How Wintive processes personal data on behalf of its customers.
This Data Processing Agreement (“DPA”) supplements our Terms (and is governed by the same law, that of the State of New Mexico) and applies where Wintive processes personal data on behalf of a customer.
Parties and roles
For personal data contained in a customer’s Microsoft 365 tenant, the customer is the controller and Wintive acts as the processor, processing that data only on the customer’s documented instructions.
Scope and purpose of processing
Wintive processes tenant data solely to perform the services you have engaged — the M365 Instant Audit, the M365 Master Audit (assessment and remediation), and/or M365 Managed Plans — and to produce the resulting reports. We do not use customer data for any other purpose.
Categories of data and data subjects
Categories may include user and administrator identifiers (e.g., user principal names) and security configuration, sign-in, and usage signals from Microsoft 365. Data subjects are the customer’s users and administrators.
Sub-processors
Wintive engages the sub-processors listed on our sub-processors page and imposes data-protection obligations on them. We will inform customers of changes and give a reasonable opportunity to object.
Security measures
Wintive maintains technical and organizational measures appropriate to the risk, including least-privilege access (read-only for the M365 Instant Audit; changes made only with your authorization for remediation and M365 Managed Plans), application-only authentication, no storage of refresh tokens, encryption in transit, access-controlled storage, and MFA on administrative access. See our Security page.
Assistance and data subject requests
Taking into account the nature of the processing, Wintive will assist the controller in responding to data subject requests and in meeting its security and breach obligations.
Personal data breach notification
Wintive will notify the controller without undue delay after becoming aware of a personal data breach affecting the controller’s data.
International data transfers
Where personal data is transferred across borders, Wintive relies on an appropriate transfer mechanism (such as Standard Contractual Clauses) where required.
Return and deletion of data
Upon termination of the services, Wintive will delete or return the controller’s personal data, except where retention is required by law.
Contact
For a countersigned copy or questions, contact privacy@wintive.com.