Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Grenadier Computing Ltd, registered in England and Wales ("Processor", "we", "us"), and the organisation using the Pain Points platform ("Controller", "you", "Partner").
1. Definitions
"Platform" — The Pain Points software-as-a-service application.
"Partner" — The MSP, IT provider, or organisation that has registered to use the Platform.
"End Users" — Individuals who access the Platform through a Partner's Microsoft 365 tenant.
"Personal Data" — Any information relating to an identified or identifiable natural person, as defined by UK GDPR.
2. Roles and Responsibilities
The Partner acts as the Data Controller, determining the purposes and means of processing. Grenadier Computing acts as the Data Processor, processing Personal Data solely on the Partner's documented instructions and for the purpose of providing the Platform.
We will not process Personal Data for any purpose other than delivering the Platform services, unless required by law, in which case we will inform the Partner before processing unless prohibited from doing so.
3. Personal Data Processed
The following categories of Personal Data are processed:
| Category | Data Elements | Source |
|---|---|---|
| Identity | Display name, email address | Microsoft Entra ID |
| Identifiers | Azure AD tenant ID, user object ID | Microsoft Entra ID |
| Platform content | Pain point submissions, comments, proposals, votes | End User input |
| Usage data | Login timestamps, activity metrics, gamification scores | Platform-generated |
4. Lawful Basis
The Partner is responsible for ensuring a lawful basis exists for processing End User data. The Platform is designed to support legitimate interest and consent-based processing. We do not independently determine lawful basis for Controller data.
5. Security Measures
We implement appropriate technical and organisational measures, including:
- Encryption in transit via TLS 1.2+ on all connections
- Encryption at rest via Azure SQL Transparent Data Encryption (TDE)
- Authentication exclusively via Microsoft Entra ID; no passwords are stored
- Access control with role-based permissions and partner-level data isolation
- Secrets management via Azure Key Vault with managed identity access
- Infrastructure hosted on Microsoft Azure (UK South region) with automatic patching
- Monitoring with structured audit logging of authentication and administrative actions
6. Sub-processors
We use a limited number of sub-processors to deliver the Platform. A current list is maintained in our Privacy Policy. We will notify Partners of any changes to sub-processors with reasonable advance notice. If a Partner objects to a new sub-processor, they may terminate their use of the Platform.
7. Data Subject Rights
We assist Partners in responding to data subject requests under UK GDPR, including:
- Access — Partners can view all End User data within the Platform
- Rectification — User profile data syncs automatically from Microsoft Entra ID
- Erasure — Partners can request deletion of individual users or entire organisations
- Portability — Partners can export all data in machine-readable JSON format
We will notify the Partner without undue delay if we receive a data subject request directly, unless prohibited by law.
8. Data Retention and Deletion
- Personal Data is retained for the duration of the Partner's active subscription.
- Upon account termination or deletion request, all Partner data is permanently deleted within 30 days.
- Backups containing Partner data are purged within 90 days of deletion.
9. Data Breach Notification
In the event of a Personal Data breach, we will notify the Partner without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include:
- The nature of the breach and categories of data affected
- The likely consequences
- Measures taken or proposed to address the breach
10. International Transfers
All primary data processing occurs within the United Kingdom (Azure UK South region). We do not transfer Personal Data outside the UK unless required to deliver the Platform (e.g. CDN edge caching via Cloudflare), in which case appropriate safeguards are in place.
11. Audit Rights
Partners may request information reasonably necessary to demonstrate compliance with this DPA. We will make available relevant documentation, certifications, and audit reports upon request.
12. Term and Termination
This DPA remains in effect for the duration of the Partner's use of the Platform. Obligations relating to data deletion and confidentiality survive termination.
13. Governing Law
This DPA is governed by the laws of England and Wales and subject to the exclusive jurisdiction of the English courts.