General Terms & Conditions & Processor Agreement

These Terms and Conditions contain all the agreements between you and Superspace, and apply to all our services. Most importantly, we will do our very best for you. We are only human and can make mistakes. Should that happen, you can find here how we deal with those situations. Attached to these Terms and Conditions you can find our Processor Agreement.

Last modified: Jan. 20, 2025

Article 1. Definitions

1. Supplier: Superspace Hosting B.V. based in Leeuwarden and registered with the Chamber of Commerce under file number 01089811.
2. Customer: the natural or legal person who has entered into an Agreement with the Supplier or to whom the Supplier has made an offer to that effect.
3. General Terms and Conditions means the present document, including the Appendix.
4. Service: the specific service that Supplier agrees with Customer, as stated in the Agreement or quotation.
5. Agreement: the agreement between Supplier and Customer pursuant to which Supplier will perform the Service.
6. Website: the Supplier's website, accessible at www.superspace.nl
7. Personal Data: Any information about an identified or identifiable natural person, as referred to in Article 4(1) of the General Data Protection Regulation, that Supplier processes on behalf of Customer.
8. Annex: the annex attached to the General Terms and Conditions and inextricably linked thereto.

Article 2. Quotation, offer and acceptance

1. The Supplier shall prepare a quotation indicating what is included in the Service and the amount due upon acceptance. Only the description of the Service indicated in the quotation is binding. It is also possible for the Customer to make use of the electronic ordering process on the Website in order to purchase the Service. The amount due is also indicated on the Website and the description of the Service on the Website is binding.
2. A quotation is non-binding and valid for 30 days after Supplier sends it, unless otherwise indicated in the quotation.
3. If data provided by the Customer is found to be incorrect, the Supplier has the right to adjust the prices accordingly.
4. The Agreement shall at all times be subject to these General Terms and Conditions, unless otherwise expressly agreed in writing.
5. Any terms or conditions set by Customer that deviate from, or do not appear in, these General Terms and Conditions shall be binding on Supplier only if and to the extent that Supplier has expressly accepted them in writing.
6. Supplier has the right to reject a Client at its discretion without giving any reason.
7. After acceptance, the Agreement may be amended only by mutual consent.
8. The Agreement runs from the moment communication containing acceptance by Customer is received by Supplier.
9. In case of conflict of provisions in the Agreement, general terms and conditions or attachments thereto, the following order of precedence shall apply:
   - the Agreement;
   - the Service Level Agreement entered into, if any;
   - the attachments, if any;
   - these general conditions;
   - any additional conditions.

Article 3. Performance of the Service

1. After the conclusion of the Agreement, the Supplier shall perform the Service in accordance with the quotation or electronic order as soon as possible, taking into account reasonable wishes of the Customer.
2. To the extent not otherwise agreed in writing, the Supplier guarantees that the Service will be performed to the best of its ability under the application of sufficient care and skill.
3. If and to the extent required for the proper performance of the Service, the Supplier has the right to have certain work performed by third parties. The Supplier accepts no liability for services performed by third parties.
4. The Customer shall do and refrain from doing everything that is reasonably necessary and desirable to enable the timely and proper performance of the Service. In particular, the Customer shall ensure that all information which the Supplier indicates is necessary or which the Customer should reasonably understand is necessary for the performance of the Service is provided to the Supplier in good time.
5. The Supplier is permitted to independently make changes to the material supplied by the Customer without the prior consent of the Customer
6. If such is part of the Service, Supplier shall provide Customer with an administrative username and password. With these details the Customer will have access to an administrative account and a management tool with which the Customer can, at its own discretion, manage delivery of the Service and manage accounts for individual users and set the possibilities and limitations for these individual users of the Service, all within the limits specified in the Agreement. Customer shall pay all fees arising from the use of the Service with administrative username and password.
7. Any action taken through the administrative account or an account of an individual user is deemed to take place under the responsibility and at the risk of the Customer. In the event of suspected misuse of an account, the Customer must report this to the Supplier as soon as possible so that the Supplier can take action.
8. The Supplier has the right to (temporarily) take delivered products and services out of use and/or to restrict their use, or not to deliver them or to deliver them only to a limited extent, if the Customer fails to meet an obligation to the Supplier with respect to the Agreement or acts in violation of these terms and conditions.

Article 4. Prices

1. All prices are exclusive of sales tax (VAT) unless otherwise indicated.
2. All prices on the Website, offers, brochures and other documentation of Supplier are subject to obvious programming and typing errors. No liability is accepted for the consequences of such errors.
3. If the Agreement is a continuing performance agreement, the Supplier is entitled to increase the rates charged once per calendar year after the first year of the continuing performance agreement. The Supplier shall notify the Customer, via the Website, in writing or by email, of rate changes for this purpose at least 2 (two) months in advance. The Customer has the right to terminate the Agreement in the event of a price increase, subject to 1 (one) month's notice.
4. All costs arising for the Supplier from the Agreement shall be borne by the Customer, provided they are attributable to the Customer.

Article 5. Hosting and related services

1. If the Service (also) extends to providing services concerning storage and/or forwarding of material provided by the Customer to third parties, such as in the case of web hosting or e-mail services, the provisions of this article also apply.
2. The Client shall not publish or offer any information via the Supplier that violates Dutch law. This includes in particular but not exclusively information offered without permission of the copyright holder(s), information that is defamatory, threatening, insulting, racist, hate-mongering or discriminatory, information that contains child pornography or otherwise punishable pornography and information that violates the privacy of third parties or constitutes a form of stalking, as well as hyperlinks, torrents or other references to such information on third-party sites anywhere in the world (even if the information would be legal in the jurisdiction concerned).
3. Supplier maintains a complaint procedure by which third parties ("complainants") may file a complaint that in their opinion such a violation has occurred. If in the opinion of Supplier a complaint is justified, Supplier is entitled to remove or make inaccessible the material. Also, in that case, Supplier is entitled to provide Customer's Personal Data to a reporter or to the competent authorities. Supplier shall inform Customer about the course of this procedure.
4. If there is any potentially criminal information, the Supplier is entitled to report it. In doing so, Supplier may hand over all relevant information about Customer to the competent authorities and perform all other acts that these authorities request Supplier to perform as part of the investigation.
5. In case of repeated complaints about the information offered by the Customer, the Supplier is entitled to dissolve and/or terminate the Agreement.
6. The Customer acting in the course of a business or profession shall indemnify the Supplier for any damage resulting from the above. Supplier shall not be liable for any damage whatsoever suffered by Customer acting in the course of a business or profession as a result of Supplier's intervention in the complaint procedure.
7. The Customer shall refrain from obstructing other Customers or Internet users or causing damage to the servers. The Customer is prohibited from starting up processes or programs, whether or not via the server, of which the Customer knows or can reasonably suspect that this will hinder or damage the Supplier, other Customers or Internet users. Supplier shall inform Customer of any measures taken.
8. Client shall comply with the generally accepted rules of conduct on the Internet as set forth in RFC1855 (ftp://ftp.ripe.net/rfc/rfc1855.txt) and future amendments thereto.
9. Without Supplier's permission, Customer is prohibited from transferring the username or usernames and password or passwords provided by Supplier to third parties.
10. The Customer is not permitted to resell and/or re-let the Service, unless otherwise agreed.
11. The Supplier may set a maximum for the amount of storage space the Customer may use under the Service. If this maximum is exceeded, the Supplier is authorized to charge an additional amount in accordance with the amounts for additional storage space stated on the Website. No liability exists for consequences of inability to send, receive, store or modify data if an agreed storage space limit has been reached.
12. Customer hereby grants Supplier an unrestricted license to distribute, store, transmit or copy all materials distributed by Customer through Supplier's systems in any manner deemed appropriate by Supplier, but only to the extent reasonably necessary for Supplier's performance of the Agreement.
13. In addition to the obligations under the law, damage resulting from incompetence or failure to act in accordance with the above points shall be borne by the Client.

Article 6. Domain names and IP addresses.

1. If the Service (partly) involves the Supplier mediating for the Customer in obtaining a domain name and/or IP address, the provisions of this article also apply.
2. Application, assignment and possible use of a domain name and/or IP address depend on and are subject to the applicable rules and procedures of the relevant registering authorities, including the Stichting Internet Domeinregistratie Nederland and RIPE. The relevant authority decides on the allocation of a domain name and/or IP address. The Supplier only plays a mediating role in the application and gives no guarantee that an application will be honored.
3. The Customer can only learn the fact of registration from the Supplier's confirmation letter stating that the requested domain name has been registered, unless otherwise indicated. An invoice for registration fees is not confirmation of registration.
4. The Customer acting in the course of a business or profession shall indemnify and hold the Supplier harmless from any and all losses related to (the use of) a domain name on behalf of or by the Customer.
5. The Supplier is not liable for the loss by the Customer of its right(s) to a domain name and/or IP address or for the fact that the domain name and/or IP address is applied for and/or obtained by a third party in the interim, except in the case of intent or gross negligence on the part of the Supplier.
6. If Supplier registers a domain name in its name for the benefit of Customer, Supplier shall cooperate with Customer's requests to move, transfer or terminate such domain name.
7. Client must conform to the rules set by registering authorities for application, assignment or use of a domain name and/or IP address.
8. The Supplier has the right to make the domain name inaccessible or unusable if the Customer is demonstrably in default in the performance of the Agreement, but only for the duration that the Customer is in default and only after expiry of a reasonable period for performance set in a written notice of default.
9. In the event of dissolution of the Agreement for breach of contract by the Customer, the Supplier is entitled to terminate the domain name and/or IP address on one month's notice.

