Legal
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the watchtower Terms of Service. It governs watchtower's processing of personal data on Customer's behalf as a processor under Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent requirements in the UK GDPR, the Swiss FADP, and (where applicable to the Customer) the California Consumer Privacy Act as amended by CPRA ("CCPA").
1. Definitions
Terms not defined here have the meanings given in the GDPR.
- Customer: the entity entering this DPA via the Terms of Service.
- Watchtower: Ampliosoft AB as defined in the Terms.
- Customer Data: personal data processed by watchtower on Customer's behalf, including (a) data within Customer's Microsoft 365 / Entra tenants polled by the service, (b) data Customer's authorised users supply through the service, and (c) any other personal data Customer chooses to load.
- Authorised Personnel: watchtower employees and contractors with a legitimate need to access Customer Data, who have signed confidentiality obligations.
- Sub-Processor: a third party engaged by watchtower to assist in processing Customer Data. The current list is maintained on our Sub-processors page.
- Security Incident: any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.
2. Roles
Customer is the controller. Watchtower is the processor. Where Customer Data includes personal data of Customer's own end users (e.g. employees of Customer who appear in Customer's Microsoft tenant), Customer represents that it has the legal basis to disclose that data to watchtower for the purposes set out in the Terms.
3. Subject matter and duration
Subject matter: processing of Customer Data to provide the watchtower service as described in the Terms.
Duration: for the term of the Terms plus the retention period in the Privacy Policy.
Nature and purpose of processing: continuous polling of Customer's Microsoft tenants on a documented cadence (5-minute drift sweeps); storage of configuration snapshots; computation of findings against a published benchmark catalog; generation of signed evidence packs; surface of those findings to Customer's authorised users via the watchtower web application.
Categories of personal data:
- Identity data (names, email addresses, role assignments).
- Authentication metadata (sign-in IP, browser user-agent).
- Tenant-configuration data including personal data that Microsoft's configuration surfaces incidentally expose (e.g. user principal names in policy targeting).
- Behavioural data within the watchtower app (which findings were viewed, which evidence packs were downloaded).
Categories of data subjects:
- Customer's authorised users of watchtower.
- Customer's end users whose data appears in Customer's tenant configuration.
No special category data is processed by design. Watchtower does not read mailbox contents, file contents, or chat contents.
4. Watchtower's obligations
Watchtower shall:
- Process Customer Data only on documented instructions from Customer. These Terms, the Privacy Policy, and any written configuration choices in the watchtower workspace constitute documented instructions.
- Ensure that Authorised Personnel are bound by confidentiality.
- Implement and maintain the technical and organisational measures in Annex A.
- Engage Sub-Processors only under Section 5.
- Assist Customer in fulfilling its obligations to respond to data subject requests, per Section 6.
- Assist Customer with data protection impact assessments and prior consultation, per Section 7.
- Make available to Customer the information necessary to demonstrate compliance with Article 28, including our documented operational runbooks, and allow audits per Section 8.
- Notify Customer of any instruction that, in watchtower's opinion, infringes data protection law, before complying.
Watchtower shall NOT:
- Sell Customer Data or use it for purposes other than providing the service.
- Combine Customer Data across customers for any purpose other than aggregate, pseudonymised service improvement.
- Transfer Customer Data outside the EEA except under Section 9.
5. Sub-Processors
Customer authorises watchtower to engage the Sub-Processors listed on our Sub-processors page.
Watchtower shall:
- Maintain that list and update it before adding or replacing a Sub-Processor.
- Bind each Sub-Processor by written contract to data protection terms equivalent to this DPA.
- Remain liable for the acts and omissions of its Sub-Processors as for its own.
Adding or replacing a Sub-Processor: watchtower shall provide at least 30 days' written notice (via the in-product changelog and an email to Customer's designated contact) before the change takes effect. Customer may object on reasonable data protection grounds within 14 days of notice; if the parties cannot resolve the objection, either party may terminate the affected workspace without penalty.
6. Data subject requests
Customer is responsible for responding to data subject requests as the controller. Watchtower shall, on Customer's written request and to the extent technically practicable, assist Customer with:
- Providing copies of Customer Data held by watchtower (access).
- Correcting Customer Data (rectification).
- Deleting Customer Data (erasure), subject to the audit-chain carve-out in Section 11.
- Restricting or porting Customer Data.
Customer may use the watchtower self-service data export feature under our data-lifecycle policy to fulfil most access and portability requests without watchtower's manual involvement.
7. DPIA and prior consultation assistance
On reasonable request, watchtower shall:
- Provide information about the service's technical and organisational measures to support Customer's Data Protection Impact Assessment.
- Assist with prior consultation with supervisory authorities where the DPIA indicates high residual risk.
The published runbooks and security overview are intended to provide much of this information without case-by-case work.
8. Audits
Customer may audit watchtower's compliance with this DPA:
- Documentation audit: Customer may at any time review the watchtower documentation, runbooks, and operations log artefacts; this is part of watchtower's trust-narrative commitment.
- Penetration testing: Customer may, with at least 30 days' written notice, commission a third-party penetration test of the watchtower service against Customer's workspace, subject to a scope agreed in writing. Watchtower may require the test be conducted within Customer's tenant only and not exceed agreed rate limits.
