1. Scope and roles of the parties
These Contractual Clauses ("Agreement" or "DPA") govern the processing of personal data of third parties carried out by Rollin Servicos Digitais e Tecnologia LTDA, CNPJ 64.204.851/0001-39 ("Rollin Host" or "Processor"), on behalf of and under the instructions of the Customer ("Controller"), in the context of hosting, VPS, dedicated server, email and related services ("Services").
The Customer is the Controller of the personal data that it uploads, processes or stores in the Services, determining the purposes and essential means of processing. Rollin Host is the Processor, acting in accordance with the Controller's documented instructions (art. 5, VI and VII, of the LGPD).
This Agreement supplements and forms part of the Terms of Service and the Privacy Policy and, in the event of conflict, prevails with respect to the processing of personal data.
2. Definitions
The terms below follow the definitions set out in Lei n. 13.709/2018 (LGPD, Brazilian General Data Protection Law):
- Personal data: information relating to an identified or identifiable natural person (art. 5, I).
- Sensitive personal data: data concerning racial or ethnic origin, religious belief, political opinion, trade union membership, health or sexual life, genetic or biometric data (art. 5, II).
- Processing: any operation carried out on personal data (art. 5, X).
- Data subject: the natural person to whom the personal data relates (art. 5, V).
- Controller: the party who makes decisions regarding the processing (art. 5, VI).
- Processor: the party who carries out processing on behalf of the controller (art. 5, VII).
- Sub-processor: a third party engaged by the Processor to carry out part of the processing.
- Security incident: an event that causes unauthorized access to, or loss, destruction, alteration or exfiltration of, personal data.
- ANPD: Autoridade Nacional de Proteção de Dados, the Brazilian national data protection authority.
3. When this Agreement applies
This Agreement applies whenever the Customer, in the course of using the Services, stores or processes personal data of third parties — a common situation for websites with contact forms, online stores, CRM systems hosted on the infrastructure, mailing lists, management dashboards and similar use cases.
Acceptance of the Terms of Service and/or the Adhesion Agreement, combined with the actual storage or processing of personal data in the Services, constitutes acceptance of this Agreement, without the need — unless expressly requested — for a separate signed document. Business customers requiring a physically signed DPA should request one at dpo@rollinhost.com.br.
4. Purposes and processing instructions
Rollin Host processes the Controller's personal data exclusively for the following purposes:
- Providing the contracted computing infrastructure (storage, processing, network);
- Running backups in accordance with the Backup Policy;
- Ensuring service security (protection against attacks, fraud and abuse);
- Complying with applicable legal and regulatory obligations;
- Fulfilling specific requests from the Controller (technical support, backup restoration, migration).
The Controller instructs the Processor to process personal data solely for the purposes above. Any additional specific instructions must be communicated through an authenticated channel (support ticket, registered email address). The Processor will promptly inform the Controller if, in its assessment, an instruction conflicts with the LGPD or any other applicable regulation.
5. Nature, categories and data subjects
5.1 Nature of the data
The nature, volume and categories of personal data processed are determined solely by the Controller. Rollin Host has no control over the content uploaded by the Customer, other than through enforcement of technical and legal rules (plan limits, AUP obligations).
5.2 Typical categories of data subjects
By way of illustration and without limitation, data subjects whose personal data may be processed in the Services include: the Controller's end customers, leads, suppliers, employees of the Controller, and users registered in hosted systems. In specific circumstances, data relating to children and adolescents may be processed; in that case, the Controller is solely responsible for obtaining the consent of a parent or legal guardian, in accordance with art. 14 of the LGPD.
5.3 Sensitive personal data
The Controller must independently assess whether the data it uploads qualifies as sensitive personal data (art. 11 of the LGPD) and, if so, apply the applicable legal bases and additional security measures. Rollin Host provides technical mechanisms compatible with the processing of sensitive personal data (encryption, access controls, audit logs), but final configuration remains the Controller's responsibility.
6. Duration of processing
The Processor processes personal data for the duration of the contracted Services, subject to the deletion timelines following termination set out in section 13 and in the Backup Policy, section 10.
7. Sub-processors
The Controller hereby authorizes Rollin Host to engage sub-processors of the following types, subject to the obligation to impose security standards no less protective than those applied internally:
- Datacenter and physical infrastructure providers;
- Telecommunications operators and internet transit providers;
- DDoS mitigation and edge protection service providers;
- Payment service providers (solely for billing between Rollin Host and the Customer — not for payments between the Controller and its own end customers);
- Support and customer service tools (ticketing systems, internal communication platforms).
Rollin Host will notify the Controller of material changes to the list of sub-processors with reasonable advance notice. The Controller may request the current list of sub-processors actually involved in its Services by contacting the DPO.
Rollin Host is liable to the Controller for the acts and omissions of its sub-processors in relation to the processing of personal data, pursuant to arts. 39 and 42 of the LGPD, within the applicable contractual and legal limits.