Article 7. Resellers

1. If the Service (also) extends to the reselling, renting or otherwise making available for compensation ("Reselling") of Supplier's products or services by Customer to its customers, the provisions of this article shall also apply.
2. When Reselling, Customer acts in its own name, for its own account, and at its own risk and is not entitled to enter into agreements for or on behalf of Supplier or to create the impression that it is an agent or representative of Supplier.
3. Customer shall impose at least the same obligations on its customers as Supplier imposes on Customer with respect to the product(s) or service(s) made available. Supplier may require Customer to provide evidence of this.
4. Failure of Customer's customers to pay or to pay on time shall not relieve Customer of its payment obligations to Supplier.
5. Supplier shall only contact customers of Customer through Customer, unless Supplier has an urgent reason to approach these customers directly or Customer gives permission for direct contact. (Impending) damage and nuisance to third parties caused by Customer's activities is in any case an urgent reason.
6. Customer is not entitled to use in promotional or commercial communications, including a domain name, any trade name, brand name, logos or signs of Supplier for the purpose of using Supplier's goodwill or good name for customer acquisition by Customer. However, Customer may communicate in a business manner that it uses Supplier's products and/or services.
7. Customer is at all times fully liable for anything its customers do or fail to do through Supplier's systems or networks or those of its suppliers.
8. In the event of dissolution of the Agreement for breach of contract by the Customer, the Supplier acquires the right to approach, inform, and possibly take over customers of the Customer.

Article 8. Services

1. Support on hardware, software and other services will be invoiced at the applicable hourly rate. The applicable hourly rate will be announced by the Supplier in advance. Support will be charged per hour, minimum purchase is one (1) hour unless otherwise agreed. When requesting support without an SLA, the Supplier cannot guarantee a response time.

Article 9. Connectivity

1. Each month, the current consumption of Client will be reviewed. If the consumption differs from the expected package, the package may be adjusted retroactively. An increase will be implemented immediately. A decrease can only be made at the end of period of this Agreement.
2. Data traffic is not transferable to a subsequent month and/or equipment unless otherwise agreed upon.
3. Data traffic means all network traffic generated by Client, incoming and outgoing. Incoming and outgoing traffic is added together for the purpose of calculating data traffic.
4. The Supplier may set a maximum amount of data traffic per month that the Customer may use as part of the Service. If this maximum is exceeded, the Supplier is authorized to charge an additional amount in accordance with the amounts for additional data traffic stated on the Website. No liability exists for consequences of inability to send, receive, store or modify data if an agreed data traffic limit has been reached.

Article 10. Availability of the Service.

1. The Supplier shall make every effort to achieve uninterrupted availability of its systems and networks, and to provide access to data stored by the Supplier, but offers no guarantees in this respect unless otherwise agreed in the quotation or the electronic ordering procedure by means of a Service Level Agreement (SLA) designated as such. Unless otherwise provided in such SLA, the provisions of this article shall apply to availability.
2. Supplier shall make every effort to keep the software it uses up-to-date. However, the Supplier is dependent on its Supplier(s) in this regard. The Supplier is entitled not to install certain updates or patches if, in its opinion, this will not benefit proper delivery of the Service.
3. Supplier shall make every effort to ensure that Customer can use the networks directly or indirectly connected to Supplier's network. However, Supplier cannot guarantee that these networks (of third parties) will be available at any time.
4. If, in the opinion of the Supplier, there is a danger to the functioning of the computer systems or the network of the Supplier or third parties and/or to the provision of services via a network, in particular due to excessive sending of e-mail or other data, poorly secured systems or activities of viruses, trojans and similar software, the Supplier is entitled to take all measures it reasonably considers necessary to avert or prevent this danger.
5. Supplier does not make backup copies (backups) available to Customer unless Customer has purchased an additional SLA for this purpose. It is therefore the Customer's responsibility to make backup copies of the data stored at Supplier. Supplier only makes backups for continuity purposes. This is a non-binding service and no guarantees are given and the Supplier cannot be held liable for this.

Article 11. Liability

1. The Supplier's liability for direct damage suffered by the Customer as a result of an attributable shortcoming in the performance by the Supplier of its obligations under this Agreement, expressly including any shortcoming in the performance of a guarantee obligation agreed upon with the Customer, or as a result of an unlawful act by the Supplier, its employees or third parties engaged by it, shall be limited per event or a series of related events to an amount equal to the fees payable by the Customer under this Agreement per year (excluding VAT). In no event, however, shall the total compensation for direct damage exceed EUR. 1,000 (excluding VAT).
2. Supplier's liability for indirect damages, including consequential damages, lost profits, missed savings, loss of (business) data and damages due to business interruption, is excluded.
3. Outside the cases mentioned in Article 11 paragraph 1, the Supplier shall not be liable for any compensation, regardless of the ground on which an action for compensation would be based. However, the maximum amount referred to in Article 11 paragraph 1 shall lapse if and insofar as the damage is the result of intent or gross negligence on the part of managerial personnel of the Supplier.
4. The Supplier's liability for attributable failure in the performance of the Agreement shall arise only if the Customer gives the Supplier immediate and proper notice of default in writing, setting a reasonable term in which to remedy the failure, and the Supplier continues to fail imputably in the performance of its obligations even after that term. The notice of default must contain as detailed a description as possible of the failure, so that Supplier is able to respond adequately.
5. The Supplier shall never be liable for damage caused by force majeure.
6. A condition for any right to compensation is always that the Customer reports the damage to the Supplier in writing and by registered mail within 30 days of its occurrence.
7. Customer shall indemnify Supplier against all third party claims for liability resulting from a defect in the Service provided by Customer to a third party that consisted in part of items, materials or results supplied by Supplier.
8. In this article, "Client" shall mean only a Client acting in the course of his profession or business.

Article 12. Failures and force majeure

1. Supplier has the right to temporarily take its systems, including the Website, or portions thereof out of service for the purpose of maintenance, modification or improvement thereof. The Supplier shall endeavour to arrange for such taking out of service to take place as far as possible outside office hours and shall endeavour to notify the Customer in good time of the planned taking out of service. However, Supplier shall never be liable for compensation for damage in connection with such taking out of service.
2. Supplier has the right to modify its systems, including the Website, or portions thereof from time to time to improve functionality and to correct errors. If a modification results in a significant change in functionality, the Supplier shall make every effort to notify the Customer. In the case of modifications relevant to multiple Customers, it is not possible to waive a particular modification only for Customer. Supplier is not obliged to pay any compensation for damage caused by such a modification.
3. The Supplier shall make every effort to inform the Customer of the nature and expected duration of the interruption in the event of unavailability of the Service, due to breakdowns, maintenance or other causes.
4. In the event of force majeure, which shall in any case include failures or breakdowns of the Internet, the telecommunications infrastructure, synflood, network attack, DoS or DDoS attacks, power failures, civil commotion, mobilization, war, traffic congestion, strike, lockout, business disturbances, supply congestion, fire, flood, import and export impediments and in the event that the Supplier is unable to deliver by its own Suppliers, whatever the reason may be, is not enabled to deliver, as a result of which performance of the Agreement cannot reasonably be required of the Supplier, performance of the Agreement shall be suspended or the Agreement shall be terminated when the force majeure situation has lasted longer than ninety days, all without any obligation to pay damages.

