Applicable Data Protection Law means all laws and regulations applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process, Processed, and Processing have the meanings given in Applicable Data Protection Law.
Customer Personal Data means any Personal Data processed by Kyberbyte on behalf of the Customer in connection with the Services.
Services means the website, portal, reports, scans, dashboards, APIs, support, and related services provided by Kyberbyte under the Terms and Conditions.
Subprocessor means any third party appointed by Kyberbyte to process Customer Personal Data on behalf of the Customer in connection with the Services.
The parties acknowledge that, for the processing of Customer Personal Data under this DPA, the Customer is the Controller and Kyberbyte is the Processor, except to the extent Kyberbyte acts as a Controller in its own right for business administration, account management, billing, fraud prevention, security logging, legal compliance, and other purposes identified in its Privacy Policy.
The Customer instructs Kyberbyte to process Customer Personal Data only as necessary to provide the Services, perform the Terms and Conditions, comply with documented lawful instructions from the Customer, and comply with Applicable Data Protection Law.
If Kyberbyte believes an instruction infringes Applicable Data Protection Law, Kyberbyte will inform the Customer without undue delay unless prohibited from doing so by law.
The subject matter, duration, nature, and purpose of the processing, together with the types of Personal Data and categories of Data Subjects, are set out in Schedule 1.
The Customer is responsible for ensuring that it has all necessary rights, consents, notices, permissions, and lawful bases required to disclose or make available Customer Personal Data to Kyberbyte and to instruct Kyberbyte to process it.
The Customer remains responsible for complying with its obligations as Controller under Applicable Data Protection Law.
Kyberbyte shall:
Kyberbyte will implement and maintain appropriate technical and organisational measures for the protection of Customer Personal Data. Measures may include:
No method of transmission over the internet or method of electronic storage is completely secure. Kyberbyte does not warrant absolute security, but will maintain measures appropriate to the risks presented by the processing.
The Customer grants Kyberbyte general written authorisation to appoint Subprocessors for the processing of Customer Personal Data, provided that Kyberbyte remains responsible for the performance of its Subprocessors' obligations where required by Applicable Data Protection Law.
Current Subprocessors are listed in Schedule 2. Kyberbyte will ensure that each Subprocessor is bound by written terms providing a level of protection for Customer Personal Data that is no less protective, in all material respects, than the obligations imposed on Kyberbyte under this DPA.
Kyberbyte will not transfer Customer Personal Data outside the United Kingdom unless it has taken such measures as are necessary to ensure the transfer is compliant with Applicable Data Protection Law. Such measures may include transferring Customer Personal Data to a country subject to adequacy regulations or using an approved transfer mechanism and carrying out any required transfer assessment.
If Kyberbyte receives a request from a Data Subject relating to Customer Personal Data, Kyberbyte will, unless legally prohibited, promptly notify the Customer. Kyberbyte will not respond directly to the request except on the Customer's documented instructions or where required by law.
Kyberbyte will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and, to the extent available, provide reasonable information to assist the Customer in meeting any notification obligations.
Kyberbyte will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Any audit or inspection rights shall be exercised:
Kyberbyte may satisfy audit obligations by providing current third-party audit reports, security summaries, certifications, questionnaires, policies, or other information reasonably demonstrating compliance where appropriate.
On termination or expiry of the Services, and on the Customer's written request, Kyberbyte will delete or return Customer Personal Data, unless retention is required by law or reasonably necessary for the establishment, exercise, or defence of legal claims, fraud prevention, backup cycling, or security logging retention periods.
Each party's liability arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Terms and Conditions, unless Applicable Data Protection Law requires otherwise.
Nothing in this DPA removes or reduces either party's liability to Data Subjects or regulators to the extent such liability cannot lawfully be excluded or limited.
If there is any conflict between this DPA and any other agreement between the parties relating to the processing of Customer Personal Data, this DPA shall prevail to the extent of that conflict.
This DPA is governed by the law of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction unless mandatory law requires otherwise.
| Item | Description |
|---|---|
| Subject matter | Processing of Personal Data by Kyberbyte in connection with the provision of the Services, including tenant connection, data ingestion, scan execution, report generation, support, troubleshooting, security monitoring, and delivery of outputs to the Customer |
| Duration | For the period during which Kyberbyte provides the Services to the Customer and for any limited retention period afterwards in accordance with the Terms and Conditions, this DPA, and applicable law |
| Nature and purpose | Receiving or accessing Microsoft 365 related tenant data authorised by the Customer; analysing licensing, usage, account status, configuration, and related operational data; generating preview reports, full reports, summaries, recommendations, dashboards, and related outputs; providing customer support, issue investigation, service administration, and security operations; and storing, organising, retrieving, transmitting, and deleting data as needed to provide the Services |
| Categories of Data Subjects | The Customer's employees, workers, contractors, and temporary staff; the Customer's administrators and authorised users; and the Customer's end users whose Microsoft 365 related account or usage data is included in the Services |
| Types of Personal Data | Name, work email address or user principal name, account identifiers and directory identifiers, licence assignment and service plan data, account state and sign-in related metadata, product usage or activity indicators made available from source systems, role or administrative status indicators, support communications, and other Personal Data contained in relevant source systems or submitted by the Customer through the Services |
| Special category data | The Services are not intended for the routine processing of special category Personal Data or criminal offence data. The Customer will not intentionally provide such data unless expressly agreed in writing and subject to appropriate additional safeguards |
| Subprocessor | Service provided | Location |
|---|---|---|
| Microsoft (Microsoft Ireland Operations Ltd / Microsoft Corporation) | Cloud hosting, storage, compute, identity, automation, key management, report delivery infrastructure, email communications, and related Microsoft 365 and Azure service dependencies. Relevant services include Azure, Azure Storage, Azure Functions, Azure Static Web Apps, Azure Automation, Key Vault, Microsoft Entra ID, Microsoft Graph, Outlook, Exchange Online, and related Microsoft cloud services | United Kingdom, European Economic Area, and other locations used by Microsoft in accordance with its applicable data processing terms and transfer mechanisms |
| Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.) | Payment processing, billing operations, transaction records, and related financial administration data connected with paid Services | United Kingdom, European Economic Area, and other locations used by Stripe in accordance with its applicable data processing terms and transfer mechanisms |
Kyberbyte does not currently use any separate third-party monitoring, logging, diagnostics, security, helpdesk, ticketing, CRM, or customer support platform outside Microsoft for the delivery of the Services. If this changes, Schedule 2 will be updated in accordance with this DPA.