Start a 14-day trial

Data Processing Addendum

Effective: April 21, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement for the provision of the macup service (the “Agreement”) between macup, Inc. and the Customer. It governs the Processing of Personal Data by macup, Inc. on behalf of the Customer in connection with the macup service. Where the Agreement and this DPA conflict on any matter of data protection, this DPA prevails. Where the Standard Contractual Clauses incorporated below conflict with any provision of this DPA or the Agreement, the Standard Contractual Clauses prevail.

Parties and effective date

This DPA is entered into between macup, Inc., a Delaware corporation with offices at the address set out in the Order Form (“macup,” the “Processor”), and the customer entity identified in the signed Order Form that references this DPA (the “Customer,” the “Controller”). This DPA takes effect on the date the Order Form is countersigned, or on the effective date of this DPA if later.

Each party’s authorised signatory on the Order Form is deemed to have authority to bind that party to this DPA. The DPA remains in force for the duration of the Agreement and for any tail period during which macup continues to Process Personal Data on behalf of the Customer.

Definitions

Terms used in this DPA have the meanings set out below. Capitalised terms not defined here take the meaning given in the GDPR or in the Agreement.

  • Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK General Data Protection Regulation and the UK Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and any other data protection law applicable to the Processing under this DPA.
  • Controller, Processor, Personal Data, Processing, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in Article 4 GDPR.
  • Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • UK IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, version B1.0, effective 21 March 2022, together with any successor instrument.
  • Sub-processor means any third party engaged by macup to Process Personal Data on the Customer’s behalf in connection with the macup service.
  • Customer Personal Data means Personal Data that macup Processes on the Customer’s behalf under this DPA.

Scope and roles

With respect to Customer Personal Data, the Customer is the Controller and macup is the Processor. Where the Customer acts as a Processor on behalf of a third-party Controller, macup acts as a Sub-processor and the parties will complete Module Three of the SCCs as required.

macup Processes Customer Personal Data solely to provide the macup service as described in the Order Form and the Agreement, to meet its obligations under the Agreement, and on the Customer’s documented instructions as set out in Section 8. macup does not sell Customer Personal Data, and does not Process it for its own commercial purposes or to target advertising.

Duration

This DPA applies for the term of the Agreement and for the 30-day wind-down period set out in the Terms of Service, during which the Customer may export backup data before deletion. macup’s obligations that by their nature survive termination, including confidentiality, deletion, and cooperation with audits in respect of pre-termination Processing, continue to apply after termination until fully performed.

Nature and purpose of processing

The nature of the Processing is the provision of a managed backup, restore, and recovery service for the Customer’s users. The purposes of the Processing are:

  • storage of Customer backup data in encrypted form at destinations selected by the Customer, including macup Cloud and bring-your-own-storage destinations;
  • authentication of Customer administrators and end-users, and management of their sessions;
  • operational telemetry required to monitor backup health, reliability, and destination integrity;
  • customer support and incident response in connection with the macup service; and
  • billing, invoicing, and account administration.

Processing is carried out by automated means, except where human intervention is required to respond to support requests or incidents.

Categories of personal data

macup Processes the following categories of Customer Personal Data on behalf of the Customer:

  • Identification and contact data — email addresses, names, job titles where provided, and organisation affiliation;
  • Authentication data — salted password hashes, device identifiers, recovery codes in hashed form, API tokens, and session metadata;
  • Usage and operational data — device check-in timestamps, snapshot sizes, destination health signals, error codes, and diagnostic logs scrubbed of file content;
  • Billing data — customer identifier, plan, invoice reference, and tax location, received from the merchant of record; and
  • Customer content — the files the Customer chooses to back up, which are encrypted client-side before transmission and to which macup does not hold a decryption key. Any Personal Data contained in Customer content is therefore Processed by macup only as ciphertext.

macup does not intentionally Process special categories of Personal Data within the meaning of Article 9 GDPR. The Customer is responsible for the content it selects for backup and agrees not to use the service to Process special categories of Personal Data unless it has implemented the additional safeguards required by Applicable Data Protection Law.

