Greens247 - Data Processing Addendum

Last Revised: 24 May 2026

Overview

This Data Processing Addendum (this “DPA” or "Addendum") is entered into by and between the applicable Greens247 Contracting Party specified below, and you, and is made effective as of the date of your use of the Services or the date of electronic acceptance of the Greens247 Universal Terms of Service (the "UTOS" or "Agreement"), whichever is sooner. This DPA sets forth the terms, conditions, and legal obligations governing the Processing of Customer Personal Data on your behalf in connection with your use of our Services.

This DPA forms an integral part of the Agreement. In the event of a direct conflict between the provisions of the Universal Terms of Service and the provisions of this DPA, the provisions of this DPA shall control and prevail specifically with respect to data processing and privacy matters.

The terms “Greens247”, “we”, “us” or “our” shall refer to the applicable Greens247 Contracting Party specified in this section below. The terms “you”, “your”, “User” or “Customer” shall refer exclusively to the business customer who accepts this DPA, has access to the account, and uses the Services to host, transfer, or process data.

“Account Country” is the country associated with your account. Your contracting party for data processing is determined by your Account Country and the provision of valid localized identification:

Greens Twenty Four Seven, LLC (5th Floor, Building 55, Street 18, Maadi, 11728 Cairo, Egypt) is the contracting party if your Account Country is Egypt. (Note: To establish an Egyptian account, you are required to provide a valid Egyptian Tax Registration Number or an Egyptian National ID for the issuance of compliant Business to Business ("B2B") tax e-invoices. If you do not provide this documentation, you default to the United Kingdom ("UK") entity Greens Twenty Four Seven, LTD).
Greens Twenty Four Seven, LTD (71-75 Shelton Street, Covent Garden, London, WC2H 9JQ England, UK) is the contracting party for all other countries.

1. Definitions

Unless otherwise defined in applicable Data Protection Laws (as defined below), the capitalized terms listed in this Section have the following meanings:

1.1 “Affiliate” means any entity that controls or is under common control with a Party.

1.2 “Controller” means the natural or legal person, public authority, agency, or other body which determines the purposes and means of processing Customer Personal Data.

1.3 “Customer Personal Data” means any Personal Data processed by Greens247 on Customer’s behalf in connection with Customer’s use of the Services.

1.4 “Data Protection Law” means any law or regulation applicable to processing of Customer Personal Data under the Agreement, specifically including the UK General Data Protection Regulation (“UK GDPR”), the UK Data Protection Act 2018, the EU General Data Protection Regulation (“EU GDPR”), and Egypt’s Personal Data Protection Law No. 151 of 2020.

1.5 “Data Subject” means an identified or identifiable natural person to whom specific Personal Data relates.

1.6 “Greens247 Data” means all information relating to Greens247’s business, delivery of the Services, transaction history, and system access logs.

1.7 “Personal Data” means information that relates to an identified or identifiable natural person.

1.8 "Processor” means a natural or legal person that processes Customer Personal Data on behalf of a Controller.

1.9 "Processing” means any operation performed on Customer Personal Data, such as collection, storage, disclosure, or deletion.

1.10 "Services” means the products or services that Greens247 has agreed to provide pursuant to the Agreement (e.g., web hosting, VPS, dedicated servers).

1.11 “Subprocessor” means any natural or legal person with whom Greens247 contracts to process Customer Personal Data.

1.12 “Transfer” means the transfer of Customer Personal Data from Controller to Processor, or an onward transfer from Processor to a Subprocessor.

2. Scope of Data Processing and Relationship of Parties

2.1 Customer as Controller or Processor

2.1.1 Where Customer is a Controller, Customer (a) is solely responsible for determining the purposes and means of processing Customer Personal Data, (b) has all necessary authority and rights to provide Customer Personal Data to Greens247, and (c) will comply with its obligations as a Controller under applicable Data Protection Laws.

2.1.2 Where Customer is a Processor, Customer is solely responsible for complying with its agreement(s) with the ultimate Data Controller(s).

2.1.3 Customer expressly acknowledges that Greens247 is not responsible for determining which laws are applicable to Customer’s business. Customer is solely responsible for ensuring that Customer’s Processing instructions to Greens247 do not violate any applicable Data Protection Laws.

2.2 Greens247 as Processor or Subprocessor

2.2.1 Greens247 will process Customer Personal Data only upon documented instructions for the limited and specific purposes described in the Agreement, this DPA, or as required by law.

