Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the CompactHive Terms of Service and governs the processing of personal data by CompactHive on behalf of its customers, in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Parties

Controller — the customer (natural or legal person) who has accepted the Terms of Service and uses CompactHive to deploy workloads that may process personal data of that customer's own end users or clients.

Processor — CompactHive, operated by David Utěšil, IČO: 87793016, Prague, Czech Republic ("we", "us", "CompactHive").

2. Scope and Purpose

CompactHive provides managed Kubernetes infrastructure. As part of this service, we store, transmit, and make available the data that customers deploy into their namespaced environments. This may include personal data about the customer's own end users or clients.

Nature of processing: hosting, storage, transmission, backup, and availability of customer workloads on managed Kubernetes infrastructure.

Types of personal data: determined entirely by the customer. Common examples include email addresses, names, user identifiers, and usage data of the customer's end users. CompactHive does not determine the categories or volume of personal data stored in customer workloads.

Categories of data subjects: the customer's own end users, clients, or any other natural persons whose personal data the customer chooses to process within their CompactHive environment.

Purpose of processing: to provide and operate the managed infrastructure services described in the Terms of Service, solely on the documented instructions of the controller.

3. Duration

This DPA remains in effect for the same duration as the Terms of Service between the parties. Processing of personal data ceases upon account termination. Data deletion following termination is governed by the retention policy set out in the Terms of Service: customer data is deleted from live systems within 30 days of account closure and from encrypted backups within a further 30 days.

4. Processor Obligations

CompactHive, as processor, shall:

• Process personal data only on the documented instructions of the controller (i.e., the deployment and configuration choices made through the CompactHive portal and API), unless otherwise required by EU or Czech law
• Ensure that persons authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures as described in section 7
• Assist the controller in responding to Data Subject Access Requests (DSARs) and exercising data subject rights, to the extent that we have the technical ability to do so from the infrastructure layer
• Notify the controller without undue delay, and no later than 72 hours after becoming aware, of any personal data breach affecting the customer's environment (see section 8)
• Delete or return all personal data to the controller upon termination, in accordance with the Terms of Service retention policy, unless storage is required by applicable law
• Make available to the controller all information necessary to demonstrate compliance with obligations under Article 28 GDPR, subject to section 9

5. Sub-processors

The controller provides general authorization for CompactHive to engage sub-processors. A current list of sub-processors is maintained at compacthive.io/subprocessors.

We will notify the controller of any intended changes to the list of sub-processors (additions or replacements) by email to the address registered on the account. The controller may object to such changes within 14 days of notification by contacting [email protected]. If the parties cannot resolve the objection, the controller may terminate the service agreement pursuant to the Terms of Service.

We impose data protection obligations on all sub-processors that are equivalent to those set out in this DPA.

6. International Transfers

All primary data processing by CompactHive occurs within the European Union (Czech Republic). No transfer to third countries takes place at the infrastructure level operated directly by CompactHive.

Sub-processors may process data outside the EU or EEA only where appropriate safeguards are in place, such as Standard Contractual Clauses adopted by the European Commission or a European Commission adequacy decision for the destination country. Details are listed on the sub-processors page.

7. Security Measures

CompactHive implements the following technical and organizational measures to protect personal data:

• Encryption in transit: all external traffic is encrypted via TLS. Internal cluster traffic is encrypted via a WireGuard mesh network.
• Encryption at rest: customer environment backups are encrypted before transmission to offsite storage.
• Access controls: platform credentials are managed in a secrets vault. Passwords are hashed using bcrypt. Access to production infrastructure is restricted to the operator.
• Tenant isolation: each customer environment runs in a dedicated Kubernetes namespace with resource quotas and network policies to prevent cross-tenant access.
• Rate limiting and authentication hardening: API and authentication endpoints are protected by rate limiting and account lockout mechanisms.
• Audit logging: security-relevant events are logged and monitored for anomalies.
• Offsite backups: encrypted environment backups are stored offsite and rotated according to the retention policy in the Terms of Service.

8. Data Breach Notification

In the event of a personal data breach affecting the customer's environment, CompactHive will notify the controller without undue delay and no later than 72 hours after becoming aware of the breach.

Breach notifications will include, to the extent known at the time of notification:

• The nature of the personal data breach
• The categories and approximate number of data subjects affected
• The categories and approximate number of personal data records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate its effects

Notification will be sent to the email address registered on the customer's account. The controller remains responsible for notifying the relevant supervisory authority and affected data subjects in accordance with GDPR Articles 33 and 34.

9. Audit Rights

The controller may request information to demonstrate CompactHive's compliance with this DPA. We will respond to reasonable written audit requests within 30 days.

Requests should be submitted to [email protected] and must specify the particular compliance area under examination. We may satisfy audit requests by providing documentation, certifications, or third-party assessment summaries in lieu of on-site inspection. Audits that require access to production systems or infrastructure must be agreed in advance and conducted in a manner that does not disrupt service to other customers.

10. Governing Law

This DPA is governed by the laws of the Czech Republic, consistent with the Terms of Service. Any disputes arising from this DPA shall be resolved in the courts of the Czech Republic.

11. How to Execute This DPA

This DPA is automatically incorporated into the Terms of Service and applies to all customers who use CompactHive to process personal data on behalf of their end users. No separate signature is required — acceptance of the Terms of Service constitutes acceptance of this DPA.

For customers who require a separately signed DPA (for example, to satisfy internal procurement or compliance requirements), please contact us at [email protected]. We will provide a countersigned copy upon request.