Data Processing Addendum

In this Data Processing Addendum ("DPA"), capitalised terms have the meanings below. Terms not defined here use the meanings in the Policytab Terms of Service ("Agreement").

• "Customer" means the organisation that registers a Policytab workspace and accepts the Agreement.
• "Controller" means the entity that determines the purposes and means of processing personal data - typically Customer for end-user data in connected Microsoft Entra tenants.
• "Processor" means Policytab when processing personal data on behalf of Customer under Customer's instructions.
• "Personal Data" means information relating to an identified or identifiable natural person processed through the Service.
• "Customer Data" means Personal Data and tenant configuration data submitted to or generated through the Service on behalf of Customer.
• "Service" means the Policytab web application, APIs, edge functions, and related infrastructure described in the Agreement.
• "Subprocessor" means a third party engaged by Policytab to process Customer Data.
• "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.
• "Standard Contractual Clauses" or "SCCs" means the contractual clauses adopted by the European Commission for international data transfers, as amended from time to time.

This DPA applies when Policytab processes Personal Data on behalf of Customer under the Agreement. Policytab acts as Processor; Customer acts as Controller for Personal Data of users and administrators in Customer's connected Microsoft Entra tenants. Policytab may act as Controller for billing contact details and workspace operator accounts used to administer the Policytab subscription itself - those are covered by the Privacy Policy, not this DPA.

This DPA does not apply to data processed solely under Customer's direct relationship with Microsoft (for example, data stored only in Microsoft's systems without being copied into Policytab). Customer remains responsible for its Microsoft 365 / Entra licensing, admin consent, and notices to its users.

If Customer and Policytab enter a separately executed enterprise agreement or countersigned DPA that expressly references this document, the executed agreement prevails over this online DPA for the covered workspace. Otherwise, in the event of conflict between this DPA and the Agreement regarding data protection, this DPA prevails. The Privacy Policy describes Policytab's own controller activities and does not limit Processor obligations here.

Policytab processes Personal Data only to provide, maintain, and secure the Service; to comply with applicable law; and as otherwise documented in the Agreement and Privacy Policy. Customer's instructions are embodied in normal product use: connecting Entra tenants, running drift analysis, viewing sign-in metadata, creating and applying approved Conditional Access changes, managing exclusions, and exporting reports where the subscription tier permits.

Customer instructs Policytab not to process Customer Data for advertising, sale to third parties, or training public machine-learning models. Customer is responsible for ensuring that its instructions - including connecting tenants and enabling outbound integrations - comply with applicable law and that Customer has provided any required notices and obtained any required consents from data subjects.

If Policytab believes an instruction infringes applicable data-protection law, Policytab will inform Customer without undue delay. Customer may suspend the relevant processing by disconnecting a tenant or disabling a feature where the product provides such controls.

Categories of Personal Data may include: directory identifiers (name, user principal name, object IDs); group membership; authentication method registration metadata; Conditional Access policy configuration; sign-in event metadata (timestamps, application, client IP where present in Graph, result codes); audit events describing operator actions in Policytab; and workspace operator account details (email, display name, role).

Categories of data subjects include: Customer's employees and contractors; Customer's end users in connected Entra tenants; and Customer's administrators who use Policytab. Credentials supplied for Microsoft Graph access (client secrets or certificates) are stored encrypted and used only to perform Customer-authorized Graph operations.

Policytab does not intentionally collect special categories of data under GDPR Article 9 through the Service. Customer should not submit such data through free-text fields if local law restricts processing without additional safeguards.

Processing continues for the term of the Agreement and for limited periods thereafter as described in the Privacy Policy and retention schedules applicable to Customer's subscription tier. Snapshot, audit, and sign-in history retention varies by plan; Enterprise workspaces may configure longer retention subject to product capabilities.

Policytab ensures that persons authorised to process Customer Data are bound by confidentiality obligations - whether by contract, statute, or professional duty. Access to production systems is limited to personnel who require it for support, security, or engineering, subject to role-based access controls and logging.

Customer is responsible for confidentiality of its workspace credentials, API keys, webhook signing secrets, and Entra app registration secrets stored in Policytab. Customer should use least-privilege roles inside Policytab and revoke access when staff leave.

Policytab implements technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.2+); encryption at rest for sensitive credentials; workspace-scoped access controls with server-side tenant ownership checks before tenant-scoped reads; isolated storage per connected customer tenant; append-only audit logging for administrative mutations; rate limiting on authentication and mutating actions; dependency patching; and separation of production and non-production environments.

Enterprise workspaces include a dedicated database instance, separate from the shared Pro platform. Policytab provisions dedicated infrastructure manually after checkout and coordinates cutover with Customer. Self-serve Enterprise features (outbound notifications, CSV exports, scheduled digests, extended audit retention) unlock at upgrade on the shared platform until dedicated cutover is complete. Dedicated provisioning does not replace Customer's obligation to evaluate overall risk and contractual requirements.

