NEWS : 23 January 2026 Updated Privacy Policy,
This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms of Service and/or any other agreement between Host Koala and the Customer (“Controller”) under which Host Koala provides hosting and related services (the “Services”).
This DPA is entered into in accordance with Article 28 of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Malaysia Personal Data Protection Act 2010 (“PDPA”), and other applicable data protection laws.
Trade Name: Host Koala
Legal Entity: KOALA HOST WEB HOSTING SERVICES
Registration Number: 003714309-K
Email: admin@hostkoala.com
Data Protection Officer: admin@hostkoala.com
The Customer, being the individual or legal entity that determines the purposes and means of the Processing of Personal Data when using Host Koala’s Services.
Capitalized terms not otherwise defined in this DPA shall have the meanings given to them in the GDPR, UK GDPR, PDPA, and other applicable data protection laws.
Personal Data means any information relating to an identified or identifiable natural person.
Processing means any operation or set of operations performed on Personal Data.
Controller means the entity that determines the purposes and means of Processing.
Processor means the entity that Processes Personal Data on behalf of the Controller.
Sub-processor means any third party engaged by the Processor to Process Personal Data.
This DPA governs the Processing of Personal Data by Host Koala on behalf of the Customer in connection with the provision of the Services, as further described in Annex I.
Processing shall continue for the duration of the Services, unless otherwise agreed in writing, and thereafter only as necessary to comply with deletion, return, or retention obligations under this DPA or applicable law.
Host Koala Processes Personal Data solely for the purposes described in Annex I, including:
Provision, operation, and management of the Services
Customer support and technical assistance
Security monitoring, fraud prevention, and abuse detection
Compliance with legal and regulatory obligations
Billing, payment processing, and account management
The categories of Personal Data and Data Subjects are described in Annex I.
The Customer acts as Data Controller and is responsible for:
Ensuring a valid legal basis for Processing
Providing required notices to Data Subjects
Ensuring instructions comply with applicable data protection laws
Host Koala acts as Data Processor and shall:
Process Personal Data only on documented instructions from the Customer
Not Process Personal Data for its own purposes
Independent Controller Processing:
Host Koala acts as an independent Data Controller for Personal Data processed for its own purposes, including customer account administration, billing, marketing, compliance, and website operations. Such processing is governed by Host Koala’s Privacy Policy and does not form part of the Processing governed by this DPA.
Host Koala shall:
Process Personal Data only on documented instructions from the Customer
Ensure authorized personnel are bound by confidentiality obligations
Implement appropriate technical and organizational measures
Assist the Customer with Data Subject requests
Assist with data protection impact assessments and supervisory authority consultations where required
Maintain records of Processing activities in accordance with Article 30(2) GDPR
Notify the Customer without undue delay upon becoming aware of a Personal Data Breach
Host Koala implements appropriate technical and organizational measures as described in Annex II to ensure a level of security appropriate to the risk.
The Customer authorizes Host Koala to engage Sub-processors as listed in Annex III.
Host Koala shall:
Enter into written agreements with Sub-processors imposing equivalent data protection obligations
Remain fully liable for the performance of Sub-processors
Host Koala shall inform the Customer of any intended addition or replacement of Sub-processors. The Customer may object on reasonable data protection grounds by providing written notice within a reasonable period. Host Koala shall work in good faith to address such objections.
Where Personal Data is transferred outside the Customer’s jurisdiction, Host Koala shall ensure appropriate safeguards, including:
EU Standard Contractual Clauses (SCCs)
UK International Data Transfer Addendum (IDTA)
Adequacy decisions or other lawful transfer mechanisms
Where Personal Data is transferred outside Malaysia, Host Koala shall ensure compliance with Section 129 of the Malaysia PDPA, including ensuring equivalent protection or other lawful transfer conditions.
Host Koala shall, taking into account the nature of Processing, assist the Customer in fulfilling obligations relating to:
Access, rectification, and erasure
Restriction and objection
Data portability
Automated decision-making safeguards
Host Koala shall notify the Customer without undue delay after becoming aware of a Personal Data Breach and provide information reasonably required to enable the Customer to comply with its notification obligations to supervisory authorities and Data Subjects. Responsibility for regulatory notification remains with the Customer unless otherwise required by law.
