or as required by law/contract, subject to confidentiality and security controls.
8. Review
This procedure is reviewed at least annually and after significant incidents or changes to services or infrastructure.