Effective date: March 2026 · Last updated: March 2026
This document provides a public DPA framework for enterprise customers. Additional contractual provisions may be required depending on the service, jurisdiction, or regulatory obligations.
1. Parties and Roles
This DPA constitutes an addendum to the service agreement entered into between Unifics Limited, operating under the RYSTAT brand, and the Customer.
- Customer: the data controller with respect to personal data, or the data processor where applicable
- RYSTAT: the data processor or sub-processor, depending on the nature of the service
RYSTAT acts as a data processor or sub-processor, processing personal data on behalf of the Customer in accordance with the Customer's instructions in the course of providing the service. The Customer, as data controller, is responsible for fulfilling all legal obligations with respect to the data being processed.
2. Subject Matter, Duration, and Purpose
RYSTAT processes personal data solely for the purposes of providing the services covered by the agreement, maintaining security, providing support, and fulfilling documented Customer instructions.
3. Categories of Data and Data Subjects
| Category | Examples |
|---|---|
| Categories of data subjects | Customer employees, end users, individuals appearing in support requests, visitors |
| Categories of personal data | Identity and contact information, account data, log records, support records, content uploaded to the system by the Customer |
| Processing activities | Hosting, storage, access, transmission, support, logging, security monitoring, backup |
4. Customer Instructions
RYSTAT processes personal data solely in accordance with the Customer's documented instructions, unless applicable law or an order of a competent authority requires otherwise. In the event of such a requirement, RYSTAT shall notify the Customer unless legally prohibited from doing so.
5. Confidentiality and Personnel Authorisation
RYSTAT restricts access to personal data to personnel and authorised service providers who require such access in the course of their duties. All individuals with access are subject to confidentiality obligations consistent with applicable data protection legislation and receive regular data security training.
6. Security Measures
- Access controls and authentication mechanisms
- Logging, incident monitoring, and security alerting processes
- Network segmentation, patch management, and vulnerability management
- Encryption or equivalent protective measures
- Backup and business continuity plans
- Physical security measures
RYSTAT implements industry-standard technical and organisational measures to ensure the security of personal data. However, no method of transmission over the internet or electronic storage is absolutely secure. The Customer is responsible for the security of its own systems and applications, and for maintaining its own backups.
7. Sub-processors
RYSTAT may engage sub-processors in the provision of the service. Sub-processors may include hosting, data centre, network, support, monitoring, communications, and billing providers.
RYSTAT enters into agreements with sub-processors imposing equivalent data protection obligations pursuant to GDPR Article 28(4) and exercises reasonable oversight. The Customer grants RYSTAT general authorisation to engage sub-processors (GDPR Article 28(2)).
In the event that RYSTAT adds a new sub-processor or makes a material change to an existing sub-processor, RYSTAT shall notify the Customer in writing at least 14 calendar days in advance, unless legally prohibited from doing so. The Customer may raise a reasoned objection within that period. If the objection is found to be justified, the parties shall agree on appropriate remedies, including suspension or termination of the agreement.
The current public sub-processor framework is published on the Sub-processor Framework page. More detailed enterprise information may be shared upon request.
8. International Data Transfers (GDPR Chapter V — Articles 44–49)
Unifics Limited is incorporated in the Hong Kong Special Administrative Region. The European Commission has not issued an adequacy decision in respect of Hong Kong (GDPR Article 45). Accordingly, appropriate safeguards under GDPR Article 46 are applied to data flows between the EEA and Hong Kong.
Applicable transfer mechanisms
- Standard Contractual Clauses (SCCs): SCCs adopted pursuant to European Commission Implementing Decision 2021/914/EU of 4 June 2021 are applied in accordance with the module appropriate to the service relationship:
  - Module 2 (Controller → Processor): Applies to transfers between the Customer (controller) and RYSTAT (processor) where RYSTAT acts as a data processor.
  - Module 3 (Processor → Sub-processor): Applies where RYSTAT engages sub-processors located outside the EEA.
- Transfer Impact Assessment (TIA): RYSTAT conducts transfer impact assessments in relation to third-country transfers as necessary, in accordance with EDPB Recommendations 01/2020. A summary of any applicable assessment may be shared with the Customer upon request.
- Additional technical measures: Encryption, data minimisation, and privileged access controls are applied to enhance transfer security.
Data stored on servers located within EU Member States is protected under GDPR and does not require additional transfer mechanisms.
The Customer consents to RYSTAT carrying out international data transfers using the transfer mechanisms described in this section.
9. Data Subject Requests and Assistance
RYSTAT shall provide reasonable assistance to the Customer in responding to data subject requests, to the extent possible given the nature of the processing and the service architecture. The ultimate responsibility for assessment and response lies with the data controller. Where RYSTAT receives a request directly from a data subject, it shall redirect that request to the Customer unless legally prohibited from doing so.