Article 13. Duration, termination and renewal

1. The Agreement is entered into for one year. Unless the Client cancels the Agreement (or an individual domain name) no later than one month before the end of this period, it will be tacitly renewed for one year after expiration.
2. Client may cancel on any day after renewal. Termination will take effect one month after receipt of notice. 'One month' notice means no later than the day with the same number in the following month.
3. The previous paragraph only applies if the Client is not acting in the course of a profession or business. If the Client does act from profession or business, a notice period of two months by the end of the term of the Agreement applies.
4. Client may communicate a cancellation through the same channel through which the Agreement was entered into. Client may additionally terminate by email, through the client account (control panel) and in writing.
5. If after termination it appears that Customer has paid more than is due for the period between the last invoice and the time of termination, Supplier shall refund the difference within 30 days.
6. Upon cancellation, termination or dissolution for any reason, the Supplier shall be entitled to immediately delete or make inaccessible all stored data and close all accounts of the Customer. Supplier is not obliged in that case to provide Customer with a copy of such data.
7. Terms of delivery given by the Supplier shall, unless it is expressly stated in writing that it concerns a deadline, always be indicative in nature. The Supplier shall not be in default, even in the case of an agreed deadline, until the Customer has given it notice of default in writing.
8. Exceeding agreed delivery times due to any cause whatsoever shall not entitle to compensation unless otherwise agreed in writing.
9. If the Customer is a natural person not acting in the exercise of a profession or business, the Customer has the right, without giving reasons, to dissolve the Agreement within 14 days after the conclusion of the Agreement. Registration of domain names is excluded from this statutory cooling-off period if the Client has agreed to direct delivery and the fact that he is waiving his statutory cooling-off period.
10. If the Customer fails to fulfill any of its obligations under the Agreement, the Supplier shall have the right to terminate all Agreements concluded with the Customer in question without the need for notice of default or judicial intervention and without prejudice to the Supplier's right to compensation for damages, lost profits and interest.

Article 14. Terms of Payment

1. Supplier shall send an invoice to Customer for the amount due by Customer. The payment term of this invoice is one month after the date of the invoice, unless otherwise indicated on the invoice or otherwise agreed in the Agreement.
2. Notwithstanding the previous paragraph, the Supplier is not obliged to send a statement of expenses if the Agreement is a continuing performance agreement. The Customer shall pay the amount due for that term to the Supplier on a monthly basis or another agreed term in advance.
3. After the expiry of 14 days after the payment term, Customer who fails to pay on time shall be in default by operation of law without notice of default being required. If an amount due is not paid within the payment term, statutory interest shall be payable on the outstanding invoice amount without further notice of default by Supplier.
4. In the event of late payment, in addition to the amount due and the interest accrued thereon, Client shall be liable for full compensation of both extrajudicial and judicial collection costs, including the costs of lawyers, bailiffs and collection agencies.
5. The claim for payment is immediately due and payable in the event that Client is declared bankrupt, applies for a moratorium or a general attachment is levied on Client's assets, Client dies and furthermore, if Client goes into liquidation or is dissolved.
6. In the above cases, the Supplier shall also have the right to terminate or suspend performance of the Agreement or any part thereof not yet performed without notice of default or judicial intervention, without entitlement to compensation for any loss to the Customer that may arise as a result.
7. If Customer is not acting in the pursuit of a profession or business, Supplier shall send Customer a reminder after the expiry of the payment term mentioned in article 14.3 containing a period of 14 days to still pay the invoice. After expiry of this period Customer who is not acting in the exercise of a profession or business shall be in default subject to the provisions of article 14.4.

Article 15. Intellectual property rights.

1. All Personal Data shall remain the property of Customer, Customer's customers or end users of the Service. Supplier shall make no ownership claims to them and shall use the Personal Data only to the extent necessary for the performance of the Agreement.
2. All intellectual property rights to all materials, software, analyses, designs, documentation, advice, reports, quotations, as well as preparatory material thereof, developed or made available in the context of the Service, shall be held exclusively by Supplier or its licensors.
3. The Customer shall acquire only the rights of use and powers arising from the scope of the Agreement or granted in writing, and otherwise the Customer shall not reproduce or disclose the software or other materials.
4. Client is not allowed to remove or change any indication concerning copyrights, brands, trade names or other intellectual property rights from the materials, including indications concerning the confidential nature and secrecy of the materials.
5. Supplier is permitted to take technical measures to protect the materials. If Supplier has secured the materials by means of technical protection, Customer shall not be permitted to remove or circumvent such protection.
6. Any use, reproduction or disclosure of the materials beyond the scope of the Agreement or rights of use granted shall be considered copyright infringement. The Customer shall pay to the Supplier an immediately due and payable penalty not subject to judicial mitigation of 1,000 euros for each infringing act, without prejudice to the Supplier's right to be compensated for its losses due to the infringement or to be allowed to take other legal measures in order to have the infringement terminated.

Article 16. Secrecy

1. Parties will keep confidential any information they provide to each other before, during or after the execution of the Agreement if this information is marked as confidential or if the receiving party knows or should reasonably suspect that the information was intended to be confidential. The parties shall also impose this obligation on their employees as well as third parties engaged by them for the performance of the Agreement.
2. The Supplier shall not take cognizance of data that the Customer stores and/or distributes through the Supplier's systems, unless this is necessary for proper performance of the Agreement or the Supplier is obliged to do so pursuant to a statutory provision or court order. In that case, the Supplier shall make every effort to limit knowledge of the data as much as possible, insofar as this is within its power.

Article 17. Complaints

1. Complaints regarding the performance of the Agreement, the functioning of the system or the operation of other facilities must be communicated in writing. Within 5 working days, Client may expect a response to the complaint.

Article 18. Changes to General Terms and Conditions.

1. Supplier reserves the right to modify or supplement these terms and conditions.
2. Amendments shall also apply with respect to Agreements already entered into subject to a period of 30 days after publication of the amendment on the Supplier's Website or by electronic notification. Changes of minor importance may be made at any time.
3. If the Client does not wish to accept a change in these terms and conditions, it may terminate the Agreement by the date on which the new terms and conditions become effective.

Article 19. Final Provisions

1. Dutch law applies to this Agreement.
2. Insofar as not otherwise prescribed by the rules of mandatory law, all disputes that may arise in connection with this Agreement shall be submitted to the competent Dutch court for the district in which the Supplier is located.
3. If any provision of this Agreement is found to be invalid, this shall not affect the validity of the Agreement as a whole. The parties will in that case adopt (a) new provision(s) to replace it, which will give shape to the intention of the original Agreement and General Terms and Conditions as much as is legally possible.
4. In these terms and conditions, "in writing" includes e-mail and communication by fax, provided that the identity and integrity of the e-mail or fax is sufficiently established.
5. The version of any communication received or stored by Supplier, measurements made (for example, data traffic, but not limited to this) and monitoring by Supplier shall be deemed authentic, subject to evidence to the contrary to be provided by Customer.
6. The parties shall always promptly notify each other in writing of any changes in name, mailing address, e-mail address, telephone number and, if requested, bank account number.
7. Customer is only entitled to transfer its rights and obligations under the Agreement to a third party with Supplier's prior written consent. Supplier may do so without Customer's consent.

Appendix 1: Processing personal data

If the Supplier processes Personal Data for the benefit of the Customer in the performance of the Agreement, the terms and conditions below shall apply in addition to the General Terms and Conditions.

Article 1. General

1. The terms defined in this Appendix in the General Data Protection Regulation (hereinafter "AVG") have the meanings assigned to them in the AVG.
2. When processing Personal Data, the Customer may be designated as a Controller, or if the Customer processes the Personal Data on behalf of a third party as a Processor. Supplier performs (depending on the capacity in which the Customer processes Personal Data) the role of Processor or Subprocessor.

Article 2. Purposes of processing

1. Supplier undertakes to process Personal Data on behalf of Customer under the terms of the Agreement. The processing will take place solely in the context of the performance of the Agreement, plus those purposes reasonably related thereto or as determined by further agreement.
2. Supplier shall not process the personal data for any purpose other than as determined by Customer. Customer shall inform Supplier of the processing purposes insofar as they are not already mentioned in this Schedule. The categories of data subjects and personal data concerned are defined in the addendum to this Schedule.
3. Supplier does not control the purpose and means of processing Personal Data. Supplier does not make decisions regarding the receipt and use of Personal Data, the disclosure to third parties and the duration of storage of Personal Data.

Article 3. Supplier obligations

1. With respect to the processing mentioned in Article 2, the Supplier shall ensure compliance with the conditions that, pursuant to the AVG, are imposed on the processing of Personal Data.
2. Supplier will process Personal Data and other data that will be provided to Supplier by or on behalf of Customer.
3. Supplier shall inform Customer, at Customer's request and within a reasonable time, of the measures it has taken regarding its obligations under this Schedule.
4. Supplier's obligations under this Schedule also apply to those who process Personal Data under Supplier's authority.
5. Supplier shall notify Customer if, in its opinion, an instruction from Customer violates relevant privacy laws and regulations.
6. Supplier shall provide Customer with the necessary cooperation should a data protection impact assessment, or prior consultation with the supervisor, be necessary in the context of the processing.

Article 4. Transfer of personal data

1. Supplier may process personal data in countries within and outside the European Union, subject to relevant laws and regulations.
2. Supplier shall notify Customer, upon request, of the country or countries concerned.

Article 5. Division of responsibility

1. The parties will ensure compliance with applicable privacy laws and regulations.
2. The permitted processing operations will be performed by Supplier within a (semi-)automated environment.
3. Supplier is solely responsible for the processing of the Personal Data under this Schedule in accordance with Customer's instructions and under Customer's express (ultimate) responsibility. For all other processing of Personal Data, including but not limited to the collection of the Personal Data by Customer, processing for purposes not notified to Supplier by Customer, processing by third parties and/or for other purposes, Supplier is not responsible. The responsibility for these processing operations rests solely with Customer.
4. Client warrants that the content, use and commissioning of processing of Personal Data, as referred to in this Schedule, is not unlawful and does not infringe any third party right.

