
Data Processing Agreement

GDPR Article 28 | International Transfers | Binding Agreement

This Data Processing Agreement governs the processing of personal data by MS Power House on behalf of our clients in compliance with GDPR Article 28.

GDPR Compliance Notice

This DPA is designed to meet the requirements of GDPR Article 28 and ensures that personal data processing is conducted in accordance with applicable data protection laws. This agreement supplements our Master Service Agreement.

1. Definitions

  • "Controller" means the Client who determines the purposes and means of processing personal data.
  • "Processor" means MS Power House, processing personal data on behalf of the Controller.
  • "Personal Data" has the meaning set out in Article 4(1) of the GDPR.
  • "Processing" has the meaning set out in Article 4(2) of the GDPR.
  • "Data Subject" has the meaning set out in Article 4(1) of the GDPR.
  • "Sub-processor" means any processor engaged by MS Power House to process personal data.

2. Processing Activities

2.1 Subject Matter and Duration

MS Power House will process personal data as necessary to provide IT services including managed services, cloud migration, data migration, and related technical support.

Duration: For the duration of the Master Service Agreement and applicable data retention periods.

2.2 Nature and Purpose of Processing

Processing Activity | Purpose                               | Lawful Basis
Email Migration     | Transfer email data to new systems    | Contract Performance
System Monitoring   | Ensure service availability and security | Legitimate Interest
Technical Support   | Resolve technical issues and incidents | Contract Performance
Backup Services     | Data protection and disaster recovery | Contract Performance

2.3 Categories of Data Subjects

  • Employees and contractors of the Controller
  • Customers and clients of the Controller
  • Suppliers and business partners of the Controller
  • Website visitors and service users

2.4 Categories of Personal Data

Standard Personal Data

  • Contact information (name, email, phone)
  • Professional information (job title, company)
  • Communication records
  • Technical identifiers (IP addresses, device IDs)

Special Categories (if applicable)

  • Health data (only if explicitly authorized)
  • Biometric data (for authentication purposes)
  • Other special categories as specified in SOW

3. Processor Obligations

3.1 Processing Instructions

MS Power House will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries.

  • Initial instructions are set out in the Master Service Agreement and SOWs
  • Additional instructions may be given in writing during the term
  • MS Power House will inform Controller if instructions violate GDPR or other laws

3.2 Confidentiality

MS Power House ensures that persons authorized to process personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.

3.3 Data Subject Rights

MS Power House will assist the Controller in fulfilling data subject rights requests:

  • Access, rectification, erasure, and portability requests
  • Restriction of processing and objection requests
  • Response within 72 hours of receiving Controller's request
  • Technical and organizational measures to facilitate rights fulfillment

4. Technical and Organizational Security Measures

4.1 Security Framework

MS Power House implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:

Technical Measures

  • AES-256 encryption at rest and in transit
  • Multi-factor authentication (MFA)
  • Network segmentation and firewalls
  • Intrusion detection and prevention systems
  • Regular vulnerability assessments
  • Automated backup and recovery systems
  • Endpoint detection and response (EDR)

Organizational Measures

  • Information security policies and procedures
  • Employee security awareness training
  • Background checks for personnel
  • Role-based access controls
  • Incident response and breach procedures
  • Regular security audits and assessments
  • Business continuity and disaster recovery

4.2 Certifications and Standards

SOC 2 Type II | ISO 27001:2013 | NIST Cybersecurity Framework | PCI DSS Level 1

5. Sub-processors

5.1 General Authorization

The Controller provides general written authorization for MS Power House to engage sub-processors, subject to the conditions set out in this DPA.

5.2 Current Sub-processors

Sub-processor         | Service                     | Location                        | Safeguards
Microsoft Corporation | Azure Cloud Services        | Global (EU Data Residency)      | Standard Contractual Clauses
Amazon Web Services   | Backup and Archive Services | EU/US (Data Residency Controls) | Data Processing Addendum
Atlassian             | Service Management Platform | Global (EU Data Residency)      | Standard Contractual Clauses

5.3 Sub-processor Changes

MS Power House will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

  • 30 days advance notice for new sub-processors
  • Controller may object within 15 days of notice
  • Updated sub-processor list maintained on our website

6. International Data Transfers

6.1 Transfer Mechanisms

Where personal data is transferred outside the EEA, MS Power House ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU Commission approved clauses
  • Adequacy Decisions: Transfers to countries with adequacy decisions
  • Binding Corporate Rules: For intra-group transfers
  • Certification Schemes: Approved certification mechanisms

6.2 Data Residency Controls

Default Policy: Personal data of EU residents is processed and stored within the EU unless explicitly authorized otherwise by the Controller. Technical and organizational measures prevent unauthorized international transfers.

7. Personal Data Breach Notification

7.1 Notification Timeline

  • 1 Hour: Initial Detection
  • 24 Hours: Controller Notification
  • 72 Hours: Detailed Report

7.2 Notification Content

Breach notifications will include:

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects and records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for further information

8. Return and Deletion of Personal Data

8.1 End of Processing

Upon termination of services, MS Power House will, at the Controller's choice:

  • Return all personal data to the Controller in a structured, commonly used format
  • Securely delete all personal data and provide certification of deletion
  • Continue to store data subject to ongoing legal obligations

8.2 Deletion Timeline

  • Production Systems: Within 30 days of termination
  • Backup Systems: Within 90 days of termination
  • Archive Systems: Within 180 days of termination
  • Legal Hold: Retained as required by applicable law

9. Audits and Compliance

9.1 Audit Rights

MS Power House will make available to the Controller information necessary to demonstrate compliance with Article 28 GDPR and allow for audits:

  • Annual compliance reports and certifications
  • Third-party audit reports (SOC 2, ISO 27001)
  • On-site audits with reasonable advance notice
  • Questionnaire-based assessments

9.2 Audit Costs

Controller may conduct one audit per year at no cost. Additional audits or on-site inspections may be subject to MS Power House's then-current professional services rates.

DPA Version: 1.3 | Effective Date: January 1, 2025

Last Updated: January 2025 | Next Review: January 2026