Last updated: April 25, 2026
Data Processing Agreement
This Data Processing Agreement (“DPA”) governs the rights and obligations of the parties with regard to processing of personal data in connection with the use of the SaaS product MSPercury and supplements any existing main service agreement between the parties.
1. The parties
Controller under Art. 4(7) GDPR (“Customer”):
______________________________________
Address: ______________________________________
Authorized signatory: ____________________
Processor under Art. 4(8) GDPR (“MSPercury”):
IT Systeme Flores UG (haftungsbeschränkt)
Neufeldweg 25a
51427 Bergisch Gladbach
Germany
Represented by: Lucas Flores
Commercial register: Amtsgericht Köln, HRB XXXXXX
VAT ID: DE XXX XXX XXX
Privacy contact: privacy@mspercury.com
2. Subject matter and duration
The subject of this DPA is the processing of personal data by MSPercury on behalf of the Customer in connection with the provision and operation of the MSPercury SaaS application. Nature and scope of processing are defined in Annex 1.
The duration of this DPA matches the duration of the main service agreement and ends automatically when the main agreement ends.
3. Customer's right to instruct
MSPercury processes personal data solely on documented instructions from the Customer, including those implicit in this DPA, the main agreement, and ordinary use of the SaaS application. Any deviation requires the Customer's written consent.
4. Obligations of the processor
MSPercury shall:
- process personal data only on the Customer's instructions (Art. 28(3)(a) GDPR);
- engage only personnel bound by confidentiality (Art. 28(3)(b), Art. 29 GDPR);
- implement the TOMs in Annex 3 (Art. 32 GDPR);
- engage sub-processors only under the conditions of Section 5 (Art. 28(2), (4));
- assist the Customer with its obligations under Articles 32 to 36 GDPR (Art. 28(3)(f));
- assist with data-subject requests under Chapter III GDPR (Art. 28(3)(e));
- at the Customer's choice, return or delete personal data upon termination (Art. 28(3)(g));
- make available all information necessary to demonstrate compliance with Art. 28 (Art. 28(3)(h)).
5. Sub-processors
The Customer gives general written authorization for the sub-processors listed in Annex 2. MSPercury concludes Art. 28-compliant agreements with every sub-processor.
MSPercury notifies the Customer of intended additions or replacements at least 14 days in advance by email. The Customer may object within that period on data-protection grounds.
6. Audit rights of the controller
The Customer may verify compliance with this DPA. On request MSPercury makes available the TOMs in Annex 3, current audit reports (if any), and redacted copies of the sub-processor agreements.
On-site audits are permitted with at least 30 days' notice during business hours.
7. Technical and organizational measures
MSPercury implements the TOMs set out in Annex 3 to ensure a level of security appropriate to the risk (Art. 32 GDPR).
8. Personal-data breach notification
MSPercury notifies the Customer of any personal-data breach within the meaning of Art. 4(12) GDPR without undue delay, at the latest 48 hours after becoming aware. The notice contains:
- a description of the nature of the breach
- where possible, categories and approximate number of data subjects and records
- contact details of the MSPercury representative
- likely consequences
- measures taken or proposed to mitigate the breach
9. Third-country transfers
MSPercury processes personal data as a rule within the European Union / EEA only (Hetzner data centres in Germany). Transfers to third countries only occur in the context of the sub-processors in Annex 2, on the basis of an adequacy decision (Art. 45 GDPR) or EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
10. Term, return, deletion
Upon termination the Customer chooses:
- Return: data export as a ZIP archive (JSON + CSV) via Settings → Data export, within 30 days.
- Deletion: after the 30-day period data is irreversibly deleted, except invoicing data retained under § 147 AO.
11. Liability and miscellaneous
Liability is governed by applicable statutory law (esp. Art. 82 GDPR) and the main service agreement.
This DPA is governed by German law. Place of jurisdiction, to the extent admissible, is Bergisch Gladbach, Germany.
Annex 1 — Subject matter, nature, purpose
Subject
Provision and operation of the MSPercury SaaS application for IT CheckUps, quote generation, customer-roster management and billing.
Nature of processing
- collection, storage, structuring, display, retrieval, modification, deletion
- transmission to sub-processors per Annex 2
- export / return to the controller
Categories of personal data
- End-customer master data (the MSP's own customers): company name, contact person, email, phone, address, tax/VAT ID.
- Project parameters: workstation counts per OS, server counts, user counts, infrastructure photos, notes.
- CheckUp data: question answers, findings, solution notes, priorities, photos.
- Customer user data: name, email, role, password hash, optionally M365 Object-ID.
- Log & security data: IP, user-agent, timestamp.
Categories of data subjects
- Customer's employees and contacts
- End-customer contacts the Customer chooses to record
Annex 2 — Sub-processors
| Sub-processor | Location | Service | Legal basis |
|---|---|---|---|
| Hetzner Online GmbH, Gunzenhausen | Germany (Falkenstein / Nuremberg) | VPS hosting, SMTP relay, off-site backup | Art. 28 GDPR (intra-EU) |
| Stripe Payments Europe, Ltd., Dublin | Ireland; Stripe group potentially USA | Payments (Checkout, Tax) | Art. 28 + Art. 46(2)(c) SCCs / Art. 45 EU-US DPF |
| Microsoft Ireland Operations Ltd. | Ireland / USA | OAuth (only when M365 SSO is used) | Art. 28 + Art. 46/45 |
Annex 3 — Technical and organizational measures
Physical access control
- Production runs exclusively at Hetzner Online GmbH (ISO 27001 DC, 24/7 security, CCTV).
- MSPercury staff has no physical access to customer data.
System access control (login)
- End-to-end TLS 1.3; HSTS enabled (1 year).
- bcrypt password hashing (cost factor ≥ 12).
- Session cookies with HttpOnly, Secure, SameSite=Lax.
- Optional single sign-on via Microsoft Entra ID.
- Rate limiting on login; production SSH key-only + IP allowlist.
Data-access control (isolation)
- Strict multi-tenant isolation via organizationId on every query.
- Role model: admin / member.
- Privileged-admin access is logged.
Transmission control
- All HTTP over TLS 1.3; no unencrypted personal data by email.
Input control
- Finalised CheckUps are immutable.
- Audit log for security-critical changes (in preparation, active before first paying customer).
Availability
- Daily SQLite backups; off-site replication to Hetzner Storage Box, 30-day retention.
- Monitoring via PM2 auto-restart + external uptime check.
- Quarterly restore drill.
Separation
- Logical tenant separation via organizationId.
- Dev / staging / prod separated physically and by config.
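As an added illustration of the "organizationId on every query" isolation control above (example code, not MSPercury's own implementation; the table and column names are assumed), the following shows the two layers a practitioner would want: a query builder that always injects the tenant predicate, and a guard that rejects hand-written SQL lacking it.

```javascript
// Added example for the Annex 3 tenant-isolation control; not MSPercury's code.
// Assumed schema: every tenant-owned table carries an "organizationId" column.
const TENANT_COLUMN = "organizationId";
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Layer 1: build a parameterized SELECT that is always scoped to one tenant.
// `filters` are extra equality predicates supplied by application code; the
// caller cannot override the tenant predicate through them.
function scopedSelect(table, organizationId, filters = {}) {
  if (!IDENT.test(table)) throw new Error(`invalid table name: ${table}`);
  if (organizationId === undefined || organizationId === null) {
    throw new Error(`${TENANT_COLUMN} is required for every query`);
  }
  const where = [`${TENANT_COLUMN} = ?`];
  const params = [organizationId];
  for (const [col, val] of Object.entries(filters)) {
    if (col === TENANT_COLUMN) continue; // ignore attempts to re-scope the tenant
    if (!IDENT.test(col)) throw new Error(`invalid column name: ${col}`);
    where.push(`${col} = ?`);
    params.push(val);
  }
  return { sql: `SELECT * FROM ${table} WHERE ${where.join(" AND ")}`, params };
}

// Layer 2: defense-in-depth guard for raw SQL against tenant tables. Rejects any
// SELECT/UPDATE/DELETE whose WHERE clause has no "organizationId = ?" predicate.
// This is a heuristic (it does not parse SQL), so the builder above remains the
// primary control; the guard only catches queries that bypass it outright.
function assertTenantScoped(sql) {
  const stmt = sql.trim();
  const kind = stmt.split(/\s+/)[0].toUpperCase();
  if (!["SELECT", "UPDATE", "DELETE"].includes(kind)) return true;
  const whereIdx = stmt.toUpperCase().indexOf(" WHERE ");
  if (whereIdx === -1) throw new Error("unscoped query rejected: no WHERE clause");
  const whereClause = stmt.slice(whereIdx + " WHERE ".length);
  const tenantPredicate = new RegExp(`\\b${TENANT_COLUMN}\\s*=\\s*\\?`, "i");
  if (!tenantPredicate.test(whereClause)) {
    throw new Error(`unscoped query rejected: missing ${TENANT_COLUMN} predicate`);
  }
  return true;
}
```

Wiring `assertTenantScoped` into the database access layer (before every `prepare` call) turns a missed tenant filter into a failed request instead of a cross-tenant data exposure.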
Signature
This DPA enters into force when signed by both parties. Please send the completed, signed DPA by email to privacy@mspercury.com — we countersign and return the counterpart.
| Place, date, signature — Controller (Customer) | Place, date, signature — Processor (IT Systeme Flores UG) |