15% off your workspace - subscribe to our blogNo per-service fees - one plan, unlimited appsDeploy in under 40 seconds99.95% uptime SLAFree tier available - start building today15% off your workspace - subscribe to our blogNo per-service fees - one plan, unlimited appsDeploy in under 40 seconds99.95% uptime SLAFree tier available - start building today
App DeploymentManaged DatabasesPreview AppsAutoscalingShared StorageRegionsMigetpacksFair SchedulerGitHub IntegrationSSH AccessApplication CloningMiget vs HerokuMiget vs RenderMiget vs RailwayMiget vs Fly.ioSee all comparisons
DocumentationAPI ReferenceFAQMigration GuidesOSS ProgramReferral ProgramRoadmapRelease NotesChangelogStatusDiscordGitHub
Miget x AIPlansCompareBlogDashboard
Start for Free
Platform
App DeploymentDeploy from Git or Docker in secondsManaged DatabasesPostgreSQL, MySQL, Redis built inPreview AppsAutomatic environments for every PRAutoscalingScale up and down automaticallyShared StoragePersistent volumes across servicesRegionsGlobal infrastructure locations
Features
MigetpacksZero-config builds for 14+ languagesFair SchedulerSmart CPU sharing across all appsGitHub IntegrationPush to deploy, PR previewsSSH AccessDirect shell access to containersApplication CloningDuplicate apps in one click
Compare
Miget vs HerokuA modern alternativeMiget vs RenderA better value platformMiget vs RailwayA better platform for your appsMiget vs Fly.ioA simpler alternativeSee all comparisons
Resources
DocumentationGuides and referencesAPI ReferenceREST API for your infrastructureFAQCommon questions answeredMigration GuidesMove your apps to MigetOSS ProgramFree compute for open sourceReferral ProgramEarn 30% credits for referrals
Community
RoadmapSee what's nextRelease NotesWhat's new in MigetChangelogPlatform updatesStatusSystem uptimeDiscordJoin the communityGitHubOpen source repos
Blog
Mar 31, 2026Miget Referral Program: Earn 30% Credits on Every ReferralShare your referral code and earn 30% of every payment your referrals make - applied automatically to your subscription. Cash out at $1,000+.Mar 27, 2026Miget Agent Skills: Manage Infrastructure from Your AI EditorInstall the Miget agent skill with one command and your AI editor learns the full API. Deploy, provision databases, and debug deploys through natural language.Mar 26, 2026PostgreSQL HA Clusters Are Now AvailableDeploy high-availability PostgreSQL clusters on Miget with 3, 5, or 7 instances. Automatic replication, failover, and zero connection string changes.
All articles

Data Processing Agreement

Last updated: February 10, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between ipp.net Krzysztof Taraszka, al. Powstania Warszawskiego 15, 31-539 Krakow, Poland ("Miget," "we," "us," or "Processor") and you ("Customer," "Controller") to reflect the parties' agreement regarding the processing of personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

This DPA applies where and only to the extent that Miget processes personal data on behalf of the Customer in the course of providing the Service, and such personal data is subject to GDPR or other applicable data protection laws.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement or in the GDPR.

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Miget on behalf of the Customer as part of the Service.
  • "Processing" means any operation or set of operations performed on personal data, whether by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by Miget to process personal data on behalf of the Customer.
  • "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to the GDPR. The lead supervisory authority for Miget is the President of the Personal Data Protection Office (UODO) in Poland.

2. Scope and Roles

The Customer acts as the Controller and determines the purposes and means of processing personal data. Miget acts as the Processor and processes personal data only on behalf of and in accordance with the documented instructions of the Customer.

This DPA applies to all personal data processed by Miget in connection with the provision of the Service, including but not limited to data stored in applications, databases, and environments deployed on the Miget platform.

3. Customer Obligations

The Customer warrants that:

  • It has a lawful basis for the processing of personal data and has complied with all applicable data protection laws in respect of the personal data provided to Miget.
  • It has provided all necessary notices and obtained all necessary consents or authorizations required under applicable law for Miget to process personal data as described in this DPA.
  • It shall comply with its obligations under the GDPR and any other applicable data protection legislation.
  • Its instructions to Miget regarding the processing of personal data comply with all applicable laws and regulations.

4. Processing Instructions

Miget shall process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or Member State law to which Miget is subject. In such a case, Miget shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Customer's instructions for processing are set forth in this DPA and the Agreement. The Customer may issue additional reasonable instructions consistent with the terms of this DPA and the Agreement, provided that such instructions are lawful and technically feasible.

5. Confidentiality

Miget shall ensure that any person authorized to process personal data has committed themselves to confidentiality or is under an appropriate statutory obligation of confidentiality. Miget shall ensure that access to personal data is limited to those personnel who require such access in order to perform the Service.

6. Security Measures

Miget shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, as appropriate:

  • Encryption of personal data in transit (TLS 1.2+) and at rest.
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
  • Logical access controls and network segmentation to isolate Customer environments.
  • Automated monitoring and logging of access to systems processing personal data.
  • Regular vulnerability scanning and security patching of infrastructure components.

