General Data Protection Regulation (GDPR)

Last updated: January 10, 2026 • Version 2.3

AltusHost B.V. (“AltusHost”, “we”, “us”, or “our”) embraces the principles of the EU General Data Protection Regulation (GDPR) and takes responsibility for providing uniform, compliant standards for personal-data privacy in our role as a Cloud Service Provider (CSP). This page explains our roles, key GDPR commitments, and how customers and data subjects can exercise their rights.


1. Scope & Roles
  • Controller (AltusHost): For our own business operations (e.g., billing, client account administration, fraud prevention/identity verification, marketing) we act as a controller. Details are in our Privacy Policy.
  • Processor / Sub-processor (AltusHost): For customer content and personal data processed to deliver hosting services (Business/Reseller Hosting, VPS, Dedicated, Colocation with managed components), we generally act as a processor (or sub-processor where a customer’s service provider is the processor).
  • Customer as Controller: You determine the purposes and means of processing the data you host with us and are responsible for establishing a lawful basis, providing transparency notices, and honoring data-subject rights. We will support you under the DPA.

2. Data Processing Agreement (DPA)

Our DPA (GDPR Art. 28 terms and, where relevant, EU Standard Contractual Clauses) governs processing we perform on your behalf. Review and sign electronically:

Sign the AltusHost DPA

After the e-signature, download your countersigned copy from the link above.


3. International Transfers & SCCs

Where personal data is transferred outside the EEA by AltusHost or approved sub-processors, we implement appropriate safeguards (e.g., EU Standard Contractual Clauses) together with technical and organizational measures proportionate to risk. We conduct transfer risk evaluations/assessments (TIAs) for relevant data flows.


4. Sub-Processors

We use carefully vetted infrastructure, security, and support partners (“sub-processors”) to deliver services. We maintain due-diligence records, DPAs, and (where applicable) transfer safeguards for each partner. Consistent with the DPA, we will provide notice of material changes to sub-processors.

To request our current sub-processor list or subscribe to change notifications, contact privacy@altushost.com.


5. Security & NIS2 Alignment

We implement appropriate technical and organizational measures, including (as applicable): role-based access control and MFA; encryption in transit and at rest where supported; network segmentation and DDoS protections; secure configuration baselines; vulnerability management and change control; logging/monitoring; backup and disaster-recovery testing; employee security training; supplier due diligence; and documented incident-response playbooks.

For significant incidents, we follow NIS2 coordination with competent authorities/CSIRTs and meet GDPR obligations regarding personal data breaches as described in our Privacy Policy.


6. Data Subject Rights under GDPR

Data subjects have the following rights (subject to statutory exceptions): access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable.

How to exercise your rights with AltusHost (as Controller):

If your data is controlled by an AltusHost customer (e.g., you are an end-user of a site hosted with us), please contact that customer (the controller) directly. We will assist the controller in fulfilling your request in accordance with the DPA.


7. Lawful Bases & Privacy Statement

Where AltusHost is the controller, our lawful bases typically include contract necessity, legal obligation, legitimate interests, and, where required, consent. Full details (including retention, sharing, transfers, and cookies) are in our Privacy Policy and Cookie Policy.

Fraud prevention & identity verification: When an order is flagged by our fraud-prevention controls, we may request ID verification using a third-party provider (currently iDenfy). For provider-specific privacy terms and insurance information, see our Privacy Policy.


8. Breach Notification

In the event of a personal-data breach, AltusHost will assess impact and, where required by GDPR, notify the competent supervisory authority within 72 hours, and notify affected individuals without undue delay where there is a high risk to their rights and freedoms. Customers (as controllers) will be notified without undue delay in line with the DPA.


9. Data Retention & Deletion

We retain personal data only as long as necessary for stated purposes or legal obligations. Upon service termination or upon your written instruction, and subject to any legal retention requirements, we will return or securely delete personal data processed on your behalf within commercially reasonable timeframes defined in the DPA (considering backup cycles and technical constraints).


10. Data Location & Residency

AltusHost offers EU data-center locations (e.g., Netherlands, Sweden, Bulgaria). You can typically select a preferred location in your Order. Unless explicitly agreed otherwise, we may move workloads within the same region for resilience or capacity (without cross-border transfer). Any cross-border processing by us or sub-processors will follow §3 safeguards.


11. Customer Responsibilities (as Controller)
  • Provide transparent notices and establish a lawful basis for processing.
  • Configure and use the Services securely (incl. MFA, access controls, key rotation) and maintain your own backups unless a managed backup add-on is purchased.
  • Respond to data-subject requests and breach notifications; we will support you as defined in the DPA.
  • Keep contact and billing information up to date in the Client Portal.

12. Records, Assessments & Audits

We maintain records of processing activities as required by GDPR, perform risk assessments where appropriate (including TIAs for relevant transfers), and review sub-processor safeguards. Upon written request and under confidentiality, we may provide reasonable information necessary to demonstrate compliance with our DPA obligations; audits shall be conducted per the DPA’s audit clause.


13. Contact, Complaints & Supervisory Authority

Questions about this page or our GDPR program: privacy@altushost.com / General: info@altushost.com

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority in the EEA.


14. Changes to this Page

We may update this GDPR page from time to time. Material changes will be communicated on our website and/or via email. Continued use of our services after the effective date constitutes acceptance of the updated terms.