ACCEPTABLE USE POLICY (AUP)
This AUP is incorporated by reference in your hosting services agreement with WPCloud.
Your services may be suspended or terminated for violation of this AUP in accordance with your hosting services agreement with WPCloud.
Inquiries regarding this policy should be directed to firstname.lastname@example.org.
You may not use the WPCloud network or services to engage in, foster, or promote illegal, abusive, or irresponsible behavior, including:
- Unauthorized access to or use of data, systems or networks, including any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without express authorization of the owner of the system or network
- Monitoring data or traffic on any network or system without the express authorization of the owner of the system or network
- Interference with service to any user of the WPCloud or other network including, without limitation, mail bombing, flooding, deliberate or non-deliberate attempts to overload a system, and broadcast attacks
- Use of an Internet account or computer without the owner’s authorization
- Collecting or using email addresses, screen names or other identifiers without the consent of the person identified (including, without limitation, phishing, Internet scamming, password robbery, spidering, and harvesting)
- Collecting or using information without the consent of the owner of the information
- Use of any false, misleading, or deceptive TCP/IP packet header information in an email or a newsgroup posting
- Use of the service to distribute software that covertly gathers information about a user or covertly transmits information about the user
- Use of the service for distribution of advertisement delivery software unless: (i) the user affirmatively consents to the download and installation of such software based on a clear and conspicuous notice of the nature of the software, and (ii) the software is easily removable by use of standard tools for such purpose included on major operating systems (such as Microsoft’s “add/remove” tool)
- Any conduct that is likely to result in retaliation against the WPCloud network or website, or WPCloud employees, officers or other agents, including engaging in behavior that results in any server being the target of a denial of service attack (DoS)
- Bulk Email: You may not use a WPCloud Mail Service to send bulk mail.
- No Lottery or Auction based sites unless approved by WPCloud staff.
- Due to the current legal limbo (gray area), we do not allow marijuana dispensaries.
You must comply with the CAN-SPAM Act of 2003 and other laws and regulations applicable to commercial email. In addition, commercial email must meet the following requirements:
- Your intended recipients have given their consent to receive email from you via some affirmative means, such as an opt-in procedure
- Your procedures for seeking consent include reasonable means to ensure that the person giving consent is the owner of the email address for which consent is given
- You retain evidence of each recipient’s consent in a form that can be promptly produced on request, and you honor recipients’ and WPCloud’s requests to produce consent evidence within 72 hours of receipt of the request
- You have procedures in place that allow a recipient to revoke their consent, such as a link in the body of the email or instructions to reply with the word “Remove” in the subject line, and you honor revocations of consent within 48 hours, and you notify recipients that the revocation of their consent will be implemented in 48 hours
- You may not obscure the source of your email in any manner, such as omitting, forging, or misrepresenting message headers or return addresses. Your email must include the recipient’s email address in the body of the message or in the “TO” line of the email
- The subject line of the email must clearly describe the subject matter contained in the email, and the message must include valid contact information
- You must not attempt to send any message to an email address if 3 consecutive delivery rejections have occurred and the time between the third rejection and the first rejection is longer than fifteen days
- We do not allow clients to send more than 2000 pieces of e-mail per day. If you do send more than 2000 pieces of e-mail per day, your account could be placed on hold for Network Abuse.
These policies apply to messages sent using your WPCloud services, or to messages sent from any network by you or any person on your behalf that directly or indirectly refer the recipient to a site or an email address hosted via your WPCloud service. In addition, you may not use a third party email service that does not practice similar procedures for all its customers. These requirements apply to distribution lists prepared by third parties to the same extent as if the list were created by you.
WPCloud may test and otherwise monitor your compliance with its requirements. WPCloud may block the transmission of email that violates these provisions.
You may not use your service to send email or any other communications to a person who has indicated that they do not wish to receive it. If the communication is bulk mail, then you will not be in violation of this section if you comply with the 48 hour removal requirement described above.
You may not attempt to probe, scan, penetrate or test the vulnerability of a WPCloud system or network, or to breach WPCloud security or authentication measures, whether by passive or intrusive techniques, without WPCloud’s express written consent.
Newsgroup, Chat Forums, Other Networks
You must comply with the rules and conventions for postings to any bulletin board, chat group or other forum in which you participate, such as IRC and USENET groups including their rules for content and commercial postings. These groups usually prohibit the posting of off-topic commercial messages, or mass postings to multiple forums.
You must comply with the rules of any other network you access or participate in using your WPCloud services.