7. Sub-processors

The Customer provides general written authorization for Miget to engage Sub-processors to assist in the provision of the Service. Miget shall maintain an up-to-date list of Sub-processors and shall make this list available to the Customer upon request.

Miget shall notify the Customer at least 30 days in advance of any intended changes to the list of Sub-processors, including the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If the parties cannot resolve the matter, the Customer may terminate the affected Service by providing written notice.

Where Miget engages a Sub-processor, Miget shall impose on the Sub-processor data protection obligations no less protective than those set out in this DPA by way of a written contract. Miget shall remain fully liable to the Customer for the performance of the Sub-processor's obligations.

Current Sub-processors

  • OVHcloud - Infrastructure hosting and compute services (France / European Union)
  • Cloudflare, Inc. - DNS and proxy services for Customer application domains (*.migetapp.com) (United States, with EU data processing)
  • Polar.sh - Payment processing and billing (European Union)

8. Data Subject Rights

Miget shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure / right to be forgotten (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

If Miget receives a request from a data subject in relation to the Customer's personal data, Miget shall promptly redirect the data subject to the Customer and notify the Customer of the request without undue delay. Miget shall not respond to any such request directly except on the documented instructions of the Customer or as required by applicable law.

9. Data Breach Notification

Miget shall notify the Customer without undue delay and in any event within 48 hours after becoming aware of a Data Breach affecting the Customer's personal data. The notification shall include:

  • A description of the nature of the Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  • The name and contact details of the data protection officer or other contact point where more information can be obtained.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Miget shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any Data Breach.

10. Data Protection Impact Assessments

Miget shall provide reasonable assistance to the Customer with any data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities, which the Customer reasonably considers to be required under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to Miget.

11. International Data Transfers

Miget is based in Poland, a member of the European Union. We primarily process and store personal data within the European Economic Area (EEA).

Where personal data is transferred outside the EEA in connection with the Service (for example, through the use of Sub-processors), Miget shall ensure that such transfers are carried out in compliance with GDPR by relying on one or more of the following transfer mechanisms:

  • An adequacy decision by the European Commission under Article 45 GDPR (e.g., the EU-U.S. Data Privacy Framework).
  • Standard Contractual Clauses ("SCCs") adopted by the European Commission under Article 46(2)(c) GDPR, supplemented by additional safeguards where required by the CJEU's Schrems II decision.
  • Binding Corporate Rules approved under Article 47 GDPR.
  • Any other valid transfer mechanism recognized under the GDPR.

Miget shall, upon request, provide the Customer with details of the transfer mechanism relied upon for any particular transfer.

12. Audit Rights

Miget shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

The Customer shall provide Miget with at least 30 days prior written notice of any audit request. Audits shall be conducted during normal business hours, no more than once per calendar year (unless required by a supervisory authority or following a Data Breach), and in a manner that minimizes disruption to Miget's operations. The Customer shall bear the costs of any audit it initiates.

Miget may satisfy audit requests by providing relevant certifications, audit reports, or summaries of independent third-party audits where available.

13. Data Retention and Deletion

Upon termination or expiration of the Agreement, or upon the Customer's written request, Miget shall, at the Customer's choice, delete or return all personal data processed on behalf of the Customer, and delete existing copies, unless European Union or Member State law requires storage of the personal data.

The Customer's data, including all personal data in deployed applications, databases, and environments, shall be made available for export for 30 days following account termination. After this period, Miget shall securely delete all remaining personal data from its systems, including backups, within 90 days unless retention is required by applicable law.

14. Details of Processing

Subject matter and duration

The subject matter of the processing is the provision of the Miget platform as a service. The duration of the processing corresponds to the term of the Agreement between the Customer and Miget.

Nature and purpose of processing

Miget provides a fixed-capacity Platform as a Service (PaaS) that enables Customers to deploy applications, databases, workers, and preview environments. Personal data is processed as necessary to provide the hosting, compute, storage, and networking services that constitute the Service.

Types of personal data

  • Account data: name, email address, billing information, IP addresses, and authentication credentials.
  • Customer application data: any personal data stored or processed within the Customer's deployed applications, databases, and environments - the content and categories of which are determined by the Customer.
  • Usage data: logs, deployment metadata, resource utilization metrics, and access records.

Categories of data subjects

  • The Customer's employees, contractors, and authorized users of the Service.
  • End users of the Customer's applications deployed on the Miget platform, as determined by the Customer.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party's aggregate liability under this DPA exceed the limitations set forth in the Agreement.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Poland, without regard to its conflict of laws provisions. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Krakow, Poland.

17. Changes to This DPA

Miget may update this DPA from time to time to reflect changes in our processing activities, applicable laws, or industry best practices. We will notify Customers of material changes at least 30 days in advance through the email address associated with their account or through the Service.

18. Contact

For questions about this Data Processing Agreement or to exercise any rights under it, please contact us:

  • Email: privacy@miget.com
  • Address: ipp.net Krzysztof Taraszka, al. Powstania Warszawskiego 15, 31-539 Krakow, Poland

You may also contact the lead supervisory authority - the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland - uodo.gov.pl.

Data Processing Agreement | Miget | Miget