Provectus Software GmbH

Data Protection & GDPR Compliance

Secure Contacts App (SCA) is a mobile-only solution for iOS and Android that enables organizations to manage corporate contact data securely. Data is retrieved directly from the customer’s Azure tenant and is protected according to Intune or MDM/MAM policies.

Provectus provides the application only and does not access, store, or process personal data. The customer organization remains the data controller, while Microsoft acts as the data processor for cloud-based synchronization. No Data Processing Agreement (DPA) with Provectus is required under Article 28 GDPR.

All personal data is processed locally on the device or through Microsoft services under the customer’s agreements, ensuring GDPR compliance and corporate data protection.

Data Processing

  • Local processing (on device)

    • Contact data is stored and cached only on the end user’s mobile device.

    • Data is encrypted at rest using the device’s native security mechanisms (iOS/Android).

    • When the app is uninstalled, stored data is removed.

  • Cloud processing (via Microsoft services)

    • Synchronization occurs through services such as Microsoft Graph API.

    • All communication is encrypted in transit (TLS).

    • Data residency, compliance, and security are governed by Microsoft’s contractual commitments with the customer organization.

Roles and Responsibilities

  • Provectus (App Provider)

    • Does not access, store, or process contact data.

    • Is neither a controller nor a processor under GDPR definitions.

  • Customer Organization

    • Acts as the data controller.

    • Responsible for configuring Intune policies or other device/app protection settings, governing access, and handling data subject requests (DSRs).

Typical Scenarios

Scenario
Handling

Lost or stolen device

Contact data remains protected through device encryption and can be wiped remotely via Intune or MDM.

Policy change

SCA applies updates at the next sync or upon re-login/re-enrollment.

Offline use

Contacts remain available in the local cache until the next synchronization.

Data subject request

The customer organization responds directly, as Provectus has no access to personal data.

Key Takeaways

  • SCA ensures that all personal data remains under the control of the customer organization.

  • Data is processed only locally on the device or via Microsoft services governed by the customer’s agreements with Microsoft.

  • Provectus does not act as a controller or processor under GDPR.

Additional Resources

Final Note

Under the GDPR, a Data Processing Agreement (DPA) pursuant to Article 28 is required only where a processor handles personal data on behalf of a controller. In the case of the Secure Contacts App (SCA):

  • Customer organization acts as the data controller.

  • Microsoft acts as the data processor for cloud-based synchronization services (e.g., Microsoft Graph), governed by the customer’s existing agreements with Microsoft.

  • Provectus provides only the application software and is contractually and technically excluded from accessing, storing, processing, or transmitting personal data.

Accordingly, Provectus is neither a controller nor a processor within the meaning of Article 4 GDPR, and no Data Processing Agreement with Provectus under Article 28 GDPR is required.

PreviousTechnical / Security OverviewNextEditions

Last updated

Was this helpful?