Privacy Hints
Nhost offers the following contact point for data protection issues and for its data protection officer: data.protecion@nhost.io
In this privacy hints document you may find information on:
- What is personal data and why it must be protected
- Data protection Supervisory Authorities
- Position of the companies storing and processing personal data at nhost.io as Controllers
- GDPR main obligations for data controllers under its scope
- Security measures implemented in Nhost
- List of Nhost subprocessors / where data is located
- Nhost Service Level Agreement
1. What is personal data and why it must be protected
Personal data is any information relating to an identified or identifiable natural person (the data subject). Examples of personal data are first and last name, web cookie identifiers, passport or national ID numbers, e-mail address, purchase history, date of birth, gender, biometric data, credit card data, IP address, picture/photo, alias, etc.
Organizations usually process personal data about their website visitors, clients, employees, collaborators, followers and others in order to fulfil their objectives and to comply with their legal and contractual obligations.
Any organization processing personal data must comply with data protection laws and regulations. In the European Union, the main regulation is the General Data Protection Regulation (EU) 2016/679 (GDPR). The GDPR applies not only to companies established in the EU, but also to companies established elsewhere that offer goods or services to individuals in the EU or monitor their behaviour.
Besides the GDPR, each EU member state has enacted additional data protection laws. Outside the EU, other data protection laws apply, including in the United Kingdom, Switzerland, the USA, Canada, Japan, Israel and elsewhere.
2. Data protection Supervisory Authorities
Most countries have one or several data protection authorities. Failing to comply with the GDPR can be fined up to 20.000.000 € or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in addition to compensation claims from affected parties.
Please refer to the website of the data protection supervisory authority in your country or seek specialized advice on data protection.
3. Position of the companies storing and processing personal data at nhost.io as Controllers
Companies subscribing to nhost.io services can store and process personal data in nhost.io databases and storage. For such data processing:
- the subscribing company acts as data controller
- Nhost acts as data processor
Data protection laws impose requirements on both data controllers and data processors. In these privacy hints, data controllers can find information on some of the requirements imposed on them by the GDPR, as well as on the data protection and security guarantees offered by Nhost.
The data protection and security guarantees offered by Nhost are covered in the Data Processing Agreement offered as part of the Nhost Terms of Service for companies under the scope of the GDPR.
4. GDPR main obligations for data controllers under its scope
4.1 Record of processing activities. Companies must keep a record of processing activities in accordance with Article 30 of the GDPR. In this record, the company must include and describe the processing performed with Nhost.
4.2 Inform data subjects when collecting their data. The information must be provided in accordance with Articles 13 and 14 of the GDPR and includes, among other aspects: (i) the identity of the data controller, (ii) the contact details of the data protection officer, (iii) the purposes of the processing, (iv) the recipients of the data, (v) the data subjects' rights, etc. Please seek the advice of a data protection expert to draft the information clauses and to obtain proof of compliance with this requirement.
4.3 Identify a valid legal basis for the processing. Personal data may usually only be processed on the basis of the data subject's consent, the performance of a contract, compliance with a legal obligation, a task carried out in the public interest, or a legitimate interest that is not overridden by the interests of the data subject (Article 6 of the GDPR). The available legal bases may vary by country and sector, depending on whether special categories of data are processed (such as health data, biometric data or data on criminal convictions) and on whether the data subjects are adults or children. Processing without consent or another valid legal basis is a serious, punishable infringement. Please seek the advice of a data protection expert to obtain proof of compliance with this requirement.
4.4 Perform a risk analysis and, where necessary, a data protection impact assessment. The risk assessment must cover, among others, the risks to the rights and freedoms of individuals, the risks to the confidentiality and security of the data, and the risk of non-compliance with data protection regulations. An in-depth data protection impact assessment (Article 35 of the GDPR) is usually required in situations such as the processing of sensitive data, large-scale processing, systematic observation or monitoring of data subjects, the use of new technologies, etc. Please seek advice from a data protection expert, or from your local data protection authority, for compliance with this requirement. Note that where the processing would result in a high risk that cannot be mitigated, the data protection authority must be consulted before the processing begins (Article 36 of the GDPR).