10. Personal Data Breaches
RYSTAT shall notify the Customer without undue delay of any personal data breach within its sphere of control that affects Customer data, in accordance with applicable law and the nature of the incident. Such notification shall include information regarding the nature of the breach, the categories of data affected, the approximate number of data subjects concerned, the measures taken, and the likely consequences. RYSTAT shall provide reasonable assistance to the Customer in investigating and mitigating the breach.
11. Audit and Information Rights
RYSTAT shall respond to reasonable information requests from the Customer within reasonable confidentiality and security parameters. On-site audit requests shall be conducted by prior arrangement and in a manner that does not compromise service security, the confidentiality of other customers, or trade secrets. RYSTAT may provide independent third-party audit reports or certifications in lieu of conducting an audit.
12. Return or Deletion of Data Upon Termination
Upon termination of the service, data shall be deleted, anonymised, or returned to the Customer in accordance with the agreement, the service architecture, and applicable legal retention obligations. Deletion from technical backups may occur within ordinary system cycles. The Customer is responsible for backing up its data prior to termination of the service.
13. Order of Precedence and Conflicts
In the event of any conflict between this document and any other contractual document, the following order of precedence shall apply:
- Signed enterprise agreement, order form, or proposal addendum
- Product-specific service terms
- Acceptable Use Policy (AUP)
- Service Level Agreement (SLA)
- This Data Processing Agreement (DPA) (with respect to data processing matters only)
- Terms of Service
- Privacy Policy
- Refund Policy
- Public disclosure documents (e.g., Sub-processor Framework)
Signed enterprise agreements, order forms, or proposals shall always take precedence over these public documents. In the event of a conflict, the most specific and most recent signed document shall prevail.
14. Contact
privacy@rystat.com
15 (New). Managed / Self-Service VDS — Product-Specific Role Allocation
15.1 Managed VDS
For Managed VDS services, RYSTAT acts as a data controller within the meaning of GDPR Article 4(7) and KVKK Article 3/1-(ı) in respect of the operational data that RYSTAT necessarily processes in order to operate the service. Such data includes:
- Server health, capacity and security metrics (CPU, RAM, disk I/O, network traffic patterns)
- Operating-system log records (auth.log, syslog, kernel log) — for security incident detection
- Off-site backup metadata (backup timestamp, size, success status)
- Support-ticket content (tickets opened from the RYSTAT panel)
For applications, database content, end-user records and application files that the Customer hosts on the server, RYSTAT continues to act as a data processor, processing such data on the Customer's documented instructions. RYSTAT accesses such data only where: (a) a support ticket opened by the Customer requires it, (b) a security-incident investigation makes such access necessary, or (c) a competent authority issues a lawful order. Each such access is recorded in the AuditLog and is visible to the Customer through the customer panel.
For data processed under its controller role within the Managed VDS scope, RYSTAT complies with the Privacy Policy / Information Notice and undertakes full adherence to the security measures set out in Section 6 of this DPA.
15.2 Self-Service VDS
For Self-Service VDS services, RYSTAT does not access the application data hosted on the Customer's server and does not carry out any processing activity on such data. In this service category, RYSTAT:
- does not even qualify as a sub-processor with respect to personal data within the Customer's application; RYSTAT acts solely as a technical infrastructure provider;
- is not the controller for application data — the Customer is the sole data controller in respect of personal data within its own application;
- processes only infrastructure-layer metrics (hardware health, aggregate network traffic, billing-account data); these are operational data that RYSTAT processes in its own capacity as data controller within the meaning of GDPR Article 4(7).
By purchasing a Self-Service VDS, the Customer acknowledges that it is solely responsible for fulfilling, in respect of its own application layer, the obligations to provide information notices under KVKK, to manage explicit consent, to respond to data-subject requests, to notify breaches and to apply technical measures.
15.3 Reference to Section 5 — Data Accessible to RYSTAT
For the purposes of Section 5 (Personnel Authorisation) of this DPA, the categories of data accessible to RYSTAT personnel vary by product model:
| Data Type | Managed VDS | Self-Service VDS |
|---|---|---|
| Hardware metrics (CPU/RAM/disk) | Accessible | Accessible |
| Operating-system log records | Accessible (operations) | Not accessible (Customer collects) |
| Server console (rescue/KVM) | Accessible (scheduled maintenance + emergency) | Only on Customer request |
| Off-site backup snapshot content | Stored; content read only on Customer request or under legal compulsion | No backups retained |
| Application database content | Only within the scope of a support ticket / security incident, AuditLog-tracked | Not accessible |
| Billing and account data | Accessible (RYSTAT controller) | Accessible (RYSTAT controller) |
All data types listed in the table are subject to the security measures set out in Section 6 and to applicable KVKK/GDPR provisions. Where the Customer wishes to control third-party access to in-application data, the Customer may request a "Customer Key (BYOK)" or an end-to-end encryption add-on.