
Data Processing Agreement (DPA)

Last updated: 3 May 2026

This Data Processing Agreement ("DPA") governs the processing of personal data by olyteck ("Processor") on behalf of a Customer ("Controller") in connection with their use of Cyber. It is incorporated by reference into the Terms of Service and applies whenever the Service processes personal data describing identified or identifiable individuals from the Customer's Microsoft 365 tenant (e.g. the names, UPNs and email addresses of the Customer's employees and external guests that the scanner enumerates).

1. Parties and definitions

  • Customer / Controller: the organisation that signed up for the Service and connected its Microsoft 365 tenant.
  • Cyber / Processor: olyteck, operating under SIRET 993 174 499 00018.

Terms such as "personal data", "processing", "data subject", "controller", "processor", and "sub-processor" have the meanings given to them in the EU GDPR.

2. Subject-matter and purpose

  • Subject-matter: read-only enumeration of the Customer's Microsoft 365 tenant — SharePoint sites, OneDrive drives, Teams, Entra ID identities, consented OAuth applications, and tenant-level posture — to produce findings for the Customer's security, hygiene and storage-cost review. Where the Customer enables remediation actions, scoped writes carried out by an authorised tenant administrator are also within scope.
  • Duration: for as long as the Customer's subscription is active, plus the retention windows in §7.
  • Nature of the processing: automated reads of Microsoft Graph endpoints; storage of SAFE-payload metadata (Graph IDs, display names, counts, timestamps, severity); never file contents, share URLs, or persistent access tokens.
  • Categories of data subjects: employees, contractors, external guests, and service principals enumerated in the Customer's Microsoft 365 tenant.
  • Categories of personal data: Entra Object IDs and UPNs, work email addresses, display names, role membership, sign-in timestamps, license assignment booleans, OAuth-app consent metadata. No special categories (Art. 9 GDPR) and no criminal-conviction data (Art. 10) are intentionally processed.

3. Roles and instructions

Cyber acts as a processor for the Customer's tenant data. The Customer is and remains the controller. Cyber processes personal data only on the Customer's documented instructions, including the act of using the product as described in the public documentation. Cyber will inform the Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member-State data-protection law.

4. Cyber's obligations as processor (Art. 28(3))

  • Process personal data only on documented Customer instructions, including with regard to international transfers (§6).
  • Ensure that staff with access are bound by confidentiality.
  • Implement the technical and organisational measures described in §5 ("TOMs").
  • Engage sub-processors only under §6 and only under contracts that impose data-protection obligations equivalent to those in this DPA.
  • Assist the Customer in responding to data-subject requests (Art. 12–22), DPIAs (Art. 35), prior consultations (Art. 36), and security/breach obligations (Art. 32–34) to the extent reasonably possible.
  • Notify the Customer without undue delay (and in any case within 72 hours) of becoming aware of any personal-data breach affecting the Customer's data.
  • At the Customer's choice, delete or return all personal data at the end of the service, save where Union or Member-State law (e.g. accounting retention) requires further storage.
  • Make available all information necessary to demonstrate compliance and allow for and contribute to audits (§8).

5. Security measures (Art. 32 — TOMs)

  • TLS 1.2+ for all traffic between the Customer and the Service.
  • Encryption at rest for the application database (AES-256 or equivalent).
  • Microsoft Entra (Azure AD) SSO — no application-managed passwords, no plaintext credentials.
  • Principle of least privilege for staff access; mutating operations are CSRF-protected and audit-logged.
  • Session cookies HttpOnly, Secure, SameSite=Lax with rotation on every privilege change.
  • Parameterised SQL throughout — no user input is concatenated into queries.
  • Microsoft Graph access tokens are held only in memory for the duration of a single scan and discarded afterwards. Where a persistent credential is required for scheduled scans (a refresh token, or an application credential under the client-credentials flow, which itself issues no refresh token), it is stored encrypted and scoped to the Customer's tenant only.
  • Segregation of customer data: every row carries a tenant_id and every query is scoped to it. Cross-tenant reads are not part of the application surface.
  • Daily backups of the application database with a 30-day rolling window; backup encryption at rest.
  • Incident-response runbook with a 72-hour notification target.
  • Annual review of the TOMs; this DPA's "Last updated" date reflects the most recent revision.
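The two data-access measures above (parameterised SQL, and a tenant_id on every row with every query scoped to it) are easiest to see in code. The following is an added illustration written for this page, not the Service's own implementation; the findings table, its columns, the in-memory SQLite database and the sample tenant values are all assumptions made for the example.

```python
"""Tenant-scoped, parameterised data access (illustrative example, not the
Service's code). Table and column names are assumed for the demonstration."""
import sqlite3

# Assumed schema: every row carries tenant_id, mirroring the TOM in §5.
SCHEMA = """
CREATE TABLE findings (
    id         INTEGER PRIMARY KEY,
    tenant_id  TEXT NOT NULL,
    object_id  TEXT NOT NULL,   -- Entra object ID of the affected principal
    upn        TEXT NOT NULL,
    severity   TEXT NOT NULL,
    resolved   INTEGER NOT NULL DEFAULT 0
);
CREATE INDEX findings_tenant ON findings (tenant_id);
"""


class TenantScope:
    """All reads and writes go through one object whose tenant_id is fixed at
    construction and bound as a query parameter; it is never interpolated into
    SQL text, and no method exists that omits the tenant predicate."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self.conn = conn
        self.tenant_id = tenant_id

    def add_finding(self, object_id, upn, severity):
        cur = self.conn.execute(
            "INSERT INTO findings (tenant_id, object_id, upn, severity) "
            "VALUES (?, ?, ?, ?)",
            (self.tenant_id, object_id, upn, severity),
        )
        return cur.lastrowid

    def findings_by_upn(self, upn):
        # The caller-supplied UPN is a bound parameter, so quote characters in
        # it are data, not SQL; the tenant predicate is always present.
        rows = self.conn.execute(
            "SELECT object_id, upn, severity FROM findings "
            "WHERE tenant_id = ? AND upn = ?",
            (self.tenant_id, upn),
        ).fetchall()
        return [tuple(r) for r in rows]

    def resolve(self, finding_id):
        # Mutations are scoped too: a row id belonging to another tenant
        # matches nothing, so rowcount reports 0 rather than silently writing.
        cur = self.conn.execute(
            "UPDATE findings SET resolved = 1 WHERE tenant_id = ? AND id = ?",
            (self.tenant_id, finding_id),
        )
        return cur.rowcount


def demo():
    """Two tenants share one table; neither can read or mutate the other's rows,
    and an injection-shaped UPN is stored and matched as a plain literal."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a = TenantScope(conn, "tenant-a")   # constructed sample tenants
    b = TenantScope(conn, "tenant-b")
    fa = a.add_finding("obj-1", "alice@a.example", "high")
    fb = b.add_finding("obj-2", "bob@b.example", "medium")
    a.add_finding("obj-3", "x' OR '1'='1", "low")   # constructed hostile value
    results = {
        "a_sees_own": a.findings_by_upn("alice@a.example"),
        "a_sees_b": a.findings_by_upn("bob@b.example"),
        "injection_literal": a.findings_by_upn("x' OR '1'='1"),
        "injection_no_match": a.findings_by_upn("' OR '1'='1"),
        "cross_tenant_update": a.resolve(fb),
        "own_update": a.resolve(fa),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that tenant isolation is a property of the only data-access path, not a convention each query author must remember: there is no method on the repository that can run without the tenant predicate, and the `rowcount` of 0 on a cross-tenant update is the observable evidence a test or audit can check.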

6. Sub-processors and international transfers

The Customer authorises Cyber to engage the following sub-processors. Each is bound by a written contract imposing data-protection obligations equivalent to those in this DPA:

  • Microsoft Ireland Operations Ltd. — Microsoft Graph API, called on the Customer's behalf to enumerate the tenant. Tenant data resides in the Customer's own Microsoft 365 region (typically EU for our customer base).
  • Stripe Payments Europe, Ltd. (Ireland) — subscription billing. Payment-card data never reaches Cyber's servers.
  • Google Ireland Ltd. — Google Analytics 4 on the public marketing pages only. Loads only after the visitor clicks "Accept" on our consent banner. Configured with IP anonymisation; Advertising features and Google Signals are OFF. Does not run inside the authenticated app.
  • EU-region cloud host — application server, application database, scheduled cron workers. EU data residency.
  • Transactional email provider — sends receipts, weekly digests, scan-failure alerts, and (only with explicit Customer-user opt-in) the trial-onboarding sequence.

Where a sub-processor processes data outside the European Economic Area, transfers rely on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914) and, where available, the EU-US Data Privacy Framework, with supplementary technical measures (encryption in transit, access control, IP truncation in the case of Google Analytics).

Cyber will give the Customer at least 30 days' notice before adding or replacing a sub-processor that materially handles Customer personal data. Notice is given by email to the tenant's administrator address. The Customer may object on reasonable grounds; if the parties cannot agree on an alternative, the Customer may terminate the affected portion of the Service for cause.

7. Storage location and retention

Application data is hosted in the European Union. Default retention windows:

  • Account / tenant data — for the lifetime of the subscription, plus 30 days after deletion.
  • Active findings — kept for as long as they remain unresolved on the tenant.
  • Resolved findings — 180 days, then hard-deleted by the retention worker.
  • Scan-run history — 90 days for scheduled runs; 180 days for admin-triggered manual deep scans.
  • Audit log — 24 months.
  • Public-page analytics — 25 months (CNIL ceiling for the cookieless server-side counter).
  • Billing records — 10 years (French accounting law).

8. Audit

Once per year and on at least 30 days' written notice, the Customer (or an independent auditor it mandates, subject to confidentiality) may audit Cyber's compliance with this DPA. Cyber may instead provide a summary of an independent third-party audit or security attestation where available. The Customer bears the cost of its own audits unless the audit reveals a material non-compliance, in which case Cyber bears its reasonable costs.

9. Assistance with data-subject requests

Where a data subject contacts the Customer exercising a GDPR right — access, rectification, erasure, restriction, portability, objection, or rights related to automated processing under Art. 22 — and the request concerns data processed through the Service, Cyber will provide reasonable technical assistance to the Customer to enable it to respond within the statutory deadline. Where a data subject contacts Cyber directly, Cyber will redirect them to the Customer.

10. Liability and termination

The liability cap in the Terms of Service also governs claims under this DPA, except where prohibited by law. This DPA terminates automatically when the underlying service agreement terminates.

11. Governing law

This DPA is governed by French law. The courts of Paris, France have exclusive jurisdiction, without prejudice to any mandatory consumer-protection rules that may apply.

12. Contact

For DPA questions, countersigned copies, or breach notifications, email [email protected]. Operator: olyteck — SIRET 993 174 499 00018.

© 2026 olyteck. All rights reserved.
SIRET: 993 174 499 00018  ·  VAT: Not applicable — Article 293 B French Tax Code