Appendices to the Terms and Conditions of Naranjatec (NextGenWebs S.L.)

These Appendices form an integral part of the Terms and Conditions (the “Terms”). In the event of a conflict, the provisions of the signed proposal/service order shall prevail, followed by the SLA, these Appendices, the AUP and the main body of the Terms.

These Appendices are drafted primarily for business Customers. In the exceptional case that the Customer qualifies as a natural person under Spanish law (TRLGDCU), mandatory consumer protection rules shall prevail over any conflicting clause.

Regulates the provision of shared hosting and virtual server (VPS) services. Specific specifications (resources, storage, transfer, IPs, software) are detailed in the Control Panel and/or commercial proposal.

• Access to the VPS is provided to the Customer in accordance with the contracted services. In shared hosting, access is limited (e.g., panel and FTP).
• The Customer must change initial credentials on first access and maintain basic security measures (key rotation, 2FA where available).

These measures apply to business Customers. For Customers who are natural persons, any suspension or limitation will comply with the procedures and safeguards required by Spanish consumer law.

• CPU/RAM/IO: in shared hosting, there are limits per account/process to protect the stability of the platform. In VPS, the contracted resources are dedicated at the quota level; there may be reasonable IOPS/bandwidth limits.
• Storage: intended for hosting websites and applications. Use as a repository for external backups, mass storage not linked to web services, or CDN-type file distribution is prohibited unless specifically provided for in the plan.
• Inodes/files: limits may be applied to prevent abuse.
• Network traffic: excess over the contracted package may be charged or temporarily limited.
• Naranjatec may apply containment measures (temporary limitation/suspension) if the Customer’s use adversely affects other users or the platform.

• In shared hosting, Naranjatec maintains the platform (OS, panels, base services).
• Self-managed VPS plans are intended for professional use. In self-managed VPS, the Customer is responsible for hardening, patches, firewall, and services; in managed VPS, Naranjatec assumes the scope of administration in accordance with the contracted services.

Internal resilience backups do not constitute a contracted restoration service. Natural persons retain any statutory rights regarding data portability.

• Shared hosting: may include periodic backups with published retention and exclusions. The exact details are specified in the SLA or contract.
• VPS: the backup service is optional or according to the plan. The Customer is responsible for verifying integrity and performing restoration tests.
• Naranjatec may retain internal backups for resilience; these do not confer access rights unless expressly contracted.

• The scope of support (hours, target response times, channels) is defined in the SLA.
• In managed plans, included/excluded operations are specified in the proposal.

• Scheduled maintenance will be carried out with reasonable prior notice. In the event of security emergencies or critical breakdowns, notice may be given at a later date.

Naranjatec can assist with migrations from third parties or between plans, with scope and costs as proposed. The Customer must provide access and validate the migration.

• Naranjatec maintains technical records for operation and security. The Customer is responsible for their application logs, unless specifically agreed otherwise.

The Customer is responsible for:

• Keeping all software (CMS, plugins, themes, applications, libraries and licences) properly updated.
• Not hosting illegal content or content that infringes the rights of third parties.
• Protecting access credentials and applying appropriate security measures (e.g., 2FA, SSH keys, ACLs).
• Maintaining the security of their systems and applications, including preventing and resolving malware infections, hacked websites, compromised accounts or misconfigurations within their environment.
• Ensuring that their use of the service does not compromise the stability, security or performance of the platform.

These obligations apply to business Customers. Natural persons must keep their systems and access secure in line with the security measures reasonably expected for the proper use of the service.

Regulates the provision of Private Cloud (dedicated computing, network and storage tenant, virtualised or bare-metal). Details of nodes, networks, storage and managed services are included in the proposal and the SLA.

Private Cloud services are intended exclusively for business and professional Customers.

• Logical isolation at tenant level; network segmentation (VLAN/VXLAN/VPC) and security policies.
• Virtualisation, orchestration, storage and network components may be updated while maintaining service compatibility.
• The location of the data/data centre is established in the proposal/contract. If applicable, failure zones or domains will be specified.

• Registration: architecture design/validation, provision of resources and secure access (VPN/Zero Trust/SSH).
• Changes: expansions/reductions and new VMs/volumes/networks are managed via the Control Panel or authorised request; they may involve a pro-rated financial impact.

• Availability targets, response/recovery times (RTO) and recovery point objectives (RPO) are set out in the SLA.
• Scheduled and emergency maintenance windows are contemplated with prior communication whenever possible.

