Presify Data Processing Agreement
Template notice. This document is a first-pass template drafted by Claude. It has not been reviewed by an attorney. Engage qualified legal counsel before publishing it as a binding contract. This template is provided as a starting point only and is not legal advice.
Effective Date: June 4, 2026
This Data Processing Agreement (this "DPA") supplements and forms part of the Terms of Service (the "Agreement") between Presify, LLC, a Florida limited liability company ("Presify," "we," "us," or "our"), and the entity identified as Customer on the Agreement ("Customer" or "you").
This DPA governs Presify's processing of Personal Data on Customer's behalf in connection with the Service.
1. Definitions
Capitalized terms used and not defined in this DPA have the meanings given in the Agreement.
1.1 "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Presify on Customer's behalf in connection with the Service, including without limitation the categories described in Schedule 1.
1.2 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including Authorized Users and Monitored Users.
1.3 "Processing" has the meaning given in applicable Data Protection Laws (typically, any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, and deletion).
1.4 "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, Customer is the Controller.
1.5 "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Presify is the Processor.
1.6 "Sub-processor" means any third party engaged by Presify to process Personal Data on Customer's behalf.
1.7 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Presify or its Sub-processors.
1.8 "Data Protection Laws" means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this DPA, including without limitation the California Consumer Privacy Act ("CCPA") and any other state laws of similar effect.
2. Roles and Scope
2.1 Roles. With respect to Personal Data Processed under this DPA, Customer is the Controller, and Presify is the Processor. Each party will comply with its respective obligations under applicable Data Protection Laws.
2.2 Scope. This DPA applies to all Personal Data Processed by Presify on Customer's behalf in providing the Service.
2.3 Customer instructions. Presify will Process Personal Data only on the documented instructions of Customer, as set out in the Agreement, this DPA, and the configuration of the Service by Customer. The Service's published functionality (collecting presence events, generating reports, and similar activities) constitutes Customer's documented instructions. If Presify reasonably believes that a Customer instruction violates applicable law, Presify will inform Customer (unless prohibited by law from doing so) and may refuse to process the instruction until the matter is resolved.
2.4 Subject matter, duration, nature, purpose, and categories. A description of the Processing under this DPA is set out in Schedule 1.
3. Presify Obligations
3.1 Confidentiality. Presify will ensure that persons authorized to Process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Presify limits access to Personal Data to personnel and contractors who need access to perform Presify's obligations under the Agreement.
3.2 Security measures. Presify will implement and maintain commercially reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. A summary of these measures is set out in Schedule 2.
3.3 Assistance with Data Subject requests. Taking into account the nature of the Processing, Presify will provide reasonable assistance to Customer in fulfilling Customer's obligations to respond to Data Subject requests under applicable Data Protection Laws. The Service includes in-application functionality for Customer to fulfill access, deletion, and export requests. For requests that cannot be fulfilled using in-application functionality, Customer may contact support@presify.io for additional assistance, which may be subject to reasonable fees if the request requires significant manual effort.
3.4 Assistance with breach notification. In the event of a Personal Data Breach affecting Customer's Personal Data, Presify will, without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach: (a) notify Customer, (b) provide a description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records affected, (c) describe the likely consequences of the breach, and (d) describe the measures taken or proposed to be taken to address the breach.
3.5 Assistance with assessments. Presify will provide reasonable assistance to Customer in conducting data protection impact assessments and consultations with supervisory authorities, where required by applicable Data Protection Laws.
3.6 Records. Presify will maintain records of its Processing activities as required by applicable Data Protection Laws and will make such records available to Customer upon reasonable request.
4. Sub-processors
4.1 General authorization. Customer provides Presify with a general authorization to engage Sub-processors to assist with providing the Service.
4.2 Current Sub-processors. The current list of Sub-processors is set out in Schedule 3 and is maintained on the Presify Privacy Policy at presify.io/privacy.
4.3 Notice of new Sub-processors. Presify will provide Customer with at least thirty (30) days' notice before engaging a new Sub-processor or changing an existing Sub-processor that materially affects the Processing of Customer's Personal Data. Notice will be provided by email to Customer's Account Owner or by an updated Sub-processor list on the Privacy Policy page combined with notice in the in-application notifications center.
4.4 Customer objection. Customer may object to a new or changed Sub-processor on reasonable grounds related to the Sub-processor's ability to comply with this DPA by sending written notice to legal@presify.io within thirty (30) days of Presify's notice. If Customer objects, the parties will work together in good faith to resolve the objection. If no resolution is reached, Customer's exclusive remedy is to terminate the Agreement for the affected portion of the Service.
4.5 Sub-processor obligations. Presify will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Presify remains liable for the acts and omissions of its Sub-processors with respect to the Processing of Personal Data.
5. International Transfers
5.1 Current geographic scope. The Service is operated entirely on infrastructure located in the United States. By using the Service, Customer instructs Presify to transfer and Process Personal Data in the United States.
