Data Processing Addendum

When you store data inside a database hosted on DBHost, you are the data controller and DBHost is your data processor. This addendum forms part of your Terms of Service and describes how DBHost processes the personal data you upload on your behalf.

Last updated: May 2026

1. Scope

This DPA applies whenever DBHost processes personal data on a customer’s behalf — primarily the row-level contents of the customer’s PostgreSQL databases. The customer is the data controller; DBHost is the data processor.

2. Subject matter, duration, nature, purpose

Subject matter: provision of managed PostgreSQL hosting, including pooling, backups, dashboard, and API.

Duration: for the term of the customer’s subscription, plus the wind-down windows described in section 10 (Return + deletion).

Nature: storage, transmission, backup, and operational maintenance of customer-supplied database contents.

Purpose: to provide the service the customer has subscribed to.

3. Categories of data subjects and personal data

The categories of data subjects and personal data are defined by the customer through how they use their database. DBHost has no visibility into row-level contents and does not classify the data on the customer’s behalf.

4. Sub-processors

DBHost engages the following sub-processors. Material changes to this list are notified by email at least 30 days before becoming effective.

| Sub-processor | Role | Region | Transfer mechanism |
|---|---|---|---|
| Vercel | Hosting (control plane) | EU (Frankfurt, fra1) | EU |
| AWS Lightsail | Tenant database VPS | eu-north-1 (Stockholm) — moving to Hetzner HEL1 (Helsinki) after Phase 5; this DPA will be revised on cutover | EU |
| AWS S3 | Encrypted backups | eu-north-1 (Stockholm) | EU |
| Clerk | Authentication | US | EU SCCs |
| Stripe | Payment processing | US | EU SCCs |
| Resend | Transactional email | US | EU SCCs |
| BetterStack | Status page + uptime monitoring | EU | EU |

5. Tenant isolation

The Pro tier runs on shared infrastructure: a single VPS hosting a multi-tenant PostgreSQL instance. Tenants are separated by per-database PostgreSQL roles, a per-database connection cap of 30, and per-role statement, lock, and idle timeouts.

Customers who require dedicated infrastructure should look at the Dedicated tier (Phase 6 — contact us for details and a timeline).

6. Security measures

The technical and organisational measures DBHost implements are described in our Security policy and form part of this DPA by reference.

7. Data subject requests

If DBHost receives a data subject request directly, we forward it to the customer without delay and do not respond on the customer’s behalf unless instructed.

For requests routed through the customer, DBHost assists with technical actions (read-only access, export, deletion) within a reasonable time, typically within 30 days.

8. Personal data breach notification

In the event of a personal data breach affecting customer data, DBHost notifies the affected customer without undue delay and in any case within 72 hours of becoming aware of the breach. The notification includes the nature of the breach, the categories and approximate volume of records affected, the likely consequences, and the measures taken or proposed to address it.

9. Audits

The customer has the right to audit DBHost’s compliance with this DPA. Audits are conducted via written questions; DBHost responds in writing within 30 days. On-site audits are not practical for a one-person operation, but we are happy to schedule a video call for follow-up questions.

10. Return and deletion of customer data

  • On termination, the customer’s databases are deleted from the primary host within 30 days.
  • Backup objects under prod/<dbname>/ in the S3 backup bucket expire automatically through the bucket lifecycle rule, on a 30-day rolling window.
  • Audit log entries are redacted to a null user identifier after the retention period in our Privacy policy expires.
  • Customers can request earlier deletion at any time per the process in our Privacy policy.

11. Liability and governing law

Liability under this DPA is governed by the limitations in the Terms of Service. The DPA is governed by the laws of Norway.

Questions?

Need a counter-signed copy, or have questions about a specific sub-processor or transfer? Reach out and we’ll respond promptly.
