IntuneBrew by UgurLabs.com

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and IntuneBrew for the processing of personal data in accordance with GDPR requirements.

Last updated: January 2025

1. Definitions

For the purposes of this Data Processing Agreement, the following definitions apply:

"Controller"
The natural or legal person who determines the purposes and means of the processing of personal data. In this Agreement, you (the customer) are the Controller.
"Processor"
The natural or legal person who processes personal data on behalf of the Controller. IntuneBrew (Ugur Koc) acts as the Processor.
"Personal Data"
Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
"Processing"
Any operation performed on personal data, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
"Sub-processor"
Any third party engaged by the Processor to process personal data on behalf of the Controller.
"Data Subject"
An identified or identifiable natural person whose personal data is processed.
"GDPR"
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
"Service"
The IntuneBrew platform and related services as described in the Terms of Service.

2. Subject Matter and Duration

Subject Matter

This DPA governs the processing of personal data by IntuneBrew (Processor) on behalf of the Customer (Controller) in connection with the provision of the IntuneBrew service for macOS application deployment to Microsoft Intune.

Duration

This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination of the Service, the Processor shall delete or return all personal data as specified in Section 12, unless required by law to retain such data.

3. Nature and Purpose of Processing

Purpose of Processing

The Processor processes personal data solely for the following purposes:

  • Authenticating users via Microsoft Entra ID
  • Facilitating application deployment to Microsoft Intune
  • Storing user preferences and settings
  • Sending notification emails about application updates
  • Providing customer support and processing feedback
  • Maintaining audit logs for security and compliance

Nature of Processing

Processing activities include collection, storage, retrieval, use, transmission, and deletion of personal data as necessary to provide the Service. The Processor does not engage in profiling or automated decision-making that produces legal effects for data subjects.

4. Types of Personal Data

The following categories of personal data are processed:

Data Category | Examples | Purpose
Identity Data | Name, User ID (oid), User Principal Name | Authentication, Account management
Contact Data | Email address | Notifications, Support
Organizational Data | Tenant ID | Service delivery, Multi-tenancy
Usage Data | App deployment history, Settings | Service functionality
Technical Data | IP address, User agent, Access logs | Security, Rate limiting
Profile Data | Profile image (optional) | Personalization

Special Categories of Data

The Processor does not intentionally collect or process special categories of personal data (sensitive data) as defined in Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

5. Categories of Data Subjects

The following categories of data subjects may have their personal data processed:

  • Authorized Users - Employees or contractors of the Controller who are authorized to use the Service
  • IT Administrators - Personnel responsible for managing Microsoft Intune deployments
  • Support Contacts - Individuals who submit feedback or support requests

6. Controller Obligations

As the Controller, you are responsible for:

  • Ensuring that you have a lawful basis for the processing of personal data
  • Providing appropriate notice to data subjects about the processing
  • Ensuring that instructions given to the Processor comply with applicable data protection laws
  • Maintaining records of processing activities as required by Article 30 of the GDPR
  • Implementing appropriate technical and organizational measures to protect personal data
  • Obtaining necessary consents from data subjects where required
  • Responding to data subject requests in accordance with GDPR requirements

7. Processor Obligations

The Processor commits to:

  • Process personal data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 10
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return all personal data upon termination of the Service
  • Make available information necessary to demonstrate compliance with this DPA
  • Notify the Controller if an instruction infringes GDPR or other data protection laws

8. Sub-processors

Authorization

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.

Current Sub-processors

The following sub-processors are currently engaged:

Sub-processor | Purpose | Location
Supabase Inc. | Database hosting, backend services | United States
Vercel Inc. | Website hosting, CDN | United States
Microsoft Corporation | Authentication (Entra ID), Queue storage | EU / United States
Resend Inc. | Email delivery | United States
Plausible Insights OÜ | Privacy-focused analytics | European Union (Estonia)

Notification of Changes

The Processor shall notify the Controller of any intended changes to sub-processors by updating this page. The Controller may object to such changes within 30 days of notification. If the Controller objects and the parties cannot reach a resolution, the Controller may terminate the Service.

