HomeLegalData processing agreement

Data processing agreement

The DPA between Lawsons Enterprises Ltd (trading as ScanPosture) and customers using the service. UK GDPR compliant.

Last updated March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Lawsons Enterprises Ltd (trading as ScanPosture™) and the organisation using the ScanPosture service (“Customer”), together the “Parties”.

This DPA is entered into in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1 · Definitions

“Controller” means the Customer, who determines the purposes and means of processing personal data within their Azure AD tenant.

“Processor” means Lawsons Enterprises Ltd (trading as ScanPosture, Company No. 16433965, VAT GB495884223, ICO Registration ZC120359), which processes personal data on behalf of the Controller to provide the scanning service.

“Personal Data” means any data relating to an identified or identifiable natural person that is processed by ScanPosture in the course of providing the service.

“Processing” means any operation performed on personal data, including collection, storage, retrieval, analysis and deletion.

“Sub-processor” means any third party engaged by ScanPosture to process personal data on behalf of the Customer.

“Data Subject” means an identifiable natural person whose personal data is processed.

“UK GDPR” means the General Data Protection Regulation as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018, as amended.

2 · Scope and purpose of processing

ScanPosture processes personal data solely to provide the Azure AD / Entra ID security scanning service as described in the Terms of Service. Processing activities include:

  • Reading user-profile data from the Customer’s Azure AD tenant via Microsoft Graph API (read-only access)
  • Storing scan results including user principal names, sign-in activity, role assignments and risk data
  • Analysing security configurations to generate findings and security scores
  • Sending email notifications related to scan results and account activity

ScanPosture does not process personal data for any other purpose, including marketing, profiling or sale to third parties.

3 · Categories of data subjects

  • Employees and staff of the Customer whose accounts exist in the Customer’s Azure AD tenant
  • Guest and external users with accounts in the Customer’s Azure AD tenant
  • Service accounts and application identities (non-human, but may be associated with individuals)

4 · Types of personal data processed

  • User principal names (email addresses)
  • Display names
  • Job titles (where available in Azure AD)
  • Sign-in timestamps and activity logs
  • Account status (enabled / disabled)
  • MFA registration status
  • Role and group membership assignments
  • Risk-level flags from Microsoft Identity Protection
  • IP addresses associated with sign-in events (where flagged as risky)

ScanPosture does not access or process:

  • Email content or attachments
  • File contents (OneDrive, SharePoint)
  • Chat messages (Teams)
  • Passwords or password hashes
  • Payment-card data (handled solely by Stripe)

5 · Obligations of the processor (ScanPosture)

ScanPosture shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by UK law.
  • Ensure that all personnel with access to personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures, including: encryption of data at rest (AES-256 via Supabase), encryption of data in transit (TLS), encryption of Azure AD refresh tokens, Row-Level Security enforcing tenant data isolation, mandatory MFA for all ScanPosture accounts, and access logging.
  • Not engage any sub-processor without prior written notice to the Controller.
  • Assist the Controller in responding to Data Subject requests within the timeframes required by UK GDPR.
  • Notify the Controller without undue delay (and within 24 hours) upon becoming aware of a personal data breach.
  • Assist the Controller with data-protection impact assessments and prior consultation with the ICO where required.
  • Delete or return all personal data upon termination of the service, subject to the retention periods described in Section 8.
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations.

6 · Obligations of the controller (Customer)

The Customer shall:

  • Ensure that it has a lawful basis for processing the personal data of its Azure AD users and for granting ScanPosture read-only access to that data.
  • Ensure that Data Subjects are informed of the processing, including through appropriate privacy notices.
  • Provide documented instructions for processing that are compliant with UK GDPR.
  • Notify ScanPosture promptly of any Data Subject requests that ScanPosture must assist with.

7 · Sub-processors

The complete, current sub-processor list is published at /sub-processors and includes vendor name, purpose, data category and processing region for each. ScanPosture will notify the Customer of any intended changes to sub-processors at least 30 days before the change takes effect. The Customer may object to the change within that period.

8 · Data retention and deletion

  • Active subscription: personal data is retained for as long as the Customer’s subscription is active.
  • After cancellation: personal data is retained for 90 days to allow for reactivation, then permanently deleted.
  • Audit logs and billing records: retained for 7 years as required by HMRC and UK law.
  • Beta waitlist data: retained for up to 24 months from signup, or until deletion is requested.

Upon termination, the Customer may export all their data via the dashboard before the 90-day retention period expires. After permanent deletion, data cannot be recovered.

9 · International data transfers

ScanPosture’s primary database is hosted in the United Kingdom (London region) via Supabase. Some sub-processors (Resend, Stripe) may process data in EU or US regions in line with their published data residency models — full detail at /sub-processors.

Where personal data is transferred outside the UK, ScanPosture ensures that appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and verification that the receiving country provides adequate protection.

10 · Data breach notification

In the event of a personal data breach affecting Customer data, ScanPosture will:

  • Notify the Customer without undue delay and within 24 hours of becoming aware of the breach.
  • Provide information including the nature of the breach, categories and number of Data Subjects affected, likely consequences, and measures taken to address it.
  • Cooperate with the Customer in notifying the ICO (within 72 hours) and affected Data Subjects where necessary.
  • Document the breach and all related facts, its effects, and the remedial actions taken.

11 · Audits

The Customer may request evidence of ScanPosture’s compliance with this DPA. ScanPosture will provide:

  • Copies of relevant security policies and procedures
  • Evidence of technical and organisational measures
  • Results of any third-party security audits or penetration tests (when available)

On-site audits are not available during the beta period. ScanPosture will consider reasonable audit requests from paying customers on a case-by-case basis, with at least 30 days’ notice.

12 · Duration and termination

This DPA is effective for as long as the Customer uses the ScanPosture service. It terminates automatically when the Customer’s account is deleted and all personal data has been permanently removed in accordance with the retention periods described in Section 8.

Obligations relating to confidentiality and data-breach notification survive termination.

13 · Governing law

This DPA is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.

14 · Contact

For questions about this DPA or to exercise data-protection rights:

  • Data Controller: the Customer (your organisation)
  • Data Processor: Lawsons Enterprises Ltd (trading as ScanPosture)
  • Email: contact@scanposture.com
  • Company No.: 16433965
  • VAT No.: GB495884223
  • ICO Registration: ZC120359
  • Registered in: England & Wales