
Data Processing Agreement

Effective Date: December 3, 2024 · Last Updated: March 14, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • "Controller" or "Customer": The entity that has agreed to the Veri-Tech Terms of Service and uses the Service.
  • "Processor" or "Veri-Tech": Veri-Tech, operating the Veri-Tech platform.

This DPA supplements and forms part of the Veri-Tech Terms of Service ("Agreement"). In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data processing matters.

2. Definitions

  • "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including but not limited to the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), and any other applicable state, national, or international data protection laws.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Veri-Tech in connection with the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • "Sub-Processor" means any third party engaged by Veri-Tech to process Personal Data on behalf of the Customer.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Tenant Configuration Data" means Microsoft 365 policy configurations, settings, and metadata retrieved from Customer's tenant through the Microsoft Graph API.

3. Scope and Roles

3.1 Roles

  • Customer is the Controller: Customer determines the purposes and means of processing Personal Data by deciding to use the Service and selecting which tenants to connect, which assessments to run, and which remediation actions to authorize.
  • Veri-Tech is the Processor: Veri-Tech processes Personal Data only on behalf of and under the instructions of the Customer, as described in this DPA and the Agreement.

3.2 Nature of Processing

Category | Details
Subject Matter | Provision of SOP generation, compliance assessment, and automated remediation services for Microsoft 365 tenants
Duration | For the term of the Agreement plus any post-termination retention period
Nature of Processing | Collection, storage, analysis, and generation of reports from tenant configuration data; application of remediation changes to tenant configurations
Purpose | To provide the Service as described in the Agreement
Categories of Data Subjects | Customer's administrators and authorized users
Categories of Personal Data | Account identifiers (name, email, Entra Object ID), tenant identifiers, IP addresses, service usage data

3.3 Tenant Configuration Data

The majority of data processed by the Service consists of Tenant Configuration Data — organizational policy settings, device management configurations, and security controls. This data generally does not constitute Personal Data as it describes organizational configurations rather than identified individuals. To the extent any Tenant Configuration Data includes or references Personal Data (e.g., user assignments in Conditional Access policies, named accounts), it is processed in accordance with this DPA.

4. Customer Obligations

4.1 Customer is responsible for ensuring that its use of the Service and instructions to Veri-Tech comply with Applicable Data Protection Laws.

4.2 Customer represents and warrants that it has obtained all necessary consents, authorizations, and legal bases required for Veri-Tech to process Personal Data as contemplated by this DPA.

4.3 Customer is responsible for the accuracy, quality, and legality of Personal Data provided to or accessed by Veri-Tech through the Service.

4.4 Customer shall promptly notify Veri-Tech of any data subject requests it receives that relate to Veri-Tech's processing of Personal Data.

5. Veri-Tech Obligations

5.1 Processing Instructions

Veri-Tech shall:

  1. Process Personal Data only on documented instructions from the Customer, including as specified in this DPA, the Agreement, and any subsequent written instructions, unless required to do so by applicable law (in which case Veri-Tech shall inform Customer before processing, unless prohibited by law);
  2. Inform the Customer if, in Veri-Tech's opinion, an instruction infringes Applicable Data Protection Laws;
  3. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2 Security Measures

Veri-Tech shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit: TLS 1.2+ on all connections
  • Encryption at rest: Azure Storage Service Encryption (AES-256)
  • Authentication: X.509 certificate-based authentication (HSM-backed) for tenant access; internal JWT (HMAC-SHA256) for API authentication
  • Access control: Role-based access control (RBAC) with least-privilege scoping to specific Azure resources
  • Just-in-time permissions: Write permissions elevated on demand and automatically revoked after use
  • Rate limiting: Per-tenant rate limiting on all API endpoints
  • Audit logging: Structured logging via Azure Application Insights with audit event tracking
  • Input validation: GUID validation and input sanitization on all API endpoints
  • Break-glass verification: Emergency access account verification before remediation operations
  • Phased deployment: Observation periods between remediation phases

5.3 Sub-Processors

(a) Customer grants general authorization for Veri-Tech to engage Sub-Processors listed in Annex A below.

(b) Veri-Tech shall inform Customer of any intended changes to Sub-Processors by updating the Sub-Processor list and providing at least thirty (30) days' advance notice. Customer may object to a new Sub-Processor by notifying Veri-Tech within the notice period. If the objection cannot be resolved, Customer may terminate the Agreement.

(c) Veri-Tech shall enter into written agreements with each Sub-Processor that impose data protection obligations substantially similar to those in this DPA.

(d) Veri-Tech remains fully liable for the acts and omissions of its Sub-Processors.

5.4 Data Subject Rights

Veri-Tech shall, to the extent possible and taking into account the nature of the processing, assist Customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) under Applicable Data Protection Laws.

5.5 Data Breach Notification

(a) Veri-Tech shall notify Customer of any confirmed Data Breach without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach.

