Back to Lifna

Data Processing Agreement

Last updated: 2026-05-13

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Customer") and Lifna trading as Lifna ("Lifna"). It applies where Lifna processes personal data on behalf of the Customer in hosted Drupal sites, backups, exports, logs, and support workflows.

Roles

For hosted Drupal site data, the Customer is the controller and Lifna is the processor. For Lifna account, billing, security, and platform administration data, Lifna may act as an independent controller as described in the Privacy Policy.

Processing details

Subject matter Managed Drupal hosting, deploys, backups, restores, security updates, monitoring, and support.
Duration For the term of the Customer's use of Lifna and any deletion or retention period that follows.
Nature Storage, hosting, transmission, backup, restoration, deployment, troubleshooting, and deletion.
Purpose To provide Lifna hosting and operational services to the Customer.
Data subjects Customer staff, agency users, Drupal site admins, site visitors, client contacts, and other people whose data is placed in hosted sites.
Data types Drupal account data, content, form submissions, logs, files, database records, configuration, secrets, and metadata.

Customer instructions

Lifna will process Customer personal data only to provide the service, follow documented Customer instructions, comply with law, or protect the service from urgent security or abuse risk. The Customer is responsible for ensuring its instructions are lawful.

Security measures

  • HTTPS for app and tenant traffic.
  • Encrypted Laravel secrets and tenant environment variables at rest.
  • Role-based access controls and policy checks around sites, exports, deploys, shells, and secrets.
  • Tenant isolation through Docker containers and dedicated environment routing.
  • Host firewall, fail2ban, queue supervision, and restricted deploy sudoers rules.
  • Audit logs for sensitive actions such as downloads, deploys, backups, and environment operations.
  • Backup retention, export expiry, and scheduled cleanup jobs to reduce stale sensitive data.

Subprocessors

The Customer gives general authorisation for Lifna to use subprocessors needed to provide the service. Current subprocessors are listed at Subprocessors. Lifna will update the list before adding or replacing material subprocessors, giving Customers a reasonable opportunity to object where required by applicable data protection law.

International transfers

Lifna is designed to host customer site data in EU Hetzner infrastructure. Some subprocessors, such as payment or email providers, may process limited operational data outside the UK or EEA. Where required, Lifna relies on appropriate transfer safeguards such as adequacy regulations, the UK International Data Transfer Addendum, or EU Standard Contractual Clauses.

Assistance

Lifna will provide reasonable assistance for data subject requests, security incidents, DPIAs, and regulator enquiries where they relate to Customer personal data processed by Lifna. The Customer remains responsible for responding to its own data subjects unless otherwise agreed.

Personal data breach

Lifna will notify affected Customers without undue delay after becoming aware of a confirmed personal data breach affecting Customer personal data, and will provide information reasonably available to support Customer notification duties.

Return and deletion

Customers can export site databases, files, and code from Lifna. On deletion, Lifna will delete or anonymise Customer personal data unless retention is required for legal, billing, security, or dispute purposes. Backups and exports are deleted according to configured retention periods.

Audit

Lifna will make reasonable information available to demonstrate compliance with this DPA. Audits must be scoped, scheduled in advance, and conducted without compromising the security or confidentiality of other customers.

Conflict

If this DPA conflicts with the Terms, this DPA controls for the processing of Customer personal data.