• Naranjatec does not provide managed backup services within the Private Cloud offering unless expressly and separately contracted.
• The Customer is fully responsible for:

– configuring and maintaining their own backup schedules, policies, and retention;

–  verifying backup integrity and performing regular restore and recovery tests;

–  ensuring that backups comply with their own business, legal, and continuity requirements.

• Any internal resilience mechanisms employed by Naranjatec (snapshots, replication, internal platform backups) exist solely for operational continuity of the platform and do not grant the Customer any right of access or recovery unless explicitly included in their contracted plan.
• Naranjatec accepts no responsibility for incomplete, failed, corrupted, or missing backups where the Customer manages the backup configuration.

• Private Cloud environments are customer-managed. Accordingly, the Customer bears full responsibility for the security of their systems, including but not limited to:
  • hardening and securing guest operating systems, applications, and services;
  • configuring and maintaining encryption, firewalls, access controls, and other security measures;
  • implementing vulnerability management, patching, anti-malware, and monitoring;
  • ensuring compliance with applicable laws, standards, and internal policies.
• Naranjatec is responsible only for the security and hardening of the underlying Private Cloud platform (hypervisor, core network, and storage layers). Naranjatec does not manage, monitor, or secure the Customer’s workloads unless a separate managed service plan explicitly defines such responsibilities.
• The Customer acknowledges that inadequate configuration or security practices on their side may compromise their environment, and Naranjatec is not liable for incidents resulting from Customer-managed components.

• Infrastructure monitoring for all nodes and back-up servers.
• Support in accordance with the SLA (channels, hours, escalation).

• Platform updates (hypervisors, storage, networks) with prior notice and execution within agreed windows, except in emergencies.

• Vertical scaling subject to capacity availability. In cases of significant expansions, minimum consumption commitments may be defined.

• Naranjatec may use suppliers/subcontractors for components or datacenters, maintaining contractual security and confidentiality obligations. The list and location can be made available to the Customer when required.

• Upon termination, the Customer will have a window of opportunity to export their data/VMs/snapshots by the available means. Once this period has elapsed, Naranjatec may delete the data in accordance with its retention policy.

Regulates the registration, renewal, transfer and management of domain names through Naranjatec acting as a reseller/agent of accredited registrars.

• The Customer guarantees the truthfulness and accuracy of the owner/administrative/technical/billing details and undertakes to keep them up to date.
• Inaccuracy or failure to verify may result in the suspension or cancellation of the domain by the registrar/registry.

• Registration/renewal is subject to availability and acceptance by the relevant registry.
• Domains are billed in advance and are non-refundable once processed.
• Renewal requires the Customer to maintain valid payment methods and, where applicable, to request non-renewal sufficiently in advance.
• For Customers that are natural persons, the statutory withdrawal right does not apply once registration is submitted to the registry, in accordance with Article 103(a) TRLGDCU.

• To transfer a domain, the Auth‑Code/EPP is required and the domain must not be locked (Registrar‑Lock) or within restricted periods due to previous registration/transfer.
• The Customer must ensure that the owner/administrator’s email address is accessible in order to validate the transfer. Naranjatec is not responsible for delays or failed transfers due to inaccessible email addresses or registrar restrictions

• After expiry, there may be grace and/or redemption periods defined by each TLD, with additional fees to restore the domain.
• If not renewed within these periods, the domain may be deleted and become available to third parties. Naranjatec is not responsible for any loss, downtime, or impact resulting from expiry or deletion.

• In TLDs that support it, WHOIS privacy or data redaction may be activated. Availability and cost depend on the TLD/registrar.

• The Customer may use Naranjatec’s DNS servers or their own/third-party servers.
• When available, DNSSEC may be activated; its management requires coordination and may incur costs.

• Disputes over trademarks or other rights are subject to the policies of the applicable registry (e.g., UDRP/URS in gTLDs, ESNIC regulations for .es).
• Naranjatec is not a party to disputes between the Customer and third parties. The content published under the domain is the sole responsibility of the Customer.

• Naranjatec/registrar/registry may suspend or cancel a domain for: non-payment, breach of registry policies, inaccurate data, or legal/administrative requirements.

• Naranjatec does not guarantee the availability of a name until confirmation of registration by the registry/registrar.
• Naranjatec’s responsibility in relation to domains is limited to administrative management and the provisions of the Terms.