Categories of data subjects

Customer Personal Data relates to the following categories of Data Subjects:

  • the Customer’s employees, contractors, and authorised agents who administer or use the macup service;
  • the Customer’s end-users, where the Customer provides the service to its own personnel, members, or clients; and
  • any natural person whose Personal Data is contained within Customer content that the Customer chooses to back up.

Customer instructions

macup Processes Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which macup is subject. In that case, macup will inform the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

The Customer’s documented instructions are set out in the Agreement, the Order Form, this DPA, and the Customer’s configuration of the macup service. Additional or revised instructions must be submitted in writing to legal@macup.app and are subject to acceptance by macup, acting reasonably. If an instruction would, in macup’s opinion, breach Applicable Data Protection Law, macup will notify the Customer without undue delay and is entitled to suspend Processing of the affected instruction until it is withdrawn or amended.

Confidentiality

macup ensures that all personnel authorised to Process Customer Personal Data are bound by contractual confidentiality obligations that survive termination of their engagement, or are under an appropriate statutory obligation of confidentiality. macup limits access to Customer Personal Data to personnel who need access to perform the Agreement and who have received training in data protection and information security.

Security measures (TOMs)

macup has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. The measures are summarised below and restated in Annex II.

  • Encryption. Customer content is encrypted client-side on the Customer’s Mac using AES-256 with keys derived from the user’s passphrase. Keys are held only in the macOS Keychain of the end-user’s device and are never transmitted to macup. All data in transit is protected with TLS 1.3. The desktop client pins the certificate chain for macup endpoints. Platform-tier keys and secrets are held in a managed key-management service with strict access controls.
  • Access controls. macup enforces least-privilege access to production systems. Multi-factor authentication is required for all personnel with access to production infrastructure. Administrative access is granted through named identities only, with session recording and auditable access trails retained for review.
  • Infrastructure segregation. macup separates its control plane (authentication, metadata, billing) from its data plane (encrypted backup storage). The managed storage tier resides in a single region selected by the customer at signup (United States, European Union, United Kingdom, Canada, or Australia). Data does not leave the selected region. Objects are replicated across multiple availability zones within the region and protected by Object Lock in compliance mode so that stored backup objects cannot be altered or deleted for the retention period defined by the tier.
  • Monitoring and logging. macup operates centralised logging with tamper-evident storage, a minimum 12-month audit log retention period, and SIEM-based alerting on security-relevant events. Production changes are made through reviewed, logged change-management workflows.
  • Incident response. macup maintains a documented incident response plan, a 24/7 on-call rotation for security incidents, and a breach-notification process that meets the 72-hour requirement in Section 14. Incident response procedures are tested at least annually.
  • Resilience and continuity. macup performs daily snapshots of control-plane databases, maintains geographically separated backups of its own systems, and conducts periodic restore drills to verify recoverability.
  • Personnel security. macup performs background checks on personnel with production access, provides mandatory security and privacy training on hire and annually thereafter, and promptly revokes access on role change or termination.
  • Secure development. macup follows a secure software development lifecycle that includes code review, dependency scanning, static analysis, and third-party penetration testing on at least an annual cadence.

macup may update the measures from time to time, provided the overall level of protection is not materially reduced.

