GDPR Compliance
How Envosta protects your data and upholds your rights under the General Data Protection Regulation.
Overview & Commitment
Envosta is committed to protecting the privacy and security of personal data for all users, including those in the European Economic Area (EEA), the United Kingdom, and Switzerland. We comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.
This page outlines how we meet our obligations as both a data controller (when we process your account and billing information) and a data processor (when we host and manage your WordPress sites and handle data on your behalf).
Scope & Applicability
This GDPR compliance page applies to all personal data processed by Envosta in connection with our managed WordPress hosting services, including:
- Visitors to our website at envosta.com
- Customers who sign up for and use our hosting plans
- Contacts who reach out to our sales or support teams
- End users of websites hosted on the Envosta platform
If you are an Envosta customer hosting a website that collects personal data from your own visitors, you act as the data controller for that data, and Envosta acts as the data processor. Our Data Processing Agreement governs that relationship.
Lawful Basis for Processing
Under GDPR, we must have a valid legal basis for processing your personal data. Depending on the context, we rely on one or more of the following:
- Contractual Necessity (Article 6(1)(b)): Processing required to deliver the hosting services you have purchased, manage your account, and provide technical support.
- Legitimate Interest (Article 6(1)(f)): Processing needed to maintain platform security, prevent fraud, improve our services, and communicate relevant product updates. We balance our interests against your rights and freedoms.
- Consent (Article 6(1)(a)): When you opt in to receive marketing emails, participate in surveys, or enable optional analytics. You may withdraw consent at any time.
- Legal Obligation (Article 6(1)(c)): Processing required to comply with applicable laws, such as tax regulations, anti-money laundering requirements, and law enforcement requests.
Data We Collect & Process
We collect only the data necessary to provide our services. For a detailed breakdown of the specific data points, please refer to our Privacy Policy. In summary:
As a Data Controller
- Account details — name, email address, company name
- Billing information — processed securely via PCI-compliant payment providers
- Support communications — tickets, emails, and live chat transcripts
- Usage and analytics data — aggregated platform usage to improve our services
As a Data Processor
- Website content and databases hosted on your Envosta server
- Visitor data collected by your WordPress site (e.g., form submissions, comments, WooCommerce orders)
- Server logs generated by traffic to your hosted sites
We do not access, use, or share the data stored on your hosted sites unless explicitly instructed by you (for example, during a support request or migration).
Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, the GDPR grants you the following rights over your personal data. You can exercise any of these by contacting us at privacy@envosta.com.
Right of Access
Request a copy of the personal data we hold about you and information about how it is processed.
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data when it is no longer necessary or when you withdraw consent.
Right to Restriction
Request that we limit the processing of your data in certain circumstances while issues are resolved.
Right to Portability
Receive your data in a structured, machine-readable format and transfer it to another provider.
Right to Object
Object to processing based on legitimate interests, including profiling and direct marketing.
We respond to all data subject requests within 30 days. If we need more time due to the complexity of the request, we will notify you within the initial 30-day period and may extend by up to two additional months as permitted under GDPR.
To verify your identity and protect against unauthorized requests, we may ask you to confirm your account details before processing your request.
Data Protection Measures
We implement comprehensive technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or destruction:
Technical Measures
- Encryption: All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
- Infrastructure: Our servers are hosted in SOC 2 Type II certified data centers in the EU and US.
- Access Controls: Role-based access with multi-factor authentication for all internal systems.
- Monitoring: 24/7 intrusion detection, DDoS mitigation, and real-time security monitoring.
- Backups: Automated daily backups with encrypted offsite storage and tested disaster recovery procedures.
Organizational Measures
- Regular data protection training for all employees and contractors
- Internal data protection policies and incident response procedures
- Periodic security audits and penetration testing by independent third parties
- Data minimization practices — we only collect and retain what is strictly necessary
International Data Transfers
Envosta operates data centers in the European Union and the United States. When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place as required by GDPR Chapter V:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to countries without an adequacy decision.
- EU-U.S. Data Privacy Framework: Where applicable, we rely on the EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations.
- Data residency options: Customers on Business and Enterprise plans can choose to keep all data exclusively within EU-based data centers.
You can request information about the specific safeguards applied to transfers of your data by contacting privacy@envosta.com.
Sub-Processors & Third Parties
We use a limited number of sub-processors to help deliver our services. Each sub-processor is vetted for GDPR compliance and bound by a Data Processing Agreement. Key sub-processors include:
- Cloud Infrastructure: Data center and server providers located in the EU and US
- Payment Processing: PCI DSS Level 1 certified payment processors
- CDN & Performance: Content delivery network providers with global edge locations
- Support Tools: Helpdesk and communication platforms for customer support
- Analytics: Privacy-focused analytics tools for aggregated platform insights
We maintain an up-to-date list of sub-processors. Customers who have signed a DPA are notified at least 30 days before any new sub-processor is added, giving them the opportunity to object.
Data Retention & Deletion
We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected:
- Active accounts: Data is retained for the duration of your account and service agreement.
- After account closure: Core account data is deleted within 90 days. Backups containing account data are purged within 180 days.
- Billing records: Retained for up to 7 years as required by tax and financial regulations.
- Support tickets: Retained for 2 years after resolution for quality assurance purposes, then deleted.
- Server logs: Automatically rotated and deleted after 90 days.
If you request erasure of your data under Article 17, we will delete your personal data within 30 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims.
Data Breach Notification
In the event of a personal data breach, Envosta follows a strict incident response protocol in line with GDPR Articles 33 and 34:
- Supervisory Authority: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.
- Affected Individuals: If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.
- Customers (as processor): If a breach affects data we process on your behalf, we will notify you within 48 hours so you can fulfill your own controller obligations.
All breach notifications will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the incident.
Data Protection Officer
Envosta has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance program. You can contact our DPO for any questions or concerns about how we handle personal data:
- Email: dpo@envosta.com
- Mail: Data Protection Officer, Envosta Inc., 123 Hosting Lane, Suite 400, San Francisco, CA 94105
Our DPO is responsible for monitoring compliance, conducting Data Protection Impact Assessments (DPIAs) where required, and serving as the point of contact for supervisory authorities.
Complaints & Supervisory Authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may contact:
- The supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement
- The Irish Data Protection Commission (DPC), which serves as our lead supervisory authority in the EU
- The UK Information Commissioner's Office (ICO) if you are based in the United Kingdom
Before filing a complaint, we encourage you to contact us first at dpo@envosta.com so we can address your concerns directly and resolve any issues promptly.
Data Processing Agreement
If you are an Envosta customer and require a Data Processing Agreement (DPA) for GDPR compliance, we provide a pre-signed DPA that covers:
- The nature and purpose of data processing
- Categories of personal data and data subjects
- Obligations and rights of the controller and processor
- Sub-processor management and notification procedures
- Data security obligations and breach notification commitments
- Data return and deletion upon termination of services
- Standard Contractual Clauses (SCCs) as an annex for international transfers
Updates to This Page
We may update this GDPR compliance page from time to time to reflect changes in our practices, our sub-processor list, or applicable regulations. When material changes are made, we will notify affected customers by email and post a notice on our website at least 30 days before the changes take effect.
We encourage you to review this page periodically. For any questions about updates, please contact dpo@envosta.com.