Last updated: May 7, 2026

This DPA is provided for informational purposes. For enterprise agreements or custom DPA requirements, contact [email protected].

Data Processing Agreement

This Data Processing Agreement (“DPA”) governs the processing of personal data in connection with TenantBridge, a product of Level 3 IT Corp.

1. Introduction and Parties

This DPA is entered into between Level 3 IT Corp, acting as Data Processor (also referred to as “Processor” or “we”), and the Customer, acting as Data Controller (also referred to as “Controller” or “you”).

TenantBridge is a product of Level 3 IT Corp. The effective date of this DPA is the date the Customer begins using TenantBridge. This DPA forms part of and is subject to the Terms of Service agreed between the parties.

2. Definitions

Unless otherwise defined herein, capitalized terms have the meanings set out below:

  • Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
  • Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data Controller (or Controller) means the entity that determines the purposes and means of the Processing of Personal Data.
  • Data Processor (or Processor) means the entity that Processes Personal Data on behalf of the Controller.
  • Data Subject means the identified or identifiable natural person to whom Personal Data relates.
  • Supervisory Authority means an independent public authority established under applicable data protection law.
  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • SCCs means the Standard Contractual Clauses approved by the European Commission for transfers of personal data to third countries.
  • Sub-processor means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

References to the GDPR include, where applicable, the UK GDPR and related UK legislation. This DPA also acknowledges applicable United States state privacy laws, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), where those laws apply to the Processing described herein.

3. Scope and Purpose of Processing

Nature of processing

The nature of the Processing is the migration of email, calendar, contacts, files, and directory data between cloud tenants using TenantBridge as instructed by the Customer.

Purpose

The purpose of the Processing is to execute data migration services as instructed and documented by the Customer.

Types of personal data

Depending on the workloads configured, types of Personal Data may include email addresses, names, calendar events, contact details, file metadata, and directory information.

Categories of data subjects

Categories of Data Subjects include the Customer’s employees, contractors, and end users whose data is being migrated.

Duration

Processing will continue for the term of the migration project plus any retention period specified in the Terms of Service or as otherwise agreed in writing.

4. Processor Obligations

Level 3 IT Corp shall:

  • Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law (in which case Level 3 IT Corp shall, to the extent permitted by law, inform the Customer of that legal requirement before Processing);
  • Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures referred to in Article 32 of the GDPR;
  • Taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests for exercising Data Subject rights;
  • Assist the Customer in ensuring compliance with obligations regarding security of processing, personal data breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of Processing and the information available to Level 3 IT Corp;
  • At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage;
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA; and
  • Allow for and contribute to audits as described in Section 11.

5. Technical and Organisational Security Measures

Level 3 IT Corp implements appropriate technical and organizational measures, including:

  • Local processing. TenantBridge runs as a desktop application on the Customer’s own machine; migration data does not pass through Level 3 IT Corp servers in the ordinary course of providing the migration software.
  • Encryption in transit. Where data is transmitted over networks (for example, between the Customer’s environment and third-party cloud APIs), such transmission uses TLS or equivalent protections as implemented by the relevant platforms.
  • Access controls and authentication. The application and related services use access controls and authentication mechanisms appropriate to their function.
  • No persistent migration storage by Level 3 IT Corp. Level 3 IT Corp does not persistently store Customer migration content beyond what is required for licence validation and similar operational purposes described in the Terms of Service.

6. Sub-processors

The Customer generally authorizes the engagement of Sub-processors listed below. The Customer’s acceptance of this DPA constitutes consent to the Sub-processors listed as of the effective date.

Current Sub-processors:

  • Microsoft (Azure AD / Microsoft 365 API) — authentication and source data access.
  • Google (Google Workspace API) — authentication and destination data access.
  • Resend — transactional email for demo request notifications only; no migration data.

Level 3 IT Corp will provide at least 30 days’ prior notice of any intended addition or replacement of Sub-processors (for example, by updating this page or written notice). The Customer may object to a new Sub-processor in writing within 14 days of such notice. Where an objection is reasonable and cannot be resolved, the parties will discuss an appropriate remedy in good faith.

7. International Data Transfers

For transfers of Personal Data subject to the GDPR from the European Economic Area (EEA) to countries not recognized as providing an adequate level of protection, Level 3 IT Corp will rely on Standard Contractual Clauses (SCCs) or other mechanisms recognized under applicable law, including adequacy decisions where applicable.

For transfers subject to the UK GDPR, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs will apply where required.

For Processing subject to US state privacy laws, including the CCPA/CPRA for California residents, Level 3 IT Corp will comply with applicable requirements to the extent they apply to its role and the services provided.

Because TenantBridge processes migration data locally on the Customer’s machine, the risk profile associated with international transfers of migration content through Level 3 IT Corp is significantly reduced compared to traditional hosted processing models. Transfers may still occur between the Customer’s systems and cloud providers (for example, Microsoft and Google) in accordance with those providers’ terms and the Customer’s configuration.

8. Data Subject Rights

Level 3 IT Corp will assist the Customer, taking into account the nature of the Processing, in fulfilling requests to exercise Data Subject rights within timeframes required by applicable law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection where applicable.

The Customer remains responsible for responding to Data Subjects and for determining the lawfulness of Processing under its role as Controller.

9. Data Breach Notification

Level 3 IT Corp will notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Customer, and where feasible within 72 hours of becoming aware, in line with GDPR expectations where applicable.

Notification will include, to the extent available: the nature of the breach; the categories and approximate number of Data Subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach and mitigate harm.

10. Data Retention and Deletion

Upon termination of services, Level 3 IT Corp will delete or return Personal Data in its possession or control within 30 days, unless retention is required by applicable law.

The Customer is responsible for retaining its own copies of data and for export prior to termination where needed for business continuity.

11. Audit Rights

The Customer may audit Level 3 IT Corp’s compliance with this DPA once per calendar year upon at least 30 days’ prior written notice, during normal business hours and subject to reasonable confidentiality and security procedures.

Level 3 IT Corp may satisfy audit requests by providing relevant certifications or third-party audit reports where appropriate in lieu of on-site audits.

12. Governing Law

This DPA is governed primarily by the laws of the state of incorporation of Level 3 IT Corp, without regard to conflict-of-law principles that would require application of another jurisdiction’s laws, except where mandatory data protection law provides otherwise.

GDPR-related obligations are interpreted in accordance with EU and UK GDPR as applicable. US obligations are governed by applicable state law, including CCPA/CPRA where applicable to California residents.

13. Contact

For data protection queries related to this DPA or TenantBridge, contact [email protected]. Please verify this address is correct before publishing.