You may not publish, transmit or store on or via WPCloud’s network and equipment any content or links to any content that WPCloud reasonably believes:
- Constitutes, depicts, fosters, promotes or relates in any manner to child pornography, bestiality, or non-consensual sex acts
- Is excessively violent, incites violence, threatens violence, or contains harassing content or hate speech
- Is unfair or deceptive under the consumer protection laws of any jurisdiction, including chain letters and pyramid schemes
- Is defamatory or violates a person’s privacy
- Creates a risk to a person’s safety or health, creates a risk to public safety or health, compromises national security, or interferes with an investigation by law enforcement
- Improperly exposes trade secrets or other confidential or proprietary information of another person
- Is intended to assist others in defeating technical copyright protections
- Infringes on another person’s copyright, trade or service mark, patent, or other property right
- Promotes illegal drugs, violates export control laws, relates to illegal gambling, or illegal arms trafficking
- Is otherwise illegal or solicits conduct that is illegal under laws applicable to you or to WPCloud
- Is otherwise malicious, fraudulent, or may result in retaliation against WPCloud by offended viewers or recipients, or is intended to harass or threaten.
- No Lottery or Auction based sites unless approved by WPCloud staff.
- No Porn
- No File Storage
Content “published or transmitted” via WPCloud’s network or equipment includes Web content, email, bulletin board postings, chat, tweets, and any other type of posting or transmission that relies on the Internet.
Live Events
You may not use your WPCloud services to stream live sex acts of any kind, even if the content would otherwise comply with the AUP. WPCloud may prohibit you from streaming other live events where there is a special risk, in WPCloud’s reasonable discretion, that the event may violate the Offensive Content section above.
You may not use WPCloud’s network or services to download, publish, distribute, or otherwise copy or use in any manner any text, music, software, art, image, or other work protected by copyright law unless:
- You have been expressly authorized by the owner of the copyright for the work to copy the work in that manner
- You are otherwise permitted by established copyright law to copy the work in that manner
It is WPCloud’s policy to terminate in appropriate circumstances the services of customers who are repeat infringers.
You may not use any shared system provided by WPCloud in a way that unnecessarily interferes with the normal operation of the shared system, or that consumes a disproportionate share of the resources of the system. For example, we may prohibit the automated or scripted use of WPCloud Mail Services if it has a negative impact on the mail system, or we may require you to repair coding abnormalities in your code if it unnecessarily conflicts with other customers’ use of the shared environment. You agree that we may quarantine or delete any data stored on a shared system if the data is infected with a virus, or is otherwise corrupted, and has the potential to infect or corrupt the system or other customers’ data that is stored on the same system.
- You must have valid and current information on file with your domain name registrar for any domain hosted on the WPCloud network
- You may only use IP addresses assigned to you by WPCloud in connection with your WPCloud services
- You agree that if the WPCloud IP numbers assigned to your account are listed on an abuse database like Spamhaus, you will be in violation of this AUP, and WPCloud may take reasonable action to protect its IP numbers, including suspension and/or termination of your service, regardless of whether the IP numbers were listed as a result of your actions
ADDENDUM: DATA PROCESSOR AGREEMENT
2.1 The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- Processing of personal data
3.1 Purpose: The purpose of the processing under the TOS is the provision of the Services by the Data Processor as specified in the TOS.
3.2 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
3.3 “Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the “Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update sub-appendix A whenever changes occur that necessitate an update.
3.4 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).
4.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Main Services as described in the Main Service Level Agreement. Subject to the terms of this DPA and with mutual agreement of the parties, the Data Controller may issue additional written instructions consistent with the terms of this Agreement. The Data Controller is responsible for ensuring that all individuals who provide written instructions are authorised to do so.
4.2 The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller’s instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
4.3 The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified.
- The Data Processor’s obligations
5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller in writing has agreed.
5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.
5.1.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Main Services and this Data Processor Agreement.
5.2 The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
5.3.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.
5.4 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.
5.5 Data protection impact assessments and prior consultation
5.5.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
5.6 Rights of the data subjects
5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
5.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
5.7 Personal Data Breaches
5.7.1 The Data Processor shall give immediate notice to the Data Controller if a breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed in relation to the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).
5.7.2 The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps as they deem necessary to establish the cause, and to prevent such a breach from reoccurring.
5.8 Documentation of compliance and Audit Rights
5.8.1 Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processor’s premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.
5.8.2 The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.
5.9 Data Transfers
5.9.1 Ordinarily, the Data Processor will not transfer your data to countries outside Canada. In some cases, personal data will be saved on storage solutions that have servers outside Canada, [for example, Google Apps Mail]. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed. All of our hosting infrastructure is located in Canada.