1.1

Use of the Service may involve the processing of Personal Data. Naranjatec acts as the Processor within the meaning of Article 4(8) of the General Data Protection Regulation (“GDPR”). The Customer is the Controller as defined in Article 4(7) GDPR and will comply with all obligations arising from that role.

• 1.2

The Customer represents and warrants that:

• • they comply with all applicable laws, including the GDPR, in relation to the Personal Data they process through the Service;
  • the Personal Data has been lawfully obtained and does not infringe the rights of third parties;
  • they are entitled to provide the Personal Data to Naranjatec; and
  • they are entitled to appoint Naranjatec as Processor and to allow Naranjatec to appoint Sub-processors.
• 1.3

The Customer indemnifies Naranjatec against all third-party claims arising from or related to:

• • the processing of Personal Data by Naranjatec on behalf of the Customer, and/or
  • a breach of the warranties in clause 1.2 by the Customer.

The Customer also indemnifies Naranjatec against claims relating to Personal Data contained in the Customer’s Content, as the Customer fully controls such Content.

• 2.1

Naranjatec will process Personal Data solely for the purposes described in this Data Processing Agreement and/or the main Agreement. Naranjatec will not process Personal Data for any other purpose without the Customer’s prior written instructions, unless required to do so by applicable law. In such a case, Naranjatec shall inform the Customer prior to the processing, unless the law prohibits such notice for reasons of public interest.

• 3.1

Naranjatec will implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures will ensure a level of security appropriate to the risks, taking into account the state of the art, implementation costs, and the nature of the processing.

• 3.2

Taking into account the nature of the processing and where reasonably possible, Naranjatec will assist the Customer in ensuring compliance with the Customer’s security obligations under the GDPR.

• 4.1

Transfers of Personal Data by Naranjatec outside the European Economic Area are only permitted where compliant with the GDPR and/or with the Customer’s prior written consent.

• 5.8

Naranjatec may engage Sub-processors where necessary for the provision of the Service. Naranjatec will ensure that each Sub-processor is contractually bound to confidentiality, security and notification obligations that are no less protective than those set out in this Agreement and the Terms and Conditions.

• 6.9

If Naranjatec becomes aware of a Personal Data Breach as defined in Article 4(12) GDPR, Naranjatec will:

(i) notify the Customer without undue delay; and

(ii) take all reasonable measures to mitigate or prevent further unauthorised access or loss.

• 6.10

Where reasonably possible, Naranjatec will assist the Customer in fulfilling their legal obligations in relation to the incident, where the Customer determines that the event qualifies as a Personal Data Breach under the GDPR.

• 6.11

Where reasonably possible, Naranjatec will support the Customer in fulfilling their duty to notify the supervisory authority or affected data subjects, as required by Articles 33 and 34 GDPR. Naranjatec is not responsible for independently notifying such authorities or data subjects.

• 6.12

Naranjatec is not liable for the correct or timely fulfilment of the Customer’s own notification obligations under Articles 33 and 34 GDPR.

• 6.13

Where reasonably possible, Naranjatec will assist the Customer in responding to data subject requests, including the rights of access, rectification, erasure, restriction, portability, and objection (Articles 15–22 GDPR). Naranjatec will forward any request or complaint received directly to the Customer without undue delay. Naranjatec may charge reasonable fees for such assistance.

• 8.14

Where reasonably possible, Naranjatec will assist the Customer in complying with their obligations to conduct Data Protection Impact Assessments (“DPIAs”) and consult with supervisory authorities, as required by Articles 35 and 36 GDPR.

• 9.15

Naranjatec will make available to the Customer all information reasonably required to demonstrate compliance with this Agreement and the GDPR. At the Customer’s request, Naranjatec will permit and cooperate with audits or inspections by the Customer or a designated auditor. If Naranjatec believes an instruction related to this clause infringes the GDPR or other applicable privacy law, Naranjatec will immediately inform the Customer.

• 10.16

All Naranjatec personnel involved in processing Personal Data are bound by confidentiality obligations consistent with Article 14 of the Terms and Conditions.

• 11.17

This Annex constitutes a data processing agreement within the meaning of Article 28(3) GDPR. The provisions of the Terms and Conditions apply in full to this Annex. If the Parties agree to a separate data processing agreement, such agreement shall prevail over this Annex

• AUP – Acceptable Use Policy: defines prohibited uses and containment measures.
• SLA – Service Level Agreement: sets availability, support, backups, RTO/RPO and maintenance windows.
• Privacy Policy: regulates the processing of personal data.