Data Processing Agreement

Dynamics ATS Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and supplements the Dynamics ATS End User License Agreement (“Agreement”) between Dynamics CRM Recruiting Solutions (“Processor” or “Dynamics ATS”), and Customer (“Controller”).

This DPA applies where Dynamics ATS processes Personal Data on behalf of Customer.

1. Definitions

1.1 Applicable Data Protection Law
“Applicable Data Protection Law” means all laws applicable to the processing of Personal Data under the Agreement, including but not limited to:

  • Regulation (EU) 2016/679 (GDPR)

  • UK GDPR

  • California Consumer Privacy Act (CCPA), as amended by CPRA

  • Other applicable U.S. state privacy laws

1.2 Customer Data
“Customer Data” means all data submitted to or stored within the Dynamics ATS solution in Customer’s Microsoft environment.

1.3 Personal Data
“Personal Data” means information relating to an identified or identifiable natural person.

1.4 Sub-Processor
“Sub-Processor” means any third party engaged by Dynamics ATS to process Personal Data.

2. Roles of the Parties

2.1 Customer is the Data Controller.

2.2 Dynamics ATS is a Data Processor and processes Personal Data solely on behalf of Customer.

2.3 Customer acknowledges that Microsoft Corporation acts as an independent Data Processor with respect to Microsoft cloud services, including Azure, Dataverse, Power Platform, Microsoft Entra ID, and Azure OpenAI, pursuant to the Microsoft Products and Services Data Protection Addendum (“Microsoft DPA”).

2.4 Nothing in this DPA alters the allocation of responsibilities between Customer and Microsoft under the Microsoft DPA.

3. Scope and Nature of Processing

3.1 Dynamics ATS processes Personal Data solely to:

  • Provide applicant tracking system functionality and workflows

  • Provide maintenance and technical support

3.2 Processing activities are limited to those necessary to perform the services described in the Agreement.

3.3 Customer’s configuration and use of Dynamics ATS constitute documented processing instructions.

3.4 Dynamics ATS shall not:

  • Sell Personal Data

  • Use Personal Data for advertising

  • Use Personal Data to train public AI models

  • Determine independent purposes of processing

4. Categories of Data and Data Subjects

4.1 Categories of Data Subjects

  • Candidates

  • Hiring managers

  • Customer personnel

4.2 Categories of Personal Data

  • Names and contact information

  • Resume and employment history

  • Education history

  • Interview notes and screening responses

  • Placement details

  • Timesheets and compensation information

4.3 Sensitive Personal Data is processed only if entered or configured by Customer.

5. Technical and Organizational Measures

5.1 Hosting Environment
Customer Data is stored within Customer’s Microsoft Dataverse environment.

5.2 Infrastructure Security
Infrastructure-level safeguards are governed by the Microsoft DPA.

5.3 Application-Level Safeguards
Dynamics ATS implements:

  • Role-based access controls

  • Secure API authentication

  • Managed solution architecture

  • Encryption in transit (TLS 1.2+)

  • Secure development lifecycle practices

5.4 AI Safeguards
Where AI features are enabled:

  • Processing occurs via Microsoft Azure OpenAI

  • Processing is stateless

  • Customer Data is not used to train public models

  • No cross-customer model learning occurs

  • Outputs remain within Customer’s Dataverse environment if saved

AI infrastructure protections are governed by the Microsoft DPA.

6. Sub-Processors

6.1 Authorized Sub-Processors

  • Microsoft Corporation (Azure, Dataverse, Power Platform, Entra ID)

  • Microsoft Azure OpenAI

6.2 Such Sub-Processors are governed by the Microsoft DPA.

6.3 Dynamics ATS shall notify Customer of any additional material Sub-Processors.

7. Data Residency and International Transfers

7.1 Customers select the geographic region for their Microsoft Dataverse environment within Azure.

7.2 Customer Data stored within Microsoft Dataverse remains in the selected region and is governed by Microsoft’s infrastructure policies and the Microsoft DPA.

7.3 At present, certain Dynamics ATS application services are operated from Microsoft hosted infrastructure located in the United States. Where Personal Data is accessed or processed in the United States, such processing is conducted in accordance with applicable international data transfer safeguards, including Standard Contractual Clauses or other lawful transfer mechanisms as required under Applicable Data Protection Law.

7.4 Dynamics ATS does not independently replicate or relocate Customer Data outside the customer’s Microsoft environment. Remote access for authorized support or application services does not result in the creation of independent data stores outside the customer’s environment.

7.5 As Azure regional capabilities evolve, Dynamics ATS may offer region-specific service configurations. Where such options are made available, processing will align with the customer’s selected region.

8. Data Subject Rights

8.1 Dynamics ATS shall reasonably assist Customer in responding to Data Subject Requests to the extent such requests relate to application-level processing.

