Data Processing Agreement
Version 2.1 · Effective May 15, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between MacYou and its customers for the provision of dedicated cloud hosting services, in compliance with Article 28 of the General Data Protection Regulation (GDPR).
1. Overview
This DPA governs the processing of personal data by MacYou on behalf of its customers in connection with the provision of dedicated Apple Mac Mini M4 Pro cloud servers. It is designed to meet the requirements of Article 28 of Regulation (EU) 2016/679 (the “GDPR”) and applies wherever MacYou processes personal data on behalf of a customer who acts as a data controller.
A DPA is required when you, as a MacYou customer, use our servers to process personal data of your end-users, employees, or other individuals. This DPA supplements and is incorporated into our Terms of Service and Privacy Policy.
2. Scope
In the context of this DPA, MacYou acts as a data processor, and you (the customer) act as the data controller for personal data that you or your end-users store, process, or transmit on your dedicated MacYou servers.
MacYou does not determine the purposes or means of processing your end-users' personal data. You retain full control over what data is processed on your servers and how it is used. MacYou's role is limited to providing the infrastructure and ensuring its availability, security, and performance.
This DPA does not apply to data that MacYou processes as a data controller in its own right (e.g., your account registration data, billing information), which is governed by our Privacy Policy.
3. Processing Details
Types of Personal Data
The types of personal data processed depend on the applications and services you run on your MacYou server. This may include, but is not limited to: names, email addresses, IP addresses, device identifiers, location data, financial data, health data, or any other personal data your applications collect from your end-users.
Categories of Data Subjects
Data subjects may include your end-users, customers, employees, contractors, partners, or any other individuals whose personal data is processed on your MacYou server.
Duration of Processing
MacYou will process personal data for the duration of your subscription. Upon termination of your account, data will be handled in accordance with Section 7 (“MacYou's Obligations”) regarding deletion and return.
Nature and Purpose of Processing
The nature of processing is the provision of dedicated cloud hosting infrastructure. MacYou provides the physical hardware, network connectivity, power, and environmental controls necessary for you to run your applications. The purpose of processing is to enable you to operate your software and services on dedicated Mac Mini hardware.
4. MacYou's Obligations
As a data processor, MacYou commits to the following obligations under Article 28 GDPR:
- Processing on documented instructions — MacYou will process personal data only on your documented instructions, unless required to do so by applicable law. If such a legal requirement arises, MacYou will inform you before processing (unless prohibited by law).
- Confidentiality — all MacYou personnel who have access to personal data are bound by contractual obligations of confidentiality and have received appropriate training on data protection.
- Security measures — MacYou implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration, as detailed in Section 7.
- Sub-processor management — MacYou will not engage a sub-processor without your prior general authorization. We will notify you of any intended changes to sub-processors, giving you the opportunity to object, as detailed in Section 5.
- Assistance with data subject requests (DSARs) — MacYou will assist you, insofar as technically possible and by appropriate technical and organizational measures, in fulfilling your obligations to respond to data subject access requests and other rights under the GDPR (access, rectification, erasure, portability, restriction, objection).
- Deletion or return after termination — upon termination of your subscription, MacYou will, at your choice, delete or return all personal data and delete existing copies, unless applicable law requires retention. Data is securely wiped in accordance with NIST 800-88 guidelines within 30 days of account termination.
- Audit rights — MacYou will make available to you all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable advance notice and confidentiality obligations.
5. Sub-processors
MacYou uses the following sub-processors in the delivery of its services. By agreeing to this DPA, you provide general authorization for the use of these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication infrastructure | United States / EU |
| Vercel | Web application hosting and edge delivery | United States / Global |
| Upstash | Redis caching and rate limiting | United States / EU |
| Resend | Transactional email delivery | United States |
MacYou will notify you by email at least 30 days before adding or replacing a sub-processor. If you have a reasonable objection to a new sub-processor, you may notify us within 14 days of notification. MacYou will make reasonable efforts to address your concerns or offer an alternative. If no resolution is possible, you may terminate the affected service without penalty.
6. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom, or Switzerland, MacYou ensures that appropriate safeguards are in place:
6.1 Customer (Controller) to MacYou (Processor) — transfer to Georgia
Macyou LLC is established in Georgia, which is not currently the subject of an EU adequacy decision under GDPR Article 45. Where the Customer is established in the EEA, the United Kingdom, or Switzerland and MacYou processes personal data on the Customer's behalf at the Tbilisi, Georgia data center or in support systems operated under Georgian law, this DPA incorporates by reference the European Commission's Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller → Processor), with:
- the Customer as data exporter and Macyou LLC as data importer;
- the docking clause (Clause 7) selected (the SCCs may be acceded to by additional parties);
- Option 2 of Clause 9(a) selected — general written authorisation for sub-processors with the notice mechanism described in Section 5;
- Option 1 of Clause 17 selected — the SCCs are governed by the law of the EU Member State in which the data exporter is established (or, where that law does not allow third-party beneficiary rights, the law of Ireland);
- Clause 18 — the competent supervisory authority is the authority of the EU Member State in which the data exporter is established.
For personal data subject to the UK GDPR, the UK Addendum to the EU Standard Contractual Clauses (version B1.0) issued by the UK Information Commissioner's Office under section 119A(1) of the Data Protection Act 2018 is incorporated and amends the SCCs accordingly. For Swiss personal data, the SCCs are read with the modifications published by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Annexes I, II, and III of the SCCs are completed in the Annex section of the executable DPA PDF available at MacYou_DPA_v1.pdf.
6.2 MacYou to Sub-processors
MacYou has executed the European Commission's Standard Contractual Clauses (Module 2: Controller → Processor, and Module 3: Processor → Processor as applicable) with all sub-processors located outside the EEA that process personal data. Where applicable, transfers may also be made to countries that the European Commission has determined provide an adequate level of data protection (e.g., the EU-U.S. Data Privacy Framework).
6.3 Transfer Impact Assessment
MacYou has carried out a transfer impact assessment covering the Georgian legal environment (including law enforcement access powers, judicial oversight, and onward-transfer restrictions) and considers that, in combination with the technical and organisational measures described in Section 7 (in particular end-to-end encryption, access controls, and audit logging) and the supplementary contractual commitments in this DPA, a level of protection essentially equivalent to that guaranteed in the EEA is preserved. A summary of this assessment is available to Customers on request to [email protected].
MacYou will inform the Customer if it becomes aware that any sub-processor (or MacYou itself) is unable to comply with the transfer safeguards described above, and will take reasonable steps to remedy the situation or cease the affected transfer.
7. Security Measures
MacYou implements the following technical and organizational measures to protect personal data processed on our infrastructure:
- Encryption at rest — all data stored on MacYou servers is encrypted using AES-256 encryption.
- Encryption in transit — all network communications are encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) are disabled.
- Access controls — MacYou employs strict role-based access controls (RBAC) for all internal systems. Administrative access to customer infrastructure requires multi-factor authentication and is logged.
- Monitoring & logging — MacYou maintains continuous infrastructure monitoring, intrusion detection systems, and audit logs for all administrative actions. Logs are retained for a minimum of 12 months.
- Physical security — MacYou servers are housed in facilities with 24/7 security, biometric access controls, and environmental monitoring (fire suppression, climate control, redundant power).
- Incident response — MacYou maintains a documented incident response plan with defined roles, escalation procedures, and communication protocols.
8. Breach Notification
In the event of a personal data breach (as defined in Article 4(12) GDPR), MacYou will notify you without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed by MacYou to address the breach and mitigate its effects.
- The name and contact details of MacYou's point of contact for further information.
MacYou will cooperate with you and provide all reasonable assistance to help you comply with your own breach notification obligations under Articles 33 and 34 GDPR and any other applicable data protection laws.
9. How to Execute This DPA
To enter into this DPA with MacYou, download the pre-signed PDF version, counter-sign it, and return the executed copy to us by email.
Send your counter-signed DPA to [email protected]. We will confirm receipt and provide you with a fully executed copy for your records within 5 business days.
10. Contact
For questions, concerns, or requests related to this DPA or data protection matters, please contact us:
Macyou LLC — Data Protection
Registered in Georgia · Entity ID 445839503
Email: [email protected]
Website: macyou.co
Also see our Terms of Service, Privacy Policy, and DMCA & Takedown Policy.