4.5 Minimize data and limit its retention. Ensure you only store and process the minimum data required for the purpose of the processing and avoid collecting unnecessary data. Delete data once it is no longer necessary for that purpose. Ensure that data is only accessible to the personnel involved in the processing and to nobody else. Anonymize or pseudonymize any data you need to keep for statistical or historical purposes.
4.6 Appoint a data protection officer. In accordance with Articles 37, 38 and 39 of the GDPR, as well as varying local requirements, you may be required to appoint a data protection officer. Even if not required by laws and regulations, you may appoint one voluntarily. The GDPR requires you to communicate the identity and contact details of your data protection officer to your data protection supervisory authority.
4.7 Implement appropriate technical and organisational measures to ensure data security. Security requirements may stem from legal requirements, contractual requirements and a security risk analysis that takes into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (Article 32 of the GDPR).
For the data stored and processed in nhost.io, you can find more information later in this document about the technical and organisational measures implemented by Nhost in the service. It remains the duty of every company using Nhost services to assess whether those measures are sufficient for its own processing.
4.8 Report personal data breaches. Depending on the severity and risk, personal data breaches must be notified to the data protection authority and communicated to the individuals whose data has been compromised (Articles 33 and 34 of the GDPR).
Nhost will communicate any breach of which it becomes aware without undue delay. The GDPR establishes that the data controller, once aware of a breach, has 72 hours to notify it to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
4.9 Enter into data processing agreements. Any company must enter into data processing agreements with its data processors pursuant to Article 28 of the GDPR. Since Nhost is a data processor, a data processing agreement is offered, as part of its Terms of Service, to companies under the scope of the GDPR that make use of Nhost services.
4.10 Authorize subprocessing. Data processing agreements with data processors must cover the use of subprocessors. A list of Nhost subprocessors is provided later in this document.
5. Security measures implemented in Nhost
Among the security measures applied in the Nhost services, the following are included:
- Personnel functions and obligations: Nhost personnel have received the necessary training on IT systems security and are bound by the corresponding rules and procedures.
- Incident reporting: Nhost will report any incident that could affect personal data, indicating the type of incident, when it occurred, who reported it, to whom it was reported and the possible effects of the incident.
- Identification and authentication: Nhost has implemented identification and authentication procedures based on passwords or similar mechanisms. There is a process for assigning, distributing and storing passwords that guarantees their confidentiality and integrity and the individual identification of users.
- Access control: Nhost personnel are only authorized to access the resources necessary to perform their duties.
- Physical access control: The infrastructure that provides the service is housed in facilities equipped with access control, monitoring and control systems to guarantee that only authorized staff have physical access.
- Device management: Nhost manages and inventories the devices used in its infrastructure and has implemented measures to ensure the proper deletion of data and disposal of devices.
- Backups and capacity to restore data and service: Nhost makes backups of hosted information. In case of incident, the recovery point objective and recovery time objective are covered in the Nhost Service Level Agreement.
- Data protection audits: Nhost has a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. Nhost shall make available to the data controller, on request, all information necessary to contribute to audits, including inspections, conducted by the controller or by an auditor mandated by the controller, in relation to the processing of data in Nhost. Nhost will provide the client with the data necessary to perform data protection audits related to the processing of which the client is the controller, always limited to verifying the requirements stipulated in the data protection regulations.
6. List of Nhost subprocessors / where data is located
| Subprocessor | Location | Purpose |
|---|---|---|
| AMAZON | The subscriber chooses the AWS region where data is stored. | AWS services (hosting of data) |
7. Nhost Service Level Agreement
The service level agreement for Nhost services can be found at: https://nhost.io/legal/service-level-agreement