Article 6. Engaging third parties or subcontractors

1. Customer hereby authorizes Supplier to engage third parties (sub-processors) in the processing.
2. At Customer's request, Supplier shall inform Customer as soon as possible about the sub-processors it has engaged. Customer has the right to object to the engagement of a sub-processor. This objection must be made in writing, within two weeks and supported by arguments.
3. Supplier unconditionally ensures that these third parties assume in writing the same duties as agreed between Customer and Supplier. Supplier guarantees proper compliance with these duties by these third parties.

Article 7. Security

1. Supplier shall endeavor to take appropriate technical and organizational measures with respect to the processing of Personal Data to be performed, against loss or against any form of unlawful processing (such as unauthorized access, impairment, modification or disclosure of the Personal Data).
2. Supplier does not warrant that the security is effective under all circumstances. The Supplier shall make every effort to ensure that the security meets a level that is not unreasonable, given the state of the art, the sensitivity of the Personal Data and the costs associated with implementing the security.
3. Customer shall make Personal Data available to Supplier for processing only if Customer has satisfied itself that the required security measures have been taken. Customer is responsible for compliance with the measures agreed upon by the Parties.

Article 8. Duty to report

1. In the event of a security breach and/or a data breach (which shall mean: a breach of security leading accidentally or unlawfully to the destruction, loss, modification or unauthorized disclosure of, or unauthorized access to, transmitted, stored or otherwise generated data), Supplier shall, to the best of its ability, use its best efforts to inform Customer about it as soon as possible, as a result of which Customer will assess whether or not to inform the supervisory authorities and/or data subjects. Supplier shall use its best efforts to make the information provided complete, correct and accurate.
2. If required by law and/or regulations, Supplier shall cooperate in informing the relevant authorities and any parties involved. Customer is responsible for reporting to the relevant authorities.
3. At a minimum, the duty to report includes reporting the fact that a leak has occurred, as well as:v - What the (alleged) cause of the leak is;
   - What is the (as yet known and/or expected) consequence;
   - What is the (proposed) solution;
   - What actions have already been taken;
   - Contact information for following up on the report;
   - Who has been informed (such as data subject himself, Principal, supervisor).

Article 9. Handling requests from data subjects.

1. In the event that a data subject makes a request about their personal data to Supplier, Supplier will forward the request to Customer and notify the data subject. Customer will then continue to handle the request independently. If it appears that the Customer requires assistance from the Supplier for the fulfillment of a data subject's request, the Supplier shall cooperate and the Supplier may charge a fee for this assistance.

Article 10. Secrecy and confidentiality

1. All Personal Data that Supplier receives from Customer and/or collects itself in the context of this Schedule is subject to a duty of confidentiality towards third parties. Supplier shall not use such information for any purpose other than that for which it obtained it, unless it is in such form that it cannot be traced back to data subjects.
2. This duty of confidentiality does not apply:
   - To the extent that Client has given express permission to provide the information to third parties; or
   - If providing the information to third parties is logically necessary for the performance of the Master Agreement or this Schedule; and
   - If there is a legal obligation to provide the information to a third party.

Article 11. Audit

1. Client shall have the right to have audits performed by an independent ICT expert bound by confidentiality to verify compliance with all items in this Schedule.
2. This audit shall only take place after Customer has requested and assessed the similar audit reports present at Supplier and presents reasonable arguments justifying an audit initiated by Customer. Such an audit shall be justified if the similar audit reports present at the Supplier do not or insufficiently provide a definite answer about the Supplier's compliance with this Schedule. The audit initiated by Customer shall take place two weeks after prior notice by Customer, once a year.
3. Supplier shall cooperate with the audit and make available all information reasonably relevant to the audit, including supporting data such as system logs, and employees as timely as possible and within a reasonable time frame, whereby a period of up to two weeks is reasonable unless an urgent interest dictates otherwise.
4. The findings resulting from the audit conducted will be reviewed by the Parties in mutual consultation and, as a result, may or may not be implemented by either or both Parties jointly.
5. The reasonable costs of the audit shall be borne by the Client, provided that the costs of the ICT expert to be hired shall always be borne by the Client.

Article 12. Duration and termination

1. The Attachment is entered into for the duration as stipulated in the Agreement between the Parties and, failing that, in any case for the duration of the cooperation.
2. The Appendix cannot be terminated in the interim.
3. The parties may amend this Schedule only by mutual agreement.
4. Upon termination of the Attachment, Supplier shall promptly destroy the Personal Data received from Customer, unless the Parties agree otherwise.

Privacy Statement

Your privacy is of great importance to Superspace. We therefore adhere to the privacy law. This means that your data is safe with us and that we always use it properly. In this privacy statement we explain what we do on our website and for our services with information we learn about you. If you have any questions, or want to know exactly what we track about you, please contact us.

Last modified: Jan. 7, 2026

Your privacy is of great importance to Superspace Hosting B.V.. We therefore adhere to the relevant laws and regulations on privacy, including the General Data Protection Regulation (further: AVG). This means that we:

• Clearly define our purposes before we process your personal data, through this privacy statement;
• Store as little personal data as possible and only the data necessary for our purposes;
• Explicitly request consent to the processing of your personal data, should consent be required;
• Take necessary security measures to protect your personal data. We also impose these obligations on parties who process personal data for us;
• Respect your rights, such as the right to access, correct or delete your personal data processed with us.

Your information is safe with us, and we will always use this information appropriately. In this privacy statement, we explain what we at the company Superspace Hosting B.V. all do with information we learn about you.

If you have any questions or want to know exactly what we track about you, please contact Superspace Hosting B.V.

Your account

Certain areas of our company require you to register first. You must then provide information about yourself and choose a username. With that, we will create an account where you can log in with that username and a password of your choosing. For this we use your:

• NAW data
• phone number
• billing address
• email address
• payment information
• IP address

We need these because of the contract we make with you. We keep this information for six months after you cancel the account. We keep this information so you don't have to fill it out again and again at the company and so we can contact you more easily if necessary. You can edit information through your account whenever you want.

Order fulfillment

We need these because of the contract we make with you. We keep this information until your order is completed. We keep certain customer data for longer in connection with the statutory tax retention obligation.

• NAW data
• phone number
• billing address
• email address
• payment information
• IP address

We need these because of the contract we make with you. We keep this information for six months after you cancel the account. We keep this information so you don't have to fill it out again and again at the company and so we can contact you more easily if necessary. You can edit information through your account whenever you want.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. With these companies we have a processing agreement. For order processing we cooperate with:

• Mollie B.V. (Netherlands) - https://www.mollie.com/nl/privacy
• Stripe Technology Company Limited (Ireland) -. https://stripe.com/en-nl/privacy

Sending newsletters and notifications

We have a newsletter and you will automatically be added to the list of subscribers. In the newsletter you will read news, tips and information about our products and services. We also send notifications about your account and services you purchase from us. For this we use your:

• NAW data
• email address
• IP address

We do this based on your consent. We keep this information, until you cancel the subscription.

The newsletter is sent by mail monthly. Notifications are sent daily and weekly, depending on urgency. The content of the newsletter and notifications include the following:

• Information on new services;
• Updates on changes and improvements to existing services;
• Information about maintenance, malfunctions, security incidents and changes related to our services;
• Updates about your account, your purchased services, our company, portal and terms and conditions.

You can unsubscribe from the newsletter and receive notifications at any time. Every newsletter and notification contains an unsubscribe link.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. With these companies we have a processing agreement. For handling the newsletters we cooperate with:

• • Sendinblue France S.A.S. (France) -. https://www.brevo.com/legal/privacypolicy/

Portal Access

Our portal gives you access to a management environment where you can set up, specify and change things for the company yourself. We keep track of what you have done and when, so there is proof of that. We use your:

• NAW data
• phone number
• billing address
• email address
• payment information
• IP address

We need these because of the contract we make with you. We keep this information for six months after the end of our service to you.

Contact or inquiry form, online chat function, phone & email

With the contact or request form, the online chat function and via telephone and e-mail you can ask us questions or make requests. We use your:

• NAW data
• phone number
• email address
• IP address

We do this based on your consent. We keep this information until we are sure you are satisfied with our response and six months after that. This allows us to easily grab the information when we have follow-up questions. It also allows us to train our customer service to become even better.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. We have signed a processing agreement with these companies. For the processing of applications and questions we cooperate with:

• • Dixa ApS - https://www.dixa.com/legal/privacy/
  • Voys B.V. (Netherlands) - https://www.voys.nl/privacy-en-toegankelijkheid/

Making an appointment online

On our website you can schedule an appointment to be called back. We use your:

• NAW data
• phone number
• email address

We do this based on your consent. We keep this information until we are sure you are satisfied with our response and six months after that. This allows us to easily grab the information when we have follow-up questions. It also allows us to train our customer service to become even better.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. We have signed a processing agreement with these companies. For the processing of applications and questions we cooperate with:

• • Voys B.V. (Netherlands) - https://www.voys.nl/privacy-en-toegankelijkheid/

Status page

On our status page you can sign up to be kept informed in case of incidents and changes related to our services. We use your:

• NAW data
• email address

We do this based on your consent. We keep this information until we are sure you are satisfied with our response and six months after that. This allows us to easily grab the information when we have follow-up questions. It also allows us to train our customer service to become even better.

