Updated on: December 28, 2020


We take data collection and data security serious at SonicWP.

For your convenience only, we have summarised the key points of our policy here. This summary does not constitute a legally binding policy. We encourage you to consult the full policy in the sections below.

We collect only the data that we need to provide our services to you. From the client, we collect, process and store personal data like billing address, payment info, and contact details, for the purposes of legal contracts, collecting payments and other administrative functions. This data is held beyond your Agreement with us – for legal and tax purposes.

From the End Users of your websites, i.e. the visitors to your site, we collect data like their IP address, geolocation, URLs on your website that they load, for the purposes of providing you with analytical reports, but also for identifying and blocking spam and malicious users. This data is held for 3 months, and then anonymised and held only for as long as you are a client with us.

SonicWP does not sell either of these types of data to anyone. We do however have to ‘share’ the data with some third-parties. For example, to collect your monthly payment, we have to share your details with our payment processor, who in turn collects payment from your bank account. Another example is for spam detection, we share the IP address of visitors to your website with spam-detection providers, who tell us if that IP address is known to be a spammer.

Where SonicWP uses third-parties, we ensure that our agreement with them ensures that they in way process or store data that we share with them for any purpose other than what we want them to do.

1. Introduction and Scope

This Data Processing Addendum (“DPA”) is a part of the Terms of Service, Privacy Policy, and other relevant policies and agreements located on SonicWP’s website at https://www.sonicwp.com/legal/ (collectively, the “Agreement”).  If there is a conflict between this DPA and any other provisions in the Agreement (other than this DPA), then the provisions of this DPA shall control. 

This DPA is a binding agreement between SonicWP and its Clients, but only to the extent that (a) SonicWP Processes Client Personal Data (defined below) for or on behalf of the Client pursuant to the Agreement (b) and the Data Protection Laws apply to such Client Personal Data. By using our Services in any way, you are agreeing to the terms of this DPA.

2. Definitions

Capitalised terms which are not defined herein shall have the meaning provided elsewhere in the Agreement. In addition, the following defined terms apply solely with respect to this DPA.

Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data”, and “Personal Data Breach” shall have the meanings ascribed to them in Data Protection Laws. 

Client Personal Data” means any Personal Data subject to the Data Protection Laws that Client provides, transfers, or makes accessible to SonicWP in connection with the Services.

Data Protection Laws” means the Data Protection Act 2018 (DPA 2018), and the General Data Protection Regulation (GDPR) as it applies in the UK, and any other relevant UK legislation.

3. Roles of the Parties

Client is the Controller and SonicWP is the Processor with respect to Client Personal Data. SonicWP shall only Process Client Personal Data in accordance with Client’s documented instructions, which include the provisions of the Agreement, unless otherwise required to comply with any Data Protection Laws. We will inform you if, in our opinion, your instructions violate the Data Protection Laws.

Client and SonicWP shall comply with the Data Protection Laws. Client shall obtain any required authorisations, consents, releases, or permissions, and provide all required privacy notices, regarding the Client Personal Data. For the avoidance of doubt, Client shall have sole responsibility for the accuracy, quality, and legality of all Client Personal Data and the bases on which it is collected from the Data Subject.

4. Nature, Purpose, and Duration of Processing

SonicWP will Process Client Personal Data as necessary to perform the Services – which is generally limited to hosting of Client websites – or to protect SonicWP’s legal rights, for the duration of the Agreement, unless otherwise agreed upon in writing. Client’s transfer of Client Personal Data to SonicWP in connection with the Services is determined and controlled by Client in its sole discretion.

SonicWP may Process the following categories of Client Personal Data: any Personal Data collected, used, or otherwise Processed from End Users of Client Websites.

SonicWP may Process Client Personal Data from the following categories of Data Subjects: End Users of Client Websites.

For clarity, the data on End Users of Client Websites is collected for the purposes of analytical reports presented to the Client by SonicWP, and for anti-spam, security and usability research purposes. SonicWP does not in any way store or sell this data for its own gains. Individually identifiable data (Browser fingerprint, IP address and Geolocation) is usually stored for 3 months, while the anonymised aggregate data, for analytical reports, is stored for the duration of the Agreement.

5. Cross-border Transfers

The personal data we collect within your country may be transferred outside of your country to SonicWP or its third-party contractors or service providers (mentioned above) for the purposes described in this Privacy Policy. As required by data protection laws, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, appropriate safeguards, or derogations when we transfer personal data across international borders.

While the majority of client data, including backups, remain solely in the United Kingdom, the European Economic Area (“EEA”), United States or Switzerland, there are certain instances where data must be transferred to other countries. Such cases are limited to purposes to providing the Services – such as being able to process card payments, via our processor, Stripe.  

