Skip to main content
SharePoint Forge
SharePoint Forge

Legal

Data Processing Agreement

Last updated: 25 May 2026 · Version 1.0

This Data Processing Agreement (“DPA”) applies automatically alongside our Terms of Service whenever SharePoint Forge processes personal data on your behalf as part of providing the service. By entering into the Terms of Service you also enter into this DPA. No signature is required to make it binding, though we will counter-sign a PDF copy via DocuSign or equivalent on request — email privacy@sharepointforge.co.uk.

0. Scope (read this first)

We are honest about what this DPA covers and what it does not. Most of the personal data SharePoint Forgeholds — your staff's name, work email, Microsoft Object ID, organisation, billing details, package entitlements and the audit log of authentication / download / portal events — is data we determine the purposes and means of processing for. For that data we act as the controller, and the full transparency statement is in our Privacy Policy (lawful basis table at §3, retention at §6, your rights at §7).

This DPA applies only to the narrow set of processing where you choose what data we receive and we process it on your documented instructions — namely:

  • Support ticket content + attachments. When your authorised users write a ticket or attach a file, that content (and any personal data within it) is your data — we hold and process it solely to respond to the issue you raised.
  • SPFx deployment telemetry user identifiers. When packages render in your tenant, the call-home endpoint receives the Microsoft Entra Object ID (OID) of the rendering user from your tenant context. We treat that OID as data you control (the user is your tenant's user, not ours).

Everything else is covered by the Privacy Policy as controller processing. If a clause in this DPA references "personal data" or "Controller data", it means the processor-scope data described above, not the wider customer-management data we control.

1. Parties

  • Controller:the customer organisation identified by the verified business domain on the Customer Portal account (“you”, “Controller”).
  • Processor: Greg Jennings trading as SharePoint Forge, at 3 Derby Road, WN8 8BP (“us”, “Processor”).

2. Subject matter, nature and duration

This DPA governs the processor-scope personal data identified in §0 — i.e. (i) content and attachments of support tickets your authorised users submit, and (ii) the Microsoft Entra Object IDs we receive from your tenant as part of SPFx package telemetry. Processing operations comprise storage, transmission to the sub-processors in Schedule A, retrieval for support response, and deletion on instruction or expiry of the retention window.

This DPA is co-terminus with the Terms of Service. It applies for as long as we hold any processor-scope personal data described above.

3. Categories of personal data (processor-scope)

  • Support ticket content: free-text fields and file attachments submitted by your authorised users via the Customer Portal support form
  • SPFx telemetry user identifiers: Microsoft Entra Object IDs of users in your tenant that are passed to our heartbeat / licence-check endpoints by SharePoint Forge packages rendering inside SharePoint

We do not knowingly process special category data (Art. 9 UK GDPR) or criminal-conviction data (Art. 10). Under Terms §8.1 you warrant that any content you upload to the Customer Portal (including support-ticket attachments) does not contain Art.9 or Art.10 data. If you discover that it does, contact privacy@sharepointforge.co.uk and we will delete the content promptly (typically within two working days) and confirm in writing.

4. Categories of data subjects

  • Your employees and authorised users of the Customer Portal
  • Your accounts-payable / billing contacts
  • Your delegated administrators

5. Our obligations as Processor (Art. 28(3))

5.1 Documented instructions (Art. 28(3)(a))

We process personal data only on your documented instructions, which include this DPA, the Terms of Service and any subsequent written instructions you give. If we believe an instruction violates UK GDPR or applicable law we will tell you before processing, unless prohibited from doing so.

5.2 Confidentiality (Art. 28(3)(b))

Personnel authorised to process personal data are bound by written confidentiality obligations.

5.3 Security (Art. 28(3)(c) / Art. 32)

We implement appropriate technical and organisational measures including encryption in transit and at rest, access control on a least-privilege basis, audit logging, CSP headers, signed short-lived download URLs, rate limiting, and webhook signature verification. The full description is in our Privacy Policy section on security and is updated as we evolve our practices.

5.4 Sub-processors (Art. 28(2), Art. 28(3)(d) and (4))

You provide general written authorisation for us to engage the sub-processors listed in Schedule A below. We bind each sub-processor to data protection obligations equivalent to those in this DPA. We remain liable to you for the acts and omissions of our sub-processors.