Performing services: domain registration

If you apply for a domain name with us, certain personal data must be shared with the issuing authority. Otherwise, registration of a domain name is not possible. Your personal data are stored by the issuing authority and in addition, to a limited extent, published in a publicly accessible whois database, which stores all registered domain names with their holder information. We use your:

• NAW data
• phone number
• email address

We need these because of the contract we make with you. We keep this information for six months after the end of our service to you.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. With these companies we have a processing agreement. For offering domain registration we cooperate with:

• • InterNetX GmbH (Germany) - https://www.internetx.com/rechtliches/datenschutz/
  • Realtime Register B.V. (Netherlands) -. https://realtimeregister.com/resources/business/privacy-statement/
  • SIDN (Netherlands) for .nl domain names -. https://www.sidn.nl/over-sidn/privacy
  • DNS Belgium asbl (Belgium) for .be domain names -. https://www.dnsbelgium.be/nl/privacy/gdpr
  • EURid vzw (Belgium) for .eu domain names -. https://eurid.eu/nl/overige-informatie/privacybeleid/
  • For other domain extensions, the privacy statements of the respective registries of those extensions apply

Performing services: hosting

If you use our service to host websites or applications, we store the data of your websites or applications on our servers in a data center in the Netherlands. We also make backups of this stored data to external servers in data centers in the Netherlands, Germany and Finland. Furthermore, we keep track in server logs of which users visit your website or application, when you log in to the hosting service, and when you upload and download files to and from the hosting service in order to be able to solve any problems. Files are also checked for the presence of malware. To do this, we use data from both you and the users who visit your website or application:

• IP address
• data you store on your website or application

We need these because of the contract we make with you. We do not, for no work-related reason, take note of the content of these data or server logs. We keep this information for one month after the end of the service to you, or after you delete the stored data. Server logs and backups are deleted after one month.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. With these companies we have a processing agreement. For the provision of hosting we cooperate with:

• UpCloud Ltd. (Finland) - https://upcloud.com/privacy-policy/
• Monarx, Inc. (United States) -. https://support.monarx.com/en/articles/5594907-privacy-policy

Performing services: VPS hosting

If you use our VPS hosting service, we store the data on your VPS on our servers in your chosen data center. Optionally, we make backups of this stored data to remote servers in the same data center. We use your:

• data you store on your VPS

We need these because of the contract we make with you. We do not take note of the content of this data without a work-related reason. We keep this information until the end of the service to you, or after you have deleted the stored data.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. We have entered into a processing agreement with these companies. For the provision of VPS hosting, we cooperate with:

• UpCloud Ltd. (Finland) - https://upcloud.com/privacy-policy/

Performing services: CloudPress (WordPress hosting)

If you use our CloudPress hosting, we store the data of your websites or applications on our servers in your chosen data center. We also back up this stored data to external servers in the same data center. Furthermore, we keep track in server logs of which users visit your website or application, when you log in to the hosting service, and when you upload and download files to and from the hosting service in order to troubleshoot any problems. Files are also checked for the presence of malware. A Content Delivery Network (CDN) is used to protect and accelerate traffic to your website or application worldwide. For this we use from both you and the users visiting your website or application:

• IP address
• data you store on your website or application

We need these because of the contract we make with you. We do not, for no work-related reason, take note of the content of these data or server logs. We keep this information for one month after the end of the service to you, or after you delete the stored data. Server logs and backups are deleted after one month.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. We have entered into a processing agreement with these companies. For the provision of CloudPress hosting, we partner with:

• UpCloud Ltd. (Finland) - https://upcloud.com/privacy-policy/
• Monarx, Inc. (United States) -. https://support.monarx.com/en/articles/5594907-privacy-policy
• Bunny d.o.o. (Slovenia) - https://bunny.net/privacy/

Performing services: e-mail

If you use our service for e-mail, we store your e-mail on our servers in a data center in the Netherlands. We also back up this stored e-mail to external servers in data centers in the Netherlands, Germany and Finland. Furthermore, we keep track in server logs when you log in to the e-mail service and what e-mail is received and sent, in order to troubleshoot any problems. For this we use from both you and the parties to which you send and receive e-mail:

• NAW data
• email address
• IP address

We need these because of the contract we enter into with you. We do not, for no work-related reason, take note of the content of these e-mail or server logs. We keep this information for one month after the end of service to you, or after you retrieve and delete the stored e-mail. Server logs are deleted after one month.

Providing to third parties
We cooperate with certain companies, which may receive your personal data mentioned above from us. With these companies we have concluded a processing agreement. For the provision of e-mail we cooperate with:

• SpamExperts B.V. (Netherlands) - https://www.solarwindsmsp.com/sites/solarwindsmsp/files/resources/SpamExperts-Data-Processing-Addendum-DPA.pdf
• MailChannels Corporation (Canada) - https://www.mailchannels.com/privacy-policy/
• UpCloud Ltd. (Finland) - https://upcloud.com/privacy-policy/

Server logs

Every time you visit our website or use our services, we automatically save some data about your connection to our servers in so-called server logs. We use the data in these logs to find and fix errors in our systems, and to track down individuals who are endangering our servers in order to take measures against them. We use your:

• IP address

We do this based on your consent. We keep this information for a maximum of one month.

Applications

When you apply to us for a vacancy or internship, we would like to know whether you are suitable for the position. We check this on the basis of your CV, motivation letter, portfolio and/or submitted application assignment. For this we use your:

• NAW data
• phone number
• email address

We do this based on your consent. We retain this information for up to one month after you are not hired. Sometimes we offer the opportunity to be included in our portfolio, so that we can contact you at a later time should a position become available. We will then keep your information for a maximum of one year.

Works

When you start working or doing an internship with us, we enter into an employment contract with you. For this, we use your:

• NAW data
• phone number
• email address
• phone number
• payment information
• BSN number

We need these because of the contract we make with you. We store this information:

• Pay slips: 7 years after leaving employment
• Copy of proof of identity: 5 years after leaving employment
• Employment contract(s), performance reviews and other documents in the personnel file: 2 years after leaving employment

Advertising

We would like to send you advertising about offers and new products or services. We do this:

• by email;
• by phone;
• by mail;
• via social media.

You can object to this advertising at any time. Every email contains an unsubscribe link, you can indicate this when you receive calls, on social media you can block us or use the unsubscribe option, and every letter tells you how to object.

Disclosure to other companies or institutions

We only give your personal data to other companies or institutions if it is necessary for our services or if we are required to do so by law (for example, if the police require it in case of suspicion of a crime).

Statistics

We keep statistics on the use of our services.

Cookies

Our website uses cookies. Cookies are small files that we can store information in so that you don't have to fill it in again and again. But they also allow us to see when you visit us again.

You can disable the setting of cookies through your browser or through the cookie settings on our website, but some things on our website will then no longer work properly.

We have made agreements with other companies that place cookies. However, we do not have full control over what they themselves do with the cookies. So please read their privacy statements as well.

Google Analytics

We use Google Analytics to track which and how visitors use our website and services. We have a processing agreement with Google. This contains strict agreements about what they are allowed to track. We have not allowed Google to use the obtained Analytics information for other Google services. We have Google anonymize the IP addresses. You can find the privacy statements of Google Analytics at:

• Google Ireland Limited (Ireland) - https://policies.google.com/privacy?hl=nl-nl

Security

Security of personal data is very important to us. You can read how we protect your privacy in our separate security policy. This can be found at: https://www.superspace.nl/voorwaarden.

Changes to this privacy statement

When our company changes, we naturally have to update the privacy statement as well. So always note the date above and check regularly for new versions. We will do our best to communicate changes to you.

Your rights

If you have any questions or want to know what personal data we hold about you, you can always contact us. Please see the contact information below.

You have the following rights:

• Get an explanation of what personal data we have and what we do with it;
• Insight into the exact personal data we have;
• Getting errors corrected;
• Having outdated personal data deleted;
• Having personal data transferred to another party;
• Withdrawal of consent;
• Limit a particular processing;
• Object to a particular use.

Please make sure you always clearly identify who you are so we can be sure we are not modifying or deleting data from the wrong person.

In principle, we will comply with your request within one month. However, this period may be extended for reasons related to the specific rights of data subjects or the complexity of the request. If we extend this deadline, we will notify you in a timely manner.

