Skip to main content

Trust Center / DPA

Data Processing Addendum outline.

This working draft identifies the 11 required topics for counsel. It is not a production agreement and is not ready for signature.

1. Controller and Processor Roles

The customer acts as controller for customer data submitted to the service. [COMPANY LEGAL NAME] acts as processor except where it processes limited account or billing data as an independent controller under applicable law.

2. Processing Purpose

Processing is limited to operating deterministic Microsoft 365 change monitoring, event history, notification delivery, reliability, security, support, and billing.

3. Data Subjects and Personal Data

Data subjects may include customer administrators, monitored-resource actors, customer users referenced by supported events, and notification recipients. Data categories are limited to identifiers, names, source-supplied change properties, timestamps, and routing data.

4. Confidentiality

Authorized personnel and contractors must be bound by confidentiality obligations and may access production data only under documented, need-based controls.

5. Security Measures

Measures include encryption in transit and at rest, tenant isolation, strict RBAC, certificate-based connector credentials, Key Vault protection, logging restrictions, and tested incident procedures.

6. Subprocessors

Named subprocessors, purposes, locations, and applicable change-notification terms will be incorporated from the public subprocessor list.

7. International Transfers

Transfers outside the EEA, including disclosed Resend metadata and log processing in the United States, require an applicable transfer mechanism and documented safeguards.

8. Data-Subject Request Assistance

ChangeWitness will provide reasonable assistance for access, correction, export, restriction, objection, and deletion requests within the service's technical scope.

9. Breach Notification Process

The final DPA will define notice timing, required incident information, communication channels, and ongoing update obligations after a confirmed personal-data breach.

10. Deletion and Return

Tenant deletion starts a 7-day recoverable period. Product event data, destinations, secrets, routing, and connector metadata are purged within 30 days of confirmed deletion, subject to legally required billing retention.

11. Audit Information

Customers will receive appropriate security, subprocessor, hosting, retention, and operational information. Any additional audit mechanism, scope, confidentiality, and cost allocation require legal review.