We can't read your data. Here's how.
The short answer to every trust question a backup product gets: your keys don't leave your Mac, so neither we nor anyone who breaches us can read a single file. The long answer is this page.
Encryption
Every snapshot macup writes is encrypted on your Mac before it leaves. The cipher is AES-256 in a modern authenticated mode. The key that unlocks it is derived from your passphrase using a slow, salted key-derivation function — the industry-standard defence against brute-forcing a stolen encrypted blob.
The derived key lives on your Mac, in Keychain. It is never transmitted. That means the storage plane — whether it's macup Cloud or a bucket you operate yourself — holds only ciphertext it cannot decrypt. If we're compelled by a subpoena, we can hand over ciphertext. We cannot hand over your files.
In transit, we use TLS 1.3 for every call to our APIs and for every write to macup Cloud. Certificate pins are published in the desktop client, so a compromised intermediate CA cannot silently re-issue a cert and impersonate us.
Keys rotate on a schedule. Repository keys support user-driven rotation — you can change the passphrase on a repository without re-uploading your data. Our own operational keys (for the few things macup's servers hold, like signed session tokens) rotate automatically every 90 days, and on any suspected exposure.
Architecture and infrastructure
macup separates the data plane — the encrypted blobs your Mac writes — from the control plane — the small amount of coordination state we need to know what device is entitled to what backup. The split matters: the control plane never sees your data, and the data plane never authorises anything.
All customer data sits in a single region selected at signup — US, EU, UK, Canada, or Australia. Data stays in the selected region. Object storage is content-addressed, protected by Object Lock in compliance mode, and replicated across multiple availability zones within the region. No one — including us — can delete or alter an object inside its retention window. A successful ransomware event on your Mac cannot propagate to your macup Cloud snapshots.
All edge and application services run on provider-managed compute, behind a distributed denial-of-service layer. Our target uptime for control-plane services is 99.95%. Real-time status is at status.macup.app; we post every incident there, with updates every fifteen minutes until resolved, and publish post-mortems within seven days for any Sev-1 or Sev-2 event.
A full vendor list — every service we use, what each one holds, and what contract sits behind it — is available in our standard vendor questionnaire on request from security@macup.app. We don't publish it on this page because (a) the list changes as we optimise the stack, and (b) the people who need it — procurement, security engineers — expect it signed, on letterhead, not scraped from a marketing page.
Compliance
We're honest about what we have today and what's in flight.
- GDPR: Compliant. DPA available on request; sign-and-return terms. Sub-processor list maintained and versioned.
- CCPA: Compliant. We do not sell personal data. Deletion requests honoured within 30 days; verification by account owner.
- SOC 2 Type II: In progress. Observation period runs through 2026. Target report date: Q1 2027. Interim control documentation available under NDA for enterprise procurement.
- ISO 27001: Roadmap. Tracked as a follow-on to SOC 2 Type II once the control environment is stabilised.
- HIPAA / PCI-DSS: Out of scope. macup is not a covered entity for protected health information and does not accept stored payment data — payments are handled by a PCI-DSS Level 1 merchant of record.
Data handling
The short version: we collect the minimum needed to run the product, keep it as briefly as possible, and delete it on request inside 30 days.
What we collect
- Account data. Email, hashed passphrase, device identifiers, license state, plan. Required to authenticate you and grant the right devices access to the right repositories.
- Encrypted backup data. Ciphertext only, in repositories you control. We store it; we cannot read it.
- Operational metadata. Last-seen time, snapshot sizes, destination health, error codes. No file names. No file contents. Required for the menubar's status view and for support.
- Web analytics. Consented-only page-view counts, referrer, browser type. No cross-site tracking. No sale of data.
What we do not collect
- File names or contents of anything inside a repository.
- Keystroke, mouse-movement, or session-replay data.
- Location beyond the coarse country-level region derived from IP, used for region routing.
Retention
- Account data: for the lifetime of the account, then deleted within 30 days of closure.
- Backup data: retained according to your retention policy. You own the dial.
- Operational metadata: 90 days rolling.
- Audit logs (for security purposes): 12 months.
Data residency
All customer data sits in a single region selected at signup — US, EU, UK, Canada, or Australia. Data stays in the selected region. Within that region, object storage is replicated across multiple availability zones and held in Object Lock compliance mode. If residency is a procurement requirement for you, write to security@macup.app and we'll share the current region allowlist and supporting documentation.
Responsible disclosure
We run a private disclosure program. If you've found a security issue, tell us before you tell anyone else, and we'll tell you the same. The short policy:
- Report to security@macup.app. PGP key fingerprint: 3D4F 6A9E 7B1C 5D2E 8F0A 4B6C 9D1E 2F3A 5C7B 8E0F (the full key is at /pgp-security.asc).
- Response time. We acknowledge inside 48 hours. Triage inside 5 business days. Fix-or-mitigation timeline is communicated back before day 14.
- Disclosure window. 90 days from report to public disclosure, or earlier by mutual agreement if a fix ships sooner. Extensions up to an additional 90 days are considered for complex issues.
- Safe harbor. Good-faith research that avoids customer-data access, service disruption, social engineering, and physical attacks is considered authorised testing and will not be pursued legally.
- Recognition. A public hall of fame at /security-trust/hall-of-fame — reporters can opt in or stay anonymous. We don't pay cash bounties at this stage of the company; we do pay for genuinely impactful reports, case by case.
Incident history
As of 2026-04-22, no customer-impacting security incidents. When one happens — the industry average says it's a matter of time, not category — we will post it at status.macup.app in real time, write a public post-mortem inside seven days with what we learned, and contact every affected customer directly. That's a promise this page documents so you can hold us to it.
Vendor questionnaires and enterprise procurement
If your team needs a signed vendor questionnaire, DPA, or penetration-test summary before approving macup, write to security@macup.app. On file and available on request:
- Pre-filled CAIQ (Consensus Assessment Initiative Questionnaire) from the Cloud Security Alliance.
- Pre-filled SIG Lite (Shared Assessments Standardised Information Gathering, short form).
- Current DPA and sub-processor list.
- Annual penetration-test summary report, redacted where the details are client-sensitive, unredacted under NDA.
Turnaround is typically 1–2 business days.
Trust, but verify. Then start a trial.
14-day trial. No card. End-to-end encrypted from the first byte. Run a restore by Friday.