Legal
Buyer-ready summary. The full DPA pack is provided during procurement and signed before go-live.
This page is a plain-English summary written for procurement and InfoSec reviewers. It is not legal advice. The signed Data Processing Agreement that accompanies the Master Services Agreement is the controlling document.
The Customer is the data controller for content held within its Microsoft 365 tenant and Azure subscription. OpsWork Ltd (trading name of Saqib Engineering Ltd) acts as data processor strictly in respect of the configuration, deployment and supported operation of the OpsWork product for the Customer. Each agent operates under identities and permissions granted by the Customer's Entra ID.
All Customer data is processed inside the customer-controlled Microsoft 365 tenant and Azure subscription. OpsWork deploys into UK South where the Customer's data residency policy permits and that region offers the required services. Where a service must be invoked outside UK South for capability reasons, that is recorded in the architecture pack and approved by the Customer before deployment.
OpsWork Ltd has no routine access to Customer content after deployment. Where the Customer raises a support request that requires OpsWork engineers to access their tenant or subscription, that access is granted by the Customer via standard Entra ID controls, is time-bound to the support engagement, is logged in the audit trail, and is revoked at the end of the support window.
OpsWork's operational sub-processors are Microsoft (Microsoft 365, Azure, Azure OpenAI). The Customer's own Microsoft tenancy is the primary processing environment; Microsoft's role is governed by the Customer's own agreements with Microsoft.
A current sub-processor list is provided during procurement and maintained for customers. Customers are notified of any change to the sub-processor list and have the contractual right to object.
Customer content remains in the Customer's tenant throughout and after the engagement. Removal of OpsWork comprises removal of OpsWork's app registrations, agent identities, Logic Apps and any OpsWork-provisioned resources from the Customer's subscription. The DPA records the operational steps and the timescale within which OpsWork commits to remove them at the end of the contract.
OpsWork will notify affected customers without undue delay after becoming aware of a confirmed security incident involving Customer data. The notification will include the nature of the incident, the data and resources affected, the steps taken to contain and remediate, and the Customer-side actions recommended.
Customers may audit OpsWork's processor obligations on reasonable notice during business hours. OpsWork will provide the architecture pack, identity and access matrix, sub-processor list and any relevant audit log extracts as required. Microsoft's platform-level certifications (Microsoft 365, Azure, Azure OpenAI) are inherited and are not in scope of an OpsWork-level audit.
Request the full pack
The full DPA pack — schedules, sub-processor list, architecture diagram and security questionnaire responses — is sent during procurement. Request it via the demo form or email privacy directly.