8.2 Customer retains primary administrative control of Personal Data within its Microsoft Dataverse environment.

9. Confidentiality

9.1 Dynamics ATS personnel with access to Personal Data are subject to confidentiality obligations.

10. Security Incident Notification

10.1 Dynamics ATS shall notify Customer without undue delay upon confirmation of a Security Incident attributable to application-level processing.

10.2 Security Incidents relating to Microsoft infrastructure services are governed by the Microsoft DPA.

11. Data Retention and Deletion

11.1 Customer Data is stored within Customer’s Microsoft Dataverse environment, which serves as the system of record. Dynamics ATS does not maintain an independent production database containing Customer Data.

11.2 If Customer deletes Personal Data from its Microsoft Dataverse environment:

  • Such data becomes inaccessible to the Dynamics ATS application

  • Dynamics ATS ceases active processing of that deleted data

  • Dynamics ATS does not restore deleted data into active environments

  • Dynamics ATS does not maintain separate archival copies for independent business purposes

11.3 Deleted data may persist temporarily only in:

  • Standard system logs

  • Temporary processing buffers

  • Microsoft-managed backups

  • Disaster recovery systems

Such retention is limited to standard operational safeguards and is governed by Microsoft’s DPA where applicable.

11.4 Upon termination of the Agreement:

  • Upon termination of the Agreement or removal of the Dynamics ATS application, Customer is responsible for exporting any Customer Data it wishes to retain prior to removal of the application. Dynamics ATS does not retain independent copies of Customer Data and does not restore deleted data after the application has been removed.

  • Dynamics ATS shall delete any remaining support-related artifacts containing Customer Data upon written request

  • Infrastructure-level data retention is governed by Microsoft’s DPA

12. U.S. State Privacy Provisions

12.1 Dynamics ATS acts as a “Service Provider” or “Processor” under applicable U.S. state privacy laws.

12.2 Dynamics ATS shall:

  • Process Personal Data solely for business purposes

  • Not retain, use, or disclose Personal Data beyond the Agreement

  • Not combine Personal Data with other data except as permitted by law

13. Limitation of Liability

13.1 Liability under this DPA is subject to the limitations set forth in the Agreement.

14. Term

14.1 This DPA remains in effect for the duration of the Agreement.

15. Order of Precedence

15.1 In the event of conflict between this DPA and the Agreement, this DPA governs solely with respect to Personal Data processing.

Dynamics ATS Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and supplements the Dynamics ATS End User License Agreement (“Agreement”) between Dynamics CRM Recruiting Solutions (“Processor” or “Dynamics ATS”), and Customer (“Controller”).

This DPA applies where Dynamics ATS processes Personal Data on behalf of Customer.

1. Definitions

1.1 Applicable Data Protection Law
“Applicable Data Protection Law” means all laws applicable to the processing of Personal Data under the Agreement, including but not limited to:

  • Regulation (EU) 2016/679 (GDPR)

  • UK GDPR

  • California Consumer Privacy Act (CCPA), as amended by CPRA

  • Other applicable U.S. state privacy laws

1.2 Customer Data
“Customer Data” means all data submitted to or stored within the Dynamics ATS solution in Customer’s Microsoft environment.

1.3 Personal Data
“Personal Data” means information relating to an identified or identifiable natural person.

1.4 Sub-Processor
“Sub-Processor” means any third party engaged by Dynamics ATS to process Personal Data.

2. Roles of the Parties

2.1 Customer is the Data Controller.

2.2 Dynamics ATS is a Data Processor and processes Personal Data solely on behalf of Customer.

2.3 Customer acknowledges that Microsoft Corporation acts as an independent Data Processor with respect to Microsoft cloud services, including Azure, Dataverse, Power Platform, Microsoft Entra ID, and Azure OpenAI, pursuant to the Microsoft Products and Services Data Protection Addendum (“Microsoft DPA”).

2.4 Nothing in this DPA alters the allocation of responsibilities between Customer and Microsoft under the Microsoft DPA.

3. Scope and Nature of Processing

3.1 Dynamics ATS processes Personal Data solely to:

  • Provide applicant tracking system functionality and workflows

  • Provide maintenance and technical support

3.2 Processing activities are limited to those necessary to perform the services described in the Agreement.

3.3 Customer’s configuration and use of Dynamics ATS constitute documented processing instructions.

3.4 Dynamics ATS shall not:

  • Sell Personal Data

  • Use Personal Data for advertising

  • Use Personal Data to train public AI models

  • Determine independent purposes of processing

4. Categories of Data and Data Subjects

4.1 Categories of Data Subjects

  • Candidates

  • Hiring managers

  • Customer personnel

4.2 Categories of Personal Data

  • Names and contact information

  • Resume and employment history

  • Education history

  • Interview notes and screening responses

  • Placement details

  • Timesheets and compensation information

4.3 Sensitive Personal Data is processed only if entered or configured by Customer.

5. Technical and Organizational Measures

5.1 Hosting Environment
Customer Data is stored within Customer’s Microsoft Dataverse environment.

5.2 Infrastructure Security
Infrastructure-level safeguards are governed by the Microsoft DPA.

5.3 Application-Level Safeguards
Dynamics ATS implements:

  • Role-based access controls

  • Secure API authentication

  • Managed solution architecture

  • Encryption in transit (TLS 1.2+)