Filing a complaint

If you want to file a complaint about the use of your personal data, you can send an e-mail to support@superspace.nl We address each complaint internally and communicate this further with you.

If you feel that we are not helping you in the right way, you have the right to file a complaint with the regulator. This is called the Personal Data Authority.

Contact details

Superspace Hosting B.V.
South Square 4
8911AJ Leeuwarden
Netherlands
E-mail: support@superspace.nl
Phone: +31880006666
Chamber of Commerce number: 01089811

Security Policy

We consider information security an essential part of our service. How we deal with this and how we have secured information security within Superspace can be found in this security policy. The basis of this policy is determined by our IS027001 and ISO27017 certification processes.

Last modified: April 1, 2021

Access policy

• Access to systems and data is allowed on a need-to-know/need-to-use basis. Based on logical access lists, our employees do not have access to more systems and data than is strictly necessary for their role. These access lists are checked regularly.
• For access to systems in which confidential data is stored, we use multifactor authentication capabilities. Customer may also enable these multifactor authentication capabilities for access to our systems. We strongly encourage Customer to take advantage of this.
• For certain systems in which confidential data is stored, access is limited to the IP address of our secure VPN connection. Customer may also restrict access to certain of our systems to a list of IP addresses. We strongly encourage Customer to take advantage of this.
• Customer may add, change and delete user accounts, access rights and authentication information in the system or service at any time.
• If (virtual) servers are part of a system or service, each server is securely installed and configured according to a documented procedure.
• The use/misuse of tools that allow security measures to be circumvented is prohibited, and there is protection against customers being able to use such tools on our systems.

Password policy

• We require for ourselves and for customer the use of strong passwords, where the password consists of at least 14 characters and a combination of lowercase, uppercase, numbers and symbols.
• We store our passwords and authentication data in a password manager, which is only available to authorized employees and systems, and only through an internal (VPN) connection. Passwords and authentication data should not be stored elsewhere. We strongly recommend that customers use a password manager as well.
• Using the same password (or variations thereof) for multiple systems is not allowed.
• Passwords should never be communicated by email, phone or via online chat. Alternatively, a one-time, shareable link can be created (as on secret.xxlhosting.co.uk), where the link expires automatically after opening it once and also after a certain amount of time.
• If password and/or authentication data leaks are part of a security incident that occurred at an external service we use, we reset our password and/or authentication data or delete our account at that external service. Our password manager monitors and informs us about security incidents at external services. We recommend that Customer also monitor security incidents at external services Customer uses.

Cryptography Policy

• All of our web and mail services and systems containing confidential data are available through an encrypted SSL connection.
• We mandate the use of TLS version 1.2 or higher.
• We require the use of SSL certificates with a maximum validity period of one year and a key length of at least 2,048 bits.
• For web services and systems with confidential data, at least an A score on ssllabs.com mandatory. This is checked regularly by us.
• It is the Customer's responsibility to verify that the cryptographic measures comply with the agreements, laws and regulations relevant to the Customer.
• For certain services where the customer manages a system itself (such as VPS and container hosting), the customer is responsible for the cryptography policy on the relevant system.

Disposal Policy

• If (removable) storage media, computers, or servers are used for systems or services (or to access them), these devices are disposed of securely after use according to a documented media destruction process.
• The data on these devices are securely disposed of according to a documented data destruction process.

Change Management

• Operational changes, changes in internal and external IT components, and any other change where there is likely to be an impact on the confidentiality, integrity, or availability of information within the scope of our security policy, we implement according to a documented change management process.
• If a change impacts service to the customer, the customer will be notified via email and/or our status page notified about the change.
• In certain management systems, the customer can perform actions that can have a major impact and/or cause security incidents at the customer, such as deleting or changing - in bulk or otherwise - domain names, DNS zones, hosting and server environments, files, databases and e-mail. We strongly recommend always performing such actions very carefully (following a change management process), having a rollback plan or backup ready, and using the "four-eye principle" for critical operations.

Management of technical vulnerabilities

• We regularly monitor and check for technical vulnerabilities found or patches and updates released for the systems and services we use and provide.
• You can email at support@superspace.nl report a technical vulnerability to us. We have described in our Responsinble Disclosure Policy how we collectively handle the reporting of technical vulnerabilities. You can find our Responsinble Disclosure Policy on our website: https://www.superspace.nl/voorwaarden.
• If a technical vulnerability or the installation of a patch or update impacts customer service, the customer will be notified via email and/or our status page informed about this.
• We have our systems scanned for vulnerabilities at least annually through a penetration test.

Capacity Management

• We continuously monitor and check whether our systems and services have sufficient capacity available. Based on this information, systems or services are scaled up or down.
• Customer can view consumed capacity in the system at all times. If Customer requires more or less capacity, this can be requested in the system or by contacting us.

Backup Policy

• We back up all systems and services daily, unless otherwise specified for a service. We maintain a minimum retention period for backups of seven days.
• We make backups to external servers, and where possible in another data center. These backup servers are accessible only through an internal (VPN) connection.
• We monitor, verify and test at least quarterly whether backup creation and restore is succeeding for all systems and services.

Retention Policy

• Our privacy statement sets out for each type of (personal) data how long and for what purposes we keep them. You can find our privacy statement on our website: https://www.superspace.nl/voorwaarden.

Logging policy

• We keep logs of systems and services containing confidential data for at least 30 days.
• We keep logs in a remote, central location whenever possible to prevent unauthorized modification and promote efficient analysis.
• We regularly synchronize all logging systems to the same (NTP) source.
• As far as possible, we avoid recording (special) personal information in logbooks. If logbooks contain (special) personal information, access to it is recorded and monitored by us.
• For certain services where the Customer manages a system itself (such as VPS and container hosting), the Customer itself is responsible for the logging policy on the relevant system.

Separation in networks

• We require ourselves to use a secure VPN connection to access our systems and services.
• On our internal and hosting servers, we have separated the network we use to manage these servers from the public network. The internal network can only be accessed via the secure VPN connection.
• Customer's hosting environment is set up in isolation through the use of virtualization or containerization, where processes, the internal network and file system are separated from other customers' hosting environments.
• We use separate and distinct servers for production and test/development environments.

Development policy & system acceptance testing

• We keep source code in repositories, and all checked-in code should compile without warnings.
• We always have the design and source code checked by a colleague before it is submitted for acceptance.
• During development, we always consider security of systems, privacy of (personal) data, common threats and vulnerabilities, and writing a test plan/script.
• We document which version of libraries and frameworks we use, and deploy them without modification.
• We do not use data from production systems, but pseudo- or anonymized data for conducting (acceptance) tests.
• We perform a regression test after every change or update.

Incident Policy

• We handle security incidents according to a documented incident policy.
• You can email at support@superspace.nl report a security incident or weakness in our security to us. We have described in our Responsinble Disclosure Policy how we collectively handle the reporting of security incidents. You can find our Responsinble Disclosure Policy on our website: https://www.superspace.nl/voorwaarden.
• If a security incident impacts customer service, the customer will be notified via email and/or our status page informed about both the occurrence of, as well as the progress in resolving the security incident.
• If a security incident occurs, relevant logs are copied to and secured on an internal system.
• The responsibility for managing security incidents rests with us, except when the security incident that has occurred relates to a website, application, account, software, system or domain name that Customer manages.

Supplier Policy

• If we rely on a third-party vendor to perform our services, and/or if a third-party vendor processes personal data on our behalf, we require that the third-party vendor maintain at least the same level of information security as us.
• An external vendor is regularly reviewed for compliance with our information security policy according to a documented vendor policy.

Availability & monitoring

• We continuously monitor and check the availability of all our systems and services, unless otherwise indicated for a service.
• If an outage/unavailability impacts service to the customer, the customer will be notified via email and/or our status page informed about both the occurrence of, as well as the progress of resolving the outage/unavailability.
• Depending on the service, we offer an availability guarantee and possible compensation if this guarantee is not met. This is laid down in our Service Level Agreement (SLA) and can be found on our website: https://www.superspace.nl/voorwaarden.
• We offer buyer capabilities, tools and integration options to monitor the availability and usage of our services. This varies by service and is explained on our website.
• For certain services where the customer manages a system itself (such as VPS and container hosting), the customer is responsible for monitoring the availability of the system in question.

Legislation and contractual requirements

• We are based in the Netherlands, and Dutch and European laws and regulations apply to our services. Data is stored on systems in data centers in the Netherlands and the European Union. For certain services we use suppliers, where data may also be stored in other countries. We have entered into a processing agreement with these suppliers. Our privacy statement specifies for each service which suppliers and countries are involved. You can find our privacy statement on our website: https://www.superspace.nl/voorwaarden.
• If we receive a complaint about (allegedly) unlawful or criminal matters posted or used by the Customer on our systems or services, including but not limited to content and/or domain names that infringe intellectual property rights, we will handle the complaint according to our Notice & Takedown Policy. You can find our Notice & Takedown Policy on our website: https://www.superspace.nl/voorwaarden
• We can independently demonstrate the implementation of our security policy with an ISO27001 and ISO27017 certification. You can receive these certificates and the applicability statement from us upon request.

