Data Processing Agreement

Last updated: February 9, 2025

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Secure Tenant ("Processor") and the Customer ("Controller") and governs the processing of personal data contained within the Customer's Microsoft 365 Tenant Data. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

Capitalized terms not defined herein have the meaning given to them in the Terms of Service or the GDPR. Additionally:

  • "Personal Data" — any information relating to an identified or identifiable natural person within the Tenant Data.
  • "Processing" — any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Sub-processor" — any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Supervisory Authority" — the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

3. Subject Matter and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller for the following purpose: automated, read-only security assessment and compliance auditing of the Controller's Microsoft 365 environment. The processing includes retrieving, analyzing, and storing security configuration data, audit logs, and user metadata to generate security assessment reports and compliance recommendations.

4. Types of Personal Data Processed

  • User display names and email addresses
  • User roles, group memberships, and license assignments
  • Multi-Factor Authentication (MFA) enrollment status
  • Audit log data (timestamps, IP addresses, user agent strings, activity metadata)
  • Conditional Access policy configurations
  • Mail flow rules (which may contain email addresses)
  • Login and sign-in activity metadata

5. Categories of Data Subjects

  • Employees and staff of the Controller's organization
  • Guest users and external collaborators in the Controller's tenant
  • For MSP Customers: employees and users of the MSP's managed clients

6. Duration of Processing

The Processor shall process Personal Data for the duration of the subscription agreement. Upon termination, the provisions of Section 13 (Data Deletion and Return) apply.

7. Controller's Obligations

The Controller shall:

  • Provide documented instructions for the processing of Personal Data.
  • Ensure that it has a lawful basis for the processing and for transferring Personal Data to the Processor.
  • Inform the Processor of any data subject requests received and coordinate responses.
  • Conduct a Data Protection Impact Assessment (DPIA) where required by Article 35 GDPR.
  • Ensure it has the administrative authority to grant OAuth consent for each tenant submitted for scanning.
  • For MSP Controllers: maintain documented authorization from each managed client for the scanning of their tenant.

8. Processor's Obligations

The Processor shall, in accordance with Article 28(3) GDPR:

  • (a) Process Personal Data only on the documented instructions of the Controller, unless required by EU or Member State law.
  • (b) Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • (c) Implement appropriate technical and organizational security measures as described in Annex: Security Measures.
  • (d) Comply with the conditions for engaging sub-processors as set out in Section 9.
  • (e) Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
  • (f) Assist the Controller with its obligations regarding data breach notification, DPIAs, and prior consultation with the supervisory authority.
  • (g) At the Controller's choice, delete or return all Personal Data upon termination of the service, and delete existing copies unless EU or Member State law requires retention.
  • (h) Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
  • (i) Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR.

9. Sub-processor Management

9.1 General Authorization

The Controller provides general authorization for the Processor to engage sub-processors for the processing of Personal Data, subject to the conditions in this section.

9.2 Current Sub-processors

The current list of sub-processors is maintained on our Sub-processor List page and forms part of this DPA.

9.3 Notification of Changes

The Processor shall notify the Controller at least 30 days in advance before adding or replacing a sub-processor. Notification will be sent via email to the Controller's registered email address.

9.4 Right to Object

The Controller may object to the appointment of a new sub-processor within 14 days of receiving notification. If the Controller objects, the parties shall work in good faith to resolve the objection. If no resolution is reached within 30 days, the Controller may terminate the affected services without penalty.

9.5 Sub-processor Obligations

The Processor shall impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and shall remain fully liable for the acts and omissions of its sub-processors.

10. International Data Transfers

The Processor shall not transfer Personal Data outside the EEA without appropriate safeguards. Where sub-processors are located outside the EEA, the Processor shall ensure that: (a) EU Standard Contractual Clauses are in place; (b) a Transfer Impact Assessment has been conducted; and (c) supplementary technical measures (such as encryption) are implemented where necessary.

11. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

  • Encryption: AES-256 at rest, TLS 1.2+ in transit.
  • Access controls: Role-based access, principle of least privilege, multi-factor authentication for all internal systems.
  • Network security: Firewalls, intrusion detection, network segmentation.
  • Application security: Secure development lifecycle (SDLC), regular code reviews, OWASP-aligned security testing.
  • OAuth token security: Encrypted storage, automatic rotation, immediate revocation upon service termination.
  • Monitoring and logging: Continuous monitoring, centralized logging, anomaly detection.
  • Vulnerability management: Regular scanning, timely patching, responsible disclosure program.
  • Business continuity: Regular encrypted backups, disaster recovery procedures, tested recovery plans.
  • Personnel security: Background checks, security awareness training, confidentiality agreements.

12. Data Breach Notification

In the event of a Data Breach involving Personal Data processed under this DPA, the Processor shall:

  • Notify the Controller without undue delay, and in any case within 48 hours of becoming aware of the breach.
  • Provide the Controller with the following information: (a) nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed to mitigate the breach.
  • Provide ongoing updates as additional information becomes available.
  • Assist the Controller in notifying the Autoriteit Persoonsgegevens and affected data subjects where required.
  • Document the breach and the steps taken to address it.

13. Data Deletion and Return

Upon termination of the service agreement:

  • The Controller may request export of all Personal Data in a standard machine-readable format (JSON or CSV) within 30 days of termination.
  • After the 30-day export period, the Processor shall permanently delete all Personal Data within 30 additional days.
  • Upon request, the Processor shall provide written certification that all Personal Data has been deleted.
  • Exceptions: The Processor may retain Personal Data where required by EU or Dutch law (e.g., tax records), in which case the Processor shall inform the Controller of the specific retention requirement.

14. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, subject to the following conditions:

  • Audits may be conducted once per calendar year, unless a Data Breach or material non-compliance triggers additional audit rights.
  • The Controller shall provide at least 30 days' written notice before conducting an audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
  • The Controller may appoint a qualified independent third-party auditor, subject to confidentiality obligations.
  • As an alternative to an on-site audit, the Controller may accept the Processor's current SOC 2 Type II report, ISO 27001 certification, or equivalent independent security assessment.
  • Costs of audits are borne by the Controller, unless the audit reveals material non-compliance by the Processor.

15. Liability

The liability of each party under this DPA is subject to the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of its GDPR obligations to the extent such limitation would be prohibited by applicable law.

16. Contact

For questions about this DPA:

  • Secure Tenant
  • KVK: 84249242
  • Address: Diepmeerven 33, 5645KG Eindhoven, Netherlands
  • Email: contact@secure-tenant.com