2.2.2 Greens247 will not sell, retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services.

2.2.3 Greens247 will stop all Processing and notify Customer within three (3) business days if Greens247 believes that a Customer instruction violates any applicable Data Processing Laws.

3. Greens247’s Use of Subprocessors

3.1 General Authorization. Customer provides general authorization for Greens247 to engage subprocessors (including data center providers, cloud storage facilities, and upstream software vendors located in the United Kingdom, European Union, United States, and Canada). Greens247 will make a current list of approved Subprocessors available to the Customer upon request or via a dedicated page on the Greens247 website.

3.2 Subprocessor Due Diligence. Before transferring Customer Personal Data to a Subprocessor, Greens247 will ensure that a binding legal contract is in place with the Subprocessor (which may include electronic agreements, click-wrap terms of service, or digital Data Processing Agreements) that provides a level of data protection materially equivalent to that required under this DPA.

3.3 New Subprocessors. Greens247 will exercise reasonable efforts to notify Customer in writing at least sixty (60) days in advance if Greens247 intends to appoint a new Subprocessor. If Customer reasonably objects to a new Subprocessor, Customer must notify Greens247 in writing within thirty (30) days. If the Parties are unable to resolve the objection, Customer may terminate the portion of the Agreement relating to the Services utilizing the new Subprocessor.

4. Legal Process and Third-Party Requests

4.1 Greens247 will not respond to any informal request for Customer Personal Data from a government body or law enforcement agency except in response to a subpoena, search warrant, court order, or similar legal process (“Legal Process”), unless required to protect Greens247's systems from imminent harm.

4.2 Unless prohibited by law, Greens247 will notify Customer promptly if it receives any Legal Process that requires Greens247 to provide access to Customer Personal Data.

5. Data Security

5.1 Greens247 maintains an information security program that includes appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing.

5.2 Customer Responsibility. Customer expressly acknowledges that Greens247 provides security features (e.g., firewalls, SSL, access controls) that Customer can use. Customer is solely responsible for taking appropriate steps to protect the security of Customer’s account and the hosted environment, including ensuring that all code or software Customer places on the Services is free of vulnerabilities. Greens247 is not responsible for backing up Customer Personal Data unless a specific backup service is purchased.

5.3 PCI-DSS Compliance. Customer is required to comply with all Payment Card Industry Data Security Standard (PCI-DSS) requirements. Customer is solely responsible for any violation if Customer uses Greens247 Services to store PCI-DSS Data outside of specifically designated compliant environments.

6. Data Security Incidents

6.1 Greens247 is not responsible for any accidental or unlawful destruction, loss, or unauthorized disclosure of Customer Personal Data that does not result from a compromise of Greens247’s core systems (e.g., Greens247 is not responsible if Customer fails to secure their own passwords or installs vulnerable third-party software).

6.2 Greens247 will use commercially reasonable efforts to notify Customer of a breach of security of Greens247’s systems leading to the accidental or unlawful access to Customer Personal Data (“Security Incident”) without undue delay, and generally within 48 hours of confirmation of the incident.

6.3 Greens247 will provide information reasonably requested by Customer to assess the impact of a Security Incident and to allow Customer to provide notice to governmental authorities.

7. Data Subject Rights

7.1 Customer is solely responsible for responding to any request to exercise a Data Subject’s rights (e.g., access, correction, or deletion requests).

7.2 Greens247 will not respond directly to a Data Subject Request except on documented instructions from Customer or as required by law. Greens247 will promptly notify Customer of any Data Subject Request it receives directly.

8. General Provisions

8.1 Complete Agreement. This DPA constitutes the entire agreement between the Parties concerning the processing of Customer Personal Data. In the event of a conflict between this DPA and the UTOS, this DPA will govern with respect to data processing.

8.2 Termination. Following termination of this DPA or the Agreement, Greens247 will delete Customer Personal Data pursuant to the terms of the Agreement, unless Greens247 is required to maintain Customer Personal Data pursuant to applicable UK or Egyptian data retention laws.

8.3 Governing Law. This DPA is governed by the laws stipulated in the Agreement, depending on the contracting entity, except to the extent otherwise strictly required by mandatory Data Protection Laws.