We will give you at least thirty (30) days' advance notice (by email to your account owner and via the Customer Portal) before adding or replacing a sub-processor. You may object on reasonable data-protection grounds; if we cannot resolve the objection we will allow you to terminate the Terms of Service for that sub-processor change without penalty for unused time.

5.5 Data subject rights (Art. 28(3)(e))

We assist you in responding to data subject rights requests (Articles 15–22) by providing self-service access to account data in the Customer Portal and by responding to written requests for export or deletion within reasonable time, taking into account the nature of the processing.

5.6 Assistance with controller obligations (Art. 28(3)(f))

We assist you with: maintaining security (Art. 32), breach notification (Arts. 33–34), DPIAs (Art. 35) and prior consultation (Art. 36), to the extent reasonably required and proportionate to the nature of our processing and the information available to us.

5.7 Deletion or return on termination (Art. 28(3)(g))

On termination of the Terms of Service, at your choice we will delete or export all processor-scope personal data we hold on your behalf within thirty (30) days. Some personal data is retained beyond that for a separate legal purpose — for example, billing invoice records are kept for six (6) years under HMRC VAT/income-tax record-keeping rules even after the operating data is deleted. The full retention schedule is in Privacy §6. Backups containing personal data are purged within thirty-five (35) days of primary deletion.

5.8 Audit and information rights (Art. 28(3)(h))

We provide all information reasonably necessary to demonstrate compliance with this DPA. The audit mechanism below is designed to satisfy Art.28(3)(h) proportionate to the scale of our processing and the residual risk to your data — a sole-trader software business with no on-premise customer data and no employees other than the proprietor.

  • Default channel — written questionnaire. You may submit a written audit questionnaire (SIG-Lite, CAIQ, or an equivalent reasonable industry framework) once per twelve-month period. We respond within ten (10) working days.
  • Sub-processor evidence.Where the question concerns a sub-processor we will furnish the sub-processor's most recent independent audit report (e.g. SOC 2, ISO 27001) under the confidentiality terms of that report.
  • On-site or live audit.If after our written response you reasonably believe there is a material data-protection deficiency that the questionnaire cannot resolve, you may request an on-site or video-call audit. We will accommodate one such audit per twelve-month period on at least thirty (30) days' written notice, conducted during normal UK business hours, subject to: (i) a written non-disclosure agreement; (ii) the audit being conducted by suitably qualified personnel (your staff or a reputable third-party auditor); (iii) the audit being scoped to the deficiency identified; and (iv) the reasonable cost of our and our sub-processors' participation being borne by you, save where the audit identifies a material breach of this DPA on our part.
  • Continuity. We will not delay or obstruct an audit reasonably required by a supervisory authority (Art.58 UK GDPR) or pursuant to a binding order of a competent court.

6. International transfers (Art. 44–49)

Personal data may be transferred to sub-processors outside the UK as shown in Schedule A. Each such transfer is made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses with the relevant sub-processor, supplemented by transfer impact assessments where appropriate.

7. Breach notification (Art. 33)

We notify you of any personal data breach affecting your data without undue delay and in any event within seventy-two (72) hours of becoming aware (aligned with our own Art. 33 obligation; we aim for 48 hours in practice). Notification will include the information required by Art. 33(3) to the extent then available, with updates as more is known.

8. Liability

The liability provisions in the Terms of Service apply to this DPA. Nothing in this DPA limits or excludes liability that cannot lawfully be excluded.

9. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters.

10. Governing law

This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule A — Authorised sub-processors

Sub-processorPurposeLocationTransfer mechanism
Supabase Inc.Database storage for support ticket content + file storage for ticket attachments; database storage for SPFx telemetry eventsEU (Ireland)Within UK/EEA — no transfer mechanism required
Vercel Inc.Web hosting and global edge delivery — terminates HTTPS for the support ticket POST + SPFx heartbeat endpoints; transient transit only, not at-rest storageUnited States (edge: global)UK IDTA + EU SCCs

11. Contact

DPA queries: privacy@sharepointforge.co.uk. We will execute a counter-signed PDF copy of this DPA via DocuSign or equivalent on request.