Sub-processors

The Customer grants macup a general authorisation to engage Sub-processors for the Processing activities described in this DPA, subject to the conditions in this Section.

macup’s current Sub-processors as of the effective date of this DPA are:

  • Wasabi Technologies, LLC — object storage for the macup Cloud destination; deployed in the region the customer selected at signup (US, EU, UK, CA, or AU). The customer’s data does not leave the selected region.
  • Supabase, Inc. — authentication, managed PostgreSQL, and edge compute for the control plane; United States.
  • Lemon Squeezy, Inc. — merchant of record for payment processing, invoicing, and tax handling; United States.
  • Cloudflare, Inc. — content delivery network, DDoS protection, WAF, and authoritative DNS; United States, with global edge presence.
  • Kit (formerly ConvertKit) or Beehiiv, Inc. — transactional and opt-in newsletter delivery; United States. [OPEN ITEM — final selection between Kit and Beehiiv pending; flagged for legal review before signature.]
  • PostHog, Inc. — post-consent product analytics for the marketing website and web console; United States and European Union regions, with EU residency selectable.
  • DigitalOcean, LLC — edge compute for selected support and documentation services; United States.

macup imposes on each Sub-processor, by written contract, data protection obligations that are no less protective than those in this DPA, in accordance with Article 28(4) GDPR. macup remains liable to the Customer for the performance of each Sub-processor’s obligations.

macup will give the Customer at least 30 days’ advance notice of the appointment or replacement of a Sub-processor, by updating the list at macup.app/legal/subprocessors and notifying Customer administrators by email. The Customer may object to a proposed Sub-processor on reasonable grounds relating to data protection within that 30-day window by notice to legal@macup.app. The parties will work in good faith to resolve the objection; if they cannot, the Customer’s sole remedy is to terminate the affected portion of the Agreement on written notice, without penalty, with a pro-rated refund of prepaid fees for the unused period.

Cross-border transfers

Where the Processing of Customer Personal Data by macup or a Sub-processor involves a transfer of Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a country not recognised by the relevant authority as providing an adequate level of protection, the parties rely on the following transfer mechanisms, each incorporated into this DPA by reference:

  • the EU Standard Contractual Clauses, Module Two (controller to processor) where the Customer is a Controller and macup is a Processor, or Module Three (processor to processor) where the Customer is a Processor and macup is a Sub-processor;
  • the UK IDTA for transfers subject to the UK GDPR; and
  • the SCCs as amended by the Swiss Federal Data Protection and Information Commissioner for transfers subject to the FADP.

For the purposes of the SCCs, the Customer is the data exporter and macup is the data importer. The parties agree that: Clause 7 (docking clause) is included; Clause 9, Option 2 (general written authorisation for Sub-processors) applies with the 30-day notice period set out in Section 11; Clause 11(a) (independent dispute resolution) is not included; the governing law in Clause 17 is the law of Ireland; the competent courts under Clause 18 are the courts of Ireland; Annex I.C designates the lead Supervisory Authority consistent with Clause 13; and the content of Annexes I, II, and III is set out in the Annexes to this DPA.

The SCCs take precedence over any conflicting provision of the Agreement or this DPA.

Data subject requests

macup will, taking into account the nature of the Processing, provide reasonable assistance to the Customer by appropriate technical and organisational measures, insofar as possible, to enable the Customer to fulfil its obligation to respond to Data Subject requests under Chapter III of the GDPR.

If macup receives a Data Subject request that relates to Customer Personal Data, macup will, without undue delay, inform the Customer of the request and will not respond to the Data Subject directly except as strictly necessary to confirm that the request should be routed to the Customer, or where legally required. macup will not be obliged to suspend Processing on receipt of such a request unless the Customer so instructs.

Personal data breaches

macup will notify the Customer without undue delay, and in any event no later than 72 hours after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data, in accordance with Article 33 GDPR. The notification will, to the extent then known:

  • describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
  • describe the likely consequences of the Personal Data Breach;
  • describe the measures taken or proposed to address the Personal Data Breach and mitigate its possible adverse effects; and
  • provide the contact details of macup’s security point of contact for follow-up.

Where the information cannot be provided at once, it will be provided in phases without further undue delay. macup will document all Personal Data Breaches, including the facts, effects, and remedial action, in an internal register available to the Customer on request. Initial notification of a Personal Data Breach is not an admission of liability.

