Data Processing Agreement
Required for GDPR compliance. MicroBackups signs a DPA with all customers who process personal data of EU residents.
Request a signed DPA
To request a signed Data Processing Agreement, email us with your company name and the email address associated with your MicroBackups account. We aim to return a signed DPA within 1 business day.
compliance@microbackups.comLast updated: March 2026
1. Definitions
In this Data Processing Agreement ("DPA"), "Controller" means the customer entity that has entered into the MicroBackups Terms of Service; "Processor" means MicroBackups; "Personal Data", "Processing", "Data Subject", "Supervisory Authority" have the meanings given in the GDPR.
2. Scope and purpose
This DPA applies to all Processing of Personal Data by MicroBackups as Processor on behalf of the Controller in connection with the MicroBackups backup service. The Processing is for the purpose of providing cloud backup and recovery services.
3. Controller instructions
MicroBackups shall process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by applicable law. MicroBackups shall promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
4. Confidentiality
MicroBackups ensures that all personnel authorised to process Personal Data have committed to confidentiality or are subject to appropriate statutory obligations of confidentiality.
5. Security measures
MicroBackups implements and maintains appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include AES-256 encryption at rest, TLS 1.2 in transit, access controls, and regular security audits. See our Security page for full details.
6. Sub-processors
The Controller authorises MicroBackups to engage sub-processors for the provision of the service. MicroBackups currently uses Google Cloud Platform (GCP) and Amazon Web Services (AWS) as infrastructure sub-processors. MicroBackups will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. A full sub-processor list is available on request.
7. Data subject rights
MicroBackups shall assist the Controller in fulfilling obligations to respond to Data Subject rights requests (access, rectification, erasure, portability, objection) to the extent technically possible. The Controller is responsible for responding to Data Subjects directly.
8. Data breach notification
In the event of a Personal Data breach, MicroBackups shall notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of the breach, providing sufficient information to enable the Controller to meet its notification obligations to Supervisory Authorities and Data Subjects.
9. Data protection impact assessments
MicroBackups shall provide reasonable assistance to the Controller for data protection impact assessments and prior consultation with Supervisory Authorities where required by Article 35 and 36 of the GDPR.
10. Data deletion and return
Upon termination of the service or written request by the Controller, MicroBackups shall delete or return all Personal Data, and delete existing copies, unless applicable law requires continued storage. Deletion is completed within 30 days of the termination date.
11. Audit rights
MicroBackups makes available to the Controller all information necessary to demonstrate compliance with this DPA, and allows for audits conducted by the Controller or a mandated auditor. MicroBackups may require the auditor to sign a non-disclosure agreement before disclosure of confidential information.
12. International transfers
Where Personal Data is transferred outside the EEA, MicroBackups ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission.
13. Governing law
This DPA is governed by the law of the Controller's EU member state, or where the Controller is not established in the EU, by the law of Ireland.