9. Data Subject Rights

Assistance with Requests

The Processor shall assist the Controller in fulfilling data subject requests under Chapter III of the GDPR, including:

  • Right of Access (Art. 15) - Providing copies of personal data
  • Right to Rectification (Art. 16) - Correcting inaccurate data
  • Right to Erasure (Art. 17) - Deleting personal data
  • Right to Restriction (Art. 18) - Restricting processing
  • Right to Data Portability (Art. 20) - Exporting data in machine-readable format
  • Right to Object (Art. 21) - Ceasing certain processing activities

Response Time

Upon receiving a data subject request forwarded by the Controller, the Processor shall respond within 14 days with the information or action required. If a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller.

10. Security Measures

Technical Measures

The Processor implements the following technical security measures:

  • Encryption in Transit - All data transmitted using TLS 1.2 or higher
  • Encryption at Rest - Database encryption via Supabase
  • Token Encryption - AES-256-GCM encryption for queued access tokens
  • Access Controls - Role-based access, Microsoft Entra ID authentication
  • Rate Limiting - Protection against abuse and denial of service
  • Input Validation - Server-side validation of all user inputs
  • Secure Headers - HTTP security headers (HSTS, CSP, etc.)

Organizational Measures

The Processor maintains the following organizational security measures:

  • Access Management - Principle of least privilege for system access
  • Audit Logging - Comprehensive logging of authentication and data access events
  • Incident Response - Documented procedures for security incident handling
  • Secure Development - Security-focused code review practices
  • Vendor Management - Assessment of sub-processor security practices

For detailed information about our security practices, please refer to our Security Information page.

11. Data Breach Notification

Notification Timeline

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. This notification shall be made to the Controller's designated contact email address.

Notification Content

The breach notification shall include, to the extent known:

  • Description of the nature of the breach, including categories and approximate number of data subjects and records affected
  • Name and contact details of the data protection contact
  • Description of likely consequences of the breach
  • Description of measures taken or proposed to address the breach and mitigate adverse effects

Cooperation

The Processor shall cooperate with the Controller and provide reasonable assistance in investigating the breach, notifying supervisory authorities and data subjects as required, and implementing measures to mitigate harm.

12. Data Deletion and Return

Upon Termination

Upon termination of the Service or upon the Controller's request, the Processor shall:

  • Delete all personal data within 30 days, unless retention is required by law
  • Provide the Controller with a copy of personal data in a commonly used, machine-readable format upon request (made before deletion)
  • Certify in writing that all personal data has been deleted

Exceptions

The Processor may retain personal data to the extent required by applicable law (e.g., for tax or legal compliance purposes). Such retained data shall continue to be protected in accordance with this DPA and shall be deleted when the legal retention period expires.

13. Audit Rights

Information and Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor.

Third-Party Certifications

The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or other documentation demonstrating compliance with applicable data protection requirements.

14. International Transfers

Transfer Mechanisms

Personal data may be transferred to countries outside the European Economic Area (EEA) where our sub-processors are located. Such transfers are protected by:

  • EU-U.S. Data Privacy Framework - For transfers to certified U.S. organizations
  • Standard Contractual Clauses (SCCs) - As adopted by the European Commission
  • Adequacy Decisions - Where applicable

Supplementary Measures

Where required, the Processor implements supplementary technical and organizational measures to ensure an adequate level of protection for transferred personal data, including encryption and access controls as described in Section 10.

15. Liability

Allocation of Liability

Each party shall be liable for damages caused by processing that infringes the GDPR or this DPA:

  • The Controller shall be liable for damages caused by processing that does not comply with the Controller's obligations under the GDPR
  • The Processor shall be liable for damages caused by processing that does not comply with the Processor's obligations under the GDPR or this DPA, or where it has acted outside of or contrary to lawful instructions from the Controller

Indemnification

Each party shall indemnify the other for any costs, claims, damages, or expenses arising from the indemnifying party's breach of this DPA or violation of applicable data protection laws.

16. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without regard to its conflict of law provisions. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Hamburg, Germany.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

Contact Information

For questions about this DPA or to exercise data protection rights, contact:

Ugur Koc
Von-Sauer-Str. 33b
22761 Hamburg
Germany

Email: support@ugurlabs.com