Trust Center / DPA
Data Processing Addendum outline.
This working draft identifies the 11 required topics for counsel. It is not a production agreement and is not ready for signature.
1. Controller and Processor Roles
The customer acts as controller for customer data submitted to the service. [COMPANY LEGAL NAME] acts as processor except where it processes limited account or billing data as an independent controller under applicable law.
2. Processing Purpose
Processing is limited to operating deterministic Microsoft 365 change monitoring, event history, notification delivery, reliability, security, support, and billing.
3. Data Subjects and Personal Data
Data subjects may include customer administrators, monitored-resource actors, customer users referenced by supported events, and notification recipients. Data categories are limited to identifiers, names, source-supplied change properties, timestamps, and routing data.
4. Confidentiality
Authorized personnel and contractors must be bound by confidentiality obligations and may access production data only under documented, need-based controls.
5. Security Measures
Measures include encryption in transit and at rest, tenant isolation, strict RBAC, certificate-based connector credentials, Key Vault protection, logging restrictions, and tested incident procedures.
6. Subprocessors
Named subprocessors, purposes, locations, and applicable change-notification terms will be incorporated from the public subprocessor list.
7. International Transfers
Transfers outside the EEA, including disclosed Resend metadata and log processing in the United States, require an applicable transfer mechanism and documented safeguards.
8. Data-Subject Request Assistance
ChangeWitness will provide reasonable assistance for access, correction, export, restriction, objection, and deletion requests within the service's technical scope.
9. Breach Notification Process
The final DPA will define notice timing, required incident information, communication channels, and ongoing update obligations after a confirmed personal-data breach.
10. Deletion and Return
Tenant deletion starts a 7-day recoverable period. Product event data, destinations, secrets, routing, and connector metadata are purged within 30 days of confirmed deletion, subject to legally required billing retention.
11. Audit Information
Customers will receive appropriate security, subprocessor, hosting, retention, and operational information. Any additional audit mechanism, scope, confidentiality, and cost allocation require legal review.