1. Parties and relationship
This Data Processing Agreement ("DPA") is entered into between:
Controller: The MSP company subscribing to the Beacon platform ("Subscriber", "Controller"), identified by the organisation details provided at registration.
Processor: Beacon MSP ("Beacon", "Processor"), the operator of the Beacon compliance monitoring platform, reachable at hello@beaconmsp.io.
This DPA supplements and forms part of the Terms of Service. In the event of conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails. By accepting the Terms of Service during registration, the Subscriber also accepts this DPA.
The parties acknowledge that, for purposes of GDPR, the Subscriber is the data controller and Beacon is the data processor with respect to personal data processed in the delivery of the Service.
2. Subject matter, nature, and purpose of processing
Beacon processes personal data on the Controller's behalf for the following purpose:
- Operating the Beacon compliance monitoring platform for the Controller's account, including authenticating the Controller's users, storing their access credentials and preferences, and making scan results available through the portal
- Performing automated Microsoft Azure security compliance scans against the client tenants the Controller has registered in Beacon
- Maintaining tamper-evident audit logs of administrative actions taken by the Controller's users on the platform
- Sending transactional notifications (scan alerts, account notifications) to the Controller's users via email
Processing is strictly limited to what is necessary to deliver the Service as described in the Terms of Service.
3. Duration of processing
Processing continues for the duration of the active subscription. Upon termination or expiry of the subscription, Beacon will cease processing and will delete or return all personal data within the retention windows specified in the Privacy Policy (account data deleted within 30 days; audit logs deleted within 12 months of the log entry date; billing records retained for 7 years as legally required).
4. Types of personal data processed
The following categories of personal data are processed:
- Identity data: First name, last name
- Contact data: Work email address
- Authentication data: Hashed passwords (bcrypt), TOTP MFA secrets (encrypted)
- Audit log data: User ID, IP address, timestamp, and action detail for each administrative action
Azure app registration credentials (Tenant ID, Client ID, Client Secret, Certificate) are not personal data of natural persons but are sensitive business data belonging to the Controller. They are nonetheless protected with the same or greater technical controls as personal data (AES-256-GCM encryption at rest, access restricted to scan execution).
5. Categories of data subjects
Processing affects the following categories of data subjects:
- MSP staff who are users of the Beacon portal (account holders, invited users, team members)
The platform does not process personal data of the Controller's clients' employees or end users. Azure scan results contain Azure resource metadata and configuration data, not personal data of identifiable individuals.
6. Controller's obligations
The Controller agrees to:
- Have a lawful basis for providing Beacon with access to each client Azure tenant (typically: the Controller's MSA with the client authorises third-party monitoring tool integration)
- Ensure that its instructions to Beacon comply with applicable data protection law
- Be responsible for ensuring data subjects (its users) are informed of processing by Beacon via the Controller's own privacy notices, in addition to Beacon's Privacy Policy
- Promptly remove credentials for any client tenant whose relationship with the Controller has ended
- Ensure that invited portal users have been informed of and have consented (where required) to having their account data processed on the Beacon platform
7. Processor's obligations
Beacon agrees to:
- Process only on documented instructions: Process personal data only as instructed by the Controller (via the Service's functions) or as required by applicable law. If applicable law requires processing beyond the Controller's instructions, Beacon will inform the Controller before such processing, unless prohibited by law.
- Confidentiality: Ensure that all Beacon personnel authorised to process the Controller's data are bound by confidentiality obligations (contractual or statutory).
- Security: Implement and maintain appropriate technical and organisational security measures as described in Section 9 below.
- Sub-processing: Not engage any sub-processor without prior written or in-platform notification to the Controller; ensure sub-processors are bound by obligations equivalent to this DPA.
- Data subject rights assistance: Assist the Controller in responding to data subject rights requests under GDPR (access, rectification, erasure, portability) by providing such tools and information as are reasonable and technically feasible. Self-service data export and account deletion are available from the portal settings.
- Breach notification: Notify the Controller without undue delay (and no later than 48 hours after becoming aware) of any personal data breach affecting the Controller's data, together with sufficient detail to allow the Controller to meet its GDPR 72-hour breach notification obligation to supervisory authorities.
- Deletion or return: At the Controller's choice, delete or return all personal data upon termination, as described in Section 3.
- Audit cooperation: Make available all information reasonably necessary to demonstrate compliance with this DPA. Where the Controller requests an audit, Beacon will accommodate reasonable audit requests (which may be satisfied by providing third-party audit reports or security questionnaire responses in the first instance).
8. Sub-processors
The Controller authorises Beacon to engage the following sub-processors to deliver the Service. Beacon will notify the Controller of any intended changes via email to the account holder, with at least 14 days' notice before engaging a new sub-processor:
| Sub-processor | Role | Location | Transfer mechanism |
|---|
| Railway |
Application hosting, PostgreSQL database |
EU and US |
Standard Contractual Clauses |
| Vercel |
CDN, static asset delivery |
US (global CDN) |
Standard Contractual Clauses |
| Stripe |
Payment processing, subscription billing |
US (Stripe Payments Europe for EU) |
Standard Contractual Clauses / adequacy decision |
| Resend |
Transactional email delivery |
US |
Standard Contractual Clauses |
| Sentry |
Error tracking, application performance monitoring |
US |
Standard Contractual Clauses |
| Microsoft Azure |
Outbound API calls for compliance scanning |
Global (Microsoft data centres) |
Microsoft Data Processing Agreement / adequacy |
Beacon ensures each sub-processor is bound by data processing obligations at least equivalent to those in this DPA before processing commences.
9. Technical and organisational security measures
Beacon implements the following technical and organisational measures to protect personal data and sensitive business data. These measures may be updated over time; Beacon will maintain measures that meet or exceed industry standards for a B2B SaaS platform handling sensitive credentials.
9.1 Encryption
- All Azure app registration secrets and certificates stored in the database are encrypted with AES-256-GCM. The authentication tag ensures detection of any tampering. Encryption keys are stored separately from the encrypted data.
- All data in transit is protected by TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled.
- TOTP MFA secrets are stored encrypted at rest.
9.2 Access control
- Role-based access control (RBAC) is enforced server-side. Users can only access data within their own organisation.
- Cross-organisation data access is prevented at the database query level, not just the UI layer.
- TOTP MFA is required for all user accounts.
- Beacon staff do not have access to decrypted Azure credentials under any circumstances.
- Support access to subscriber portals is scoped, time-limited, and recorded in the subscriber's audit log.
9.3 Audit logging
- Tamper-evident HMAC-SHA256 chained audit logs record all administrative actions.
- Logs capture actor ID, timestamp, source IP, and action detail.
- The chaining key is held server-side; logs cannot be forged or silently modified.
9.4 Breach notification
- Beacon maintains an incident response plan. On discovery of a personal data breach, the response team is activated immediately.
- The Controller is notified within 48 hours of Beacon becoming aware of a breach affecting the Controller's data, with sufficient detail to support the Controller's own notification obligations.
- A supervisory authority is notified within 72 hours where required by GDPR Art. 33.
9.5 Other measures
- Authentication rate limiting and account lockout after repeated failures
- Regular dependency security updates, tracked in the public changelog
- Logical isolation between subscriber organisations at the application and database level
- Secrets and credentials never included in error reports, logs, or API responses
10. International data transfers
Where personal data is transferred from the EEA to a third country (e.g., to US-based sub-processors), Beacon relies on the European Commission's Standard Contractual Clauses (2021/914/EU) as the legal transfer mechanism, supplemented by transfer impact assessments where applicable. The Controller accepts these transfer mechanisms as part of accepting this DPA.
11. Contact and questions
For questions about this DPA, data subject rights requests, or security incidents, contact:
Beacon MSP — Data Protection
Email: hello@beaconmsp.io
Subject line: DPA / Data Protection Inquiry