Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and Abstract 27 Ltd (company number 07504698), trading as Abstract27. It applies whenever we process personal data on your behalf — typically the data your publication collects about its members and subscribers. For that data you are the data controller and Abstract27 is the data processor. It is entered into under Article 28 of the UK GDPR and EU GDPR.

1. Scope, nature, and purpose

We process personal data only to provide the hosting Service: storing and serving your site, sending newsletters you author, and backing up your data. The subject matter is the operation of your Ghost site; the duration is the term of your subscription; the categories of data subjects are your members, subscribers, and site visitors; and the types of personal data are those your site collects, typically names and email addresses.

2. Our obligations as processor

• Process personal data only on your documented instructions, including those given through the Service, unless required to act otherwise by law.
• Ensure that personnel authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (see section 4).
• Assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations.

3. Sub-processors

You authorise us to engage the sub-processors listed below to deliver the Service. We impose data-protection obligations on each that are no less protective than those in this DPA, and we remain responsible for their performance.

• Hetzner — hosting and compute (Germany)
• Vultr — encrypted backups (Netherlands)
• Mailgun — transactional and newsletter email
• Bunny — CDN and media storage
• Porkbun — domain registration
• Creem.io — billing (Merchant of Record)

We will give at least 30 days' notice before adding or replacing a sub-processor. If you reasonably object to a change on data-protection grounds, you may terminate the affected Service.

4. Security measures

We protect personal data with measures appropriate to the risk, including encryption of data in transit (TLS) and of backups at rest, access controls and least-privilege administration, network isolation between tenants, and regular daily backups stored in the EU. We restrict administrative access to what is necessary to operate and support the Service.

5. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide the information you reasonably need to meet your own notification obligations.

6. Return and deletion

On termination of the Service, and after any export window described in our Terms, we will delete the personal data we process on your behalf, unless we are required by law to retain it. You can export your data at any time during the term.

7. Audits and international transfers

We will make available the information reasonably necessary to demonstrate compliance with this DPA. Personal data is hosted in the EU; where any sub-processor transfers data outside the UK or EEA, we rely on appropriate safeguards such as adequacy decisions or Standard Contractual Clauses.

8. Contact

For any question about this DPA or to raise a data-protection matter, reach us through our contact page.