Data Processing Agreement
(Version 1.0 — Effective from 2025-12-01)
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Customer – the data controller; and
- DoDone AB, a company incorporated in Sweden, Org. nr [559393-2410] (“Processor”).
This DPA supplements the Terms of Service and applies where the Processor processes personal data on behalf of the Customer.
2. Subject Matter and Duration
The Processor provides the Minyu SaaS platform, enabling configuration and management of business information systems.
Processing of personal data occurs only for the duration of the Customer’s active subscription and solely for the purpose of operating, maintaining, and supporting the Minyu service.
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Customer.
- Ensure personnel authorized to process data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures to protect data.
- Not transfer personal data outside the EEA without ensuring adequate safeguards.
4. Sub-processors
The Customer authorizes the Processor to engage the following sub-processors for the same processing purposes:
| Sub-processor | Purpose | Location | Legal Entity |
|---|---|---|---|
| Google Cloud Platform (GCP) | Hosting, database, and storage infrastructure | Sweden | Google Cloud EMEA Limited |
| Google LLC (SMTP) | Transactional email delivery | EEA / US (with SCCs) | Google LLC |
| Firebase (Google LLC) | Authentication and identity management | EEA / US (with SCCs) | Google LLC |
| Stripe Payments Europe Ltd. | Payment processing and subscription billing | Ireland | Stripe Payments Europe Ltd. |
The Processor remains fully responsible for its sub-processors’ performance and shall inform the Customer of any intended changes.
5. Data Subject Rights
The Processor shall assist the Customer, upon request, in responding to data subject requests only to the extent technically feasible within the Minyu platform.
6. Security Measures
The Processor maintains security measures including:
- Encryption in transit and at rest.
- Network isolation and tenant separation.
- Access control with role-based permissions.
- Continuous backup and secure deletion procedures.
- Logging and monitoring for unauthorized access attempts.
7. Personal Data Breach
The Processor shall notify the Customer without undue delay, and no later than 72 hours, after becoming aware of a personal data breach affecting the Customer’s data.
8. Data Return and Deletion
Upon termination of the Service or upon written request, the Processor shall:
- Return Customer Data in a structured, commonly used format upon request, and
- Permanently delete all personal data within 30 days, except where retention is required by law.
9. Compliance
DoDone AB is solely responsible for implementing and maintaining appropriate technical and organizational measures to comply with applicable data-protection law.
The Customer acknowledges that DoDone AB’s compliance may be demonstrated through internal documentation and written policies only, and no audit or inspection rights are granted unless required by competent supervisory authorities.
10. Governing Law and Jurisdiction
This DPA is governed by Swedish law.
Any dispute shall be resolved by the Stockholm District Court, unless otherwise required by mandatory law.
11. Contact
DoDone AB
Email:
Website: https://minyu.dodone.tech