  • Secure development lifecycle practices

5.4 AI Safeguards
Where AI features are enabled:

  • Processing occurs via Microsoft Azure OpenAI

  • Processing is stateless

  • Customer Data is not used to train public models

  • No cross-customer model learning occurs

  • Outputs remain within Customer’s Dataverse environment if saved

AI infrastructure protections are governed by the Microsoft DPA.

6. Sub-Processors

6.1 Authorized Sub-Processors

  • Microsoft Corporation (Azure, Dataverse, Power Platform, Entra ID)

  • Microsoft Azure OpenAI

6.2 Such Sub-Processors are governed by the Microsoft DPA.

6.3 Dynamics ATS shall notify Customer of any additional material Sub-Processors.

7. Data Residency and International Transfers

7.1 Customers select the geographic region for their Microsoft Dataverse environment within Azure.

7.2 Customer Data stored within Microsoft Dataverse remains in the selected region and is governed by Microsoft’s infrastructure policies and the Microsoft DPA.

7.3 At present, certain Dynamics ATS application services are operated from Microsoft hosted infrastructure located in the United States. Where Personal Data is accessed or processed in the United States, such processing is conducted in accordance with applicable international data transfer safeguards, including Standard Contractual Clauses or other lawful transfer mechanisms as required under Applicable Data Protection Law.

7.4 Dynamics ATS does not independently replicate or relocate Customer Data outside the customer’s Microsoft environment. Remote access for authorized support or application services does not result in the creation of independent data stores outside the customer’s environment.

7.5 As Azure regional capabilities evolve, Dynamics ATS may offer region-specific service configurations. Where such options are made available, processing will align with the customer’s selected region.

8. Data Subject Rights

8.1 Dynamics ATS shall reasonably assist Customer in responding to Data Subject Requests to the extent such requests relate to application-level processing.

8.2 Customer retains primary administrative control of Personal Data within its Microsoft Dataverse environment.

9. Confidentiality

9.1 Dynamics ATS personnel with access to Personal Data are subject to confidentiality obligations.

10. Security Incident Notification

10.1 Dynamics ATS shall notify Customer without undue delay upon confirmation of a Security Incident attributable to application-level processing.

10.2 Security Incidents relating to Microsoft infrastructure services are governed by the Microsoft DPA.

11. Data Retention and Deletion

11.1 Customer Data is stored within Customer’s Microsoft Dataverse environment, which serves as the system of record. Dynamics ATS does not maintain an independent production database containing Customer Data.

11.2 If Customer deletes Personal Data from its Microsoft Dataverse environment:

  • Such data becomes inaccessible to the Dynamics ATS application

  • Dynamics ATS ceases active processing of that deleted data

  • Dynamics ATS does not restore deleted data into active environments

  • Dynamics ATS does not maintain separate archival copies for independent business purposes

11.3 Deleted data may persist temporarily only in:

  • Standard system logs

  • Temporary processing buffers

  • Microsoft-managed backups

  • Disaster recovery systems

Such retention is limited to standard operational safeguards and is governed by Microsoft’s DPA where applicable.

11.4 Upon termination of the Agreement:

  • Upon termination of the Agreement or removal of the Dynamics ATS application, Customer is responsible for exporting any Customer Data it wishes to retain prior to removal of the application. Dynamics ATS does not retain independent copies of Customer Data and does not restore deleted data after the application has been removed.

  • Dynamics ATS shall delete any remaining support-related artifacts containing Customer Data upon written request

  • Infrastructure-level data retention is governed by Microsoft’s DPA

12. U.S. State Privacy Provisions

12.1 Dynamics ATS acts as a “Service Provider” or “Processor” under applicable U.S. state privacy laws.

12.2 Dynamics ATS shall:

  • Process Personal Data solely for business purposes

  • Not retain, use, or disclose Personal Data beyond the Agreement

  • Not combine Personal Data with other data except as permitted by law

13. Limitation of Liability

13.1 Liability under this DPA is subject to the limitations set forth in the Agreement.

14. Term

14.1 This DPA remains in effect for the duration of the Agreement.

15. Order of Precedence

15.1 In the event of conflict between this DPA and the Agreement, this DPA governs solely with respect to Personal Data processing.