Data Protection and Privacy Policy for Webparts Developed by SharePoint Designs
1. Overview
This Data Protection and Privacy Policy outlines the principles, processes, and technical controls implemented by SharePoint Designs in the development and deployment of custom SharePoint Online webparts for Intranet portals. The policy is designed to support internal and client-facing Software Assurance, Data Protection Impact Assessments (DPIA), and to ensure compliance with the General Data Protection Regulation (GDPR), Microsoft’s Privacy Statement, and organizational data governance standards.
2. Scope
This policy applies to all custom webparts created and maintained by SharePoint Designs for deployment in client Microsoft 365 SharePoint Online environments. It covers all data handling, processing, and storage activities, as well as license management related data.
3. Alignment with Microsoft Privacy Statement
Our practices are fully aligned with the requirements and commitments set forth in the Microsoft Privacy Statement and related Microsoft Trust Center documentation. In particular:
- Customer Data Ownership and Control:
All data processed by our webparts remains under the ownership and control of our clients. Data is not used for profiling, advertising, or any secondary purposes.
- Processor Role:
We act solely as a data processor (or sub-processor, where applicable) and follow client instructions for any data processing activities, in line with Microsoft’s processor commitments for Microsoft 365 cloud services.
- Purpose Limitation and Data Minimization:
Data collection and processing are strictly limited to what is necessary for webpart functionality and license management.
- Data Location and Residency:
All data remains within the client’s chosen Microsoft 365 SharePoint Online region and datacenters, supporting customer control over data residency and legal requirements regarding data transfers.
- Security and Confidentiality:
Webparts inherit Microsoft 365’s robust security features (encryption, access controls, audit logging) and are developed and maintained following best practices for privacy and information security.
- Third-Party Access:
No client data is shared with or accessible to third parties, except as required for license verification and only under strict contractual controls, consistent with Microsoft’s approach to subprocessors.
- Transparency and Compliance:
We provide clear documentation about our data processing, facilitate DPIA and audit requests, and support clients in exercising their data subject rights.
- Legal Requests:
Should any data disclosure be compelled by law, we will follow Microsoft’s customer notification approach wherever applicable and legally permissible.
4. Data Handling
4.1 Data Collection
- No Client Data Collection:
Our webparts do not collect or store any client data. All data processed by the webparts is sourced directly from SharePoint Online within the client’s own Microsoft 365 environment.
- License Processing:
For the sole purpose of license management, we collect only the following:
  - Microsoft 365 Tenant ID
  - SharePoint Online Site URL
No additional personal or business data is collected, transmitted, or stored by our webparts outside the client’s SharePoint environment.
4.2 Data Processing
- All processing activities performed by the webparts are limited strictly to data already present in the client’s SharePoint Online environment.
- No data is exported, transmitted, or processed outside the boundaries of the client’s Microsoft 365 tenancy.
- The Tenant ID and SharePoint URL, collected for license processing, are handled securely and used exclusively for license validation, in accordance with client instructions and applicable law.
- Processing is performed in accordance with Microsoft’s compliance commitments and our organization’s data governance policies.
5. Data Storage
- All SharePoint data accessed or processed by the webparts remains within the Microsoft 365 SharePoint Online platform, stored in Microsoft-managed datacenters.
- No client data (other than Tenant ID and SharePoint URL for licensing) is stored or transmitted to external systems by the webparts.
- The Tenant ID and SharePoint URL used for license processing are stored securely and are not shared with third parties.
6. Data Access and Control
- The webparts operate entirely within the scope of the client’s existing SharePoint Online access controls and permissions.
- Only users authorized within the client’s Microsoft 365 tenancy can access or interact with data through the webparts.
- The license management data (Tenant ID and SharePoint URL) is accessible only to authorized personnel for the purpose of license verification.
7. Data Retention and Deletion
- No client data is retained by the webparts or transferred outside SharePoint Online.
- Tenant ID and SharePoint URL collected for licensing are retained only for the duration necessary to manage licensing and are deleted upon license termination or as required by the client.
8. Security Measures
- Inherited Microsoft 365 Security:
Webparts inherit all Microsoft 365 SharePoint Online security measures, including encryption at rest and in transit, access controls, and security monitoring.
- Secure Development Lifecycle:
All software is developed using secure development practices, is regularly reviewed for vulnerabilities, and is updated to address emerging threats.
- Access Controls:
Administrative access to license data is strictly controlled and audited.
9. Transparency, Compliance, and Audit
- Our practices and documentation support client requirements for privacy impact assessments, independent audits, and compliance with GDPR and other relevant data protection regulations.
- We remain available to support client audit requests and to provide information for regulatory compliance, in line with Microsoft’s transparency and compliance commitments.
10. Custom Webpart Data Flow
Below is a typical data flow for the custom webparts:

- No business or personal data is transmitted to external systems; only Tenant ID and SharePoint URL are used for license processing.
11. Data Subject Rights
We support data subjects’ rights under GDPR and other laws, including access, rectification, erasure, and objection. As no business or personal data is collected by our webparts, requests typically pertain only to license management data.
12. Compliance References
13. Contact and Support
For further information regarding data protection, DPIA documentation, or to exercise data subject rights, please contact our Data Protection Officer or IT Security Team.
Last updated: 28-Oct-2025