Data Processing Agreement
This Data Processing Agreement (the "DPA") forms part of the Terms of Use between the Customer (controller) and LataSys Limited (processor) and reflects the parties' agreement on the processing of personal data by LataSys Limited on behalf of the Customer in connection with the M365 Quarantine service. It is drafted to satisfy the requirements of Article 28(3) of the UK GDPR.
Effective 2 July 2026 · LataSys Limited (UK Co. No. 17261093)
1. Subject matter, duration, and processing particulars
- Subject matter: provision of the M365 Quarantine service to the Customer.
- Duration: for the term of the Customer's subscription, plus any post-termination period required for delete-or-return under section 9.
- Nature and purpose: listing quarantined messages held by Microsoft 365 for the Customer's mailboxes, processing release requests, and maintaining an audit trail of administrative and end-user actions.
- Types of personal data: user identifiers (UPN, object id, display name); quarantine message metadata (sender address, recipient address, received date, subject, quarantine reason, policy name); tenant configuration; audit log entries (action, timestamp, IP address, user agent); billing contact details.
- Categories of data subjects: the Customer's administrators and end users whose mailboxes are protected by the Customer's Microsoft 365 quarantine policies.
- Controller's obligations and rights: as set out in the UK GDPR and these terms.
2. Processing on documented instructions
LataSys Limited will process personal data only on documented instructions from the Customer, including with regard to transfers to a third country. The Terms of Use, this DPA, and the Customer's configuration choices in the admin portal constitute the documented instructions. LataSys Limited will notify the Customer if, in its opinion, an instruction infringes the UK GDPR or other UK or EU data-protection law.
3. Duty of confidence
LataSys Limited will ensure that all persons authorised to process the personal data are subject to a binding duty of confidentiality.
4. Security of processing (UK GDPR Art 32)
LataSys Limited will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures currently in place are described in the Security Statement and include, at a minimum: encryption in transit (TLS 1.2+); encryption at rest for Postgres storage; multi-tenant isolation enforced server-side; least-privilege role-based access; audit logging of all administrative and end-user actions; UK-region hosting; and 24h synthetic availability probing.
5. Sub-processors
The Customer authorises LataSys Limited to engage the following sub-processors to assist in providing the Service:
| Sub-processor | Purpose | Location of processing | Transfer safeguard |
|---|---|---|---|
| Microsoft Corporation (Microsoft Graph) | Authentication, directory lookups, app catalog upload. | Customer's M365 region; US for some support operations. | UK IDTA / EU SCCs + UK Addendum + Microsoft DPA. |
| Microsoft Corporation (Exchange Online PowerShell) | Get-QuarantineMessage / Release-QuarantineMessage calls. | Customer's M365 region. | UK IDTA / EU SCCs + UK Addendum + Microsoft DPA. |
| Microsoft Azure (App Service, Postgres, Container Apps, Key Vault, Application Insights) | Hosting and operation of the platform. | UK South region for primary processing; US for limited operational telemetry. | UK IDTA / Microsoft Online Services DPA. |
| Stripe Payments Europe Ltd / Stripe, Inc. | Card payment processing, subscription billing, invoice generation. | Ireland (Stripe Payments Europe) and United States (Stripe, Inc.). | Stripe Data Processing Addendum; SCCs / UK IDTA for transfers to Stripe, Inc. |
LataSys Limited will provide at least 30 days' advance notice (by email to the Customer's registered administrator) before adding or replacing a sub-processor. The Customer may object in writing within that period for legitimate grounds; if the parties cannot agree, the Customer may terminate the affected portion of the Service.
LataSys Limited will impose data-protection obligations on each sub-processor that are at least equivalent to those in this DPA and remains fully liable to the Customer for any failure by a sub-processor to fulfil its obligations.
6. International transfers
Primary processing is hosted in Microsoft Azure UK South and Customer Data does not leave the United Kingdom for primary processing. Where a sub-processor transfers personal data outside the United Kingdom (for example, for operational support), the transfer is governed by an Article 46 UK GDPR safeguard — the UK International Data Transfer Agreement (IDTA), or the European Commission Standard Contractual Clauses with the UK International Data Transfer Addendum, supported by a Transfer Risk Assessment.
7. Assistance with data-subject rights
LataSys Limited will assist the Customer, by appropriate technical and organisational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR. Where LataSys Limited receives a request directly from a data subject, it will refer that request to the Customer without undue delay.
8. Personal data breach notification (Art 33)
LataSys Limited will notify the Customer of any personal data breach affecting Customer Data without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include the information set out in Art 33(3) of the UK GDPR to the extent then known and will be supplemented as further details become available.
9. Deletion or return at end of contract
At the choice of the Customer, LataSys Limited will delete or return all Customer Data after the end of the provision of the Service. The Customer may request an export at any time during the term and within 30 days after termination. After that 30-day period, all Customer Data will be deleted from production systems within 30 days, except for backups which roll off within 35 days, and audit log entries which we are required to retain to meet our own accountability obligations.
10. Audits and inspections
LataSys Limited will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Audits are at the Customer's expense and subject to reasonable notice (at least 30 days) and reasonable confidentiality undertakings.
11. Vendor / MSP tier clarification
Where a Vendor / MSP has onboarded a downstream customer tenant under the vendor portal, the data-protection roles for that downstream customer's data are as follows:
- The downstream customer is the controller for its mailbox and end-user data.
- The Vendor / MSP acts as a separate controller for its own administration, billing, and support data relating to the downstream customer.
- The Vendor / MSP acts as the controller for any actions it takes on the downstream customer's tenant under instructions from the downstream customer, UNLESS a tri-party DPA has been executed naming LataSys Limited as processor to the downstream customer; in which case LataSys Limited processes the downstream customer's data as that customer's processor under the tri-party terms.
- LataSys Limited at all times remains the processor of the downstream customer's mailbox and audit data as it is processed inside the M365 Quarantine platform.
12. Notices
Notices to LataSys Limited under this DPA should be sent through our contact form.
LataSys Limited
Registered in England and Wales, Company No. 17261093
66 Paul Street
London, England
EC2A 4NA
United Kingdom
support [at] latasys [dot] com · latasys.com