Legal

GDPR & Data
Protection

EasyCloud's commitments as a data processor, international transfer mechanisms, security measures, and how to request a Data Processing Agreement (DPA).

📅 Effective: 1 Mangsir 2081 🇳🇵 Nepal law + GDPR Art. 28
Quick actions: Request a DPA → Privacy Policy Terms of Service SLA Agreement

🇳🇵 Nepal-based infrastructure — All data stored within Nepal. GDPR Article 28 obligations met via SCCs for EU transfers. ISO 27001 & SOC 2 Type II certified.

Overview

EasyCloud is a Nepal-based cloud provider. While we are primarily governed by Nepal's Individual Privacy Act 2018 (Byaktigat Gupta Ain 2018) and the Electronic Transactions Act 2063, we recognise that many of our customers serve end-users in the European Economic Area (EEA) and are therefore subject to the EU's General Data Protection Regulation (GDPR).

This page explains how EasyCloud supports your GDPR compliance obligations as a data controller, and how we act as a data processor when handling personal data on your behalf.

Our Role: Data Processor

When you store personal data about your end-users on EasyCloud infrastructure (e.g., in a database on your VPS, in files on object storage, or in emails on our mail servers), EasyCloud acts as a Data Processor under GDPR Article 28. You remain the Data Controller.

As a Data Processor, EasyCloud:

  • Processes personal data only on your documented instructions
  • Ensures staff with data access are bound by confidentiality obligations
  • Implements technical and organisational security measures (ISO 27001, SOC 2 Type II)
  • Assists you in responding to data subject rights requests where technically feasible
  • Notifies you of data breaches within 72 hours of becoming aware
  • Deletes or returns all personal data at the end of the service relationship
  • Provides information necessary to demonstrate compliance with GDPR Article 28

Data Processing Agreement (DPA)

If your use of EasyCloud services involves processing personal data of EU/EEA data subjects, you may require a Data Processing Agreement (DPA) with us.

To request a signed DPA, email legal@sajilocloud.com.np with subject "DPA Request — [Your Company Name]". We will review and respond within 5 business days.

Our standard DPA includes Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers from the EEA to third countries.

International Data Transfers

All EasyCloud infrastructure is located in Nepal. Nepal is not currently on the EU's list of countries with an adequacy decision. If your organisation transfers personal data from the EEA to EasyCloud for processing, this constitutes a restricted transfer under GDPR Chapter V.

EasyCloud supports the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): Our DPA incorporates the EU Commission's 2021 SCCs (Module 2: Controller-to-Processor) as the primary transfer mechanism.
  • Supplementary measures: Encryption of data in transit (TLS 1.3) and at rest (AES-256), access controls, and audit logging mitigate transfer risks.

You are responsible for assessing whether these measures are sufficient for your specific data processing activities and risk profile.

Security Measures (GDPR Art. 32)

EasyCloud implements the following technical and organisational measures to protect personal data:

  • Encryption in transit: TLS 1.3 enforced across all public endpoints
  • Encryption at rest: AES-256 for object storage and backup data
  • Access control: Role-based access with MFA required for staff
  • Physical security: Biometric access control, 24/7 CCTV, security personnel
  • Network security: Firewalls, IDS/IPS, DDoS mitigation
  • Vulnerability management: Monthly external scans, annual penetration tests
  • Staff training: Annual data protection and security awareness training
  • Incident response: Documented IR plan with 72-hour breach notification
  • ISO 27001 and SOC 2 Type II certified

Data Breach Notification

In the event of a personal data breach affecting data you have stored on EasyCloud infrastructure:

  • We will notify you within 72 hours of becoming aware of the breach
  • Notification will be sent to your registered account email and (for Enterprise customers) your designated security contact
  • We will provide: nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed
  • As the Data Controller, you remain responsible for notifying your supervisory authority and affected individuals as required by GDPR Articles 33–34

To report a suspected breach: (mark subject "SECURITY INCIDENT — URGENT")

Sub-processors

EasyCloud uses the following sub-processors who may process personal data stored on our infrastructure:

  • Stripe: Payment card processing. Location: USA. Transfer mechanism: SCCs + PCI DSS. Only billing contact data and payment tokens are shared.
  • Cloudflare: CDN, DDoS protection, DNS. Location: Global edge network. Transfer mechanism: SCCs. Only request metadata (IP, headers) is processed at edge.

We will notify you of any intended changes to sub-processors with at least 14 days' notice, giving you the opportunity to object.

Your Rights as a Data Controller

As the data controller, you are responsible for ensuring your end-users can exercise their GDPR rights (access, rectification, erasure, portability, restriction, objection). EasyCloud supports your obligations by:

  • Providing tools to export or delete your stored data via the control panel and API
  • Assisting with technical aspects of data subject requests upon written instruction
  • Providing access logs and audit trails relevant to specific data on request

Contact

For GDPR and data protection enquiries:

Privacy Officer
SajiloCloud Technologies Pvt. Ltd.
Kathmandu 44600, Nepal
Email: legal@sajilocloud.com.np
Phone: +977-1-9802113070

For EU/EEA supervisory authority escalations, contact the relevant national Data Protection Authority in your member state.