- On-site audit: for paid customers with an enterprise plan, watchtower shall accommodate up to one on-site audit per 12-month period at Customer's expense, with at least 60 days' notice.
For paid customers, when watchtower obtains a SOC 2 Type 2 or ISO 27001 certification (planned per the Privacy Policy), Customer may rely on the audit report in lieu of an on-site audit for any 12-month period during which the certification is current.
9. International transfers
Watchtower processes Customer Data primarily on infrastructure in the European Economic Area (Germany / Hetzner Cloud). Where Customer Data is transferred to a Sub-Processor outside the EEA:
- The Standard Contractual Clauses (Module 3, processor-to-processor) apply between watchtower and that Sub-Processor by reference and are incorporated into this DPA.
- A Transfer Impact Assessment is documented in our Transfer Impact Assessment.
- Supplementary measures (encryption, data minimisation, contractual audit rights) are documented in the same place.
Customer may instruct watchtower to disable Sub-Processors located outside the EEA, at the cost of the service features those Sub-Processors enable. The customer-facing default is that Sentry (US-based) is enabled; disabling it removes error telemetry but does not affect other service features.
10. Security measures
Annex A details the technical and organisational measures watchtower maintains. These measures track our operational runbooks and are updated when those runbooks change.
Customer may notify watchtower of additional measures it requires; the parties shall discuss feasibility, cost, and timeline.
11. The audit-chain carve-out
Watchtower maintains an append-only audit chain recording security-relevant events at the workspace level. The chain's integrity is the basis for the signed-receipt feature and for the operations-log artefacts.
When a data subject exercises the right to erasure with respect to data within the audit chain, two paths are available:
- Standard erasure: the data is purged from operational tables; the audit-chain entry is rewritten to remove personally identifying information while preserving the chain's hash-continuity. Customer's audit-log search no longer surfaces the personal data; the integrity proof remains valid.
- Full erasure (chain reset): if standard erasure does not satisfy the request, the chain is purged in full and restarted. The integrity gap is recorded and visible to all auditors. Customer must explicitly request this and acknowledge the consequence.
Watchtower shall implement standard erasure within 30 days of Customer's written request. Full erasure shall be implemented within 60 days.
12. Security incident notification
Watchtower shall notify Customer of a Security Incident without undue delay and no later than 72 hours after becoming aware. The notification shall include:
- The nature of the incident, including the categories and approximate number of data subjects and records affected.
- The likely consequences.
- The measures taken or proposed to address the incident and mitigate its possible adverse effects.
Watchtower shall provide updates as the investigation progresses, publish a public incident record on the status page when the incident is customer-visible, and produce a post-incident review within 5 business days.
13. Return and deletion
On Customer's instruction or on termination of the Terms, watchtower shall return or delete Customer Data within 30 days, except for copies required to be retained by law. Section 11 governs the audit-chain treatment.
Watchtower may retain pseudonymised aggregate statistics (e.g. anonymous counts of findings raised, never personally identifiable) for service-improvement purposes without limitation.
14. Liability
Liability under this DPA is subject to the limitations in the Terms except where law forbids such limitation.
15. Conflict
In case of conflict between this DPA and the Terms, this DPA controls.
Annex A: Technical and organisational measures
These measures track our operational runbooks and are updated when those documents change.
A.1 Access control
- Role-based access with workspace and scope isolation.
- Postgres Row-Level Security as a defense-in-depth boundary between workspaces.
- All Authorised Personnel access is mediated through the watchtower application; direct database access by personnel is restricted to documented incident-response paths and is logged.
A.2 Encryption
- TLS 1.3 for all customer-facing endpoints.
- Customer credentials in the watchtower database are encrypted at rest using AES with a managed key.
- Encrypted off-host backups via restic (passphrase held in OpenBao).
A.3 Logging and monitoring
- Append-only audit chain for security-relevant events.
- Sentry error telemetry without default PII (per the observability runbook).
- Public status page with declarative configuration in git.
A.4 Vulnerability management
- Dependency scanning via the npm advisory database on every CI run.
- Static analysis via the typecheck + lint guardrails on every pull request.
- Manual security review of any change to the audit-chain, evidence-pack-signing, or RLS code paths.
- Security disclosures routed via security@watchtower.nu per the Privacy Policy.
A.5 Operational discipline
- Documented runbooks for deploy, rollback, backup verification, secret rotation, secret history scrubbing, and observability.
- Monthly backup-restore drill against staging-class infrastructure.
- Quarterly reconciliation of the documentation set against the shipped product.
A.6 Personnel
- All Authorised Personnel are bound by written confidentiality obligations.
- Onboarding includes security training relevant to the role.
- Access is removed within 24 hours of role change or termination of employment.
A.7 Sub-Processor management
- Sub-Processor selection requires documented security review.
- Sub-Processors are bound by contract to terms equivalent to this DPA.
- The Sub-Processor list on our Sub-processors page is the source of truth.
A.8 Incident response
- A documented incident-response runbook.
- 72-hour customer notification window per Section 12 above.
- Postmortem within 5 business days per our rollback runbook.