Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Backup Teams Inc. ("Data Processor") and you or the entity you represent ("Data Controller"). It reflects the parties' agreement regarding the processing of personal and organizational data contained within your Microsoft Teams environment.

2. Processing of Customer Data

Scope and Role: Backup Teams acts exclusively as a Data Processor. We process your data (including Teams chats, channel messages, and shared files) strictly for the purpose of providing the backup, storage, and recovery services as configured by you. We do not determine the purposes or means of processing the Personal Data contained within your backups.

Instructions: We will only process your data in accordance with your documented instructions, which are represented by your configuration and use of the Backup Teams service application via the Microsoft Graph API.

3. Security Measures

We implement and maintain stringent technical and organizational security measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:

• Encryption in transit using modern TLS (1.2 or higher).
• Encryption at rest in dedicated Amazon S3 vaults using AES-256 GCM.
• Strict logical separation of tenant data (Data Isolation).
• Regular automated vulnerability scanning and key rotation.

4. Sub-processing

You authorize Backup Teams to engage infrastructure sub-processors (e.g., Amazon Web Services for cloud storage constraint). We maintain a list of active sub-processors and impose equivalent data protection obligations upon them as required by Article 28 of the GDPR. We will notify you of any intended changes concerning the addition or replacement of sub-processors.

5. Data Subject Rights & Assistance

As the Data Controller, you are responsible for fulfilling requests from data subjects (e.g., right to access, rectify, or erase). We will assist you by providing the technical tools necessary to export or cryptographically destroy specific backup vaults upon your authorized request. We will promptly notify you if we receive a direct request from a data subject regarding data processed under your tenant.

6. Data Deletion and Return

Upon termination of your subscription, or upon your explicit written request, Backup Teams will execute a secure, cryptographic "hard delete" of your tenant's dedicated S3 vault within 30 days. This renders all associated backups irretrievable. You are responsible for exporting any needed data prior to terminating the service.

7. Incident Notification

In the event of a confirmed Personal Data Breach affecting your backups, Backup Teams will notify you without undue delay (and highly target within 48 hours of discovery) and provide sufficient information to allow you to meet any obligations to report a breach to supervisory authorities.

8. Contact for Privacy Inquiries

For security reports, DPA execution inquiries, or infrastructure questions, please contact our Compliance and Security team at: