Legal
Privacy Policy
This Privacy Policy describes what personal data watchtower handles when Customer uses the service, why, who sees it, and what rights data subjects have.
1. Who we are
The data controller for personal data we collect about Customer's own users (Customer's administrators and staff who log in to watchtower) is Ampliosoft AB ("Watchtower", "we").
For personal data within Customer's Microsoft 365 / Entra tenants that watchtower processes on Customer's behalf, the data controller is the Customer and Watchtower is the data processor. The processor obligations are spelled out in the Data Processing Agreement (DPA).
2. What we collect
2.1 Data about Customer's users (we are the controller)
When Customer's authorised users sign in to watchtower and use the service, we process:
- Identity: name, email address, organization, role assignments.
- Authentication: sign-in events, IP address, browser user-agent.
- Activity: which dashboards were viewed, which findings were triaged, which evidence packs were downloaded. This is the audit chain and is append-only.
- Support correspondence if Customer's users contact us.
We do NOT collect device fingerprints or behavioural-advertising identifiers. We do NOT sell or share this data with advertisers.
2.2 Data within Customer's tenants (Customer is the controller)
To provide the service, watchtower polls Customer's Microsoft 365 / Entra tenants on a documented cadence. We retrieve:
- Tenant configuration (Conditional Access policies, identity protection settings, SharePoint admin config, Teams policies, etc.).
- Resource metadata (e.g. the list of guest users, the count of privileged accounts, license assignments).
- Audit data Microsoft exposes (e.g. activity from the Microsoft 365 audit log, when Customer's plan includes that feature).
In the course of polling those configuration surfaces, Microsoft's APIs include some personal data alongside configuration (e.g. user principal names in the list of Conditional Access targets). That data is processed on Customer's instructions per the DPA.
We do NOT read:
- Mailbox contents.
- File contents stored in OneDrive, SharePoint, or Teams.
- Chat / call contents.
- Application content created by Customer's users.
2.3 Technical data we always collect
- Server logs with request paths, response codes, durations, and IP addresses for security and performance monitoring.
- Error telemetry (Sentry; see Sub-processors). Error events capture the stack trace and request context but NOT request body contents.
3. Why we process it
| Purpose | Lawful basis (GDPR) | Data |
|---|---|---|
| Provide the service to Customer | Contract (Art. 6(1)(b)) | All of 2.1, 2.2, 2.3 |
| Secure the service | Legitimate interest (Art. 6(1)(f)) | 2.1, 2.3 |
| Comply with our own legal obligations | Legal obligation (Art. 6(1)(c)) | Audit chain (2.1), invoices |
| Improve the service | Legitimate interest (Art. 6(1)(f)) | Aggregated and pseudonymised |
We do not rely on consent (Art. 6(1)(a)) as a lawful basis for the core service. Customer's contract with us is the basis.
4. Retention
| Data | Retention | Reference |
|---|---|---|
| User profile (2.1 identity) | For the lifetime of the workspace + 30 days | Data-lifecycle policy |
| Authentication logs | 90 days | Data-lifecycle policy |
| Audit chain entries (2.1 activity) | 7 years (regulatory minimum for security audit data; deletion after that on a documented schedule) | Data-lifecycle policy |
| Tenant configuration (2.2) | Snapshot retention 30 days; current state retained until workspace deletion + 30 days | Data-lifecycle policy |
| Evidence packs (2.2 derived) | 5 years for signed packs; Customer can request earlier deletion subject to legal-hold considerations | Data-lifecycle policy |
| Server logs (2.3) | 90 days | Data-lifecycle policy |
| Error telemetry (2.3, in Sentry) | 90 days | Sentry default |
| Support correspondence | 3 years post last contact | Data-lifecycle policy |
The audit chain is structurally append-only. Deletion of a specific audit entry is technically possible only by purging the chain and starting a new one, which destroys the integrity proof. We do not accept ad-hoc deletion requests against the audit chain; if you need to exercise data-subject rights against audit-chain entries we will proceed via the documented purge-and-restart procedure with the Customer's controller, and the resulting integrity gap is preserved as a recorded event.
5. Who we share it with
We share data only with:
- Customer's authorised users, per the role-based access in watchtower.
- Sub-processors listed on our Sub-processors page who process data on our behalf under the DPA.
- Lawful requests from authorities with jurisdiction. We resist overbroad requests and notify Customer where we are legally permitted to do so. Annual transparency reporting is on the product roadmap (open item).
- Successors in the event of a merger, acquisition, or asset sale. The successor is bound by the same obligations or Customer is offered an exit.
We do not sell data. We do not transfer data to advertising or analytics platforms.
6. International transfers
The production service runs on Hetzner Cloud infrastructure in Germany (Nuremberg) under EU jurisdiction. Personal data processed by the core service does not leave the EU.
Sub-processors located outside the EU (Sentry is operated by Sentry, Inc. with infrastructure in the United States) operate under Standard Contractual Clauses with watchtower and we maintain a documented transfer-impact assessment. Where Sentry is configured, the watchtower team has explicitly accepted the residual risk; the Customer may instruct us to disable Sentry for the Customer's workspace via the DPA.
The Customer's own Microsoft 365 / Entra tenant location is the Customer's responsibility; watchtower polls whichever Microsoft region the tenant lives in.
7. Security
Watchtower invests substantively in security. Specific measures we commit to:
- Encryption in transit (TLS 1.3 for all customer-facing endpoints).
- Encryption at rest for Customer credentials in our database (AES via a managed Customer-credential encryption key).
- Role-based access control with scope isolation (including cross-tenant isolation).
- Postgres Row-Level Security as a defense-in-depth boundary between workspaces.
- An append-only audit chain recording security-relevant events.
- Documented operational runbooks for deploy, rollback, backup verification, secret rotation, and incident response.
- Vendor security review of every sub-processor.
We do NOT yet hold:
- SOC 2 Type 1 or Type 2 certification (planned).
- ISO 27001 certification (planned).
- A public bug bounty program (planned).
Security disclosures are welcomed at security@watchtower.nu. We commit to acknowledging receipt within 2 business days and publishing remediated vulnerabilities to the status page on resolution.
8. Customer rights (your rights)
If you are a Customer user, you have the following rights with respect to your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion. Subject to retention obligations above (e.g. audit chain).
- Restriction: request we stop processing your data.
- Portability: receive your data in a portable format.
- Object: object to processing based on legitimate interest.
- Complaint: lodge a complaint with your local data protection authority.
For data subjects whose personal data appears in Customer's tenant (e.g. employees of Customer who appear in Conditional Access policy targets), the controller is the Customer, not watchtower. Direct those requests to the Customer; we will support the Customer per the DPA.
To exercise rights against watchtower as a controller, contact privacy@watchtower.nu. We respond within 30 days.
9. Children
Watchtower is not intended for individuals under 16 years of age. We do not knowingly collect data from children. Customer warrants in the Terms that the users it authorises are not children.
10. Changes to this policy
We update this policy when product facts change or when the law requires. Material changes are announced at least 30 days in advance via the status page and an in-product notice; non-material changes are published when made.
11. Contact
| Topic | Contact |
|---|---|
| Privacy and data-subject rights | privacy@watchtower.nu |
| Security disclosures | security@watchtower.nu |
| Legal correspondence | legal@watchtower.nu |
| General questions | hello@watchtower.nu |
Postal address: Ampliosoft AB, Ekenleden 15A, 428 36 Kållered, Sweden