5.2 EU and UK data. The Service is not currently designed for the Processing of Personal Data of Data Subjects located in the European Union or the United Kingdom. Customer should not enroll EU- or UK-based individuals as Monitored Users without first contacting Presify to confirm appropriate transfer mechanisms are in place. As of the Effective Date, Presify has not implemented Standard Contractual Clauses or other approved cross-border transfer mechanisms for EU/UK data.
5.3 Future expansion. If Customer requires Processing of EU/UK data in the future, the parties will execute additional documentation as required by applicable Data Protection Laws before such Processing begins.
6. Data Subject Rights
6.1 Customer responsibility. As Controller, Customer is responsible for responding to Data Subject requests. Customer is solely responsible for the legal basis of the Processing, providing required notices to Data Subjects, and obtaining required consents.
6.2 Presify forwarding. If Presify receives a Data Subject request directly relating to Customer's Personal Data, Presify will (a) acknowledge receipt to the Data Subject, (b) forward the request to Customer without undue delay, and (c) not respond to the Data Subject regarding the substance of the request except to confirm receipt and forwarding, unless directed by Customer or required by law.
6.3 Self-service tools. Customer may use the Service's in-application functionality to fulfill the following Data Subject requests for Monitored Users:
- Right to know: the per-user data export feature provides a complete record of presence events for a specified Monitored User within the retention window.
- Right to delete: the per-user data deletion feature deletes all presence data for a specified Monitored User, with display-name confirmation to prevent accidental deletion.
- Right to correct: presence data reflects what Microsoft Graph reported and is not directly editable. Inaccuracies in display name or UPN propagate via Microsoft's user directory and are picked up automatically by the Service's user delta sync.
7. Personal Data Breach Notification
7.1 Notification timeline. Per Section 3.4, Presify will notify Customer of a Personal Data Breach affecting Customer's Personal Data without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
7.2 Cooperation. The parties will cooperate in the investigation, remediation, and notification (where required) of any Personal Data Breach.
7.3 No public disclosure without consent. Neither party will make any public disclosure of a Personal Data Breach affecting Customer's data without the prior written consent of the other party, except where required by applicable law.
8. Audits
8.1 Information requests. Presify will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including summaries of security measures, third-party audit reports, and certifications when available.
8.2 Audit rights. Customer may, upon reasonable written notice and no more than once per twelve (12) month period (or more frequently if required by a supervisory authority or following a confirmed Personal Data Breach), conduct an audit of Presify's compliance with this DPA. Audits will be conducted during regular business hours, will not unreasonably interfere with Presify's operations, and will be subject to confidentiality obligations. Customer will bear the costs of any audit unless the audit reveals material non-compliance, in which case Presify will reimburse Customer for reasonable audit costs.
8.3 Alternative to on-site audit. As an alternative to an on-site audit, Customer may request and Presify will provide: (a) a written response to a security questionnaire, (b) summaries of internal security assessments, or (c) once available, third-party audit reports such as SOC 2 or ISO 27001 attestations.
9. Liability and Indemnification
Liability under this DPA is subject to the limitations of liability set out in the Agreement, including the cap on cumulative liability. Nothing in this DPA expands or contracts the liability allocations in the Agreement, except as required by applicable Data Protection Laws.
10. Term and Termination
10.1 Term. This DPA takes effect on the Effective Date and continues for the duration of the Agreement. Provisions of this DPA that by their nature should survive termination (including obligations regarding return or deletion of Personal Data and confidentiality) survive termination.
10.2 Deletion or return of Personal Data. Upon termination of the Agreement, Presify will delete Personal Data in accordance with the cancellation lifecycle described in the Agreement, except where retention is required by applicable law. Specifically:
- During the thirty (30) day read-only window following cancellation, Customer may export its Personal Data using in-application functionality.
- At the end of the read-only window, Presify deletes Customer Data including all presence events, daily rollups, anomaly findings, presence gaps, pending enrollment records, monitored user records, Graph subscription records, tenant settings, manager scope assignments, report jobs, report files in S3, cancellation surveys, checkout sessions, and pending admin invites.
- Tenant identification fields (Microsoft tenant ID, domain, organization name) are anonymized while preserving anonymized billing audit trail records as required for tax and accounting purposes.
- Audit log entries are retained as part of Presify's compliance evidence, subject to security access controls.
- Customer may request immediate deletion (bypassing the read-only window) via the in-application "Delete all data" feature.
10.3 Confirmation of deletion. Upon request, Presify will confirm deletion in writing.
11. General
11.1 Order of precedence. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data.
11.2 Governing law. This DPA is governed by the laws of the State of Florida, consistent with the Agreement.
11.3 No third-party beneficiaries. This DPA does not create any third-party beneficiary rights.
11.4 Modifications. Presify may modify this DPA as necessary to comply with changes in Data Protection Laws or to reflect changes to the Service. Material changes will be communicated to Customer by email at least thirty (30) days before they take effect.