Upon termination of the Services, Host Koala shall, at the Customer’s choice:
Delete Personal Data upon client request within 72 hours to the extent technically feasible and excluding data stored in backups, which shall be deleted in accordance with standard backup retention cycles , or
Return Personal Data and delete existing copies upon client request within 72 hours to the extent technically feasible and excluding data stored in backups, which shall be deleted in accordance with standard backup retention cycles,
unless retention is required by applicable law.
Host Koala shall make available information reasonably necessary to demonstrate compliance with this DPA and allow audits conducted by the Customer or an independent auditor, subject to reasonable notice and confidentiality obligations.
Each party’s liability under this DPA shall be subject to the limitations of liability set out in the applicable Terms of Service, to the extent permitted by law.
This DPA shall be governed by the laws applicable under the main agreement between the parties, without prejudice to mandatory data protection laws.
In the event of a conflict between this DPA and other agreements, this DPA shall prevail with respect to data protection matters.
A. Subject Matter of the Processing
The Processing of Personal Data by Host Koala on behalf of the Customer consists of the provision of hosting, infrastructure, security, support, and related services under the applicable agreement.
B. Nature of the Processing
Processing operations may include, as applicable:
Collection
Recording
Organization
Structuring
Storage
Retrieval
Consultation
Use
Transmission
Disclosure
Alignment or combination
Restriction
Erasure or destruction
C. Purpose(s) of the Processing
Personal Data is Processed solely for the following purposes:
Provision, maintenance, and operation of the Services
Customer support and technical assistance
Security monitoring, fraud prevention, and abuse detection
Compliance with legal and regulatory obligations
Billing, payment processing, and account administration
D. Categories of Data Subjects
Customers (individuals or representatives of legal entities)
Authorized users of the Customer’s account
End-users whose Personal Data is hosted, stored, or otherwise processed through the Services
E. Categories of Personal Data
Depending on the Services used, Personal Data may include:
Account and Identity Data
Name
Email address
Physical address
Telephone number
Company name
Username
Tax identification number
Billing and Transaction Data
Billing address
Payment metadata
Transaction identifiers and history
Technical and Usage Data
IP address
Browser type and version
Operating system and platform
Device type and identifiers
Timestamps
Pages visited and features used
Support and Communication Data
Support tickets
Email correspondence
Chat transcripts
Call records
Security and Fraud Data
Risk indicators
Fraud detection scores
Threat intelligence data
F. Special Categories of Personal Data
Host Koala does not intentionally Process special categories of Personal Data unless explicitly instructed by the Customer and permitted by applicable law.
G. Duration of the Processing
Personal Data shall be Processed for the duration of the Services and thereafter only as necessary to comply with deletion, return, or retention obligations under the Agreement or applicable law.
Host Koala implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:
1. Access Control
Role-based access control (RBAC)
Least-privilege access principles
Multi-factor authentication for administrative access
2. Data Security
Encryption of data in transit using TLS/SSL
Encryption of sensitive data at rest where appropriate
Secure key management practices
3. Network and Infrastructure Security
Firewalls and intrusion detection/prevention systems
Segmentation of production and internal systems
Regular vulnerability scanning and patch management
4. Operational Security
Logging and monitoring of system access and activity
Incident detection and response procedures
Business continuity and disaster recovery measures
5. Organizational Measures
Confidentiality obligations for personnel
Regular security and data protection training
Internal data protection policies and procedures
6. Incident Management
Documented personal data breach response process
Timely escalation and notification procedures
The Customer authorizes Host Koala to engage the following categories of Sub-processors:
| Category | Purpose |
|---|---|
| Payment Processors (e.g. Stripe ( www.stripe.com ), PayPal ( www.paypal.com ) | Payment processing and fraud prevention |
| Infrastructure & Data Center Providers | Hosting, storage, and network services |
| Security & Fraud Prevention Providers (e.g. MaxMind ( https://www.maxmind.com/ ) , FraudLabs Pro ( https://www.fraudlabspro.com/ ) | Security monitoring and fraud detection |
| Communication & Support Platforms ( www.hostkoala.com/clients ) | Customer support and communications |
An up-to-date list of Sub-processors is published here and updated from time to time.