01 Definitions
In this DPA, unless the context requires otherwise:
- "Controller" means you, the Customer, as the entity that determines the purposes and means of processing personal data via the Service.
- "Processor" means Bluix Group Ltd, acting on your instructions.
- "Personal Data" has the meaning given in GDPR Article 4.
- "Processing" has the meaning given in GDPR Article 4.
- "GDPR" means Regulation (EU) 2016/679 and, where applicable, UK GDPR (as retained in UK law).
- "Sub-processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
02 Scope & nature of processing
Bluix Group Ltd processes Personal Data on your behalf to provide the Guardian Hub service. The details of processing are set out in Annex 1 below.
Bluix Group Ltd will process Personal Data only on your documented instructions, except where required to do so by applicable law, in which case we will notify you before processing unless prohibited by law.
03 Processor obligations
Bluix Group Ltd commits to:
- Process Personal Data only for the purposes described in this DPA and the Terms of Service.
- Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Section 5).
- Assist the Controller in fulfilling obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
- Assist in responding to Data Subject requests (Articles 15–22), taking into account the nature of processing.
- At your choice, delete or return all Personal Data upon termination of the service, and delete existing copies unless legally required to retain them.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or your mandated auditor, upon reasonable prior notice and at your cost.
04 Sub-processors
You grant Bluix Group Ltd general authorisation to engage sub-processors. Our current sub-processors are listed below. We will provide at least 14 days' notice of any changes to sub-processors, giving you the opportunity to object.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Netcup GmbH | Server hosting & storage | Germany (EU) | EU (no transfer) |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | EU nodes prioritised | SCCs |
| Stripe, Inc. | Payment processing | USA | SCCs |
| Anthropic, PBC | AI features (Autopilot WP) | USA | SCCs + DPA |
All sub-processors are bound by written data processing agreements imposing obligations equivalent to those in this DPA.
05 Security measures
We implement appropriate technical and organisational measures including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls and role-based permissions with principle of least privilege
- Multi-factor authentication for administrative access
- Regular security testing and vulnerability scanning
- Automated backups with tested restore procedures
- Incident response procedures and staff security training
- Logging and monitoring of access to production systems
06 Data breach notification
In the event of a Personal Data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware of the breach. Notification will include:
- Nature of the breach and categories of data affected
- Approximate number of individuals and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
You are responsible for notifying the relevant supervisory authority and affected data subjects where required by GDPR.
07 International data transfers
Where Personal Data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (2021/914) and/or the UK International Data Transfer Agreement (IDTA), or other valid transfer mechanisms. A copy of applicable SCCs is available on request.
08 Term & termination
This DPA remains in force for the duration of the Terms of Service. Upon termination, we will, at your election, delete or return all Personal Data within 30 days, except where retention is required by law.
09 Governing law
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales, unless otherwise required by applicable data protection law.
A1 Annex 1 – Processing details
Subject matter
Provision of the Guardian Hub multi-site WordPress management platform.
Duration
For the term of the subscription agreement.
Nature & purpose of processing
Storing and processing data relating to WordPress sites managed by the Controller; providing monitoring, update, backup, security, and automation features; generating reports; providing customer support.
Categories of personal data
- Account data: name, email address, company name, billing address
- WordPress site data: URLs, plugin/theme data, user counts, logs
- End-user data on managed sites (as determined by the Controller)
- Technical/usage data: IP addresses, access logs
Categories of data subjects
- The Controller's employees and authorised users
- End-users of WordPress sites managed by the Controller
Special categories of data
None intended. The Controller must not use the Service to process special category data (Article 9 GDPR) without prior written agreement.
10 Contact
For DPA-related queries or to request a countersigned copy:
Bluix Group Ltd
Email: dpa@guardianplug.com