Data Processing Addendum
Controller-to-processor terms for our EU/EEA and UK customers.
1. Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Sunny Day and a customer ("the Customer") who is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or an equivalent data-protection law. Where it conflicts with the Terms of Service on a data-protection matter, this DPA prevails.
2. Roles of the parties
For personal data the Customer submits to the service, the Customer is the data controller and Sunny Day is the data processor, processing that data only on the Customer's documented instructions. For the Customer's own account and billing data, Sunny Day acts as a controller — that processing is described in our Privacy Policy.
3. Subject matter and duration
Sunny Day processes personal data for the purpose of providing the compute service for the duration of the Customer's subscription, and for the limited retention periods stated in the Privacy Policy.
4. Nature and purpose of processing
Processing consists of hosting, storing, and transmitting whatever data the Customer chooses to run on its compute instances, and the operational metadata needed to run, secure, and bill the service.
5. Sunny Day's obligations
- Process personal data only on the Customer's documented instructions, including for international transfers.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures.
- Assist the Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment obligations.
- Notify the Customer without undue delay on becoming aware of a personal-data breach affecting the Customer's data.
- On termination, delete or return the Customer's personal data, save where law requires retention.
- Make available the information needed to demonstrate compliance with this DPA.
6. Sub-processors
The Customer authorises Sunny Day to engage the sub-processors listed in our Privacy Policy — currently Stripe (payment processing), Cloudflare (DNS and edge delivery), and our Infrastructure-as-a-Service provider. Sunny Day imposes data-protection obligations on each sub-processor no less protective than those in this DPA, and remains responsible for each sub-processor's performance. We will give notice of any intended change of sub-processor so the Customer can object.
7. International transfers
Where processing involves a transfer of personal data outside the EEA or the UK to a country without an adequacy decision, the transfer is made under the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where the UK GDPR applies), which are incorporated into this DPA by reference. The specific clause modules and any supplementary measures are to be confirmed in legal review before launch.
8. Data-subject requests
Sunny Day will, to the extent legally permitted, promptly notify the Customer of any request received directly from a data subject, and will assist the Customer in fulfilling its obligation to respond. The erasure procedure is described in our Privacy Policy.
9. Audits
Sunny Day will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits conducted by the Customer or an auditor it mandates, subject to reasonable notice and confidentiality.
10. Liability and order of precedence
The liability provisions of the Terms of Service apply to this DPA. This DPA takes effect automatically for any Customer to whom GDPR or UK GDPR applies; no separate signature is required, though a signed copy is available on request.
11. Contact
Data-protection enquiries can be sent to our support team from the address on the Customer's account.