Data Processing Agreement

How Wintive processes personal data on behalf of its customers.

This Data Processing Agreement (“DPA”) supplements our Terms (and is governed by the same law — the State of New Mexico) and applies where Wintive processes personal data on behalf of a customer.

Parties and roles

For personal data contained in a customer’s Microsoft 365 tenant, the customer is the controller and Wintive acts as the processor, processing that data only on the customer’s documented instructions.

Scope and purpose of processing

Wintive processes tenant data solely to perform the services you have engaged — the M365 Instant Audit, the M365 Master Audit (assessment and remediation), and/or M365 Managed Plans — and to produce the resulting reports. We do not use customer data for any other purpose.

Categories of data and data subjects

Categories may include user and administrator identifiers (e.g., user principal names) and security configuration, sign-in, and usage signals from Microsoft 365. Data subjects are the customer’s users and administrators.

Sub-processors

Wintive engages the sub-processors listed on our sub-processors page and imposes data-protection obligations on them. We will inform customers of changes and give a reasonable opportunity to object.

Security measures

Wintive maintains technical and organizational measures appropriate to the risk, including least-privilege access (read-only for the M365 Instant Audit; changes made only with your authorization for remediation and M365 Managed Plans), application-only authentication, no storage of refresh tokens, encryption in transit, access-controlled storage, and MFA on administrative access. See our Security page.

Assistance and data subject requests

Taking into account the nature of the processing, Wintive will assist the controller in responding to data subject requests and in meeting its security and breach obligations.

Personal data breach notification

Wintive will notify the controller without undue delay after becoming aware of a personal data breach affecting the controller’s data.

International data transfers

Where personal data is transferred across borders, Wintive relies on an appropriate transfer mechanism (such as Standard Contractual Clauses) where required.

Return and deletion of data

Upon termination of the services, Wintive will delete or return the controller’s personal data, except where retention is required by law.

Contact

For a countersigned copy or questions, contact privacy@wintive.com.

Scroll to Top