Return and deletion

Upon termination or expiry of the Agreement, and at the Customer’s election, macup will return or delete all Customer Personal Data. The Customer may export backup data through the product for a period of 30 days after termination.

After the export window closes, macup will delete Customer Personal Data from active production systems within 30 days, and from backups of its own systems within 90 days, except to the extent that retention is required by Union or Member State law. Required retention is limited to:

  • Tax and billing records — retained for the minimum period required by applicable tax law in the relevant jurisdiction, typically up to ten years;
  • Audit logs and security records — retained for the minimum period required for security, legal, or regulatory purposes; and
  • Dispute records — retained for the limitation period applicable to potential claims.

Personal Data retained under this Section remains subject to the confidentiality and security obligations of this DPA until deletion.

Audits

macup will make available to the Customer all information necessary to demonstrate compliance with its obligations under Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer and reasonably acceptable to macup.

Audits may be exercised once in any 12-month period, at the Customer’s cost, on at least 30 days’ prior written notice, during normal business hours, and subject to macup’s reasonable confidentiality and security requirements, including a non-disclosure agreement on customary terms. More frequent audits may be conducted where required by a Supervisory Authority, or following a confirmed Personal Data Breach affecting the Customer.

In lieu of an on-site audit, macup will, on written request, provide the Customer with:

  • its most recent SOC 2 Type II report (anticipated Q1 2027; a SOC 2 Type I report and equivalent attestations are available before that date). [OPEN ITEM — SOC 2 completion date to be confirmed by the compliance lead before signature.]
  • an executive summary of its most recent independent penetration test;
  • a completed CAIQ and/or SIG Lite questionnaire; and
  • its information security policy summary.

The Customer is entitled to share these materials with its auditors and regulators on a confidential basis.

Liability

The liability of each party under or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Data Protection Law, including under the SCCs in respect of Data Subjects.

Order of precedence

In the event of any conflict or inconsistency between the documents governing the Processing of Customer Personal Data, the order of precedence is: (1) the Standard Contractual Clauses and UK IDTA, where applicable; (2) this DPA; (3) the Agreement, including the Order Form.

Changes

macup may update this DPA from time to time to reflect changes in Applicable Data Protection Law, in its service, or in its Sub-processor list. Non-material changes take effect on posting. Material changes will be notified to the Customer in writing at least 30 days in advance, and, where required by law, with the Customer’s right to object and terminate in accordance with Section 11.

Annex I — Details of processing

A. List of Parties

  • Data exporter (Controller). The Customer identified in the Order Form. Contact details, role, and activities relevant to the data transferred are as set out in the Order Form. The data exporter’s signatory on the Order Form is the authorised representative for the purposes of the SCCs.
  • Data importer (Processor). macup, Inc., a Delaware corporation, providing the managed backup, restore, and recovery service described in the Agreement. Contact: legal@macup.app; security@macup.app.

B. Description of transfer

  • Categories of Data Subjects. As set out in Section 7 of this DPA.
  • Categories of Personal Data. As set out in Section 6 of this DPA.
  • Sensitive data. Not intentionally Processed; see Section 6.
  • Frequency of transfer. Continuous, for the duration of the Agreement.
  • Nature of Processing. As set out in Section 5 of this DPA.
  • Purpose of Processing. As set out in Section 5 of this DPA.
  • Retention period. For the duration of the Agreement and in accordance with Section 15 of this DPA.
  • Transfers to Sub-processors. As set out in Section 11 and Annex III of this DPA.

C. Competent Supervisory Authority

For transfers subject to the GDPR, the competent Supervisory Authority is the Irish Data Protection Commission, unless another authority has jurisdiction under Article 56 GDPR. For transfers subject to the UK GDPR, the competent authority is the UK Information Commissioner’s Office. For transfers subject to the FADP, the competent authority is the Swiss Federal Data Protection and Information Commissioner.

Annex II — Technical and organisational measures

The technical and organisational measures set out in Section 10 of this DPA are incorporated into this Annex II in full and apply to all transfers under the Standard Contractual Clauses. macup will maintain these measures at a level no less protective than described, and may improve them over time.