(b) The notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including categories and approximate number of data subjects and records concerned;
  • The name and contact details of Veri-Tech's point of contact;
  • A description of the likely consequences of the Data Breach;
  • A description of measures taken or proposed to address the Data Breach, including mitigation.

(c) Veri-Tech shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

5.6 Data Protection Impact Assessments

Veri-Tech shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Applicable Data Protection Laws.

5.7 Audits

(a) Veri-Tech shall make available to Customer information necessary to demonstrate compliance with this DPA.

(b) Veri-Tech shall allow for and contribute to audits, including inspections, conducted by Customer or a qualified third-party auditor mandated by Customer, subject to reasonable advance notice (at least thirty days), reasonable scope and duration, confidentiality obligations binding the auditor, and costs borne by Customer unless the audit reveals material non-compliance by Veri-Tech.

(c) Veri-Tech may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2 Type II), or third-party assessment results where available.

6. Data Transfers

6.1 Data Location

Customer Data is processed and stored in Microsoft Azure data centers in the United States (East US 2 region). Portal hosting is provided by Vercel in the United States (iad1).

6.2 International Transfers

Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States:

(a) Veri-Tech relies on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as applicable;

(b) Where the Data Privacy Framework does not apply, Veri-Tech shall ensure appropriate safeguards are in place, including the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor), which are incorporated by reference into this DPA;

(c) Customer may request a copy of the applicable transfer mechanisms by contacting privacy@veri-tech.net.

7. Data Retention and Deletion

7.1 During the Agreement

Veri-Tech retains Customer Data for the duration of the Agreement as necessary to provide the Service.

7.2 Upon Termination

Upon termination of the Agreement:

  1. Veri-Tech shall, at Customer's choice, return or delete all Personal Data within thirty (30) days, unless retention is required by applicable law;
  2. Veri-Tech shall provide Customer with the ability to export data prior to deletion;
  3. Backup copies shall be deleted within ninety (90) days of termination;
  4. Veri-Tech shall certify deletion upon Customer's written request.

7.3 Survival

Obligations relating to confidentiality, data breach notification, and audit rights survive termination of this DPA for a period of twelve (12) months or as required by Applicable Data Protection Laws.

8. Liability

Each Party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not modify or increase the liability caps established in the Agreement.

9. General

9.1 Governing Law. This DPA is governed by the same law that governs the Agreement, except that mandatory provisions of Applicable Data Protection Laws shall take precedence.

9.2 Amendments. This DPA may be amended only by a written instrument signed by both Parties, except that Veri-Tech may update the Sub-Processor list in accordance with Section 5.3.

9.3 Severability. If any provision of this DPA is found unenforceable, the remaining provisions remain in full force and effect.

9.4 Entire Agreement. This DPA, together with the Agreement, constitutes the entire data processing agreement between the Parties.


Annex A — Sub-Processors

Sub-Processor | Purpose | Data Processed | Location
Microsoft Azure | Cloud infrastructure (compute, storage, networking) | Tenant configuration data, job records, generated documents, audit logs | United States (East US 2)
Microsoft Graph API | Tenant data access (read and write) | Tenant configuration settings, policy definitions, assignments | Microsoft global infrastructure
Stripe, Inc. | Payment processing and subscription management | Customer billing information, subscription status, invoice history | United States
Vercel, Inc. | Web application hosting (portal) | Session tokens, authentication cookies, page requests | United States (iad1)
Azure Application Insights | Application performance monitoring and audit logging | Service telemetry, error logs, anonymized usage data, audit events | United States

Annex B — Technical and Organizational Measures

Access Control

  • Microsoft Entra ID-based authentication for all users
  • Role-based access control with five roles: viewer, member, admin, owner, billing
  • 18 granular permissions mapped to roles with hierarchical inheritance
  • Managed identity authentication for service-to-service communication

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for all data at rest (Azure Storage Service Encryption)
  • X.509 certificate-based authentication stored in Azure Key Vault (HSM-backed)
  • HMAC-SHA256 for internal API token signing

Data Minimization

  • Read-only tenant access by default; write permissions granted JIT only
  • Configuration data processed — no access to user mail, files, or communications
  • Write permissions automatically revoked after remediation completion
  • No persistent storage of Microsoft account credentials

Availability and Resilience

  • Azure Container Apps with configurable scaling
  • Azure Blob Storage with geo-redundant replication
  • Health monitoring endpoints with automated alerting
  • Phased remediation with observation periods to prevent cascading failures

Incident Response

  • Structured audit logging for all security-relevant events
  • Automated monitoring and alerting via Application Insights
  • Documented incident response procedures
  • 72-hour breach notification commitment

Contact Information

Veri-Tech — Data Protection
Email: privacy@veri-tech.net
Legal: legal@veri-tech.net
Website: veri-tech.net

© 2026 Veri-Tech, Inc. All rights reserved.