Schedule 1: Details of Processing

Subject Matter and Duration: The processing of Customer Personal Data is reasonably required to provide the web hosting, server infrastructure, and related Services described in the Agreement for the duration of the Customer's active subscription.
Type of Personal Data and Data Subjects: The types of data and categories of Data Subjects are entirely controlled by the Customer. Greens247 provides raw infrastructure; therefore, Greens247 has no visibility into, or control over, the specific categories of data the Customer chooses to host on Greens247 servers.

Schedule 2: Technical and Organizational Security Measures

Asset Management & Segregation: Greens247 maintains logical separation of Customer environments in shared infrastructure and provides dedicated isolated environments where purchased.
Physical Security: Data centers utilized by Greens247 employ strict physical security, including 24/7 CCTV, biometric access controls, and strict visitor management.
Vulnerability Management: Greens247 maintains patching protocols for core network infrastructure and hypervisors. (Note: Patching of Customer-controlled Virtual Machines or unmanaged Dedicated Servers remains the strict responsibility of the Customer).
Access Controls: Greens247 restricts internal access to systems processing Customer Personal Data to authorized personnel bound by confidentiality obligations, utilizing multi-factor authentication (MFA) and least-privilege access principles.

Schedule 3: Jurisdiction Specific Terms

1. United Kingdom & European Union

1.1 When Greens247 engages a Subprocessor, it will require the Subprocessor to comply with all technical and organizational measures required by Article 28 of the UK GDPR and EU GDPR.

1.2 ICO Registration: Greens Twenty Four Seven, LTD is registered with the United Kingdom Information Commissioner’s Office (ICO) as a fee-paying Data Controller, maintaining compliance with statutory UK data protection requirements.

1.3 Liability for Regulatory Penalties: Neither Party will be responsible for any fines issued or levied by any regulatory authority (such as the ICO or EU DPAs) on the other Party, including any fines under Article 83 of the GDPR, where the penalized Party is found to be independently at fault.

2. United States (California & State Privacy Laws)

2.1 To the extent Customer Personal Data originates from residents of California or other US States with comprehensive privacy laws (e.g., CCPA/CPRA, VCDPA), Greens247 acts strictly as a "Service Provider".

2.2 Greens247 certifies that it will not (a) sell or share Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any commercial purpose other than providing the Services specified in the Agreement, or (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Greens247 and the Customer.

3. Arab Republic of Egypt

3.1 To the extent Customer Personal Data falls under the jurisdiction of Egypt’s Personal Data Protection Law No. 151 of 2020, Greens Twenty Four Seven, LLC shall act as the Processor.

3.2 Cross-Border Transfers originating from Egypt (e.g., Egyptian customer data stored on UK infrastructure) will be conducted strictly in accordance with the licensing, permissions, and security frameworks established by the Egyptian Personal Data Protection Centre.

Schedule 4: International Mandatory Cross-Border Transfer Mechanisms

1. Order of Precedence and Data Flows. The appropriate transfer mechanism applies based on the origin of the data and the contracting entity:

(a) UK Exports: The UK International Data Transfer Agreement (IDTA) applies to transfers out of the UK.
(b) EU Exports: The EU Standard Contractual Clauses (SCCs) apply to transfers out of the EU.
(c) Egyptian Exports: Egyptian regulatory frameworks apply to transfers out of Egypt (e.g., data flowing from Greens Twenty For Seven, LLC ("the Egyptian LLC") to the United Kingdom Amazon Web Services servers).

2. The EU Standard Contractual Clauses (SCCs). For Transfers from the EU/EEA, Module Two (Controller to Processor) or Module Three (Processor to Processor) applies. The SCCs will be governed by the laws of the Republic of Ireland. The Data Exporter is the Customer, and the Data Importer is Greens247.

3. United Kingdom International Data Transfer Agreement (IDTA). The UK IDTA issued by the UK Information Commissioner applies to Transfers of Customer Personal Data from the United Kingdom to any country outside the UK not recognized as providing an adequate level of protection. By entering into this DPA, the UK IDTA is deemed executed by the Parties. The UK Information Commissioner shall act as the competent supervisory authority.

4. Adequacy Decisions. No Mandatory Transfer Mechanism (SCCs or IDTA) is strictly required if a transfer is made to a country that has been deemed to offer an "adequate level of data protection" by the Data Protection Laws of the exporting country (e.g., transfers from the EU to the UK under the current European Commission Adequacy Decision).