GDPR & Data Processing
Maintained by: Aether365 Team
Audience: Data protection officers and legal teams
Scope: GDPR roles, data subject rights, and Aether365 compliance commitments
Aether365 is designed to help organisations with GDPR obligations, but as a SaaS platform it also processes personal data on your behalf. This page explains the legal basis for processing, your rights, and how to exercise them.
Roles Under GDPR
| Role | Party | Scope |
|---|---|---|
| Data Controller | Your organisation | You determine the purposes and means of processing (you chose to connect your M365 tenant to Aether365) |
| Data Processor | Aether365 | We process data on your instructions (running security checks against your tenant) |
| Sub-Processor | Our cloud infrastructure provider, Stripe, etc. | Process data on Aether365's behalf - see Data Residency |
Legal Basis for Processing
Aether365 processes personal data under the following legal bases:
| Processing activity | Legal basis | Notes |
|---|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) | Required to deliver the service |
| Scanning Microsoft 365 configuration | Contract performance (Art. 6(1)(b)) | Core service function |
| Reading Microsoft Graph data | Legitimate interest (Art. 6(1)(f)) | Security scanning requires reading configuration data |
| Sending scan report emails | Contract performance | You configured email notifications |
| Billing and payment processing | Contract performance | Required for paid plans |
Personal Data Processed
When Aether365 scans your Microsoft 365 tenant, it may read configuration data that includes personal identifiers:
- User Principal Names (UPNs) - Email addresses used as identifiers in policy assignments
- Object IDs - Microsoft Entra IDs for users, groups, and service principals
- Display names - User and group display names in role assignment contexts
This data is used only to evaluate security checks and is stored as part of scan results. It is not used for any other purpose.
No AI or automated profiling
Aether365 does not use artificial intelligence or machine learning to process the personal data it reads from your tenant. Your configuration data and scan results are never sent to any AI or large language model service, used to train AI models, or subjected to automated decision-making or profiling within the meaning of GDPR Article 22.
Data Subject Rights
As the Data Controller, your organisation is responsible for responding to data subject requests from your Microsoft 365 users. Aether365 stores only configuration data - individual email content, personal documents, and personal correspondence are never processed.
As the data subject of your own Aether365 account (your email address and account data), you have the following rights under GDPR:
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Email privacy@aether365.io |
| Rectification (Art. 16) | Update your account in Settings, or email us |
| Erasure (Art. 17) | Email privacy@aether365.io to request full account deletion |
| Portability (Art. 20) | Export your scan data via CSV or API, or request a full data export by email |
| Restriction (Art. 18) | Email privacy@aether365.io |
| Objection (Art. 21) | Email privacy@aether365.io |
We respond to all data subject requests within 30 days.
Data Processing Agreement
A Data Processing Agreement (DPA) is available to customers on Pro and Enterprise plans. The DPA:
- Documents Aether365's obligations as a data processor
- Specifies technical and organisational security measures
- Lists sub-processors and their locations
- Defines procedures for data subject requests, data breaches, and audit rights
To receive the DPA, email privacy@aether365.io. Enterprise customers have the DPA included in their contract; Pro customers can request it at no additional cost.
Data Breach Notification
In the event of a personal data breach affecting your data, Aether365 will notify you without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
Notifications will be sent to the account owner email address. Enterprise customers can designate a separate security contact address.
To report a security incident: security@aether365.io
Supervisory Authority
Aether365 is registered in the EU. Our lead supervisory authority is the Swedish Authority for Privacy Protection (IMY - Integritetsskyddsmyndigheten).
You have the right to lodge a complaint with your local supervisory authority if you believe we have processed your data unlawfully.