Data Processing Agreement
Last updated: 2026-05-13
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Customer") and Lifna trading as Lifna ("Lifna"). It applies where Lifna processes personal data on behalf of the Customer in hosted Drupal sites, backups, exports, logs, and support workflows.
Roles
For hosted Drupal site data, the Customer is the controller and Lifna is the processor. For Lifna account, billing, security, and platform administration data, Lifna may act as an independent controller as described in the Privacy Policy.
Processing details
| Subject matter | Managed Drupal hosting, deploys, backups, restores, security updates, monitoring, and support. |
|---|---|
| Duration | For the term of the Customer's use of Lifna and any deletion or retention period that follows. |
| Nature | Storage, hosting, transmission, backup, restoration, deployment, troubleshooting, and deletion. |
| Purpose | To provide Lifna hosting and operational services to the Customer. |
| Data subjects | Customer staff, agency users, Drupal site admins, site visitors, client contacts, and other people whose data is placed in hosted sites. |
| Data types | Drupal account data, content, form submissions, logs, files, database records, configuration, secrets, and metadata. |
Customer instructions
Lifna will process Customer personal data only to provide the service, follow documented Customer instructions, comply with law, or protect the service from urgent security or abuse risk. The Customer is responsible for ensuring its instructions are lawful.
Security measures
- HTTPS for app and tenant traffic.
- Encrypted Laravel secrets and tenant environment variables at rest.
- Role-based access controls and policy checks around sites, exports, deploys, shells, and secrets.
- Tenant isolation through Docker containers and dedicated environment routing.
- Host firewall, fail2ban, queue supervision, and restricted deploy sudoers rules.
- Audit logs for sensitive actions such as downloads, deploys, backups, and environment operations.
- Backup retention, export expiry, and scheduled cleanup jobs to reduce stale sensitive data.
Subprocessors
The Customer gives general authorisation for Lifna to use subprocessors needed to provide the service. Current subprocessors are listed at Subprocessors. Lifna will update the list before adding or replacing material subprocessors, giving Customers a reasonable opportunity to object where required by applicable data protection law.
International transfers
Lifna is designed to host customer site data in EU Hetzner infrastructure. Some subprocessors, such as payment or email providers, may process limited operational data outside the UK or EEA. Where required, Lifna relies on appropriate transfer safeguards such as adequacy regulations, the UK International Data Transfer Addendum, or EU Standard Contractual Clauses.
Assistance
Lifna will provide reasonable assistance for data subject requests, security incidents, DPIAs, and regulator enquiries where they relate to Customer personal data processed by Lifna. The Customer remains responsible for responding to its own data subjects unless otherwise agreed.
Personal data breach
Lifna will notify affected Customers without undue delay after becoming aware of a confirmed personal data breach affecting Customer personal data, and will provide information reasonably available to support Customer notification duties.
Return and deletion
Customers can export site databases, files, and code from Lifna. On deletion, Lifna will delete or anonymise Customer personal data unless retention is required for legal, billing, security, or dispute purposes. Backups and exports are deleted according to configured retention periods.
Audit
Lifna will make reasonable information available to demonstrate compliance with this DPA. Audits must be scoped, scheduled in advance, and conducted without compromising the security or confidentiality of other customers.
Conflict
If this DPA conflicts with the Terms, this DPA controls for the processing of Customer personal data.