Client authorises the transfer of Client Personal Data to the EEA and any jurisdiction outside the EEA, including the United States, for the purpose of providing the Services. As the controller and/or exporter of Client Personal Data, Client is responsible for ensuring that any such transfers comply with the Data Protection Laws.

Please note that the UK government has not restricted or placed conditions on data transfers from the UK to the EEA or countries deemed by the European Commission to have adequate levels of data protection, after the UK’s exit from the EU, and deems SCCs appropriate mechanisms for governing data transfers outside of the UK and EEA.

6. Sub-processors

SonicWP engages third-party subcontractors that Process Client Personal Data (“Sub-processors“) for the purposes of providing the Services. A current list of Sub-processors is available below in Appendix A. Client authorises SonicWP to engage these Sub-processors for the purpose of providing the Services.

SonicWP may update the list of Sub-processors in Appendix A from time to time, and such updates shall be the sole means of providing notice of Sub-processor changes to Client. Client is responsible for regularly checking and reviewing the list of Sub-processors in Appendix A. Client’s failure to object in writing to a new Sub-processor within fourteen (14) days of SonicWP’s posting of the new Sub-processor shall constitute Client’s authorisation of the new Sub-processor.

If SonicWP determines in its sole discretion that it cannot reasonably accommodate Client’s timely objection to a Sub-processor, upon notice from SonicWP, Client may choose to terminate the Agreement pursuant to the termination provisions in the Terms of Service, which shall be Client’s sole and exclusive remedy.

SonicWP shall impose obligations on its Sub-processors that are the same as or substantially equivalent to those set out in this DPA by way of written contract. SonicWP shall be liable to Client for the Sub-processors’ performance of its data protection obligations with respect to Client Personal Data.

7. Security and Impact Assessments

SonicWP shall ensure that its personnel are subject to binding obligations of confidentiality with respect to Client Personal Data.

Taking into account the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, SonicWP shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Taking into account the nature of Processing and the information available to SonicWP, SonicWP shall assist the Client in ensuring compliance with Client’s obligations under the Data Protection Laws with respect to security, impact assessments, and consultations with supervisory authorities or regulators.

8. Personal Data Breach

Taking into account the nature of Processing and the information available to SonicWP, SonicWP shall assist the Client in ensuring compliance with Client’s obligations under the Data Protection Laws with respect to a Personal Data Breach.

In the event of a discovered Personal Data Breach, SonicWP shall provide prompt notice to Client’s technical and account contacts using those means established for routine account-related communications.

Our notice shall include the following information to the extent it is reasonably available to SonicWP at the time of the notice, and SonicWP shall update its notice as additional information becomes reasonably available:

  1. the dates and times of the Personal Data Breach;
  2. the basic facts that underlie the discovery of the Personal Data Breach, or the decision to begin an investigation into a suspected Personal Data Breach, as applicable;
  3. a description of the Client Personal Data involved in the Personal Data Breach, either specifically, or by reference to the data set(s), and
  4. the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Personal Data Breach.

9. Data Subject Requests

Taking into account the nature of the Processing, SonicWP shall assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Laws.

SonicWP will promptly notify Client if we receive a request from a Data Subject to invoke their rights with respect to Client Personal Data, unless otherwise prohibited by applicable law; and, except to the extent required by applicable law, we will not independently take any action in response to a request from a Data Subject without Client’s prior written instruction.

10. Deletion or Return of Client Personal Data

Upon proper termination of the Agreement and at the written direction of the Client, SonicWP shall take reasonable measures to delete Client Personal Data or return Client Personal Data and copies thereof to the Client, subject to applicable laws or other SonicWP obligations requiring the continued storage of the Client Personal Data by SonicWP.

11. Contact

Should you require to contact or write to us in relation to our policies, please email [email protected] or send us a letter at the address provided here.

Appendix A

List of Sub-processors

  • Infrastructure Providers:
    • Google Commerce Limited (Google Cloud Services) – UK
    • Google LLC – US
    • Amazon Web Services EMEA SARL (Amazon Web Services) – Luxembourg
    • Hetzner Online GmbH – Germany
    • OVH Limited – UK
    • Cloudflare Inc – US
    • Automattic Inc – US
    • Rsync.net Inc – Switzerland
  • Payment Processing:
    • Stripe Payments Europe Limited – UK
  • Communications:
    • Google LLC – US
    • Google Commerce Limited – UK
    • The Rocket Science Group LLC – US
    • Mailgun Technologies Inc – US
    • Sendinblue – France
    • Twilio Inc – US
    • SipGate Gmbh – Germany
    • Internet Communications Limited – UK
    • Icon Offices Ltd – UK