Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") applies when ButWhy.Cloud processes personal data on your behalf as part of the scanning service. It satisfies requirements under GDPR (Article 28) and POPIA.

1. Definitions

"Controller" means you — the organisation initiating the scan and determining the purposes of data processing.

"Processor" means ButWhy.Cloud — processing data on your behalf to deliver the scanning service.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed as part of the scan (e.g. user principal names, display names, email addresses appearing in scan evidence).

"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.

2. Scope and Purpose

ButWhy.Cloud processes personal data solely to:

Execute security checks against your Microsoft 365 and Azure tenant via read-only API calls.
Generate a security report identifying misconfigurations and affected resources.
Deliver that report to the email address you provide.

Processing occurs only on your documented instruction (initiating a scan). We will not process your data for any other purpose.

3. Nature of Personal Data Processed

The scan may encounter personal data including:

User principal names and display names of tenant users.
Email addresses of tenant users.
Names of Azure resources (which may include personal identifiers).
Your email address (provided by you for report delivery).

4. Data Retention

Personal data encountered during scanning is retained as part of the scan report in Azure Blob Storage for a maximum of 5 days from the date of scan completion, after which it is permanently and automatically deleted. No backups or copies are retained beyond this period.

5. Controller Obligations

As Controller, you confirm that:

You are authorised to grant the OAuth permissions required for the scan.
You have a lawful basis for instructing ButWhy.Cloud to process personal data within your tenant.
You will inform affected data subjects of this processing where required by applicable law.

6. Processor Obligations

ButWhy.Cloud commits to:

Processing personal data only on your documented instructions.
Ensuring all personnel with access to personal data are bound by confidentiality obligations.
Implementing appropriate technical and organisational measures to protect personal data.
Not engaging sub-processors without your knowledge (see Section 7).
Assisting you in responding to data subject rights requests where technically feasible.
Notifying you without undue delay upon becoming aware of a personal data breach.
Deleting all personal data upon expiry of the retention period or upon your request.

7. Sub-Processors

We use the following sub-processors:

Microsoft Azure (infrastructure, blob storage) — East US region.
Mailgun (email delivery) — USA, with EU Standard Contractual Clauses in place.
Cloudflare (DNS, CDN) — Global, with Standard Contractual Clauses in place.

We will notify you of any intended changes to sub-processors, giving you the opportunity to object.

8. International Transfers

Scan data is stored in Microsoft Azure's East US region. Email delivery via Mailgun may involve transfer to the United States. Such transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46.

9. Security Measures

We implement the following technical and organisational measures:

TLS encryption for all data in transit.
Azure Blob Storage with private access only — no public URLs.
Access restricted to scanning infrastructure via managed identity.
Automatic deletion enforced via Azure lifecycle management policies.
OAuth tokens held only in memory during scan execution, never written to persistent storage.

10. Data Subject Rights

If you receive a data subject access, deletion, or portability request relating to data processed by ButWhy.Cloud on your behalf, contact us at hello@butwhy.cloud. We will provide all reasonable assistance within 5 business days.

11. Audit Rights

You may request information demonstrating our compliance with this DPA. We will respond to reasonable audit requests within 30 days. Physical audits require 60 days notice and are subject to a reasonable fee.

12. Termination

Upon termination of your use of the Service, all personal data will be deleted within the standard 5-day retention period or immediately upon written request, whichever is sooner.

13. Governing Law

This DPA is governed by the laws of the Republic of South Africa. Where applicable, EU GDPR requirements take precedence for EEA data subjects.

14. Contact

Data protection queries: hello@butwhy.cloud