Data Processing Agreement (DPA)

Effective: January 14, 2026 | Version 1.0

This Data Processing Agreement ("DPA") forms part of the Secondary DNS Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller in compliance with Regulation (EU) 2016/679 (GDPR).

1. Definitions

Terms used in this DPA have the meanings set forth in the GDPR. Specifically:

• "Personal Data": Email addresses, domain names, primary DNS server IP addresses, API keys
• "Processing": Zone hosting, zone data storage, DNS query responses, zone transfer operations
• "Data Subjects": Domain owners, administrators, end users querying hosted zones
• "Controller": The customer who registers domains for secondary DNS hosting
• "Processor": le_dns (Maiko BOSSUYT, EI), providing secondary DNS hosting infrastructure

2. Scope and Purpose of Processing

2.1. Purpose

The Processor shall process Personal Data solely for the purpose of providing Secondary DNS Hosting services, which includes:

• Receiving zone transfers from Customer's primary DNS servers
• Storing DNS zone data (including any personal data within DNS records)
• Responding to DNS queries for hosted zones
• Managing Customer account information (email, zone list, TSIG keys)

2.2. Duration

Processing shall continue for the duration of the service agreement and until all Personal Data is deleted as specified in Section 9.

2.3. Nature of Processing

• Operations: Collection, storage, retrieval, dissemination (DNS query responses), erasure
• Categories of Data: Contact data (email), technical data (IP addresses, domain names, DNS records)
• Special Categories: None (no sensitive personal data processing)

3. Data Processor Obligations (GDPR Article 28(3))

The Processor shall:

• Process only on instructions: Only process Personal Data based on documented instructions from the Controller (zone transfer requests, API commands)
• Personnel confidentiality: Ensure all personnel with access to Personal Data are bound by confidentiality obligations
• Implement security measures: Maintain appropriate technical and organizational measures as described in Section 4
• Respect sub-processor requirements: Comply with Section 5 regarding sub-processors
• Assist with data subject rights: Provide reasonable assistance to enable the Controller to respond to Data Subject requests (Section 6)
• Assist with compliance: Help the Controller comply with GDPR obligations regarding security, breach notification, and impact assessments
• Delete or return data: Upon termination, delete or return all Personal Data as specified in Section 9
• Make information available: Provide information necessary to demonstrate compliance with Article 28 obligations

4. Security Measures (GDPR Article 32)

The Processor implements the following technical and organizational security measures:

4.1. Access Control

• Authentication: API key-based authentication with bcrypt-hashed keys
• TSIG keys: HMAC-SHA256 authentication for zone transfers
• SSH keys: Server access restricted to SSH key authentication (no passwords)
• Role-based access: Internal access controls limit personnel access to necessary data only

4.2. Transmission Security

• TLS encryption: All HTTPS/API traffic encrypted with TLS 1.2+ (Let's Encrypt certificates)
• DNSSEC: Zone integrity protection via DNSSEC signatures
• TSIG-secured transfers: Zone transfers authenticated and encrypted

4.3. Storage Security

• Encrypted volumes: Server volumes encrypted at rest (provider-level encryption)
• Database security: PostgreSQL with password authentication, restricted network access
• Backup encryption: Backups (if implemented) encrypted and access-controlled

4.4. Organizational Measures

• Regular updates: Security patches applied promptly
• Monitoring: Prometheus/Grafana monitoring for anomaly detection
• Logging: Operational logs retained 7 days for security incident investigation
• Incident response: Documented breach notification procedure (Section 7)

5. Sub-Processors (GDPR Article 28(2) & (4))

5.1. Authorized Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors:

• OVHcloud (OVH SAS) – Server / IaaS – ovhcloud.com
• Scaleway (Scaleway SAS) – Server / IaaS – scaleway.com
• Hetzner (Hetzner Online GmbH) – Server / IaaS – hetzner.com

All sub-processors are EU-based. No data is transferred outside the European Economic Area (EEA).