Other

This security policy may change from time to time.

Service Level Agreement (SLA).

As a Superspace customer, you can expect our services to be of high quality and high availability. The agreements and expectations regarding this are described in this Service Level Agreement (SLA).

Last modified: April 1, 2021

Introduction

This document constitutes the Service Level Agreement ("SLA") of Superspace Hosting B.V., located at Zuiderplein 4, 8911AJ in Leeuwarden, and registered in the trade register under number 01089811 (hereinafter "Superspace") and applies to:

• Web hosting & email hosting
• VPS hosting
• Container hosting

(hereinafter "the Services").

The SLA aims to establish what the service level is for the Services. This is achieved by setting performance standards and defining the consequences of unexpected failure to meet these standards.

The SLA commences on the date of delivery of the Services and continues for as long as the Services are provided to the Customer.

Service level

The following elements determine the level of service and are addressed in this SLA:

• Availability
• Backups
• Updates
• Customer Support
• Change Management
• Report
• Actions (if performance standards in the SLA are not met)

Availability

The availability of the Services is a guarantee and is 99.9% of the time, measured per month.

The availability of the Services is measured by Superspace, and concerns only

• For web hosting & e-mail hosting: the availability of the web server (HTTP and HTTPS), database server (MySQL), mail server (POP3, IMAP and SMTP) and at least one name server (DNS);
• For VPS and container hosting: the availability of the network and hardware platform;

Backups

Superspace makes backups of the Customer's data stored in the Services, the software that is part of the Services and the configurations of the Services, with a frequency of one day. The backups are kept for one month (consisting of the last 7 daily backups and the last 4 weekly backups), before being overwritten. For VPS hosting, no backups are made by default, and customer can optionally enable backups for the VPS at an additional cost in our portal.

Even though we monitor and control the creation of backups, we do not verify that every backup is written away correctly. Therefore, we cannot guarantee that every backup is usable.

It is possible to restore an available backup of the customer's data to the Services at the customer's request.

Updates

We regularly monitor the availability of software updates and patches for security vulnerabilities, and perform updates as often as we can and find necessary on the servers and systems we manage. For certain systems and software, Customer is responsible for performing updates itself:

• For web hosting & container hosting: customer should update the placed websites, applications, data and/or software on the hosting service himself.
• For VPS hosting: customer needs to update the entire server environment including the operating system themselves.

Customer Support

Customer service can be reached

• by email at support@superspace.nl;
• by phone at +31880006666;
• via the online chat feature on our website.

Customer service opening hours are Monday through Friday between 9:00 am and 4:30 pm. Outside these hours, we monitor incoming inquiries via email and the online chat function with some regularity, and try to answer more urgent questions.

Change Management

The Customer may submit a request for modification of the Services through Customer Service. Superspace will make every effort to implement requests for changes, but until agreement has been reached on the content, schedule and possibly price of the change, Superspace may at any time decide to forego the change altogether if it considers the effort required to do so disproportionate or considers the requested change irrelevant.

Report

Superspace does not proactively report to the customer on whether or not the (performance) standards included in the SLA have been met. It is the customer's own responsibility to monitor this.

Measures

Should the availability of the Services from this SLA not be met, the Customer shall be entitled to compensation.

If the Services are unavailable for at least 45 minutes in a calendar month, the compensation is 20% of the charges paid for the Services for the relevant month for each full additional hour of unavailability, up to a maximum of 100% of the charges paid for the Services for the relevant month. If the Services are not paid per month, then the charges will be converted pro rata to a monthly amount.

If the customer believes that a performance standard from the SLA has not been achieved, then the customer may submit a request for compensation by e-mail at support@superspace.nl.

Compensation is granted to the Customer solely in the form of credit, which can be offset against future invoices from Superspace addressed to the Customer. This credit cannot be offset against existing outstanding invoices, or paid out as a monetary amount.

For the situations listed below, the compensation scheme for failure to achieve the availability of the Services from this SLA is cancelled:

• Announced maintenance and unannounced emergency maintenance;
• Unavailability caused by an error in any website, application or software Customer has installed or used on the Services;
• Unavailability caused by error in products and services that are not part of this SLA;
• If Customer violates our Terms and Conditions;
• Unavailability caused by Acts of God, including but not limited to Denial-of-Service (DDoS) attacks;
• Unavailability due to imposed measures by government, authorities and other agencies;
• Unavailability caused by an IP address being blocked by a firewall for security reasons;
• If Customer has one or more outstanding invoices at the time of unavailability of the Services.

Disclaimer

When you visit our website, a number of rules apply. These can be found in this disclaimer. For example, certain information may be incorrect or out of date, and you may not simply copy and reuse content.

Last modified: April 1, 2021

Superspace Hosting B.V. (Chamber of Commerce: 01089811) hereby grants you access to www.superspace.nl ("the Website") and invites you to use the services offered here. Superspace Hosting B.V. reserves the right at any time to modify the content or remove parts without having to notify you.

Limited liability

Superspace Hosting B.V. makes every effort to update and/or supplement the content of the Website as often as possible. Despite this care and attention it is possible that content is incomplete and/or incorrect. The materials offered on the Website are offered without any form of guarantee or claim to correctness. These materials may change at any time without prior notice from Superspace Hosting B.V. In particular, all prices on the Website are subject to typing and programming errors. No liability is accepted for the consequences of such errors. No agreement is concluded on the basis of such errors. Superspace Hosting B.V. can never accept liability for hyperlinks on the Website to websites or services of third parties.

Copyright

All rights of intellectual property concerning these materials belong to Superspace Hosting B.V. . Copying, distribution and any other use of these materials is not permitted without written permission from Superspace Hosting B.V., except and only to the extent otherwise provided in regulations of mandatory law (such as right to quote), unless otherwise indicated in specific materials.

Other

This disclaimer may change from time to time.

Notice & Takedown Policy

It may happen that a customer places (allegedly) unlawful or criminal content online with us. If we receive notification of this, we implement this Notice & Take-down Policy (NTD), based on the code of conduct of the same name published by the Dutch government.

Last modified: April 1, 2021

Article 1. Definitions

1. Intermediary: Superspace Hosting B.V. located in Amsterdam, the Netherlands and registered with the Dutch Chamber of Commerce under file number 01089811.
2. Report: refers to the reporting by a Notifier to an Intermediary of (alleged) unlawful or criminal content on the Internet with the aim of having this content removed from the Internet.
3. Notifier: the natural or legal person filing a Report.
4. Client: the natural or legal person who put certain (challenged) content on the Internet and is a client of Intermediary.

Article 2. Notice-and-Take-Down procedure.

1. If Intermediary receives a Notification through the report form, it confirms receipt to the Notifier as soon as possible. Intermediary checks the data as far as it can. In case of missing or incorrect data provided by Melder through the complaint form, Intermediary shall have the Melder provide the additional data.
2. If it turns out that the information is not or is no longer online, or is hosted at another party, then Intermediary will inform the Reporter about this party. The Report is then settled.
3. If the Notifier has not previously contacted the Client, Intermediary forwards the Report to the Client with a deadline of two business days to respond and informs the Notifier of the forwarding. Intermediary forwards the Client's response to the Notifier. The latter can then respond to Intermediary whether he agrees with the response. If so, the Report is settled. Intermediary informs the Client accordingly. If no response is received from the Client within two working days, Intermediary goes through the following steps.
4. If the Notifier has requested removal of the material, but the Client appears unwilling to remove or modify the information itself, Intermediary will make its own assessment:
   1. If Intermediary itself believes that the Report is justified, it removes or blocks the material and informs the Client and Notifier that this has occurred. Intermediary motivates the removal to the Client. The Complaint is then settled;
   2. If Intermediary itself is of the opinion that the Report is unjustified, it will inform the Reporter of this, giving reasons. The Complaint is then settled.
5. If the Reporter has asked for identification of the Client, but the Client does not want to disclose to the Reporter, then Intermediary makes its own assessment:
   1. If Intermediary itself is of the opinion that the Report is justified and the Reporter has a real interest in identifying the Client, Intermediary will provide the name and address details (establishment details) of the Client to the Reporter and inform the Client accordingly. The Report is then settled;
   2. If Intermediary itself is of the opinion that the Report is unjustified, or the Reporter has no real interest in identifying the Client, it will inform the Reporter of this, giving reasons. The Report is then settled.
6. If there is an urgent report, Intermediary will go through the above points within one business day. The Notifier must motivate an urgent report. Based on this motivation, the Intermediary will determine whether the report will be processed within one working day.

Code of Conduct Abuse Prevention

Society must be able to rely on operators and providers of digital infrastructure to make efforts to prevent and combat use of their facilities for unlawful activities. To this end, such operators and providers use this code of conduct. Superspace has signed and acts in accordance with this code of conduct.

