Data Processing Agreement

This DPA applies where ShareDroid processes personal data for a customer as processor. The customer remains responsible for its own lawful basis, employee notices, DPIAs, and configuration choices.

1. Roles

The customer is the controller for tenant users, employees, devices, credentials, badges, facial authentication records, and app profile configuration. ShareDroid acts as processor when processing that data to provide the service.

2. Processing details

Subject matter	Shared Android identity, kiosk control, device management, authentication, app-profile sign-in assistance, and audit logging.
Duration	For the subscription term and any agreed retention period.
Data subjects	Customer administrators, end users, employees, contractors, support contacts, and device assignees.
Data types	Names, emails, user IDs, badge IDs/hashes, PIN hashes, device IDs, tenant IDs, telemetry, audit logs, app profile data, optional biometric face data, and managed credential references.

3. Processor obligations

• Process personal data only on documented customer instructions unless law requires otherwise.
• Use appropriate technical and organisational measures.
• Limit access to personnel and systems that need it.
• Support reasonable requests for data subject rights, security information, and deletion/export.
• Notify the customer without undue delay after becoming aware of a personal data breach affecting customer data.

4. Subprocessors

The customer authorises use of the subprocessors listed in Security and Subprocessors. We will keep that page reasonably current.

5. International transfers

Some providers may process data outside the UK or EEA. Where required, appropriate safeguards such as standard contractual clauses, UK addendum, adequacy decisions, or equivalent transfer mechanisms should apply.

6. Return and deletion

On termination, customer data may be deleted, anonymised, or exported according to the service functionality, retention settings, legal requirements, and backup cycles.