Data Processing Agreement

Last updated: March 5, 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") supplements the MicroStax Terms of Service and governs the processing of personal data by MicroStax on behalf of the Customer, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

  • Controller: The Customer, who determines the purposes and means of processing personal data.
  • Processor: MicroStax, Inc., which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.

3. Data Processing Details

  • Subject matter: Provision of ephemeral environment orchestration services
  • Duration: For the term of the service agreement
  • Categories of data subjects: Customer's employees and end-users
  • Types of personal data: Email addresses, names, GitHub profile information, IP addresses, usage logs

4. Processor Obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller with data subject rights requests
  • Delete or return all personal data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

MicroStax uses the following categories of sub-processors:

  • Cloud infrastructure: For hosting and compute services
  • Analytics: For product usage analytics (anonymized where possible)
  • Email delivery: For transactional and product update emails

We will notify the Controller before adding or replacing sub-processors, allowing reasonable time for objections.

6. Security Measures

MicroStax implements security measures including but not limited to:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Access controls and authentication (GitHub OAuth, JWT)
  • Kubernetes namespace isolation for environment separation
  • Regular security assessments and monitoring
  • Incident response procedures

7. Data Breach Notification

MicroStax will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach, and will provide all information necessary for the Controller to fulfill its own breach notification obligations.

8. International Transfers

When personal data is transferred outside the EEA, MicroStax ensures appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Contact

For DPA-related inquiries, contact privacy@microstax.ai.