Last modified: December 1, 2021

Definition

Abuse is defined as: the abuse of digital infrastructure connected to the Internet in a broad sense; such as sending spam or phishing mails, spreading malware, DDoS, running a botnet, storing and distributing CSAM or other unlawful material, running a fraudulent website, etcetera. Abuse in any case includes unequivocally abusive activities and, furthermore, that which is considered undesirable by the operator in question.

Policy

Digital infrastructure operators:

• Are in principle neither liable nor responsible for the activities of the recipients of their services. Nevertheless, they will do everything in their power to combat abuse.
• They will clearly communicate this code of conduct to their customers and employees.
• Maintain an acceptable use policy for their customers and/or users, which defines what is expected of them if abuse is demonstrated in their activities.
• Enforce the NTD Code of Conduct and implement the associated processes in their organization.
• Adhere to (an) industry best practice(s) for abuse control appropriate to their activities, such as the Code of Conduct of the M3AAWG for cloud/hosting providers and make this (these) known to their customers.
• Do everything reasonably within their power to reduce the effects of abuse within their networks on other users of the Internet. Autonomous Systems do so by at least applying the measures described in MANRS.
• Implement policies to continuously improve their anti-abuse performance.

Information

Digital infrastructure operators:

• Publish on their website and in relevant whois registrations contact information for reporting abuse.
• Do everything reasonably within their power to obtain information about vulnerabilities and abuse in their networks and at their facilities. They shall do so at least by subscribing to abuse feeds, or joining CleanNetworks or consulting/connecting to other sources of information that provide insight on this.
• Reasonably accept all abuse reports received through automated systems and individual reports prepared by individuals.
• Inform themselves of their performance in the field of abuse control by consulting the sources available for this purpose.

Notifications

Digital infrastructure operators:

• Ensure correct contact information for their customers so that in case of abuse or suspected abuse, the customer can be contacted directly.
• Are proactive to their customers or users; that is, they take action when notified of abuse or vulnerabilities in their services.
• For those forms of abuse where the operator has knowledge of the nature of the abuse and its continuation causes serious harm to individuals, shall take immediate action to prevent or limit further harm. CSAM, phishing, rogue web shops and malware distribution are in any case included in these forms of abuse.
• Commit to suspend service, quarantine services or terminate contracts with such customers in the event of prolonged, substantial or repeated violations of the acceptable use policy by their customers.

Violations

• Users of this Code of Conduct report alleged inappropriate use of this Code of Conduct to (one of the) industry organizations that subscribe to this Code of Conduct, to the NBIP, or to the Internet Security Platform (PIV) of the ECP.
• The NBIP, the relevant trade association or the PIV will request an explanation from the organization concerned. If in the opinion of the above organization(s) the answer is insufficient, the party concerned will be requested to refrain from mentioning the use of the code of conduct. In that case, the situation will be reported to the PIV, to the ACM and the Ministries of Justice & Security and Economic Affairs & Climate.
• Participants in this Code of Conduct will, if possible, refrain from business relationships with organizations that are known to clearly act in violation of this Code of Conduct, or that can reasonably be said to intentionally facilitate unlawfulness.

This document

• This Code of Conduct will be reviewed periodically, based on feedback and experiences of the participants in this Code of Conduct.
• Initiators:
  • Dutch Cloud Community
  • DINL
  • ECP
  • Ministry of Economic Affairs & Climate
  • NBIP
  • TUDelft
  • Association of Registrars

Resposible Disclosure Policy

Superspace believes it is essential that Superspace's ICT systems are secure and we strive to ensure a high level of security for them. Nevertheless, it may happen that there is a vulnerability in one of our systems. Should you find such a vulnerability, you can read about how we deal with it in this policy.

Last modified: April 1, 2021

Vulnerabilities in Superspace Hosting B.V. ICT systems.

If you have found a vulnerability in one of Superspace Hosting B.V.'s ICT systems, we would like to hear from you. This will enable us to take the necessary measures to remedy the vulnerability found as quickly as possible. In order to deal responsibly with found vulnerabilities in the Superspace Hosting B.V. ICT systems, there are agreements. You may hold Superspace Hosting B.V. to these when you find a vulnerability in one of the systems.

Superspace Hosting B.V. asks you:

1. Email your findings to support@superspace.nl.
2. Provide sufficient information to reproduce the problem so that Superspace Hosting B.V. can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.
3. Please leave contact information so Superspace Hosting B.V. can get in touch with you to work together for a secure outcome. Please leave at least an email address or phone number.
4. Make the notification as soon as possible after discovery of the vulnerability.
5. Not to share the information about the security problem with others until it is resolved.
6. Responsibly handle knowledge of the security problem by not taking actions beyond what is necessary to demonstrate the security problem.

In any case, avoid the following actions:

1. Posting malware.
2. Copying, modifying or deleting data in a system (an alternative to this is creating a directory listing of a system).
3. Making changes to the system.
4. Accessing the system repeatedly or sharing access with others.
5. Using what is known as "bruteforcing" access to systems.
6. Using denial-of-service or social engineering.

What to expect:

1. If you comply with the above conditions when reporting a vulnerability in an ICT system of Superspace Hosting B.V. that you have found, Superspace Hosting B.V. will not attach any legal consequences to this report.
2. Superspace Hosting B.V. treats a report confidentially and does not share personal data, without the reporter's consent with third parties, unless required to do so by law or court order.
3. By mutual agreement, Superspace Hosting B.V. may, if you wish, list your name as the discoverer of the reported vulnerability.
4. Superspace Hosting B.V. will send you a confirmation of receipt within one business day.
5. Superspace Hosting B.V. will respond to a report within three business days with the assessment of the report and an expected date for resolution.
6. Superspace Hosting B.V. will keep the notifier informed about the progress of solving the problem.
7. Superspace Hosting B.V. will solve the security problem in a system identified by you as soon as possible, but at the latest within 60 days. By mutual agreement can be determined if and how the problem, after it is solved, will be published.
8. Superspace Hosting B.V. offers a reward as thanks for the help. Depending on the seriousness of the security problem and the quality of the report, the reward can vary from a T-shirt to a maximum of 300 euros in gift vouchers. It must be a security problem that is as yet unknown and serious to Superspace Hosting B.V..

Right of Withdrawal

If you have placed an order with us as a private individual and wish to abandon it within 14 days, you can use the right of withdrawal.

Last modified: April 1, 2021

The right of withdrawal allows individuals to cancel a service purchased over the Internet. The period within which this can be done is up to 14 days after the conclusion of the contract. You are not required to provide a reason for your cancellation, although we would appreciate it.

An individual may revoke the agreement by sending an e-mail to support@superspace.nl. After Superspace receives the notice, the individual will receive an email confirmation.

All amounts already paid will be refunded free of charge as soon as possible, but no later than 14 days after an individual has revoked.

Exceptions to the right of withdrawal

Business customers are excluded from the right of withdrawal at all times.

Accessibility Statement

Last modified: May 1, 2025

Superspace Hosting B.V. strives to make its website accessible, in accordance with national legislation transposing Directive (EU) 2016/2012 of the European Parliament and the Council. In doing so, we strive to follow the WCAG guidelines.

This accessibility statement applies to the website https://superspace.nl

Thanks to the use of WordPress, Elementor and the Ally Web Accessibilty plugin, the rules are followed when building and maintaining the website. Examples of how we aim to achieve accessibility include:

1. We take into account the WCAG guidelines in the construction.
2. We aim for a clear contrast between different colors, and offer the option to adjust contrast and color usage.
3. When uploading images, it is our policy to always add an ALT text.
4. When formatting a new page or blog post, we always strive to use headers correctly and efficiently.
5. We provide a tool on every page of our website that allows you to adjust text size, color use and contrast, images and animations, among other things.

Compliance status

This website partially complies with accessibility requirements because not all plugins or elements meet these requirements as stated in Directive (EU) 2016/2012 of the European Parliament and the Council.

ALT text

Some images, which require ALT text, have not yet been completed with ALT text. We are working to make all (useful) images on the website accessible.

Color Constrast

The color contrast may not be optimal everywhere. Do you notice this? Please let us know at support@superspace.nl.

PDF files

Some PDF files may not be accessible. Do you notice this? If so, please let us know at support@superspace.nl.

Subdomains

The accessibility plugin that allows you to adjust color contrast, among other things, does not work on certain subdomains of our website, such as support.superspace.co.uk and dashboard.superspace.co.uk. We are working on an alternative solution.

Drafting this accessibility statement

This accessibility statement was prepared on May 1, 2025 and last revised on May 1, 2025. This statement was prepared based on a factual evaluation of compliance with the requirements of Directive EU 2016/2022 in the form of a self-assessment.

Feedback and contact information

If certain rules of accessibility are not followed in this website, please let us know at support@superspace.nl. You can also use this e-mail address for further questions or comments about the accessibility of this website.