Compliant Dedicated Terms & Conditions

1. Introduction

This Compliant Dedicated Terms and Conditions agreement ("Agreement") establishes the terms governing the Compliant Dedicated hosting tier provided by Ryan Davis LLC, doing business as WebOps ("WebOps", "we", "us", or "our"), to you ("Customer", "you", or "your").

This document supplements our General Terms & Conditions, Cloud VPS Hosting Terms, Acceptable Use Policy, Service Level Agreement, and Privacy Policy, together with the engagement-specific instruments referenced above.

2. Service Description

Compliant Dedicated is a single-tenant, fully managed hosting environment provisioned on dedicated infrastructure for a single Customer. It is built and documented to the Customer's compliance requirements as scoped during the engagement, and is operated by WebOps on the same hardened stack used across our fleet.

In this Agreement, "compliant" refers to documented controls mapped to recognized frameworks (see Section 3), not to any certification held by WebOps.

3. Compliance & Certification Status

WebOps is not currently ISO 27001 certified and is not currently SOC 2 audited. WebOps makes no representation that it holds any such certification at this time. We will not represent otherwise to you or to your auditors.

What WebOps provides under this tier is: (a) a set of security and operational controls that WebOps operates today; (b) a signed Security Addendum mapping those controls to ISO 27001 Annex A and the SOC 2 Trust Services Criteria; and (c) an active roadmap toward WebOps's own ISO 27001 certification, with a current internal target of Q1 2027. Any certification timeline is a good-faith target and not a contractual guarantee of a certification date.

The underlying infrastructure provider (UpCloud) maintains its own certifications, including ISO 27001 and PCI DSS, at the infrastructure layer. Those provider certifications are referenced as substrate only and do not constitute certification of WebOps.

4. Scope of Services

The scope is fixed per engagement in the Security Addendum and statement of work. Generally it includes:

• Single-Tenant Infrastructure: A dedicated server provisioned for the Customer alone, sized to workload, without shared application tenancy.
• Documented Controls: Controls operated by WebOps, documented and mapped to ISO 27001 Annex A and SOC 2 TSC in the Security Addendum.
• Encryption & Key Management: Encryption in transit and at rest, with a documented key-management and custody arrangement.
• Audit Logging: Immutable, write-once audit log shipping to object-locked storage with a one-year retention default.
• Independent Testing: Quarterly external vulnerability scanning and an annual third-party penetration test, with a summary of results available on request.
• AI-Operated Defense: An automated defense layer that monitors and proposes mitigations. Additive, reversible defenses may be applied automatically; destructive or fleet-wide actions require human review and approval.
• Named Incident-Response Contact: A designated contact and an incident-response process with service levels above the standard Cloud VPS tier.

5. Data Protection & Processing

For personal data processed on the Compliant Dedicated environment, WebOps acts as a processor and the Customer (or the Customer's client) acts as the controller. A signed Data Processing Agreement governs that processing, including processing scope, sub-processors, security measures, breach notification, and data-subject request handling.

Where the Customer's regulatory framework imposes specific obligations (for example, the EU or UK GDPR or an applicable national data protection law), the applicable obligations are addressed in the DPA and any supplementary terms executed for the engagement.

6. Data Residency & Transfers

The Customer may elect a primary data-residency region from the options offered for this tier (currently United Kingdom or European Union locations). Where data is transferred to or accessed from a jurisdiction that is not recognized as providing adequate protection, the parties will execute Standard Contractual Clauses or another lawful transfer mechanism as set out in the DPA.

7. Customer Responsibilities

Compliance is a shared responsibility. The Customer agrees to:

• Accurate Scoping: Provide complete and accurate information about the data, applications, and regulatory requirements to be supported.
• Lawful Basis: Maintain a lawful basis for the data it processes and remain responsible for its own compliance obligations as controller.
• Application Security: Keep its applications, content, and any Customer-managed components maintained and secure.
• Cooperation: Implement reasonable measures recommended by WebOps and cooperate during audits, incidents, and data-subject requests.
• Independent Backups: Maintain independent verified backups in addition to those WebOps provides.

8. Service Levels & Incident Response

Compliant Dedicated carries an incident-response process and service levels above the standard Cloud VPS tier, set out in the engagement documents. A named incident-response contact is assigned. Breach-notification timelines follow the DPA and applicable law.

9. Limitations & Shared Responsibility

No hosting environment, control set, or response capability can guarantee absolute security or guarantee that the Customer will achieve or maintain regulatory compliance for its own data practices. WebOps provides a compliant-grade hosting environment and documented controls; it does not certify the Customer, and it is not the Customer's legal or compliance adviser. Responsibility for the Customer's overall compliance posture remains with the Customer.

10. Fees & Term

Compliant Dedicated is billed at the recurring rate and one-time onboarding fee quoted for your engagement, on the term set out in your order (typically an annual term or a minimum commitment). Onboarding covers the security-questionnaire response, DPA and transfer review, key-management setup, audit-log configuration, and incident-response handoff. Fees are non-refundable except as expressly provided in your order or required by law.

11. Limitation of Liability

To the maximum extent permitted by applicable law, WebOps shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, use, or goodwill. Except where a higher cap is agreed in writing in the engagement documents, the aggregate liability of WebOps arising out of or related to this Agreement shall not exceed the total service fees paid by the Customer for the Compliant Dedicated service in the twelve (12) months immediately preceding the event giving rise to the claim.

12. Termination & Data Return

Either party may terminate in accordance with the term and notice provisions of the order. WebOps may suspend or terminate for material breach, including non-payment or violation of the Acceptable Use Policy. Upon termination, WebOps will, on request and within the period set out in the DPA, return or securely delete Customer data and provide confirmation, subject to any retention required by law.

13. Governing Law & Jurisdiction

This Agreement shall be governed by the laws of the State of Delaware, without regard to its conflict of law principles, except where the DPA or applicable data-protection law requires otherwise for the processing of personal data. Disputes not governed by those instruments will be brought exclusively in the courts located in Delaware, and the parties consent to that jurisdiction and venue.

14. Amendments

WebOps may modify these terms to reflect changes in the service, industry standards, or legal requirements. Material changes affecting an active engagement will be communicated directly to the Customer. The signed engagement instruments are amended only in writing by the parties.

15. Contact Information

For questions regarding these Compliant Dedicated Terms & Conditions, the Security Addendum, or the DPA, please contact us:

Effective Date: May 28, 2026