Data Processing Agreement
The data processing terms that apply where AIvikings processes personal data on behalf of a customer.
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between AIvikings and the customer. It applies where AIvikings processes personal data on behalf of the customer as a processor. Where AIvikings determines the purposes of processing (for example, its own account and security data), it acts as a controller and the Privacy Policy applies instead.
1. Roles
For personal data the customer submits to register or manage domains on behalf of third parties, the customer is the controller (or itself a processor for its own customer) and AIvikings is the processor. AIvikings processes that data only on the customer's documented instructions, including those set out in the Terms, unless required to act by law.
2. Subject matter and details
Subject matter: provision of domain registration and management services. Duration: the term of the Terms and Conditions. Nature and purpose: registering, renewing, and managing domains and meeting related legal obligations. Types of data: registrant contact data (name, email, postal address, phone). Categories of data subjects: the customer's registrants and contacts.
3. Processor obligations
AIvikings will: process personal data only on documented instructions; ensure persons authorised to process it are bound by confidentiality; implement appropriate technical and organisational security measures; assist the customer, taking into account the nature of processing, with data-subject requests and with the controller's obligations on security, breach notification, and impact assessments; and make available information needed to demonstrate compliance.
4. Sub-processors
The customer authorises AIvikings to engage sub-processors. AIvikings imposes data-protection obligations on each sub-processor equivalent to those in this DPA, and remains liable for their performance. AIvikings will inform the customer of any intended change of sub-processor and give the customer the opportunity to object. The current sub-processors are: OR Solutions FZ LLC (upstream accredited registrar partner), Stripe (card payments), Nicky (crypto-asset payments), and Hetzner (hosting).
5. International transfers
Personal data is stored within the EU where reasonably possible. Hetzner provides EU-based hosting. Stripe, Nicky, and OR Solutions FZ LLC may involve processing or remote access outside the EU/EEA. Where a transfer outside the EU/EEA takes place, AIvikings ensures an appropriate safeguard is in place, such as an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism under Chapter V GDPR.
6. Security
AIvikings implements measures appropriate to the risk, including encryption in transit, access control, MFA on administrative access, logging and audit trails, and backups, consistent with its obligations under NIS-2 and Article 32 GDPR.
7. Personal data breaches
AIvikings will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer's data, and will provide the information the customer reasonably needs to meet its own notification obligations.
8. Return or deletion
On termination, AIvikings will, at the customer's choice, delete or return the personal data processed on the customer's behalf, unless retention is required by law (including ICANN and registry retention rules).
9. Audits
AIvikings will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, on reasonable notice and subject to confidentiality.
10. Order of precedence
In case of conflict on data protection, this DPA prevails over the rest of the Terms and Conditions.