8. International transfers
The Services are provided primarily from datacenters located in Brazil or in jurisdictions that offer an adequate level of data protection, as assessed by Rollin Host. Where an international transfer does occur, it will be based on one of the legal grounds provided under art. 33 of the LGPD (in particular, standard contractual clauses or equivalent measures).
The specific datacenter location applicable to a contracted Service may be provided upon request to the DPO.
9. Information security measures
Rollin Host implements technical and organizational measures to protect personal data, including at a minimum:
- Encryption in transit (TLS 1.2+) across all connections to control panels and APIs;
- Encryption at rest for backups and volumes designated for that purpose;
- Role-based access control (RBAC) to internal infrastructure, with multi-factor authentication (MFA) for personnel operating in environments that handle customer data;
- Logical segregation between tenants (isolation by cPanel account, virtual machine, container or network);
- Audit trails for relevant administrative operations;
- Operating system hardening and timely application of security patches;
- Perimeter protection against attacks (firewall, DDoS mitigation, intrusion detection and blocking);
- Formal incident response procedures;
- Regular training for personnel who access personal data.
Certain specific configurations — such as application-level encryption for sensitive data within the Controller's own systems — are the Controller's responsibility as part of its operational duties.
10. Security incidents
In the event of a security incident involving personal data under the Controller's responsibility, Rollin Host will:
- Notify the Controller without undue delay, and in any case no later than 72 (seventy-two) hours after becoming aware of the incident, unless a different timeframe is required by law or forensic investigation;
- Provide, to the extent possible, information on: the nature of the incident, affected personal data, data subjects involved (an estimate where an exact number is unavailable), measures taken and ongoing mitigations;
- Cooperate with the Controller in fulfilling any obligation to notify the ANPD or data subjects, pursuant to art. 48 of the LGPD;
- Maintain internal records of the incident and its handling for the applicable statutory period.
The obligation to notify the ANPD and/or data subjects, where applicable, rests with the Controller, except where the incident affects solely services and data under Rollin Host's own responsibility.
11. Data subject rights
The rights set out in art. 18 of the LGPD (access, rectification, portability, erasure, anonymization, etc.) are exercised primarily against the Controller. Rollin Host, acting as Processor, provides reasonable technical cooperation when the Controller requires assistance in responding to a data subject request — for example, to locate records, export data or delete specific information from hosted systems.
Data subject requests received directly by Rollin Host that concern data under the Customer's control are forwarded to the Controller within 5 (five) business days, together with the information necessary to handle the request.
12. Audit and cooperation
Upon reasonable written request with at least 30 days' notice, the Controller may require:
- Documentation of the technical and organizational measures adopted by Rollin Host;
- Summaries of the security assessment reports held by Rollin Host (internal audits, penetration tests performed by third parties);
- Written clarifications regarding processing practices.
Physical on-site audits or inspections are not, as a rule, permitted given the shared nature of the infrastructure and the risks to other customers; Rollin Host provides equivalent documentary evidence. Any audit requests will be assessed on a case-by-case basis, taking into account confidentiality, security and costs involved.
13. Return and deletion of data
Upon termination of the Services (cancellation, rescission or expiry of the contract), Rollin Host will, in accordance with the Controller's instructions:
- Make available, during the retention period defined in the Backup Policy, a mechanism for the Controller to export its data;
- After that period, delete the personal data and all backups, except for data whose retention is required by law or regulation.
Requests for immediate erasure by a data subject (LGPD art. 18, VI) are processed in accordance with the Backup Policy, section 11, subject to logical quarantine where applicable.
14. Liability
Each party is responsible for complying with its obligations under the LGPD and this Agreement. Civil liability of the parties towards third parties and the ANPD is governed by art. 42 and following of the LGPD, taking into account the roles each party has effectively performed (Controller and Processor) and each party's causal contribution to any damage.
Any compensation owed by Rollin Host to the Controller for breach of this Agreement is subject to the liability cap set out in the Terms of Service, except where applicable law prohibits such limitation.
15. Term and termination
This Agreement is coterminous with the contracted Services and remains in force for as long as personal data under the Controller's responsibility is processed in Rollin Host's infrastructure. Obligations that by their nature must survive termination — such as confidentiality, notification of incidents not yet communicated, and deletion of data — remain binding after the Agreement ends.
16. Governing law and jurisdiction
This Agreement is governed by Brazilian law, in particular the LGPD (Lei 13.709/2018) and the Brazilian Internet Civil Framework (Lei 12.965/2014). The parties elect the courts of the Comarca de Campinas — SP, Brazil, as the exclusive jurisdiction, without prejudice to the right of individual consumers to bring proceedings before the courts of their domicile (CDC, art. 101, I).
17. Contact and DPO
Rollin Host maintains a dedicated channel for matters relating to the processing of personal data, overseen by the Data Protection Officer (DPO):
- DPO: dpo@rollinhost.com.br
- Contractual questions about this Agreement: juridico@rollinhost.com.br
- Report a security incident involving personal data hosted with us: abuso@rollinhost.com.br