Data Processing Agreement (DPA)
SwiftPress Software Ltd — when we process personal data on your behalf in connection with managed WordPress hosting. Last updated: 20 March 2026
When this DPA applies
This agreement supplements our Terms of Service where you (the customer) act as a data controller (or equivalent) under applicable data protection law for personal data relating to individuals (e.g. visitors to WordPress sites you host with us), and SwiftPress processes that data on your instructions as a processor. It is intended to meet UK GDPR and EU GDPR Article 28 requirements where they apply to that relationship.
1. Definitions
Capitalised terms not defined here have the meaning in the UK GDPR / EU GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" align with those laws.
2. Subject matter, nature, and purpose
Subject matter: hosting and related platform services for WordPress sites on SwiftPress infrastructure.
Duration: for the term of the hosting subscription and until deletion/return of data in line with the Terms and technical backup cycles.
Nature and purpose: storage, hosting, transmission, backup, security monitoring, support as requested by you, and other processing necessary to provide the Services you configure.
Types of data: may include identifiers, technical logs, content you upload (including WordPress database fields), and other data you choose to process on the platform.
Categories of data subjects: determined by you (e.g. your website visitors, customers, members).
3. Your instructions
We process Personal Data only on documented instructions from you, including these Terms, this DPA, and your configuration of the Services (including support tickets you submit). We will inform you if we believe an instruction infringes applicable law, unless prohibited from doing so.
4. Confidentiality and personnel
We ensure that persons authorised to process Personal Data are bound by confidentiality or statutory professional obligations.
5. Security
We implement appropriate technical and organisational measures appropriate to the risk, including as described in our Privacy Policy and security practices for the hosting platform (access control, monitoring, patching, segmentation as applicable).
6. Subprocessors
You authorise us to engage subprocessors to support the Services (e.g. infrastructure, payments where they touch Personal Data, email delivery). We impose data protection obligations on subprocessors materially equivalent to those here. We remain responsible for their performance. We will notify you of changes to subprocessors where required by law; where we provide a general list or update mechanism on our website or client area, you may object on reasonable data-protection grounds as described there.
7. Data subject requests
Taking into account the nature of hosting, we assist you by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects to exercise their rights under applicable law. Many requests for site visitor data must be fulfilled by you as controller; we assist where the data is solely in our possession as processor.
8. Breach notification
We notify you without undue delay after becoming aware of a Personal Data Breach affecting Personal Data we process on your behalf, and provide information reasonably available to us to assist you in meeting your own notification duties.
9. Deletion and return
At your choice, we delete or return Personal Data after the end of the provision of Services, except where law requires retention. Backup media may retain residual copies for a limited period until overwritten in the ordinary course.
10. Audits
On reasonable request, we make available information necessary to demonstrate compliance with Article 28 GDPR and allow for audits, including inspections conducted by you or a mutually agreed auditor, subject to confidentiality, security, and proportionality (e.g. annual questionnaire or summary reports where full onsite audit is impractical for a cloud host).
11. International transfers
Where Personal Data processed under this DPA is transferred outside the UK or EEA, we implement appropriate safeguards (e.g. UK IDTA, EU Standard Contractual Clauses, or adequacy) as required by law.
12. Conflict
If this DPA conflicts with the Terms of Service on processor obligations, this DPA prevails for processing of your end-users' Personal Data as described above. Otherwise the Terms prevail.
13. Contact
Processor contact: SwiftPress Software Ltd — use swiftpress.io or my.swiftpress.io support channels, or the registered address below marking "DPA".
Related legal documents
These documents apply to SwiftPress managed WordPress hosting and our website. They are intended to work together; where one document deals with a topic in more detail, that document controls for that topic.
- Terms of Service
- Privacy Policy
- Cookie Policy
- Refund Policy
- Service Level Agreement (SLA)
- All legal documents (overview)
- System statusLive operational view of platform components (not a legal document).
SwiftPress Software Ltd (company no. 16689460)
2 Copenhagen Street, Worcester, England, WR1 2HB, United Kingdom
Website: swiftpress.io · Client area: my.swiftpress.io · System status
For privacy, billing, and hosting support, use the contact options on our website or your client area.