# Data Processing Agreement
Effective date: 8 April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and Fundamental Software SAS ("Processor", "machine0", "we") for the provision of the machine0 service. This DPA applies where machine0 processes personal data on behalf of the Controller within the meaning of GDPR Article 28.
## 1. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority", and "Sub-processor" have the meanings given in GDPR Article 4. "Service" means the machine0 cloud VM platform.
## 2. Scope of Processing
| Detail | Description |
|---|---|
| Subject matter | Provision of cloud virtual machines |
| Duration | Duration of the service agreement |
| Nature and purpose | Hosting and running VMs on behalf of the Controller. machine0 provides compute, storage, and networking infrastructure. machine0 does not access data stored within VMs unless the Controller explicitly invokes a remote execution feature (such as SSH command execution via MCP), in which case command output is relayed to the Controller's client in real time and is not stored or logged by machine0. When the HTTP proxy feature is enabled, web traffic transits machine0 infrastructure in real time without storage, logging, or inspection. |
| Type of personal data | Determined by the Controller. machine0 has no knowledge of or access to the categories of data stored on VMs. |
| Categories of data subjects | Determined by the Controller. |
## 3. Controller Obligations
- The Controller is responsible for ensuring a lawful basis for processing personal data stored on VMs.
- The Controller determines the categories of personal data and data subjects.
- If the Controller processes special category data (e.g., health data under Article 9 GDPR), the Controller is solely responsible for ensuring appropriate safeguards and legal basis.
## 4. Processor Obligations
Pursuant to Article 28(3) GDPR, machine0 shall:
- (a) Process personal data only on documented instructions from the Controller, unless required by EU or member state law. The Controller's instructions are defined by the service configuration and API calls.
- (b) Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Take all measures required pursuant to Article 32 (security of processing), as described in Section 5.
- (d) Respect the conditions for engaging sub-processors as set out in Section 6.
- (e) Assist the Controller in responding to data subject requests, to the extent technically feasible via the service interface (VM access, account management).
- (f) Assist the Controller in ensuring compliance with Articles 32 to 36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to machine0.
- (g) At the Controller's choice, delete or return all personal data after the end of the service, and delete existing copies unless EU or member state law requires storage. Upon account deletion, all VMs and associated data are destroyed. Account metadata is purged within 30 days, except where legal retention applies (billing records: 10 years per French Commercial Code Art. L123-22).
- (h) Make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits as described in Section 10.
## 5. Security Measures (Article 32)
machine0 implements the following technical and organisational measures:
- Encryption in transit: All API traffic over TLS. All VM access over SSH.
- Encryption at rest: Managed SSH private keys encrypted with AES. VM disk encryption per DigitalOcean infrastructure defaults.
- Access control: SSH key-based authentication only. Password authentication disabled on VMs. Session-based API authentication with automatic expiry. Full SSH public keys stored server-side (public keys are not secret).
- Network isolation: Each VM receives a dedicated IP address. VMs are isolated at the hypervisor level by DigitalOcean.
- Personnel: Access to production systems is restricted to authorised personnel under confidentiality obligations.
- Monitoring: Request logging, error monitoring, and rate limiting on authentication endpoints.
- Backup: Not provided by default. The Controller is responsible for VM data backups.
- HTTP proxy: When the HTTP proxy feature is enabled, traffic between machine0 infrastructure and the VM transits over plain HTTP. Customers handling sensitive data should use direct SSH tunnels.
- Availability: VM compute uptime is covered by DigitalOcean's infrastructure SLA (99.99% for CPU VMs, 99% for GPU VMs). See the Terms of Service for details and exclusions.
## 6. Sub-processors
machine0 uses the following sub-processors:
| Sub-processor | Processing Activity | Location |
|---|---|---|
| Railway | Application hosting, database, cache | US |
| DigitalOcean | VM infrastructure (compute, storage, networking) | Per region selected |
| Cloudflare | DNS and network proxy | Global (Anycast) |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| | OAuth authentication (when used) | US |
| Segment | Product analytics (when configured) | US |
| Sentry | Error monitoring (when configured) | US |
- machine0 shall inform the Controller of any intended addition or replacement of sub-processors, giving the Controller reasonable opportunity to object.
- If the Controller objects and machine0 cannot reasonably accommodate the objection, the Controller may terminate the service agreement.
- machine0 imposes data protection obligations on each sub-processor by contract that are equivalent to those set out in this DPA.
## 7. International Transfers
- Account data (email, billing, sessions, SSH keys) is hosted on Railway infrastructure in the United States.
- VM data resides in the region the Controller selects when creating a VM.
- Transactional email is sent via Resend (US).
- Where personal data is transferred outside the EEA, machine0 ensures appropriate safeguards per GDPR Chapter V, relying on Standard Contractual Clauses (SCCs) or applicable adequacy decisions.
## 8. Data Subject Requests
- machine0 will promptly notify the Controller if it receives a request from a data subject regarding personal data processed on the Controller's behalf.
- machine0 will not respond to such requests directly, unless authorised by the Controller or required by law.
- machine0 provides the Controller with full SSH access to VMs, enabling the Controller to fulfil data subject requests independently.
## 9. Breach Notification
- machine0 shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting data processed on the Controller's behalf.
- Notification shall include: the nature of the breach, categories and approximate number of data subjects affected (if known), likely consequences, and measures taken or proposed to mitigate the effects.
## 10. Audits
- machine0 shall make available to the Controller information necessary to demonstrate compliance with this DPA.
- The Controller may conduct or commission audits, with reasonable advance notice (minimum 30 days), during business hours, no more than once per 12 months unless required by a supervisory authority or following a data breach.
- The Controller shall bear the cost of any audit.
## 11. Duration and Termination
- This DPA is effective for the duration of the service agreement.
- Obligations regarding data deletion and return survive termination.
- Upon termination, machine0 deletes all Controller personal data within 30 days, except where retention is required by law.
## 12. Execution
This DPA applies automatically to all customers using the machine0 service. To request a countersigned copy for your records, contact [email protected].
## 13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
## 14. Governing Law
This DPA is governed by French law. The courts of Annecy, France have jurisdiction, unless EU regulations mandate otherwise.
## 15. Contact
Data protection enquiries: [email protected]

Fundamental Software SAS, 74310 Les Houches, France