Specifically, for the purposes of Annex II of the SCCs:

  • Measures of pseudonymisation and encryption. Client-side AES-256 encryption of backup content; TLS 1.3 in transit with certificate pinning; platform secrets in a managed KMS.
  • Measures for ensuring ongoing confidentiality, integrity, availability, and resilience. Single-region data residency per customer; multi-AZ replication within the chosen region; Object Lock in compliance mode on the managed storage tier; documented disaster-recovery procedures within the chosen region; periodic restore drills.
  • Measures for ensuring the ability to restore availability and access. Daily snapshots of control-plane databases; geographically separated backups; 24/7 on-call.
  • Processes for regularly testing, assessing, and evaluating effectiveness. Annual third-party penetration testing; quarterly internal control reviews; continuous vulnerability management.
  • Measures for user identification and authorisation. Named identities with MFA for all production access; role-based access control; session recording for privileged access.
  • Measures for the protection of data during transmission and storage. TLS 1.3; encrypted at rest on all storage tiers; Object Lock for immutable retention of backup content.
  • Measures for ensuring physical security of processing locations. macup does not operate its own data centres; Sub-processors operate certified facilities (SOC 2, ISO 27001, or equivalent).
  • Measures for ensuring events logging. Centralised logging; minimum 12-month audit log retention; SIEM-based alerting.
  • Measures for ensuring system configuration, including default configuration. Hardened baseline images; infrastructure-as-code with peer review; secret scanning in CI.
  • Measures for internal IT and IT security governance and management. Written information security policy; designated security lead; annual security and privacy training.
  • Measures for certification and assurance of processes and products. SOC 2 Type II in progress (see Section 16); CAIQ and SIG Lite available on request.
  • Measures for ensuring data minimisation. macup does not hold decryption keys for Customer content; operational metadata excludes filenames, paths, and contents.
  • Measures for ensuring data quality. Control-plane schemas enforce referential integrity; automated anomaly detection on billing and account data.
  • Measures for ensuring limited data retention. Retention schedule as set out in Section 15.
  • Measures for ensuring accountability. Change management, audit logs, and incident-response documentation maintained per SOC 2.
  • Measures for allowing data portability and ensuring erasure. Self-service export of backup data during the 30-day wind-down; documented deletion SLAs per Section 15.

For transfers to Sub-processors, macup ensures that Sub-processors apply equivalent measures through written contracts and periodic review.

Annex III — Sub-processor list

The list of Sub-processors set out in Section 11 of this DPA is incorporated into this Annex III in full for signing convenience:

  • Wasabi Technologies, LLC — object storage for macup Cloud; deployed in the region the customer selected at signup (US, EU, UK, CA, or AU).
  • Supabase, Inc. — authentication, managed PostgreSQL, edge compute; United States.
  • Lemon Squeezy, Inc. — merchant of record for payments; United States.
  • Cloudflare, Inc. — CDN, DDoS protection, DNS; United States with global edge.
  • Kit (formerly ConvertKit) or Beehiiv, Inc. — newsletter delivery; United States. [OPEN ITEM — final selection pending.]
  • PostHog, Inc. — post-consent product analytics; United States and European Union.
  • DigitalOcean, LLC — edge compute for selected support services; United States.

The authoritative, up-to-date Sub-processor list is maintained at macup.app/legal/subprocessors.

Contact

For matters relating to this DPA, including additional documented instructions, Sub-processor objections, audit requests, and Personal Data Breach follow-up, contact:

Written notices to macup may also be sent to the registered office address listed in the Order Form. [OPEN ITEM — registered office address, arbitration venue, and insurance specifics to be confirmed by counsel before signature.]

Revision history

  • — Initial version.

Questions?

Write to legal@macup.app. For security disclosures use security@macup.app. For product support use support@macup.app.