Schedule 1 — Description of Processing
Subject matter of Processing: Provision of the Presify service, including collection, storage, analysis, and reporting of Microsoft Teams presence data.
Duration of Processing: For the term of the Agreement and any post-termination read-only window, plus retention periods required by law.
Nature of Processing: Automated collection of presence status by polling the Microsoft Graph API at a regular interval; storage of presence events in a relational database; aggregation into daily summaries; generation of reports; detection of anomaly patterns; display of dashboards; export of data on Customer's request.
Purpose of Processing: To provide Customer with historical reporting and analytics on Microsoft Teams presence data for Customer's monitored users.
Types of Personal Data:
- Microsoft user identifier (immutable)
- User principal name (UPN)
- Display name
- Microsoft tenant identifier
- Presence status changes (Available, Busy, Away, In a Meeting, etc.) with timestamps
- Aggregated presence statistics (daily totals, anomaly findings)
- For Authorized Users: name, work email, Microsoft user identifier, last sign-in timestamp
- For billing contacts: name, email, organization name (managed by Stripe)
Categories of Data Subjects:
- Authorized Users of the Service (typically IT administrators of Customer)
- Monitored Users selected by Customer for presence data collection
Excluded categories (not processed by the Service):
- Special categories of personal data under GDPR Article 9 (such as health, racial or ethnic origin, religious beliefs, political opinions, biometric data)
- Children's data (under thirteen)
- Email, chat, or file content
- Calendar event content
- Government-issued identifiers
Schedule 2 — Technical and Organizational Measures
Presify implements the following technical and organizational measures:
Encryption
- Data at rest encrypted using AES-256 within AWS managed services (RDS / Aurora encrypted storage, S3 with server-side encryption)
- Microsoft Graph access tokens stored as encrypted columns using AES-256-GCM
- Data in transit encrypted using TLS 1.2 or higher
Access controls
- Multi-factor authentication required for all personnel with administrative access to production systems
- Role-based access controls with least-privilege design
- Customer access via Microsoft Entra ID single sign-on
- Internal admin access scoped via Secrets Manager allowlist
- All administrative impersonation requires Customer opt-in and is logged with both the impersonating personnel UPN and the impersonated user UPN
Network security
- Production databases located in private subnets with no public network access
- Lambda compute resources in private subnets with restricted egress to known service endpoints
- AWS Web Application Firewall (WAF) on public endpoints with rate limiting and OWASP rule sets
- Stripe webhook signature verification on every billing event; Microsoft Graph accessed over TLS using encrypted, short-lived application tokens
Logical isolation
- Multi-tenant data model with tenant_id scoping on every database query
- PostgreSQL Row Level Security policies enforce tenant isolation as a second layer
- S3 bucket key prefixes per tenant with IAM policy enforcement
- Cross-tenant data leakage tests run on every code change
Monitoring and detection
- AWS GuardDuty for threat detection
- AWS Security Hub for security posture
- AWS Inspector for vulnerability scanning
- AWS CloudTrail for API audit logging
- AWS X-Ray for distributed tracing
- Application-level audit log (append-only, row-level-security enforced)
- Failed sign-in attempt logging and alerting
Backup and recovery
- Automated database backups with point-in-time recovery
- Multi-availability-zone deployment for production database
- Quarterly recovery drills
Vulnerability and incident management
- Automated dependency scanning with vulnerability blocking on high-severity findings
- License audit on all dependencies
- Software bill of materials (SBOM) generation
- Incident response runbooks and severity classification framework
- Cyber liability insurance with carrier-coordinated incident response
Personnel security
- Background checks for personnel with production access (as feasible for a small organization)
- Confidentiality obligations for all personnel and contractors
- Acceptable use and security policies provided to personnel
Data minimization and retention
- Only data necessary to provide the Service is collected
- Plan-gated retention with automatic deletion of expired data
- Per-user deletion and per-user export features available to Customers
Schedule 3 — Sub-processors
The following Sub-processors process Personal Data on behalf of Presify in connection with the Service. The current list is also maintained at presify.io/privacy.
| Sub-processor | Service provided | Location | Categories of data |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, compute, storage, networking, security tooling | United States | All Personal Data |
| Stripe, Inc. | Subscription billing and payment processing | United States | Billing email, organization name, subscription tier |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring (PII scrubbed before submission) | United States | Application telemetry, error reports |
| Better Stack, Ltd. | Status page and uptime monitoring | United States and European Union | Service availability metrics (no Personal Data of Customer Data Subjects) |
| Freshworks, Inc. (Freshdesk) | Customer support ticketing | United States | Support ticket contents which may reference Authorized Users or Monitored Users |
| Microsoft Corporation | Authentication (Entra ID) and presence data source (Microsoft Graph) | Customer's Microsoft tenant region | Authentication tokens, presence events accessed under Customer's tenant consent |
Last updated: June 4, 2026