SecureTenant
Legal

Privacy Policy

Last updated: February 9, 2025

1

1. Controller Identity

Secure Tenant is the controller for the processing of personal data as described in this Privacy Policy, unless otherwise stated. Our details:

  • Company: Secure Tenant
  • KVK (Chamber of Commerce): 84249242
  • Address: Diepmeerven 33, 5645KG Eindhoven, Netherlands
  • Privacy contact: contact@secure-tenant.com
2

2. Dual Role: Controller and Processor

Secure Tenant acts in two capacities depending on the type of data being processed:

  • Controller — for your account data, usage data, payment data, and communication data. We determine the purposes and means of processing this data.
  • Processor — for Microsoft 365 Tenant Data (security configurations, audit logs, user metadata). You (the Customer) are the controller of this data, and we process it on your behalf under the terms of our Data Processing Agreement (DPA).
3

3. Categories of Personal Data

3.1 Account Data

  • Name and email address
  • Organization name (optional)
  • Role or title
  • Account credentials (encrypted, hashed)

3.2 Microsoft 365 Tenant Data (processed as Processor)

  • Security configuration settings (read-only)
  • User display names and email addresses
  • User roles, group memberships, and license information
  • Multi-Factor Authentication (MFA) enrollment status
  • Audit log data (timestamps, IP addresses, user activity metadata)
  • Conditional Access policies
  • Mail flow rules (may contain email addresses)

3.3 Usage Data

  • IP address and approximate location
  • Browser type and device information
  • Pages visited and features used within the Service
  • Scan history and timestamps

3.4 Payment Data

Payment information is processed directly by Stripe, Inc. We do not store your credit card numbers. We retain only transaction identifiers, invoice history, and subscription status.

3.5 Communication Data

Support tickets, emails, and other communications you send to us.

4

4. Purposes and Legal Basis for Processing

We process your personal data for the following purposes, each with a specific legal basis under Article 6 of the GDPR:

4.1 Service Delivery

Processing account data and tenant data to provide the scanning and reporting service. Legal basis: Performance of contract (Art. 6(1)(b)).

4.2 Payment Processing

Processing payment data to manage subscriptions and transactions. Legal basis: Performance of contract (Art. 6(1)(b)).

4.3 Service Improvement and Analytics

Processing usage data to improve the Service, fix bugs, and understand usage patterns. Legal basis: Legitimate interest (Art. 6(1)(f)). Our legitimate interest is to continuously improve the quality and security of the Service.

4.4 Security and Fraud Prevention

Processing usage data and account data to protect the Service and detect unauthorized access. Legal basis: Legitimate interest (Art. 6(1)(f)).

4.5 Legal Compliance

Retaining billing and transaction records as required by Dutch tax law (7-year retention). Legal basis: Legal obligation (Art. 6(1)(c)).

4.6 Customer Communications

Sending service notifications, security alerts, and updates. Legal basis: Performance of contract (Art. 6(1)(b)) for service-related communications; Consent (Art. 6(1)(a)) for marketing communications.

5

5. Data Recipients and Sharing

We share your personal data only with the following categories of recipients, under appropriate contractual safeguards:

  • Microsoft Corporation — for OAuth API access to your Microsoft 365 tenant (read-only) and for security monitoring via Microsoft Sentinel.
  • Stripe, Inc. — for secure payment processing.
  • Cloud hosting provider — for data storage and computing (EU region).
  • See our Sub-processor List for the complete and current list of all sub-processors.
6

6. International Data Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to Stripe in the United States), we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs) as adopted by the European Commission, and verification of the recipient's participation in the EU-US Data Privacy Framework where applicable. We do not sell or rent your personal data to third parties for marketing purposes.

7

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

  • Account data: retained for the duration of your active account, plus 30 days after account deletion.
  • Scan results: 12 months for Premium users; 30 days for free-tier users.
  • Audit logs (platform & security monitoring): 90 days.
  • Payment and billing records: 7 years (required by Dutch tax law / Belastingdienst).
  • Communication data (support): 2 years after resolution.
  • Inactive free-tier accounts: automatically deleted after 12 months of inactivity, following a 30-day notice.
8

8. Your Rights (GDPR Articles 15-22)

As a data subject, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Right to restriction (Art. 18) — restrict the processing of your data.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right not to be subject to automated decision-making (Art. 22) — we do not make decisions based solely on automated processing that have legal or similarly significant effects on you.
  • To exercise any of these rights, email us at contact@secure-tenant.com. We will respond within 30 days. This period may be extended by 60 days for complex requests, in which case we will inform you.
9

9. Tenant Data Subject Requests

If you are an individual whose data is contained within a Customer's Microsoft 365 Tenant Data and you wish to exercise your data subject rights, please contact the Customer (your employer or the organization that manages the tenant) directly. As a processor, Secure Tenant acts only on the Customer's instructions regarding Tenant Data. We will assist the Customer in fulfilling data subject requests as required by our DPA.

10

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Strict access controls based on the principle of least privilege.
  • Multi-Factor Authentication for internal systems.
  • Regular security assessments and vulnerability scanning.
  • Audit logging of all data access.
  • We use OAuth 2.0 tokens for Microsoft 365 access — we never store your Microsoft 365 passwords. You can revoke OAuth access at any time through your Microsoft 365 admin center.
11

11. Data Breach Notification

In the event of a personal data breach:

  • As controller (our own data): we will notify the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.
  • As processor (Tenant Data): we will notify the Customer (controller) without undue delay, and in any case within 48 hours of becoming aware of the breach, so that the Customer can fulfill its own notification obligations.
12

12. Children

The Service is not directed at individuals under 16 years of age (in accordance with the Dutch Uitvoeringswet AVG). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly.

13

13. Cookies

We use cookies and similar technologies on our website. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

14

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or through the Service. We encourage you to review this page periodically for the latest information.

15

15. Complaints

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Dutch Data Protection Authority:

  • Autoriteit Persoonsgegevens
  • Postbus 93374, 2509 AJ Den Haag
  • Website: www.autoriteitpersoonsgegevens.nl
  • You may also contact us first at contact@secure-tenant.com, and we will do our best to resolve your concern.
16

16. Contact

For questions about this Privacy Policy or to exercise your data subject rights:

  • Secure Tenant
  • KVK: 84249242
  • Address: Diepmeerven 33, 5645KG Eindhoven, Netherlands
  • Email: contact@secure-tenant.com