5.2. Sub-Processor Changes

The Processor shall:

• Notify the Controller of any intended changes to sub-processors at least 30 days in advance via email
• Allow the Controller to object to new sub-processors on reasonable data protection grounds
• If the Controller objects and the Processor cannot accommodate, either party may terminate the service with 30 days notice

6. Data Subject Rights

6.1. Controller Responsibility

The Controller is responsible for responding to Data Subject requests (access, rectification, erasure, etc.). The Processor shall assist by:

• Providing zone data export via API within 7 days of request
• Deleting zones upon Controller request (processed immediately)
• Rectifying account data (email address changes) via API or web UI

6.2. Direct Requests

If the Processor receives a Data Subject request directly, it shall:

• Forward the request to the Controller within 48 hours
• Not respond directly to the Data Subject unless legally required to do so

7. Data Breach Notification (GDPR Articles 33-34)

7.1. Processor Notification to Controller

In the event of a Personal Data breach, the Processor shall notify the Controller within 24 hours of becoming aware, including:

• Nature of the breach (unauthorized access, data loss, etc.)
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of records affected
• Contact point for further information: security@ledns.eu
• Likely consequences of the breach
• Measures taken or proposed to address the breach

7.2. Cooperation

The Processor shall cooperate with the Controller to investigate and remediate the breach, including providing access to relevant logs and forensic data.

8. Audits and Compliance (GDPR Article 28(3)(h))

8.1. Audit Rights

The Controller may conduct audits or inspections to verify GDPR compliance, subject to:

• Notice: At least 30 days advance written notice
• Frequency: Once per year (more frequently if required by law or in case of breach)
• Scope: Limited to processing of Controller's Personal Data
• Confidentiality: Auditor must sign confidentiality agreement

8.2. Audit Alternatives

The Processor may satisfy audit requirements by:

• Providing attestation reports (if available in the future)
• Completing security questionnaires
• Granting read-only access to relevant documentation

9. Data Retention and Deletion

9.1. Active Zones

While zones are active, Personal Data is retained as necessary to provide the service.

9.2. Deleted Zones

• Zones moved to archive table for 30 days (accidental deletion recovery)
• Permanently deleted (including TSIG keys) after 30-day retention
• Controller may request immediate deletion via support@ledns.eu

9.3. Operational Logs

• Application logs: 7 days retention (abuse detection, debugging)
• Aggregated metrics: 31 days retention (no PII, query volume statistics)

9.4. Termination

Upon service termination, the Processor shall:

• Delete all Customer Personal Data within 30 days (or immediately upon request)
• Provide data export before deletion if requested
• Certify deletion in writing if requested

10. International Data Transfers

No international transfers: All processing occurs within the European Union (France, Germany). No data is transferred to third countries or international organizations.

If international transfers become necessary in the future, the Processor shall implement appropriate safeguards (Standard Contractual Clauses, Adequacy Decisions, etc.) and notify the Controller in advance.

11. Liability (GDPR Article 82)

Each party shall be liable for damages caused by processing in accordance with GDPR Article 82:

• The Processor is liable only if it has not complied with GDPR obligations specifically directed to processors or has acted outside lawful instructions
• The Processor is not liable if it proves it is not in any way responsible for the event giving rise to the damage
• Where both parties are liable, courts shall determine each party's proportional responsibility

12. Indemnification

The Processor shall indemnify and hold harmless the Controller against claims, fines, and losses arising from the Processor's breach of this DPA or GDPR obligations, except where such breach results from the Controller's instructions or negligence.

13. Termination and Effect

13.1. Termination

This DPA terminates automatically upon termination of the Secondary DNS Hosting service agreement.

13.2. Effect of Termination

• Processor deletes or returns all Personal Data within 30 days
• Controller may request immediate deletion
• Processor may retain data longer if required by EU/Member State law (will notify Controller)

14. Governing Law and Jurisdiction

This DPA is governed by French law and subject to the jurisdiction of French courts.

GDPR and applicable EU/Member State data protection laws take precedence over any conflicting provisions.

15. Order of Precedence

In case of conflict between documents:

1. This Data Processing Agreement (DPA)
2. GDPR and applicable data protection laws
3. Secondary DNS Terms of Service
4. Privacy Policy

16. Amendments

This DPA may be amended to reflect:

• Changes in GDPR or data protection laws
• Guidance from supervisory authorities
• Changes in sub-processors or security measures

Material changes require 30 days notice to the Controller via email.

17. Contact for DPA Matters

Data Protection Contact:
Maiko BOSSUYT
le_dns
Email: legal@ledns.eu
Privacy inquiries: privacy@ledns.eu
Security incidents: security@ledns.eu