Data Protection & GDPR Compliance
Secure Contacts App (SCA) is a mobile-only solution for iOS and Android that enables organizations to manage corporate contact data securely. Data is retrieved directly from the customer’s Azure tenant and is protected according to Intune or MDM/MAM policies.
Provectus provides the application only and does not access, store, or process personal data. The customer organization remains the data controller, while Microsoft acts as the data processor for cloud-based synchronization. No Data Processing Agreement (DPA) with Provectus is required under Article 28 GDPR.
All personal data is processed locally on the device or through Microsoft services under the customer’s agreements, ensuring GDPR compliance and corporate data protection.
Data Processing
Local processing (on device)
Contact data is stored and cached only on the end user’s mobile device.
Data is encrypted at rest using the device’s native security mechanisms (iOS/Android).
When the app is uninstalled, stored data is removed.
Cloud processing (via Microsoft services)
Synchronization occurs through services such as Microsoft Graph API.
All communication is encrypted in transit (TLS).
Data residency, compliance, and security are governed by Microsoft’s contractual commitments with the customer organization.
Roles and Responsibilities
Provectus (App Provider)
Does not access, store, or process contact data.
Is neither a controller nor a processor under GDPR definitions.
Customer Organization
Acts as the data controller.
Responsible for configuring Intune policies or other device/app protection settings, governing access, and handling data subject requests (DSRs).
Typical Scenarios
Lost or stolen device
Contact data remains protected through device encryption and can be wiped remotely via Intune or MDM.
Policy change
SCA applies updates at the next sync or upon re-login/re-enrollment.
Offline use
Contacts remain available in the local cache until the next synchronization.
Data subject request
The customer organization responds directly, as Provectus has no access to personal data.
Key Takeaways
SCA ensures that all personal data remains under the control of the customer organization.
Data is processed only locally on the device or via Microsoft services governed by the customer’s agreements with Microsoft.
Provectus does not act as a controller or processor under GDPR.
Final Note
Under the GDPR, a Data Processing Agreement (DPA) pursuant to Article 28 is required only where a processor handles personal data on behalf of a controller. In the case of the Secure Contacts App (SCA):
The customer organization acts as the data controller.
Microsoft acts as the data processor for cloud-based synchronization services (e.g., Microsoft Graph), governed by the customer’s existing agreements with Microsoft.
Provectus provides only the application software and is contractually and technically excluded from accessing, storing, processing, or transmitting personal data.
Accordingly, Provectus is neither a controller nor a processor within the meaning of Article 4 GDPR, and no Data Processing Agreement with Provectus under Article 28 GDPR is required.