6.1 The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.
6.2 In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.
6.3 The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.
6.4 The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
6.5 The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B under paragraph 2.
- Remuneration and costs (Optional)
7.1 The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 5.5, 5.6, 5.7 and 5.8 of this Data Processor Agreement based on the Data Processor’s hourly rates.
7.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Main Services due to the change in the Instruction. The Data Processor is exempted from liability for non-performance with the Main Agreement if the performance of the obligations under the Main Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case: (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Main Agreement is changed to reflect the new Instruction and commercial terms thereof.
- Limitation of Liability
8.1 The total aggregate liability to the Client, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Main Service Level Agreement.
8.2 Nothing in this DPA will relieve the processor of its own direct responsibilities and liabilities under the GDPR.
9.1 The Data Processor Agreement shall remain in force until the Main Service Level Agreement is terminated.
- Data Protection Officer
10.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.
11.1 Following expiration or termination of the Agreement, the Data Processor will delete or return to the Data Controller all Personal Data in its possession as provided in the Agreement except to the extent the Data Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.
12.1 The contact information for the Data Processor and the Data Controller is provided in the Main Service Level Agreement.
We only collect information about you if we have a reason to do so, for example, to provide our Services, to communicate with you, or to make our Services better.
We collect information in three ways: if and when you provide information to us, automatically through operating our Services, and from outside sources.
1.1 The Data Processor processes the following types of Personal Data in connection with its delivery of the Main Services:
- WPCloud Inc. provides Canadian-based hosting of data and files that enable the Data Controller’s Website & Email to run and be distributed, as well as a ready-made infrastructure to run specific features or parts of a WordPress Website.
- IP Addresses
- Basic Account Information (details you provided when signing up for a WPCloud hosting account)
- Transaction & Billing Information (we do not store credit card details)
- Credentials (cPanel, wp-admin, sftp)
- Support Communications (emails to support, support ticket contents)
- LOGS – Like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, such as the browser type, IP address, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information. We collect log information when you use our Services. Logs are rotated (deleted) monthly.
- Third Party Vendors: We may share information about you with third party vendors who need to know information about you in order to provide their services to us, or to provide their services to you or your site. This group includes vendors that help us provide our Services to you (like payment providers that process your credit and debit card information, fraud prevention services that allow us to analyze fraudulent payment transactions, postal and email delivery services that help us stay in touch with you, customer chat and email support services that help us communicate with you, and registrars, registries, and data escrow services that allow us to provide domain registration services), and those that help us understand and enhance our Services (like analytics providers). We require vendors to agree to privacy commitments in order to share information with them.
- Categories of data subjects
2.1 The Data Processor processes personal data about the following categories of data subjects on behalf of the Client:
- [Relevant contact details of the Data Controller]
- APPROVED SUB-PROCESSORS
1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Agreement:
- GOOGLE CLOUD PLATFORM
- LiteSpeed (image optimization)
- DNS MADE EASY
- New Sub-Processors
2.1 The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:
SERVICE LEVEL AGREEMENT (SLA)
SERVICE AVAILABILITY – We guarantee network uptime of 99.95% in a given calendar month, excluding our list of exceptions.
EXCEPTIONS – We provide a very clear list of exceptions below.
– Maintenance period of 2AM – 5:30AM ET
– Emergency maintenance due to security or hardware replacement/repair (1 HOUR – 24/7)
– Downtime caused by third party DNS providers or client side DNS changes
– DDOS Mitigation
– Performing WordPress core & plugin update (under maintenance) periods.
– Modified code, changes, edits, installs (theme/core/plugins) by client or client contractor. (example would be 500 errors)
– Firewall blocks (your office IP blocked due to firewall rule trigger)
– Downtime caused by violation of our TOS/AUP
– Force majeure or any event beyond our control.
– Dev, sandbox & staging sites are not covered under our SLA.
SLA CREDITS (MONTHLY)
– 99.95% allows for 21.92 minutes of downtime in a given month.
– 23-60 minutes of downtime, you will receive a credit of 5% for the AFFECTED install(s).
– 61-120 minutes of downtime, you will receive a credit of 10% for the AFFECTED install(s).
– 121-180 minutes of downtime, you will receive a credit of 25% for the AFFECTED install(s).
– Any downtime event exceeding 180 minutes of downtime, you will receive a credit of 100% for the AFFECTED install(s).
– All of the above are based on the monthly charge for your install, SLA credits will not exceed 100% of your monthly fee.
– Downtime events are based on our monitoring. In the case of a dispute, the raw access logs will be reviewed to verify no traffic was being served.
HOW TO REQUEST SLA CREDITS
– Open a ticket detailing the downtime event for our review.
– Once approved, SLA credits will be applied as a credit balance on your WPCloud account & will be used for future invoices.