Measures evolve over time. Policytab may update security controls without materially decreasing overall protection. A summary of current practices is available on the Security & trust page and in operator documentation; Enterprise customers may request additional security documentation as described in section 14.

Customer authorises Policytab to engage Subprocessors to process Customer Data. The current Subprocessors that may process Customer Data or provide infrastructure are listed below. Microsoft Graph processes data under Customer's Entra tenant as Customer's processor; Policytab invokes Graph only with Customer-authorized credentials and consent.

• Amazon Web Services - cloud infrastructure (default production region: Canada, ca-central-1)
• Supabase - database hosting, authentication, edge functions, and vault secrets
• Vercel - application hosting and serverless execution for the Policytab web app
• Stripe - payment processing for workspace billing (billing contact data, not tenant end-users)
• Resend - transactional email delivery (e.g. contact form and operational notices)
• Microsoft Corporation - Microsoft Graph API access to Customer Entra tenant data under Customer's Microsoft relationship

Policytab remains responsible for Subprocessors to the same extent as for its own processing under this DPA. Policytab imposes data-protection obligations on Subprocessors by contract or equivalent legal mechanism. Policytab will notify Customer of intended changes to Subprocessors where contractually required, giving Customer a reasonable opportunity to object on documented reasonable grounds relating to data protection. If Customer objects and Policytab cannot reasonably accommodate the objection, either party may terminate the affected workspace in accordance with the Agreement.

An updated Subprocessor list may be provided on request to Enterprise customers or in connection with security questionnaires. Material Subprocessor changes are also reflected in the Privacy Policy subprocessors section when practicable.

Customer Data is hosted in Canada by default. Subprocessors may process data in other regions according to their infrastructure (for example, United States). Where GDPR or UK GDPR applies and Personal Data is transferred to a country without an adequacy decision, Policytab relies on appropriate safeguards such as Standard Contractual Clauses and supplementary measures where required.

Enterprise customers may request region-specific deployment or dedicated infrastructure where commercially available. Cross-border transfer mechanisms are documented in responses to enterprise security reviews and countersigned agreements when applicable.

Policytab assists Customer in responding to data subject requests under applicable data-protection law by providing export, correction, and deletion capabilities where technically feasible through the product or upon documented request. Requests concerning end-users in a Customer tenant should be directed to Customer as Controller; Policytab will support Customer's response as Processor within reasonable timeframes.

If Policytab receives a data subject request directly concerning Customer Data, Policytab will redirect the individual to Customer unless legally prohibited from doing so. Policytab may inform the individual that Customer is the appropriate contact.

On termination of the Agreement or disconnection of a tenant, Customer may export available data through product features where the subscription tier permits. After termination, Policytab deletes or returns Customer Data within a reasonable period, except where retention is required by law or for encrypted backup media with defined retention windows that are automatically purged.

Deletion of backups may lag primary database deletion by the backup retention cycle. Policytab will not restore deleted Customer Data except where required by law or to comply with a valid legal process directed to Policytab.

Policytab maintains procedures to detect, investigate, and remediate Security Incidents. Policytab will notify Customer without undue delay after confirming a Security Incident affecting Customer Data, providing information reasonably available to assist Customer in meeting its obligations to supervisory authorities and data subjects.

Notifications will describe, to the extent known: the nature of the incident; categories and approximate number of data subjects and records concerned; likely consequences; and measures taken or proposed. Policytab will cooperate with Customer's reasonable requests for additional information subject to security and legal constraints.

Enterprise customers may request security documentation, architecture summaries, and completed security questionnaires. Policytab may provide third-party audit reports or certifications when available. On-site audits are available for Enterprise workspaces by mutual agreement, subject to reasonable notice, confidentiality, and frequency limits; Customer bears its own costs unless the audit reveals a material breach of this DPA attributable to Policytab.

Customer may conduct remote audits through documentation and questionnaires rather than intrusive technical access to production systems, except where a confirmed Security Incident warrants deeper cooperation.

Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement. Customer acknowledges that Policytab's Processor liability is ancillary to the Service and that Customer's remedies for unauthorized processing are primarily directed through the Agreement's limitation of liability, except where applicable law prohibits such limitation for Processor breaches.

Customer indemnifies Policytab against claims arising from Customer's instructions, unlawful processing by Customer, or Customer's failure to obtain required consents, to the extent permitted by the Agreement.

This DPA applies for the duration of the Agreement and survives termination with respect to obligations that logically continue (confidentiality, deletion assistance, incident records). Policytab may update this online DPA to reflect legal, technical, or product changes. Material changes will be posted with an updated "Last updated" date. Continued use of the Service after posting constitutes acceptance for workspaces not covered by a separately executed enterprise agreement.

DPA, privacy, and security questions: contact via the addresses in the Agreement or the contact form. Enterprise customers requiring a countersigned DPA or custom data-processing terms should select an enterprise inquiry when contacting us.

Questions or a countersigned copy: support@policytab.com or the contact form (enterprise inquiry).